Physical Security is essential while data is being processed. Often, the Cipher Data is decrypted to Plaintext during processing. The decrypted data can leave residues behind in on-line and off-line storage, as well as in memory after the processing is complete. Therefore, when it is not possible to guarantee physical security, steps be taken to prevent:

• Cold Boot Attack
• Data Remanence

Data Security is the process of protecting data from unauthorized access and data corruption by using a Encryption Algorithm to encrypt data throughout its lifecycle especially while the data is in use. Encryption can be any combination of Hashing, tokenization, and Key Management practices that protect data across all Applications and Platforms.

With the rise of Decentralized and Distributed systems, it is no longer possible to trust all the parts of a Software Stack and Solution Stack especially devices such as: Network Device, Mobile Device, Peripheral Device, or Storage Device, Web Service. Also, each Web Service also represents a stack of additional components, such as: Apache CloudStack, LAMP (Linux, Apache, MySQL, PHP/Perl/Python) , Oracle Cloud Stack , Web Service Protocol Stack. Each of these components, the connections and the Network devices, represent a risk, especially when Instrumentation for monitoring of the component is added to the mix. For example, using a Debugger tool is useful during development for observing the state of the component, but those features leave vulnerabilities for exposing sensitive information. See the MITRE Common Weakness Enumeration (CWE) list.

The following are approaches to help solve some of these problems:

• Access Control List (ACL)
• Zero Trust Security Model
• Zero Trust Architecture (ZTA)
• The Onion Router (Tor)
• Secure Memory Encryption (SME)
• Full Memory Encryption (FME)
• Total Memory Encryption (TME)
• Software Guard Extensions (SGX)
• Multi-Party Computation (MPC)
• TRESOR
• Homomorphic Encryption (HE)
• CWE-215: Insertion of Sensitive Information into Debugging Code - The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
• CWE-489: Active Debug Code - The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
• CWE-1295: Debug Messages Revealing Unnecessary Information - The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.

Network Security covers all Network Device and is an over-arching term describing the policies and procedures implemented by a network administrator to avoid and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources.

This means that a well-implemented network security blocks viruses, Malicious Software (Malware), hackers, etc. from accessing or altering secure information. Many of these goals can be achieved by having:

• Hardware Firewall
• Access Control List (ACL)
• Hypertext Transport Protocol Secure (HTTPS)
• Secure Sockets Layer (SSL)
• Transport layer security (TLS)

Platform Security is the security architecture covering Hardware (H/W), and Software (SW) for the entire Computing Platform Stack, including: Hardware Platform, Operating System Platform, Runtime Platform, and Network Platform.

Many of these goals can be achieved by considering:

• Software Firewall
• Access Control List (ACL)
• Full-Disk Encryption (FDE)
• Full Memory Encryption (FME)
• Total Memory Encryption (TME)
• Software Guard Extensions (SGX)
• Multi-Party Computation (MPC)
• TRESOR
• Homomorphic Encryption (HE)
• Authorization of Peripheral Device such as:

  • Geolocation services
  • Bluetooth
  • Transmission Control Protocol (TCP) networks
  • Wireless Network
  • Memory and Storage

Application Security is the Business Process of developing, adding, and testing security features within applications to prevent security Vulnerabilities against cyberthreats such as unauthorized access and modification.

Application Security describes security measures in the Application that aim to prevent data or code within the Application from being stolen or hijacked. It encompasses the security considerations that happen during application development and design, but it also involves systems and approaches to protect Applications after deployment.

Application Security covers Hardware (H/W), Software (SW), and Business Processes to minimize security Vulnerabilities. Application Security also covers any security measures added-to or integrated-into the Appication. For example, the use of a Software Firewall.

Note: The use of the word Application here should not beconfused with OSI Application Layer or the TCP/IP Conceptual Model Application Level.

• Software Firewall
• Authentication
• Access Control
• Multifactor Authentication (MFA)
• One-Time PIN (OTP)
• Two-Factor Authentication (2FA)
• N-Tier Architecture
• CWE-215: Insertion of Sensitive Information into Debugging Code - The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
• CWE-489: Active Debug Code - The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
• CWE-1295: Debug Messages Revealing Unnecessary Information - The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.

CyberSecurity Culture (CSC) CyberSecurity Culture (CSC) of organizations refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding Cybersecurity and how these manifest in people’s behavior with information technologies. CyberSecurity Culture (CSC) is about making information security considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions.

Some common tools to help create a good Security Culture are:

• Biometrics
• Identification
• Non-Disclosure Agreement (NDA)
• Data Loss Prevention (DLP)
• Data Retention Policy
• Talk Openly Develop Openly (TODO)
• Policies and Procedures (P&P)
• Business impact Analysis (BIA)

Data Logging (also known as Logging) is the process of creating a Log which is the automatically production of time-stamped documentation for events relevant to a particular system. There are many tools available to help with Logging, some are Technical Standards and some are de facto Standards:

• Technical Standards

  • ISO 10003:2018 Quality management — Customer satisfaction — Guidelines for dispute resolution external to organizations
  • ISO 10004:2018 Quality management — Customer satisfaction — Guidelines for monitoring and measuring
  • RFC5424 - The Syslog Protocol (SYSLOG)
• de facto Standards

  • Oracle: Java logger API
  • Apache: Log4j
  • Apache: Log4cxx
  • Apache: log4php
  • Apache: log4net
  • Apache: log4jscala
  • Solidity Events
• Tools:

  • Tools: Logging Tools

Access Control defines a set of controls restricting access to resources based on the group membership, identity, clearance, physical & logical location, and need-to-know. In other words, it provides the Authorization for access to resources. Additionally, access includes a method of permission to consume, enter, control, restrict, use and protect the resource to guarantee: Availability, Confidentiality, and Integrity.

Some of the more traditional resources requiring Access Control are: Memory and Storage, Peripheral Device, Central Processing Unit (CPU), Heap Memory, Stack Memory, Non-Volatile Storage (NVS), and Network Interface Card (NIC).

Many of these goals can be achieved by considering:

• Lightweight Directory Access Protocol (LDAP)
• Access Control Function
• Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML)
• eXtensible Access Control Markup Language (XACML)
• Policy Based Management System (PBMS)
• Security Policy
• Policy Decision Point (PDP)
• Policy Enforcement Point (PEP)
• Policy Information Block (PIB)
• Policy Information Point (PIP)
• Policy Retrieval Point (PRP)
• Access Control Engine (ACE)
• Access Control Policy (ACP)

Identification and Authentication are the basis for access to the system. Recently, a new Data State has been added called Data-in-Use. In many ways, it is harder to to use Identification and Authentication than with Data-at-Rest or Data-in-Motion because processing the Data generally requires processing a Cryptographic Algorithm to decrypt the Data. The use of Protection Rings can help, but at each level there is still a need to identify and authenticate the request.

The following are some of the ways to establish the identity of an entity and Authenticate the entity making the request.

• Identification
• Authentication
• Access Control
• Password
• Personal Identification Number (PIN)
• Multifactor Authentication (MFA)
• One-Time PIN (OTP)
• Two-Factor Authentication (2FA)
• Biometric Authentication
• Identifier (ID)
• Hash Key
• Self-sovereign Identity (SSI)
• Decentralized IDentifier (DID)
• Uniform Resource Locator (URL)
• Uniform Resource Identifier (URI)
• Quick Response Code (QR Code)
• Bar Code (Barcode)
• Universally Unique IDentifier (UUID)
• Financial Instrument Global Identifier (FIGI)