12. Explore the principles of security by design (AC 3.2)
A closer look at the principles of security by design according to the National Cyber Security Centre (NCSC)

Establish the context

Before you can create a secure system design, you need a good understanding of the fundamentals and must resolve any problems you identify. You need to understand what the system is for, what is needed to operate it, and which risks are acceptable. To understand the threats you might face, use attack trees to map out the ways in which an attacker could reach their goals; your design should record how skilful an attacker would need to be to succeed by each route. Decide whether your goal is to defend, to detect, or to recover. For example: defend against known tools and techniques; detect attempted attacks; and recover, within an agreed time, from a worst-case scenario following a successful attack, such as the loss of all data.

You also need to understand the role of suppliers in establishing and maintaining system security, so build good relationships and a shared understanding with them. Contracts should make your security requirements clear, but being too rigid can cause problems. It is more effective to establish a shared-risk arrangement that encourages suppliers to engage actively in doing the right thing rather than merely meeting contractual requirements.

Understand the system end-to-end

You should understand the critical data that flows through your system. Note every point where data could be stored, manipulated or rendered, and pay particular attention to:
- devices used to access the data
- third-party services
- network security devices
- copies of your data
- communications over insecure networks
- appropriate security for every iteration of your system.

How you manage security risks matters. Good cyber security governance enables the flow of cyber security information.
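The attack-tree technique mentioned under "Establish the context" can be made concrete in code. The example below is written for this page and is not NCSC material; the tree, the step names and the 1-to-5 skill scale are constructed assumptions for a hypothetical customer database. An OR node is satisfied by its cheapest child, an AND node needs every child, so the skill an attacker needs is the minimum over OR branches and the maximum over AND branches. Marking a step as mitigated shows how a single control (here, MFA on the admin VPN) raises the bar for the whole goal:

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    """One node of an attack tree.

    kind is "leaf" (a single attacker step), "or" (any child suffices)
    or "and" (every child is needed).  skill is the capability a leaf step
    needs on an assumed scale of 1 (opportunist) to 5 (expert, well resourced);
    the scale is a constructed assumption for this example.
    """
    name: str
    kind: str = "leaf"
    skill: int = 0
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False   # True once a control removes this step


def leaf(name: str, skill: int) -> Node:
    return Node(name, "leaf", skill)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, "or", children=list(children))


def all_of(name: str, *children: Node) -> Node:
    return Node(name, "and", children=list(children))


def required_skill(node: Node) -> Optional[int]:
    """Lowest attacker skill that still achieves `node`; None if no route remains."""
    if node.kind == "leaf":
        return None if node.mitigated else node.skill
    skills = [required_skill(c) for c in node.children]
    if node.kind == "or":
        reachable = [s for s in skills if s is not None]
        return min(reachable) if reachable else None
    if node.kind == "and":
        # every sub-goal is needed, so the hardest step sets the bar
        return None if any(s is None for s in skills) else max(skills)
    raise ValueError(f"unknown node kind {node.kind!r}")


def easiest_path(node: Node) -> List[str]:
    """Leaf steps on the lowest-skill route to `node` (empty if unreachable)."""
    if required_skill(node) is None:
        return []
    if node.kind == "leaf":
        return [node.name]
    if node.kind == "or":
        reachable = [c for c in node.children if required_skill(c) is not None]
        return easiest_path(min(reachable, key=required_skill))
    steps: List[str] = []
    for child in node.children:
        steps.extend(easiest_path(child))
    return steps


def mitigate(node: Node, leaf_name: str) -> bool:
    """Record that a control removes the named step; returns whether it was found."""
    if node.kind == "leaf":
        if node.name == leaf_name:
            node.mitigated = True
            return True
        return False
    return any([mitigate(c, leaf_name) for c in node.children])


def build_tree() -> Node:
    """Constructed tree for a hypothetical customer database; the names and
    skill levels are illustrative assumptions, not data from the page."""
    return any_of(
        "Read the customer database",
        all_of(
            "Exploit the web application",
            leaf("Find SQL injection in the search form", 2),
            leaf("Bypass the WAF", 3),
        ),
        all_of(
            "Log in as an administrator",
            any_of(
                "Obtain admin credentials",
                leaf("Phish an administrator", 2),
                leaf("Reuse a leaked password", 1),
            ),
            leaf("Connect to the admin VPN without MFA", 1),
        ),
        leaf("Steal a backup tape from the off-site store", 4),
    )


if __name__ == "__main__":
    tree = build_tree()
    print("required skill:", required_skill(tree), "via", easiest_path(tree))
    mitigate(tree, "Connect to the admin VPN without MFA")   # enforce MFA on the VPN
    print("after MFA:", required_skill(tree), "via", easiest_path(tree))
```

Run as written, the easiest route is a leaked password plus an MFA-less VPN (skill 1). Once MFA is enforced the cheapest remaining route is the web application (skill 3), and removing that too leaves only physical theft (skill 4). Re-running the calculation after each proposed control is a cheap way to check which control actually moves the attacker's required skill.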
Bad cyber security governance leads to poor and delayed cyber security risk decisions. Design decisions will often require you to balance security, usability and cost. Ensure there is no ambiguity about responsibilities: everyone involved in designing the system should be adequately qualified, with each role clearly defined. Have senior staff manage the critical parts of the system and assign the less critical parts to junior staff.

Make compromise difficult

This principle is about anticipating how an attacker might attack your system and preventing it. For example, check that all externally supplied data is safe, or make it safe: it might have been crafted to attack your system. Three approaches, in order of preference:
- Transformation: PDFs and other word-processing files are difficult to check for malicious code, so transform them into a safer format that discards any malicious content.
- Validation: check that the structure and content of data or files are as they should be, and reject anything that is not.
- Render safe: if neither of the above is possible, rendering the file in a disposable virtual environment may be the safest option.

Make disruption difficult

System downtime caused by an attack can be costly and hard for an organisation to recover from. To reduce the risk of disruption, system developers should:
- Ensure the system can withstand attacks and failures by incorporating standby systems, alternative pathways and regular data backups.
- Build systems that can be scaled to handle increased demand without downtime.
- Anticipate and mitigate potential bottlenecks, such as high-traffic periods or DDoS attacks. Tools like Netflix's Chaos Monkey deliberately inject failures so you can test that the system keeps running when components die. ("Chaos Monkey randomly terminates virtual machine instances and containers that run inside of your production environment.
Exposing engineers to failures more frequently incentivizes them to build resilient services")

Many organisations rely on third-party services such as telecommunications, hosting, authentication or administrative tools. Assess the impact their failure would have on your operations and develop contingency plans to minimise disruption.

Make compromise detection easier

Despite every precaution, there is always a risk that a system will be compromised by a new or unknown attack. To improve your chances of detecting such a breach, consider the following during development:
- Collect all relevant security events and logs. This not only helps identify the root cause of a failure but also makes it harder for an attacker to erase their tracks.
- Keep communication flows between system components as simple as possible. This helps security analysis and makes irregularities easier to spot. Configure monitoring tools to detect these anomalies and raise alerts automatically.
- Watch for compromised components trying to contact a command-and-control server.
- Keep your monitoring independent of the system being watched. That way, if the system is compromised, the attacker can neither disable the monitoring nor tell that you have already detected the breach.
- Make it harder for attackers to learn your security setup through external probing. If they cannot map your defences, they will have a harder time finding weak points.
- Get familiar with your system's normal behaviour: network load, storage use, transaction activity and so on. The better you understand how the system usually runs, the easier it is to spot unexpected behaviour.

Reduce the impact of compromise

Design your systems so that they naturally limit the damage a breach can cause. Start by implementing a zoned or segmented network.
This confines an attack to one area of the network and protects your most sensitive or valuable data. Next, strip out any unnecessary functionality: the more features a system has, the more opportunities attackers have to exploit it, and removing features you do not need both reduces risk and simplifies maintenance and monitoring. Avoid creating a "management bypass", where management communications have weaker security than the systems they oversee; such gaps give attackers an easier way in. Make system recovery straightforward by architecting systems so that, after a compromise, you can quickly restore them to a known-clean state.

When exporting data to reporting tools, anonymise it to reduce the risk of exposing sensitive information. Likewise, limit the use of data caches: they often lack the protection given to primary data storage and can be an easy target for attackers. Implement a data-fading policy that automatically purges cached data as soon as it is no longer needed.

Designing with these principles in mind significantly reduces the severity of an attack and makes recovery faster and more efficient.
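The transformation, validation and render-safe options under "Make compromise difficult" can be seen working together on a file upload. The example below is added for this page and is not NCSC or vendor code; the accepted types, the size limit and the sample image are constructed assumptions. It identifies content by its leading bytes instead of trusting the client's declared type, validates a PNG chunk by chunk (lengths, CRCs, IHDR first, IEND last), and then transforms it by rebuilding the file from critical chunks only, which discards the metadata chunks where smuggled content usually rides. PDFs are routed to an external converter and anything else to a disposable environment; neither of those is implemented here.

```python
import struct
import zlib
from typing import List, Optional, Tuple

# Leading bytes that identify each accepted type (assumed allowlist for this example).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024
# PNG chunks a decoder needs; everything else (tEXt, iCCP, eXIf, private chunks) is ancillary.
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def sniff(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes rather than trusting the client's claim."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def png_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Validation: walk the chunk structure and raise ValueError on anything malformed."""
    if not data.startswith(MAGIC["image/png"]):
        raise ValueError("bad PNG signature")
    pos, chunks = len(MAGIC["image/png"]), []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        chunks.append((ctype, body))
        pos += 12 + length
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("IHDR/IEND missing or out of place")
    if len(chunks[0][1]) != 13:
        raise ValueError("IHDR has the wrong length")
    return chunks


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk with a freshly computed CRC."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def transform_png(data: bytes) -> bytes:
    """Transformation: rebuild the image from its critical chunks only."""
    kept = [(t, b) for t, b in png_chunks(data) if t in CRITICAL]
    return MAGIC["image/png"] + b"".join(_chunk(t, b) for t, b in kept)


def process_upload(declared: str, data: bytes) -> Tuple[str, object]:
    """Route an upload: ('reject', reason), ('accept', cleaned_bytes),
    ('transform', None) or ('render-safe', None)."""
    if len(data) > MAX_BYTES:
        return ("reject", "too large")
    sniffed = sniff(data)
    if sniffed != declared:
        return ("reject", f"declared {declared} but content looks like {sniffed}")
    if declared == "image/png":
        try:
            return ("accept", transform_png(data))   # validated, then stripped
        except ValueError as exc:
            return ("reject", str(exc))
    if declared == "application/pdf":
        # Too complex to validate here: hand to an out-of-process converter
        # (for example rasterise to images). The converter is not part of this example.
        return ("transform", None)
    return ("render-safe", None)   # nothing better available: open only in a disposable VM


def sample_png(with_payload: bool) -> bytes:
    """Constructed 1x1 RGB PNG; optionally carries a tEXt chunk standing in for smuggled content."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    parts = [_chunk(b"IHDR", ihdr)]
    if with_payload:
        parts.append(_chunk(b"tEXt", b"Comment\x00<script>alert(1)</script>"))
    parts += [_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")), _chunk(b"IEND", b"")]
    return MAGIC["image/png"] + b"".join(parts)
```

Note the order of checks: the cheap size and type checks run before any parsing, so a mismatched or oversized upload never reaches the parser, and the parser itself rejects on the first structural problem rather than trying to repair it. Rebuilding the file from parsed chunks (rather than editing the original bytes) is what makes the transformation safe: nothing the parser did not understand is copied across.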
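Two of the detection practices under "Make compromise detection easier", watching for components calling out to a command-and-control server and knowing your system's normal behaviour, can be turned into simple monitoring logic. The example below is added for this page and is not NCSC code; the log lines, the log format, the per-host baseline and the thresholds are all constructed assumptions. A beaconing implant polls its server on a timer, so the gaps between its connections are unusually regular: the first check flags source/destination pairs whose interval coefficient of variation is small. The second compares each host's outbound volume against a baseline learned from known-good days and flags anything far above it.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed outbound-connection log lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges standing in for external hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:00:05 src=10.0.0.8 dst=198.51.100.2 bytes=1500
2024-05-01T10:00:10 src=10.0.0.8 dst=198.51.100.2 bytes=1500
2024-05-01T10:01:00 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:02:01 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:03:00 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:03:30 src=10.0.0.5 dst=198.51.100.9 bytes=5000000
2024-05-01T10:04:00 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:05:01 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:05:50 src=10.0.0.8 dst=198.51.100.2 bytes=1500
2024-05-01T10:06:00 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:06:10 src=10.0.0.8 dst=198.51.100.2 bytes=1500
2024-05-01T10:07:00 src=10.0.0.5 dst=203.0.113.7 bytes=512
2024-05-01T10:26:10 src=10.0.0.8 dst=198.51.100.2 bytes=1500
"""

# Assumed per-host baseline of outbound bytes for a window this size, learned
# from earlier known-good days: host -> (mean, standard deviation).
BASELINE = {"10.0.0.5": (20_000.0, 5_000.0), "10.0.0.8": (8_000.0, 2_000.0)}

LINE = re.compile(r"(\S+) src=(\S+) dst=(\S+) bytes=(\d+)")


def parse(log: str) -> List[Tuple[datetime, str, str, int]]:
    """Turn log text into (time, src, dst, bytes) events in time order."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])))
    return sorted(events)


def detect_beacons(events, min_events: int = 6, max_cv: float = 0.15) -> List[Dict]:
    """Flag src->dst pairs whose connection intervals are suspiciously regular.

    Human-driven traffic is bursty; an implant polling its C2 server on a timer
    produces near-constant gaps, so the coefficient of variation (stdev/mean)
    of the gaps is small.  Thresholds are assumptions to tune per environment."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return hits


def volume_outliers(events, baseline=BASELINE, z_threshold: float = 3.0) -> List[Dict]:
    """Flag hosts whose total outbound bytes sit far above their learned baseline."""
    totals = defaultdict(int)
    for _, src, _, nbytes in events:
        totals[src] += nbytes
    hits = []
    for host, total in totals.items():
        if host not in baseline:
            hits.append({"host": host, "bytes": total, "z": None})   # unknown host: review it
            continue
        mean, stdev = baseline[host]
        z = (total - mean) / stdev
        if z > z_threshold:
            hits.append({"host": host, "bytes": total, "z": round(z, 1)})
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in detect_beacons(evs) + volume_outliers(evs):
        print("ALERT", hit)
```

On the constructed log, 10.0.0.5 is flagged twice: its once-a-minute connections to 203.0.113.7 have an interval coefficient of variation near 0.01, and its 5 MB transfer to 198.51.100.9 puts it hundreds of standard deviations above its normal outbound volume. The irregular browsing from 10.0.0.8 trips neither check. Both checks depend on the baseline and the thresholds being learned from the system's own normal behaviour, which is exactly why the principle asks you to know what normal looks like.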
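The last two points under "Reduce the impact of compromise", anonymising data before it goes to reporting tools and fading cached data as soon as it is no longer needed, are small enough to show directly. The example below is added for this page and is not NCSC code; the cache lifetime, the export field policy and the sample rows are constructed assumptions. The cache deletes an entry the moment it is touched after expiry and also supports a periodic sweep, so stale copies of data do not linger in a store that is less protected than the primary one. The export keeps only allowlisted fields and replaces the account identifier with a keyed hash, so reports can still be joined per account without carrying the identifier itself, and fields not on the list (email, card number) never leave.

```python
import hashlib
import hmac
import time
from typing import Any, Callable, Dict, Iterable, List, Optional


class FadingCache:
    """Cache whose entries expire after a fixed lifetime and are purged rather than kept."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock                       # injectable so expiry can be tested
        self._entries: Dict[str, tuple] = {}     # key -> (expires_at, value)

    def put(self, key: str, value: Any) -> None:
        self._entries[key] = (self.clock() + self.ttl, value)

    def get(self, key: str) -> Optional[Any]:
        """Return the value, or None once it has faded; expired entries are deleted on touch."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if self.clock() >= expires_at:
            del self._entries[key]
            return None
        return value

    def purge(self) -> int:
        """Sweep out every expired entry (run this on a timer); returns how many were dropped."""
        now = self.clock()
        dead = [k for k, (exp, _) in self._entries.items() if now >= exp]
        for k in dead:
            del self._entries[k]
        return len(dead)

    def __len__(self) -> int:
        return len(self._entries)


# Assumed field policy for the reporting export: pseudonymise identifiers the report
# must join on, keep harmless values, and drop everything not listed.
EXPORT_POLICY = {"account_id": "pseudonymise", "amount": "keep", "country": "keep"}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same account maps to the same token in every report, but
    nobody without the key can turn the token back into the account."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_for_report(rows: Iterable[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    """Apply EXPORT_POLICY to each row; unlisted fields never reach the output."""
    out = []
    for row in rows:
        clean = {}
        for name, action in EXPORT_POLICY.items():
            if name not in row:
                continue
            clean[name] = pseudonym(str(row[name]), key) if action == "pseudonymise" else row[name]
        out.append(clean)
    return out


# Constructed sample rows for the example (not real customer data).
SAMPLE_ROWS = [
    {"account_id": "A-1001", "email": "alice@example.com", "card_number": "4111111111111111",
     "amount": 42.0, "country": "GB"},
    {"account_id": "A-1002", "email": "bob@example.com", "card_number": "5500000000000004",
     "amount": 7.5, "country": "IE"},
    {"account_id": "A-1001", "email": "alice@example.com", "card_number": "4111111111111111",
     "amount": 3.0, "country": "GB"},
]


if __name__ == "__main__":
    cache = FadingCache(ttl_seconds=30)
    cache.put("session:1", SAMPLE_ROWS[0])
    print("cached:", cache.get("session:1") is not None, "entries:", len(cache))
    for row in anonymise_for_report(SAMPLE_ROWS, key=b"rotate-me-per-report-run"):
        print(row)
```

Two design points matter here. The HMAC key is what separates pseudonymisation from a plain hash: a plain SHA-256 of an account number is trivially reversed by hashing every plausible account number, while the keyed version is only reversible by whoever holds the key, so the key must stay with the primary system and not travel with the report. Keep the fading policy in the cache itself rather than relying on callers to remember to delete: an attacker who reaches the cache finds only what is genuinely still in use.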