Domain Cheat Sheet - SkillCertPro


SKILLCERTPRO Domain Cheat Sheet

Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

About the exam:
- Need 5 years' experience for certification. Get the Associate if you have less than that.
- 3 hours
- 100-150 multiple choice questions
- 70% to pass
- All domains are 10-15% of the score

Domain 1: Security and Risk Management

Understand and apply concepts of confidentiality, integrity and availability

Definitions and examples

Confidentiality - Making sure the right people can access the material. Data must be classified so the administrators know exactly who should have access. Users must identify themselves, authenticate, and then be given authorization before having access. Contents must be encrypted or restricted for users who don't do the above.
- End-to-end symmetric encryption holds confidentiality because only users with a key can see the data
- File permissions only allow authorized users to view the contents

Integrity - Protected from changes
- Hashing
- Segregation of duties
- Approval checkpoints (SDLC)
- RSA (uses HMC)
- IPSec

Availability - Information is available to users when they need it
- Not vulnerable to DoS
- Has backups and redundancy to ensure no downtime

How do they relate to each other? CIA triad - you can't have maximum levels of everything.

Evaluate and apply security governance principles

English please? - These are just defined roles, and processes for each role, to make sure executive management is informed about the IT decisions being made. This makes sure that information is appropriately secured, communicated, documented, and budgeted for. It's like a questionnaire. Look at ISO 27000 to get requirements for which security frameworks you should implement. Think of security frameworks as blueprints and governance principles (ISO 27000 or TOGAF) as guides for how to draw blueprints.

Alignment of security function to business strategy, goals, mission, and objectives
- Have to analyze the cost of loss/theft of information, the cost to implement controls, and the benefit to the organization from certain controls.

Organizational processes (e.g., acquisitions, divestitures, governance committees)
- If the business changes at all, security needs to be involved in that change process. Apply frameworks to those processes.

Organizational roles and responsibilities
- Different job titles have to work with others and be aware of things. Each job has a checklist of things to be concerned about. Some positions will be responsible for risk on certain decisions.

Security control frameworks
- The blueprints for how security in the organization is done. Ex. if you are going to label an area on a blueprint as a "bedroom", it needs to meet certain requirements. Certain frameworks need to be applied to your organization based on what you contain.

Due care/due diligence
- Legal perspective. What would a "reasonable person" do in the same circumstance if they were being responsible?

Difference between process/architecture/framework/standard?
Process: A set of steps to accomplish a task.
Architecture: Specifies when and where to apply security controls. Describes interactions and roles.
Framework: A set of processes with implementation guidance.
Standard: A set of requirements, roles, and controls/frameworks to implement.

Determine compliance requirements

Governments are required to implement NIST 800-53. The private sector is required to implement COBIT. Many businesses end up implementing part of each framework to meet their business objectives. Organizations operate in environments where laws, regulations, and compliance requirements must be met. Want to handle people's credit cards? - must meet certain requirements and implement certain frameworks. Want to be a defence contractor? - Same as before.

Contractual, legal, industry standards, and regulatory requirements
- One example is that all federal agencies are required to adhere to FISMA. It gives a list of requirements because they handle mission information as well as PIV.

Privacy requirements
- MITRE has a good framework for dealing with privacy. You just need to identify what data you process and see if it applies in your TOGAF or other blueprint guidelines you are following.

Understand legal and regulatory issues that pertain to information security in a global context
- Cybercrimes and data breaches
- Licensing and intellectual property requirements
- Import/export controls
- Trans-border data flow
- Privacy

Difference between criminal law/common law/private law/civil law/federal law
Criminal Law: punished by jail, fine, or death.
Common Law: the jury makes the decision, then the judge decides the punishment.
Civil Law: a.k.a. Tort Law. Non-criminal. The injured party seeks to be 'made whole' through financial means, ex. money for pain and suffering.
Private Law: deals with relations between individuals and institutions. Part of civil law.
Federal Law: body of law consisting of a constitution, enacted laws, and the court decisions pertaining to them.

Understand, adhere to, and promote professional ethics
(ISC)² Code of Professional Ethics - be a nice boy or girl.
Organizational code of ethics - basically that anything you invent/design/consult on is for good. You do your due diligence.

Develop, document, and implement security policy, standards, procedures, and guidelines

Examples below
Policy: write a policy for people who use the lab at work. No USB allowed, need to take this training, etc.
Standards: FIPS 140-2 is a common cryptographic standard in the military. Must do certain things to have your device certified.
Procedure: you are tasked with the job of writing a procedure for analysing computers that may contain malware.
Guidelines: these are not mandatory and no penalties happen if they are not followed. Ex. I give guidelines for how to configure SMB shares at work since there are no SMB STIGs we must follow.

Identify, analyse, and prioritize Business Continuity (BC) requirements

Develop and document scope and plan
Business Impact Analysis (BIA) - process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. If a function went down, could the rest of the business function? Could customers still function? Could customers still purchase things?

Contribute to and enforce personnel security policies and procedures
Candidate screening and hiring - talk to references. Background check. Credit history. Criminal history. Education. Drug testing.
Employment agreements and policies - write policies that people can only use computers for work. NDA. Mandatory vacations.
Onboarding and termination processes - make sure people are given least privilege. Take away access, badge and account; change passwords.
Vendor, consultant, and contractor agreements and controls - your business has security requirements when doing business with them. If their code is in yours, they must develop securely. Their information systems that connect to yours must be hardened.
Compliance policy requirements - PCI is a policy that makes sure you follow various controls to deal with credit cards.
Privacy policy requirements - FISMA regulates people's PII and that it is appropriately controlled.

Understand and apply risk management concepts
Identify threats and vulnerabilities - NIST 800-30 defines threat sources. Microsoft also has a great threat model.
Risk assessment/analysis - find all vulnerabilities and flaws in scope. Prioritize them by the level of effort to fix and the amount of risk of not fixing them.

Risk response - If you face a risk, you can do one of the following things: avoid it, transfer it, mitigate it, or accept it.
Countermeasure selection and implementation - If a risk is identified, you need to consider accountability, reliability, dependencies, and CIA when implementing a countermeasure. Think of a solution to the problem and other supplemental controls to help fix it. Sometimes you won't be able to apply a patch to completely fix the problem, so you will need some supplemental fixes (band-aids).
Applicable types of controls (e.g., preventive, detective, corrective) - directive, deterrent, preventive, compensating, detective, corrective, recovery. A good plan usually contains most of the types of controls just listed. That is defence in depth.
Security Control Assessment (SCA)
Monitoring and measurement - make sure problems, vulnerabilities, and failures are monitored. Make sure metrics are recorded that document hours spent to fix and recover, and the cost from failure. For the network, get an IDS and a log server. Do bi-weekly analysis to determine information system failures and patterns.
Asset valuation - conduct software and hardware inventories regularly and automatically.
Reporting - document the baseline. Explain why something is a risk and how severe it is. Provide a fix, supplemental fixes, the level of effort to fix, and a mitigation for why this risk could potentially be accepted (if you think it should).
Continuous improvement - Six Sigma. Record metrics on your processes. Find bottlenecks. Eliminate bottlenecks.
Risk frameworks - below is a list of frameworks:
- ISACA
- ISO 31000
- ISO 2009
- NIST RMF Framework

Understand and apply threat modelling concepts and methodologies
Threat modelling methodologies - define the scope, applicable attack vectors, open vulnerabilities, risks, and countermeasures. Should result in architecture changes, remediation actions, and good data for a risk report.
Threat modelling concepts - same as above.

Apply risk-based management concepts to the supply chain
Risks associated with hardware, software, and services - look at past CVEs.
Third-party assessment and monitoring - the third-party solutions you use could have vulnerabilities or back doors.
Minimum security requirements - decide on requirements for your product. Those, and only those, things will be delivered. Very hard.
Service-level requirements - requirements for a service from the client viewpoint, defining detailed service level targets and mutual responsibilities.

Establish and maintain a security awareness, education, and training program
Methods and techniques to present awareness and training - you need to train people constantly in security awareness or it doesn't work. Always echo it. Disaster recovery is always way more expensive.
Periodic content reviews - make sure, as new responsibilities and processes arise, that we have security training in mind for them. Make sure we are aware of current threats.
Program effectiveness evaluation - track enforcement and enhancement of security initiatives. Periodic walkthroughs and quizzes to make sure people are staying up to date.

Domain 2: Asset Security

Identify and classify information and assets
Data classification - indicates the level of confidentiality, integrity, and availability protection that is required.
Levels:
- Confidential
- Private
- Sensitive
- Public
Asset classification -

Determine and maintain information and asset ownership
Primary information security roles include business or mission owners, data owners, system owners, custodians, and users. Each role has a different set of responsibilities in securing an organization's assets. There should be a plan in place to audit assets at least every year.

Protect privacy
Data owners - The data/information owner is a manager responsible for ensuring that specific data is protected. Data sensitivity labels and the frequency of data backup are things they decide. They focus on the data itself (electronic or paper format). Generally each line of business will have its own data owner. The data owner performs management duties, while custodians perform the hands-on protection of data.
Data processors - A data controller is someone who controls sensitive data; they own it. A data processor is someone that uses and reads it. An outsourced payroll company is an example of a data processor. Data processors manage payroll data, which is used to determine the amount to pay individual employees, on behalf of a data controller, such as an HR department.

Data remanence - Data that persists beyond noninvasive means to delete it. Though data remanence is sometimes used specifically to refer to residual data that persists on magnetic storage, remanence concerns go beyond just magnetic storage media.
Collection limitation - There should be limits to the collection of personal data. The subject must consent before this data is collected.

Ensure appropriate asset retention
Information stops being useful after a certain amount of time. Sensitive data should have a retention time on it. There may be regulations or legal reasons why an organization may have to keep information for a long time.

Determine data security controls
Understand data states - data is either at rest or in motion. Different controls apply to each.
Scoping and tailoring - scoping is deciding which standards will be carried out by the organization. Tailoring is customizing that standard towards the organization (like implementing supplemental controls).
Standards selection - pick from the following: PCI-DSS, OCTAVE, ISO 17799, COBIT, ITIL.
Data protection methods - network encryption, HDD and tape encryption, and transportation protection.

Establish information and asset handling requirements
Need to have classification and need-to-know before accessing information or assets. There should be solid justification for accessing these things.

Domain 3: Security Architecture and Engineering

Implement and manage engineering processes using secure design principles
Designing and managing secure computer systems breaks out into 4 layers: hardware, kernel and device drivers, operating system, applications. Perimeter defence is physical security. There should be multiple layers of defence at each component that needs to be protected.

Understand the fundamental concepts of security models
Access control and least privilege - Bell-LaPadula model
Complex environments - Lattice-based access control
Integrity - Biba model, Clark-Wilson
Conflict of interest - Chinese Wall model

Select controls based upon systems security requirements
NIST document for selecting controls: Generally a framework is used to categorize the information system or business, and then it will tell you which controls or standards are applicable.

Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
Access control - the ring model is used. Ring 3 is user, ring 0 is kernel.
Memory protection - prevents a program from affecting the integrity, availability, and confidentiality of another.
TPM - a processor at the hardware level that allows the computer to do cryptographic operations. With a TPM, you can do secure boot and full disk encryption.
Encryption - can provide confidentiality and integrity depending on the type of cryptography used.

Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
Client-based systems - when a user downloads content or has a vulnerable browser on a malicious website.
Server-based systems - clients attacking systems accepting connections/commands.
Database systems - data mining, polyinstantiation, inference and aggregation.
Cryptographic systems - weak IV, key size, key exchange, or symmetric encryption algorithm used. Good crypto is mathematically difficult.
Industrial Control Systems (ICS) - generic term that refers to anything from a thermostat to a chemical processing monitor.
Cloud-based systems - A company that stands up several servers for outsourcing. Pay them money to get the examples below:
- Infrastructure as a Service (IaaS): Linux server hosting
- Platform as a Service (PaaS): web service hosting
- Software as a Service (SaaS): web mail
Distributed systems - use lots of devices that aren't necessarily high performance. Think Docker swarm or Beowulf cluster.
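The models in the security-models list differ only in which direction of information flow they forbid, and the lattice is what makes "incomparable" labels possible. The following is an added example (not from the SkillCertPro sheet): it encodes a lattice of labels and enforces both the Bell-LaPadula and Biba rules over it. The sensitivity levels are the sheet's Domain 2 classification levels; the compartments, the integrity scale and the sample subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass

# Hierarchical sensitivity levels, least to most sensitive (from the sheet's Domain 2 list).
SENSITIVITY = ("Public", "Sensitive", "Private", "Confidential")
# Constructed integrity levels for Biba, least to most trustworthy.
INTEGRITY = ("Untrusted", "Reviewed", "Trusted")


@dataclass(frozen=True)
class Label:
    """A lattice label: a level on an ordered scale plus a set of compartments
    (need-to-know categories such as HR or Finance)."""
    level: str
    compartments: frozenset = frozenset()
    scale: tuple = SENSITIVITY

    def dominates(self, other: "Label") -> bool:
        """Partial order: self >= other iff its level is at least as high AND its
        compartments are a superset. Two labels can be incomparable, in which
        case neither dominates the other."""
        return (self.scale.index(self.level) >= self.scale.index(other.level)
                and self.compartments >= other.compartments)


def bell_lapadula(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality model.
    Simple security property: no read up  -> subject must dominate the object.
    *-property:               no write down -> object must dominate the subject."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Label, obj: Label, op: str) -> bool:
    """Integrity model: the dual of Bell-LaPadula over integrity levels.
    Simple integrity: no read down -> object must dominate the subject.
    *-integrity:      no write up  -> subject must dominate the object."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def decisions(model, subject: Label, obj: Label) -> dict:
    """Read and write decisions of one model for one subject/object pair."""
    return {op: model(subject, obj, op) for op in ("read", "write")}


def demo() -> dict:
    """Constructed scenarios showing each rule firing."""
    hr_clerk = Label("Sensitive", frozenset({"HR"}))
    payroll = Label("Confidential", frozenset({"HR"}))
    notice_board = Label("Public")
    finance_memo = Label("Sensitive", frozenset({"Finance"}))
    signer = Label("Trusted", scale=INTEGRITY)        # high-integrity process
    download = Label("Untrusted", scale=INTEGRITY)    # file of unknown origin
    return {
        # BLP: clerk may not read up into payroll, but may write up into it.
        "blp clerk->payroll": decisions(bell_lapadula, hr_clerk, payroll),
        # BLP: clerk may read the public board but not write down to it.
        "blp clerk->notice": decisions(bell_lapadula, hr_clerk, notice_board),
        # Lattice: HR and Finance compartments are incomparable, so nothing is allowed.
        "blp clerk->finance": decisions(bell_lapadula, hr_clerk, finance_memo),
        # Biba: a trusted process must not read untrusted input, but may write to it.
        "biba signer->download": decisions(biba, signer, download),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```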

Internet of Things (IoT) - embedded systems that do only a set few things. Smart TV, fridge, thermostat, etc. Often built on the Linux kernel, with libraries that allow basic functionality like ping, storing data, and querying APIs.

Assess and mitigate vulnerabilities in web-based systems
Types of code run in web browsers
Applets - small pieces of mobile code embedded in web browsers to display content. Executables that are run locally. Written in Java.
JavaScript - scripts that can be embedded in web pages to make your browser do certain things. Everyone uses JavaScript.
DOM/CSS - There are DOM/CSS vulnerabilities you have to watch out for. Attackers can inject their own code here.
ActiveX - same as applets but uses digital certificates instead of a sandbox like Java. Microsoft only.
Want to fix? Look at OWASP. See if your web app is vulnerable to any of these things. Scan it with OWASP ZAP. Update hosting software. Use secure libraries. Follow OWASP rules. Use a static analysis tool. Run OWASP ZAP on it. Update the web browser.
Types of vulns?
- Web hosting software vulns
- Hard coded credentials
- Improper permissions and redirects
- Bad authentication
- Bad session management
- Bad encryption
- SQL injection
- Cross site scripting (XSS)
- Cross site request forgery
- Local/remote file inclusion
- API information disclosure

Assess and mitigate vulnerabilities in mobile systems
Mobile devices are actually a real problem. Should manage them with a "mobile device manager" to push policies out. Can also remotely wipe them, and put full disk encryption on them.

Assess and mitigate vulnerabilities in embedded devices
Should see what track the device flows across the network. See if you can connect to any ports. See if they have any CVEs or a security program for their products.

Apply cryptography
OWASP CHEATSHEET LINK
Cryptographic life cycle (e.g., key management, algorithm selection)
Key management: how are you going to store all of your private/public keys? Are there backups? Who do you trust?
Algorithm selection: need to know if you need CIA? Speed? How much strength do you need?
Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
Symmetric: one key that encrypts and decrypts.
Asymmetric: each person has their own public and private key. Private decrypts, public encrypts.
Elliptic curves: a type of math model used to generate computationally difficult private/public key pairs.
Public Key Infrastructure (PKI) - leverages all three forms of encryption to provide and manage digital certificates. Users have confidentiality, integrity, non-repudiation.
Key management practices: Have a certificate authority for managing and signing certificates.
Digital signatures - uniquely represent who someone is.
Non-repudiation - can't deny that you did something.
Integrity (e.g., hashing) - proving that the data hasn't been altered.
Understand methods of cryptanalytic attacks - analyzing initialization vectors, key exchanges, symmetric encryption, etc. for weaknesses that could be exploited.
Digital Rights Management (DRM) - systematic approach for protecting digital rights.

Apply security principles to site and facility design
Need to know about physical security like: doors, locks, walls, fences, lights, guards, badges, gates, man traps, sensors, alarms, securely failing, emergency protocols.

Implement site and facility security controls
Wiring closets/intermediate distribution facilities
Server rooms/data centres - could need shielded racks, cabling, separation of equipment, locks, temperature monitors
Media storage facilities - encryption
Evidence storage - classification and access control
Restricted and work area security

Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
Environmental issues
Fire prevention, detection, and suppression - know which fire extinguishers put out different fires.

Domain 4: Communication and Network Security

Implement secure design principles in network architectures
Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
Layers:
7. Application - Google Chrome
6. Presentation - JPEG
5. Session - RPC
4. Transport - TCP/UDP
3. Network - IP addressing
2. Data Link - MAC address
1. Physical - electrical/optical current
Think of it like you are trying to send a package of cookies to someone else half way across the world.
Internet Protocol (IP) networking - DHCP on the LAN. The LAN connects to the WAN. ISPs route traffic.
Implications of multilayer protocols
Converged protocols - providing industrial controls, storage, voice, etc. via Ethernet (TCP/UDP).
Software-defined networks - separates a router's control plane from its data forwarding plane.
Wireless networks - WEP, WPA, WPA2. 802.11 is the wireless standard.
Many varieties of EAP:
- LEAP: Cisco-proprietary, very bad
- EAP-TLS: requires server/client certificates
- EAP-TTLS: allows passwords for client-side authentication
- PEAP: similar to EAP-TTLS, developed by Cisco and Microsoft
Firewalls - network segmentation
- Packet filter: no decisions. Set list of allow rules.
- Stateful: slower but more secure. Compares packets to previous ones.
- Proxy: acts as a middle man on the network. Does not give anything back if it doesn't meet the proxy rules.
- Application-layer proxy: makes decisions on things like HTTP, and layers 3 and 4.
VoIP - voice over IP
- RTP for streaming
- SRTP for secure communication

Secure network components
Operation of hardware
Transmission media - properly encrypt media
Network Access Control (NAC) devices - 802.1X is port-based network access control
Endpoint security - deep packet inspection. Email filtering.
Content-distribution networks - series of distributed caching servers to improve performance and lower latency. They find the closest servers to you and go.

Implement secure communication channels according to design
Figure out what type of security mechanisms are best for the scenarios you get on the test:
- Voice
- Multimedia collaboration
- Remote access
- Data communications
- Virtualized networks

Domain 5: Identity and Access Management (IAM)

Control physical and logical access to assets
Access is controlled by setting up rules and procedures for access. If you are going to use the object, there should only be one or two ways to get to it. You must confirm someone's identity by having them prove: something they know, something they have, or something they are.
- Information
- Systems
- Devices
- Facilities

Manage identification and authentication of people, devices, and services
Identity management implementation
Single/multi-factor authentication - in multi-factor authentication, you must provide two of three different forms of identity.
Accountability - being able to audit a system and demonstrate the actions of subjects.
Session management - providing the user some type of token that they use to acquire resources and identify themselves with. They don't need to re-authenticate every time they want to access something.
Registration and proofing of identity - when signing up for a service you may be asked for PII, personal questions about your past that would be difficult for others to figure out, and information that is unique to you like your email.
Federated Identity Management (FIM) - set up a trust relationship between two companies so they can share authentication information.
Credential management systems - keep passwords encrypted and safe from unauthorized access. Allow password services read permission to the hashes they need to authenticate someone's password.

Integrate identity as a third-party service
On-premise - generally most identification with information systems is on premise.
Cloud - Identity as a Service (IDaaS).
Federated - doing SSO at a much larger scale, across organizations.

Implement and manage authorization mechanisms
Role Based Access Control (RBAC) - define roles in your organization (nurse, janitor, IT, manager) and give them default permissions.
Rule-based access control - series of rules, restrictions, and filters for accessing objects.
Mandatory Access Control (MAC) - system-enforced based on a subject's clearance and an object's labels.
Discretionary Access Control (DAC) - users are given full control of objects they created or were given access to.
Attribute Based Access Control (ABAC) - "if" "then" access control. Lots of policies combined together.

Manage the identity and access provisioning lifecycle
User access review - users can slowly keep gaining privileges over time. Need to review them and take them away when they no longer need those roles/permissions/resources. This is authorization creep.
System account access review - something?
Provisioning and deprovisioning - need to have policies and guides in place to review people, give them permissions, and take them away after certain key events.

Definition of existing services: what is it used for? What does it provide?
Directory services - allow an admin to configure and manage how identification, authentication, authorization, and access control take place within the network and on individual systems.
Active Directory - A database that is a directory service. Allows user access control functionality and network resources, like some users can only view certain files, use the printer, etc.
LDAP - a protocol used to query the directory services database. This is how subjects and applications find out if they can AAA a user, because LDAP queries their database information.
Domain Controller - hosts Active Directory.
CA - users don't trust each other, but they do trust the certificate authority. The CA vouches for individuals' identities by using digital certificates.
Samba - directory services for Linux. Domain controller for Linux.
SSO - subject may authenticate once, then access multiple systems. Authentication, authorization, and accountability.
SAML - an XML standard that allows the exchange of authentication and authorization to be shared between security domains. Ex. your business uses Gmail and SAML. When a user goes to log in, they are directed to your SSO server, which has access and password rules. SAML is the request and response to/from the SSO server.
REST - Representational State Transfer. An approach that uses the HTTP protocol to access and manipulate text without keeping track of any data (or state). REST requests will elicit an HTML, XML, or JSON response. Example operations are GET, POST, PUT, DELETE.
SOAP - like REST but has security in mind. Outlines how web service information is exchanged. When requesting access, a SOAP body contains a SAML request or response inside of it.
JSON - JavaScript Object Notation is a lightweight data format.
OAuth - open standard for authorization (not authentication) to third parties. Like when you authenticate with Facebook, you can then authorize it to go off and manage your photos. Facebook could access your photos until you tell it not to anymore.
Kerberos - Authentication protocol. Works in a client/server model. SSO for a distributed environment. Symmetric key encryption that doesn't send any passwords over the network. Has a session key. Has a key distribution center that holds all users' keys. A challenge packet is sent to the user for their user name, and if they enter the password right, the challenge is decrypted. Session keys are created for each session created.
One time pad - can't be cracked. Requires a preshared key that is the same size or longer than the message being sent.
RADIUS - provides client/server authentication and audits remote users.
TACACS - basically the same as RADIUS but uses TCP. Seems more secure than RADIUS.
Biometrics - a way to authenticate a user. Won't match perfectly all the time, so if more restrictive there will be more false positives.
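The Kerberos entry above compresses the exchange into one sentence; the following added example (not from the SkillCertPro sheet) models it end to end: the KDC stores a long-term key per user derived from the password, the client sends only its name, and it proves the password by decrypting the KDC's reply, so the password never crosses the wire. The `seal`/`unseal` cipher is a toy HMAC-based construction standing in for the AES modes real Kerberos uses, and the realm, principal name and password are constructed.

```python
import hashlib
import hmac
import json
import os


def long_term_key(principal: str, password: str) -> bytes:
    """Kerberos-style string-to-key: the user's long-term key is derived from the
    password (PBKDF2 here, salted with the principal name). The KDC stores this
    key; the client recomputes it locally, so the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC-derived keystream plus an HMAC tag),
    a stand-in for the AES modes real Kerberos uses. Not for production."""
    ek = hmac.new(key, b"enc", "sha256").digest()
    mk = hmac.new(key, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    ek = hmac.new(key, b"enc", "sha256").digest()
    mk = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


class KDC:
    """Key Distribution Center: holds every user's long-term key plus its own
    ticket-granting key, and mints a fresh session key for every login."""

    def __init__(self, user_keys: dict):
        self.user_keys = user_keys          # principal -> long-term key
        self.tgs_key = os.urandom(32)       # never leaves the KDC

    def as_exchange(self, principal: str) -> tuple:
        """AS-REQ/AS-REP: the request carries only the user name. The reply holds a
        session key sealed under the user's long-term key (the 'challenge' that only
        the right password can open) plus a ticket sealed under the KDC's own key."""
        session_key = os.urandom(32)
        enc_part = seal(self.user_keys[principal],
                        json.dumps({"session": session_key.hex()}).encode())
        ticket = seal(self.tgs_key,
                      json.dumps({"principal": principal, "session": session_key.hex()}).encode())
        return enc_part, ticket

    def verify(self, ticket: bytes, authenticator: bytes) -> str:
        """Service side of a later request: open the ticket with the KDC key, then
        open the authenticator with the session key found inside the ticket."""
        t = json.loads(unseal(self.tgs_key, ticket))
        a = json.loads(unseal(bytes.fromhex(t["session"]), authenticator))
        if a["principal"] != t["principal"]:
            raise ValueError("authenticator does not match ticket")
        return t["principal"]


def client_login(kdc: KDC, principal: str, password: str) -> tuple:
    """Client side: send the name, receive the reply, recover the session key by
    decrypting with the locally derived key. A wrong password raises ValueError."""
    enc_part, ticket = kdc.as_exchange(principal)
    reply = json.loads(unseal(long_term_key(principal, password), enc_part))
    return bytes.fromhex(reply["session"]), ticket


def client_request(principal: str, session_key: bytes, ticket: bytes) -> tuple:
    """Build the (ticket, authenticator) pair the client presents to a service."""
    authenticator = seal(session_key, json.dumps({"principal": principal}).encode())
    return ticket, authenticator


# Constructed sample realm: one user whose key the KDC already holds.
USERS = {"alice@EXAMPLE.REALM": long_term_key("alice@EXAMPLE.REALM", "correct horse battery")}


def demo() -> dict:
    kdc = KDC(USERS)
    session_key, ticket = client_login(kdc, "alice@EXAMPLE.REALM", "correct horse battery")
    verified = kdc.verify(*client_request("alice@EXAMPLE.REALM", session_key, ticket))
    try:
        client_login(kdc, "alice@EXAMPLE.REALM", "wrong password")
        wrong = "accepted"
    except ValueError:
        wrong = "rejected"
    return {"verified_as": verified, "wrong_password": wrong}


if __name__ == "__main__":
    print(demo())
```

Because the reply can only be opened with the password-derived key, its strength is bounded by the password; real Kerberos also salts the key derivation and uses pre-authentication so that a KDC reply is not handed out to anyone who merely knows a user name.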

Domain 6: Security Assessment and Testing

Definitions
War dialing - technique to automatically scan a list of telephone numbers.
Pentesting methodology
- Planning
- Reconnaissance
- Scanning (enumeration)
- Vulnerability assessment
- Exploitation
- Reporting
Unit testing - low level: functions, procedures, or objects.
Installation testing - seeing if it installs and can run.
Integration testing - multiple components together. Say there is a unit test for the headlights and one for the turn signal. The integration test would be making sure they both work at the same time.
Regression testing - testing updates, modifications, or patches.
Acceptance testing - ensuring it meets standards and requirements.
Fuzzing - black-box testing that submits random, malformed data to see if it will crash.
Dynamic analysis - giving the program inputs to test all paths for bugs, weaknesses, vulnerabilities, etc.
Static analysis - analyzing the source for bugs, weaknesses, vulnerabilities, style, etc.
Risk = Threat x Vulnerability

Design and validate assessment, test, and audit strategies
Pentesting and active assessments. Once you create something, look for weaknesses or abuse cases.
Internal - usually done by checking logs, scanning the internal network with a vulnerability scanner, checking camera coverage, etc.
External - analyzing firewall rules, IDS/IPS, endpoint protection, fences, gates, etc.
Third-party - paying another organization to test your security for you.

Conduct security control testing
Vulnerability assessment - describes a ton of weaknesses in the system. Doesn't exploit anything.
Penetration testing - chaining together weaknesses
