2.0 Architecture and Design Flashcards
data are subject to the laws and governance structures of the nation where they are collected
Data Sovereignty
the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data
Data Loss Prevention
a way to create a fake but realistic version of your organizational data. The goal is to protect sensitive data while providing a functional substitute (for testing, training or display) when the real data is not needed
Data Masking
data that has reached a destination and is not being accessed or used
Data at rest
any data that is sent from one system to another
data in transit/motion
data that is actively being used: read, computed on or transformed by an application, typically held in RAM, CPU caches or registers rather than on disk
Data in processing (in use)
the process of de-identifying sensitive cardholder data by replacing it with a string of randomly generated characters called a “token.” Like encryption, tokenization renders the original data unreadable in the event of a breach, but the token has no mathematical relationship to the original value; the mapping is kept in a separate token vault
Tokenization
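The two cards above differ in one important way: masking is irreversible, while tokenization keeps a mapping in a vault so the original value can be recovered by an authorized system. The following is an added illustration, not part of the original deck; the PAN value is a constructed sample and the vault is an in-memory dictionary standing in for a real token service.

```python
import secrets

# Constructed sample in primary-account-number format (a well-known test number, not a real card).
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str, visible: int = 4, mask_char: str = "X") -> str:
    """Data masking: keep the format but hide every digit except the last `visible`.

    Nothing is stored that maps the masked value back, so it is irreversible.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < visible:
        raise ValueError("PAN too short to mask")
    return mask_char * (len(digits) - visible) + digits[-visible:]


class TokenVault:
    """Tokenization: replace the PAN with a random token and keep the mapping here.

    The token is drawn from a CSPRNG, not derived from the PAN, so a stolen copy
    of the tokenized data set is useless without the vault.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:          # same PAN -> same token, so it still works as a join key
            return self._pan_to_token[pan]
        while True:
            # Format-preserving token: same length, all digits, last four kept for display.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only systems allowed to talk to the vault can recover the PAN."""
        return self._token_to_pan[token]       # KeyError for an unknown token
```

In a real deployment the vault itself becomes the high-value target, so it sits in a separate, tightly controlled network segment and detokenization is audited.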
the process of intercepting and reviewing SSL-encrypted communication between the client and the server
SSL (Secure Sockets Layer) Inspection
a security mechanism that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network
TLS (Transport Layer Security) Inspection
a one-way function that transforms input of any length into a fixed-length value (a digest). The same input always produces the same digest, and it is computationally infeasible to recover the input from the digest
Hashing
an off-premises location where a company’s work can resume almost immediately after a disaster. Equipment, connectivity and current data are already in place, making it the fastest and most expensive recovery option
Hot Site
a backup facility that has the electrical and physical components of a computer facility (space, power, cooling) but no computer equipment in place. The cheapest option, but equipment must be delivered and data restored before work can resume, so it has the longest recovery time
Cold Site
a facility with some or all of the IT equipment (hardware and software) found in a typical primary data center, but without current data. After a disaster at the primary site, the organization restores its data and may install additional equipment before resuming operations
Warm Site
a controlled and safe environment for showing how attackers work and examining different types of threats
honeypot
bait files intended for attackers to access; no legitimate user needs them, so any access is a high-confidence alert
honeyfiles
a decoy network that contains one or more honeypots
honeynets
an attacker technique aimed at machine-learning-based malware detection: fabricated telemetry is fed to the detection system so that it learns to classify the attacker’s malware as benign
Fake Telemetry
a mechanism that protects users by intercepting DNS requests for known malicious or unwanted domains and returning a false, controlled IP address, so the connection goes to a monitored host instead of the attacker’s infrastructure
DNS Sinkholing
a type of cloud computing service that offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis.
IaaS (Infrastructure as a Service)
a cloud computing model that provides a platform for customers to develop, run and manage applications without building and maintaining the underlying infrastructure required to develop and launch an app
PaaS (Platform as a Service)
a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted
SaaS (Software as a Service)
describes a general category of services related to cloud computing and remote access. It recognizes the vast number of products, tools and technologies that are now delivered to users as a service over the internet
XaaS (Anything as a Service)
a decentralized computing infrastructure in which data, compute, storage and applications are located somewhere between the data source and the cloud
Fog Computing
an emerging computing paradigm covering networks and devices at or near the user. Data is processed close to where it is generated, enabling faster processing of larger volumes and real-time, action-led results
Edge Computing
a lightweight endpoint that connects remotely to a server-based computing environment where most applications, sensitive data and memory reside
Thin Client
packages of software that contain everything needed to run (application code, runtime, libraries, configuration), so they behave the same in any environment, from a private data center to the public cloud or a developer’s laptop. Unlike virtual machines, containers share the host operating system kernel, so the kernel’s isolation is the security boundary
Containers
an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network
Software Defined Networking
allows us to deploy next-generation firewalls, intrusion prevention, web application firewalls, and other security devices while at the same time being able to understand exactly what type of data is flowing between all of these systems
Software Defined Visibility
VM sprawl happens when an administrator can no longer effectively track, control and manage all the virtual machines on a network; avoidance means keeping an inventory, requiring approval for new VMs and decommissioning unused ones
Virtual Machine Sprawl Avoidance
protection that prevents a virtual machine from directly interacting with the host operating system
VM Escape Protection
converting input into a single canonical form (for example decoding URL encoding or Unicode equivalents) before it is validated, so the same value cannot slip past the checks in several different encodings
Normalization
prepared SQL code saved in the database so it can be reused over and over. The application calls it with parameters instead of building query text from user input, which keeps code separate from data and blocks SQL injection
Stored Procedure
process of taking something that would commonly be relatively easy to understand and make it very difficult to understand
Obfuscation
the processing takes place on the web server, which executes the tasks the user requests; input arriving from the client must still be validated here, because the client cannot be trusted
Server-Side Execution
the processing takes place on the user’s computer (for example in the browser); any check performed only on the client can be bypassed by the user
Client-Side Execution
when sensitive information is lost due to unintentional exposure
data exposure
nonprofit foundation dedicated to improving software security. It operates under an “open community” model, which means that anyone can participate in and contribute to related online chats, projects, and more
Open Web Application Security Project
a threat intelligence approach that automates the monitoring of information security controls, vulnerabilities, and other cyber threats to support organizational risk management decisions
Continuous Monitoring
lets you continuously test new code against criteria for functionality, security and performance. It is a vital way to screen out bugs, stop problems from reaching the main branch, and ensure that rollouts go as smoothly as possible
continuous validation
application developers may constantly be updating an application and perhaps even merging it into a central repository many times a day
continuous integration
a way to provide access to your network using credentials that someone already uses for a completely different service (an identity provider). This can be used for users on your local network, or for third parties such as partners or customers who need access to your resources
Federation
a review and confirmation of your organization’s security status by an independent reviewer
Attestation
a one-time password (OTP) algorithm that computes an HMAC over a shared secret and a counter that advances with every use; the server tracks the counter so each value is accepted only once (RFC 4226)
HOTP (HMAC-based One-Time Password)
a biometric feature based on the pattern of capillaries at the back of the eye. The pattern is relatively unique and rarely changes, making it a very good biometric factor for authentication
Retina
a biometric feature based on the colored ring at the front of the eye, which has distinctive textures and color patterns
Iris
a biometric feature where a vascular scanner images the blood vessels in an extremity such as a hand or arm and identifies a person by the unique layout of their veins
Veins
assessment of the way the body moves, usually by walking or running, from one place to another.
The purpose of this is to detect any abnormalities in locomotion.
Gait Analysis
how often the biometric system approves an unauthorized user based on their biometric values (an impostor is accepted)
False Acceptance Rate (FAR)
how often an authorized user is rejected: they put their finger on the fingerprint reader and get a red light instead of a green light
False Rejection Rate (FRR)
the point at which the system is tuned so that the false acceptance rate and the false rejection rate are equal; a lower crossover error rate indicates a more accurate biometric system
Crossover Error Rate (CER)
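Those three cards describe one trade-off: raising the match threshold lowers FAR and raises FRR, and the crossover is where the two curves meet. The following added example (not part of the deck) sweeps the threshold over constructed match scores for genuine users and impostors and locates the crossover; the score values are made up for illustration.

```python
# Constructed match scores (higher = closer match); a real system would collect thousands.
GENUINE = [58, 62, 66, 71, 75, 80, 85, 90, 95, 98]    # enrolled users matching themselves
IMPOSTOR = [10, 20, 30, 40, 50, 55, 60, 64, 68, 72]   # other people matching those templates


def far(impostor_scores, threshold) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """Sweep thresholds and return (threshold, CER) where |FAR - FRR| is smallest.

    CER is reported as the mean of the two rates at that threshold.
    """
    best = None
    for t in thresholds:
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def sweep(genuine_scores, impostor_scores, thresholds=range(0, 101, 10)):
    """(threshold, FAR, FRR) rows, useful for plotting the two curves."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]
```

Which side of the crossover you tune toward depends on the asset: a data-center door should accept a higher FRR to push FAR down, while a phone unlock usually favors convenience.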
something that’s in your brain, and only you happen to know what this particular value is
Something you know
usually a device or some type of system that is near where you happen to be. Something like a smart card
Something you have
physical characteristics tied to you as an individual, such as a fingerprint, iris or face
Something you are
a personal way that you do things; for example, the way you walk is unique to you
Something you exhibit
Name the triple A’s (AAA)
Authentication, Authorization, Accounting
if you lose one physical drive, the data (or the parity used to rebuild it) is stored across the other drives in the array.
What is this called?
RAID (Redundant Array of Independent Disks; originally Inexpensive Disks)
RAID type with no redundancy whatsoever, usually called striping without parity. Very good read and write performance, but losing any one drive loses all of the data
RAID 0
RAID type where all of the data on one physical drive is duplicated to a second physical drive (a mirror). If either drive is lost, all the information remains available on the other
RAID 1
striping with parity: pieces of each stripe are written to separate physical drives together with a parity block computed from them. The parity is rotated across all of the drives rather than kept on a single dedicated drive (that layout is RAID 4). If any one drive is lost, its contents are rebuilt from the remaining data and parity; losing two drives at once loses the array
RAID 5
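The rebuild the RAID 5 card describes works because parity is the XOR of the data chunks in a stripe, and XOR of the survivors recovers whatever is missing, data or parity alike. The added example below (not from the deck) simulates a four-drive array in memory with rotating parity and rebuilds a failed drive; the chunk size and the payload are constructed for illustration.

```python
def xor_bytes(*chunks: bytes) -> bytes:
    """XOR any number of equal-length byte strings."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, drives: int = 4, chunk: int = 4) -> list:
    """Stripe `data` across `drives` disks; each stripe holds drives-1 data chunks and one
    parity chunk, with the parity position rotating by stripe number (RAID 5, not RAID 4)."""
    stripe_bytes = (drives - 1) * chunk
    data += b"\x00" * ((-len(data)) % stripe_bytes)          # pad the final stripe
    disks = [[] for _ in range(drives)]
    for s in range(len(data) // stripe_bytes):
        base = s * stripe_bytes
        pieces = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(drives - 1)]
        parity = xor_bytes(*pieces)
        pdisk = s % drives                                     # rotating parity position
        it = iter(pieces)
        for d in range(drives):
            disks[d].append(parity if d == pdisk else next(it))
    return disks


def raid5_read(disks: list, length: int, failed: int = None) -> bytes:
    """Reassemble the data; if `failed` names a drive, rebuild every one of its chunks
    from the surviving chunks of the same stripe (disks[failed] may be None)."""
    drives = len(disks)
    alive = [d for d in range(drives) if d != failed]
    out = bytearray()
    for s in range(len(disks[alive[0]])):
        stripe = [None if d == failed else disks[d][s] for d in range(drives)]
        if failed is not None:
            stripe[failed] = xor_bytes(*(stripe[d] for d in alive))
        pdisk = s % drives
        for d in range(drives):
            if d != pdisk:                                     # skip the parity chunk
                out += stripe[d]
    return bytes(out[:length])


# Constructed payload: 25 bytes, so the last stripe is padded.
PAYLOAD = b"RAID parity demo payload!"
```

The simulation also shows the limit of the scheme: with two drives missing from a stripe there are two unknowns and one equation, which is why RAID 6 adds a second, independent parity.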
multiple physical links between a server and its storage (or network), so that if one path fails, traffic continues over another
Multipath
provides redundancy, and optionally more throughput, to a server by combining multiple network interface cards into one logical interface
NIC Teaming
a device that distributes electrical power from one input to the many outlets feeding the equipment in a rack; redundancy comes from feeding separate PDUs from separate power sources
Power Distribution Unit (PDU)
a dedicated, independent high-speed network that interconnects and delivers shared pools of storage devices to multiple servers
SAN (Storage Area Network)
a backup type in which every single file on the system is backed up
Full Backup
occurs after a full backup and backs up only the files that have changed since the last backup of any type (full or incremental). Small and fast to create, but a restore needs the full backup plus every incremental since, applied in order
Incremental Backup
starts from a full backup of everything on the system. Each subsequent differential backs up everything that has changed since the last full backup, so every day the backup gets bigger as more information changes. A restore needs only the full backup plus the most recent differential
Differential Backup
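The difference between the three cards above comes down to one question asked at backup time: changed since what? The added example below (not part of the deck) models a small file system with a constructed write history, produces both schedules from the same modification times, and restores from each; the file names and days are made up.

```python
# Constructed history: (day, file, version) means the file was written on that day.
WRITES = [
    (0, "a.txt", 1), (0, "b.txt", 1), (0, "c.txt", 1),
    (1, "a.txt", 2),
    (2, "b.txt", 2),
    (3, "a.txt", 3), (3, "c.txt", 2),
]


def state_on(day: int) -> dict:
    """Live file system at the end of `day`: file -> (version, mtime)."""
    fs = {}
    for d, f, v in WRITES:
        if d <= day:
            fs[f] = (v, d)
    return fs


def backup(day: int, since: int) -> dict:
    """Copy every file modified after `since` (the mtime / archive-bit rule).
    since=-1 copies everything, i.e. a full backup."""
    return {f: v for f, (v, mtime) in state_on(day).items() if mtime > since}


def schedule(last_day: int, kind: str) -> dict:
    """Day 0 is a full backup; later days are incremental or differential."""
    sets = {0: backup(0, -1)}
    for day in range(1, last_day + 1):
        since = day - 1 if kind == "incremental" else 0   # last backup vs last full
        sets[day] = backup(day, since)
    return sets


def restore(sets: dict, kind: str, target_day: int) -> dict:
    """Apply only the sets a restore needs, in order; returns file -> version."""
    if kind == "incremental":
        needed = [sets[d] for d in range(0, target_day + 1)]      # full + every incremental
    else:
        needed = [sets[0]] + ([sets[target_day]] if target_day > 0 else [])  # full + latest differential
    result = {}
    for s in needed:
        result.update(s)
    return result


def copied_after_full(sets: dict) -> int:
    """Total files copied by the daily backups after day 0 (a proxy for media and time)."""
    return sum(len(s) for d, s in sets.items() if d > 0)
```

The numbers make the trade-off concrete: incremental copies less each day but a restore depends on an unbroken chain of sets, so one corrupt or missing incremental breaks everything after it.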
the practice of periodically copying data from a primary storage device to a tape cartridge so the data can be recovered if there is a hard disk crash or failure
Tape Back up
dedicated file storage that enables multiple users and client devices to retrieve data from centralized disk capacity
NAS (Network Attached Storage)
a backup that is constantly accessible and updated throughout the day. It is performed over the network, usually to a third-party or cloud-based service, and usually over an encrypted channel
Online Backup
a backup written to local media (tape or disk) that is then disconnected. It is usually fast to perform, and because the media is offline it cannot be reached by ransomware or an attacker on the network, but it must be physically protected and is often transported to an offsite facility for disaster recovery purposes
Offline Backup
integrated circuits often sold off-the-shelf. They’re referred to as ‘field programmable’ because they provide customers the ability to reconfigure the hardware to meet specific use case requirements after the manufacturing process.
FPGA (Field Programmable Gate Array)
an automated software control system that monitors industrial control systems (ICS) and provides data insights to industrial supervisors about the condition of the entire operation
SCADA (Supervisory Control and Data Acquisition)
an OS that guarantees real-time applications a certain capability within a specified deadline. Designed for critical systems and timing-sensitive devices such as microcontrollers; processing-time requirements are measured in milliseconds or less
Real-Time OS (RTOS)
microchip with all the necessary electronic circuits and parts for a given system, such as a smartphone or wearable computer, on a single integrated circuit (IC)
System on Chip
are signals that occupy a narrow range of frequencies or that have a small fractional bandwidth
Narrowband
using a single frequency to communicate, very often over a single cable or fiber connection and usually with digital signaling. Since there is a single frequency, anything going over the link uses all of the bandwidth on that connection
Baseband
devices can transmit data over long distances by passing data through a mesh network of intermediate devices to reach more distant ones
typically used in low data rate applications that require long battery life and secure networking.
Zigbee
a device that plugs into the charging port on your phone, acting as a shield between the public charging station’s cord and your phone
USB Data Blocker
an enclosure that blocks electromagnetic fields, preventing wireless signals from entering or leaving
Faraday Cage
security measure that involves isolating a computer or network and preventing it from establishing an external connection
Airgap
triple-homed firewall, refers to a network architecture where a single firewall is used with three network interfaces. It provides additional protection from outside cyber attacks by adding a perimeter network to isolate or separate the internal network from the public-facing internet
Screened Subnet
cabling with adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic and physical) that permit the transmission of unencrypted information through an area of lesser classification or control
Protected cable distribution
rows of racks are arranged so that the IT equipment’s hot exhaust air, taken from the back of the servers, is collected into one aisle, allowing the rest of the data center to act as a large cold-air return plenum
Hot Aisle
rows of racks face the air conditioner output ducts; cold air is taken into the front of the servers
Cold Aisle
making a weak key or password more expensive to attack by running it through a hash or cipher many times (for example PBKDF2, bcrypt or scrypt). Every guess costs the attacker the same extra work, which slows brute-force attacks; adding random data is salting, not stretching
Key Stretching
a random value, unique to each user, that is combined with the password before hashing. Identical passwords then produce different hashes, and precomputed rainbow tables are useless
Salting
the process of mapping input of any length to a fixed-length value (a digest) with a one-way function; used to store passwords and to verify integrity
Hashing
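The three cards above are normally combined: hash the password, mix in a per-user salt, and stretch with many iterations. The added example below (not from the deck) does that with PBKDF2-HMAC-SHA256 from the Python standard library; the storage format string and the default iteration count are assumptions chosen for illustration, and the contrast function shows why a plain hash is not enough.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000      # assumed default; tune so one hash costs a few hundred ms on your server


def plain_hash(password: str) -> str:
    """What NOT to do: unsalted, unstretched. Equal passwords give equal digests,
    so one rainbow table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salt + stretch. Returns a self-describing record so the parameters can be rotated later."""
    salt = salt or os.urandom(16)                          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was created with fewer iterations than current policy."""
    return int(stored.split("$")[1]) < iterations
```

Storing the iteration count beside the hash is what makes stretching maintainable: as hardware gets faster you raise the policy, and each user’s record is upgraded at their next successful login.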
a method in cryptography by which cryptographic keys are exchanged between two parties
Key Exchange
is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller and more efficient cryptographic keys.
elliptic-curve cryptography
a property of a key exchange in which each session uses temporary (ephemeral) keys, so a unique session key is generated for every session a user initiates. Compromise of the server’s long-term private key therefore does not expose previously recorded sessions
perfect forward secrecy
a field of applied quantum physics closely related to quantum information processing and quantum teleportation.
Quantum communications
an area of computer science that uses the principles of quantum theory
Quantum Computing
to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks
Post-Quantum Cryptography
A cryptographic key that is generated for each execution of a key-establishment process and that meets other requirements of the key type
Ephemeral Key
record-keeping system that maintains participants’ identities in secure and (pseudo-)anonymous form, their respective cryptocurrency balances, and a record book of all the genuine transactions executed between network participants
Public Ledger
encrypt one bit or byte at a time: take the first byte of plaintext, combine it (usually XOR) with the next byte of a keystream, store the result and move on. A keystream must never be reused with the same key and nonce, or the two ciphertexts cancel out
Stream Cipher
encrypt a fixed-length block of information at a time: instead of a single byte, a block of bytes (usually 64 or 128 bits) is encrypted at once, and a mode of operation such as CBC or GCM links the blocks together
Block Cipher
encryption uses a single key to encrypt and decrypt
Symmetric
encryption uses a mathematically related pair of keys for encryption and decryption: a public key and a private key
asymmetric
an encryption method that features a small footprint and/or low computational complexity. It is aimed at expanding the applications of cryptography to constrained devices and its related international standardization and guidelines compilation are currently underway
Lightweight Cryptography
the practice of concealing messages or information within other, non-secret text or data; it hides that a message exists but does not by itself protect the content, so the payload should be encrypted first
Steganography
encryption in which computations can be performed directly on the ciphertext, and the decrypted result equals the same computation performed on the plaintext, so data can be processed by a party that never sees it
homomorphic encryption
a measure of how unpredictable a password or key is, expressed in bits; more entropy means more guesses an attacker must make
Entropy
a set of extensions that authenticate DNS responses with cryptographic digital signatures, so a resolver can verify that a record came from the zone owner and was not altered in transit
DNSSEC (Domain Name System Security Extensions)