2.0 - Architecture & Design Flashcards

1
Q

List 6 Examples of

Configuration Management

A
  • Network maps / diagrams
  • Device diagrams
  • Port maps
  • Baseline configurations
  • Standard naming conventions
  • IP schemas
2
Q

Define

Data Sovereignty

A
  • Laws associated with data depending on where it geographically resides
  • Data that resides in a country is subject to the laws of that country
  • Must comply with legal monitoring, court orders, etc.
3
Q

Define

GDPR

A
  • “General Data Protection Regulation”
  • A set of rules in the European Union
  • Among other things, it specifies that data collected on EU citizens must be stored in the EU
  • Extensive and complex
4
Q

Define

Ciphertext

A
  • Information that has been encrypted, in its encrypted form. The opposite of plaintext.
5
Q

Define

Confusion

A
  • The difference between a plaintext and its ciphertext is the amount of confusion
6
Q

Define

Diffusion

A
  • The difference between ciphertexts of plaintexts that are very similar
  • Ex., two plaintexts that are identical except for one character should each produce ciphertexts that are completely different. When they do, they have diffusion.
7
Q

How to protect data in-transit?

A
  • Network-based protection including firewalls, IPS
  • Transport encryption, such as TLS and IPsec
8
Q

How to protect data at-rest?

A
  • Disk encryption, database encryption, and file- or folder-level encryption
  • Access control lists, permission controls
9
Q

Define

Tokenization

A
  • Replacing sensitive data with a non-sensitive placeholder
  • Common with credit card processing, using a temporary token during payment that is only good for the one transaction.
  • If intercepted by an attacker, the attacker only gets the token and not the sensitive data that it represents.
  • The token is NOT a result of encryption or hashing. The original data and the token are not mathematically related.
10
Q

Define

IRM

A
  • “Information Rights Management”
  • Restrictions placed on a file or message to control how it is used
  • Can restrict functions on a document such as the ability to copy/paste, print, edit, screenshot, etc.
  • Can have different sets of rights for different users
11
Q

Define

DLP

A
  • A system that monitors for sensitive data leaving the network, to prevent it.
  • Can run on an endpoint, on the network, on the server, or cloud-based
  • Can block custom defined data strings, file types, specific contents, etc.
12
Q

Define

SSL

A
  • Secure Sockets Layer
  • Has been replaced by TLS, but TLS is still often referred to colloquially as SSL or as SSL/TLS
13
Q

How can SSL/TLS inspection be performed?

A
  • A device (usually a firewall) must sit in the middle of all secure information and act as a proxy.
  • Endpoint devices must have a CA certificate installed for the middle device
14
Q

What typically causes older hashes to be retired?

A
  • If it runs into collisions (different source data producing the same hash output)
15
Q

Define

API Injection

A
  • An attack where the attacker injects data into an API message
  • Often performed via an on-path attack or replay attack
  • (API stands for “Application Programming Interface”)
16
Q

How can an API be secured? (Four answers)

A
  • Authentication
  • Require secure protocols
  • Limit authorization; the API should not have access to more than it absolutely needs
  • Utilize a WAF to apply rules to API communication
17
Q

What does this stand for:

WAF

A
  • Web Application Firewall
18
Q

Define

Hot Site

A
  • An exact, or almost exact, replica of your primary site
  • Contains all necessary hardware, infrastructure, etc.
  • Has all data and applications synchronized in real-time from the primary site
  • Serves as an immediate failover if the primary site goes down
19
Q

Define

Cold Site

A
  • A failover location for when a primary site goes down
  • Does not keep any hardware or staffing on hand
  • Does not keep a live copy of data synchronized
  • Would take a significant amount of time to get running if the primary site went down.
20
Q

Define

Warm Site

A
  • A failover location that is not as equipped and ready as a hot site
  • May have all necessary equipment, but it may not be powered on and data sync may not be in real time
  • May take time to get brought online when needed
21
Q

Define

Honeynet

A
  • Multiple honeypots on a network
  • Can be used to observe multiple attackers, or see what an attack does between multiple devices
22
Q

Define

Honeyfiles

A
  • Bait for the honeynet / honeypot
  • Files that you want the attacker to try to get, such as a file named passwords.txt
  • An alert is triggered if the file is accessed, like a virtual bear trap
23
Q

Define

Fake Telemetry

A
  • Attackers send fake data to a machine learning system in order to make malware appear benign
  • Once the machine learning system is trained on the fake telemetry, it will not detect the malware
24
Q

Define

Sinkhole

A
  • A DNS server that hands out incorrect IP Addresses
  • If the DNS server hands out a non-routable address, then it’s a particular type of Sinkhole known as a Blackhole
  • Can be malicious, if used by an attacker for a DoS, or to redirect traffic to a malicious site
  • More often used for security purposes, to redirect known malicious domains to a benign IP address. It then collects info on devices that hit that benign IP address, since that identifies them as being infected.
25
Q

Define

HaaS

A
  • Hardware as a Service
  • Another, less common, name for IaaS
26
Q

Define

XaaS

A
  • Anything as a Service
  • A broad description of all cloud models
  • Usually describes services delivered over the Internet, not locally hosted or managed
  • Usually associated with flexible, pay-what-you-use, subscription-based pricing models with no up-front costs
  • Any IT function can be changed into such a service
27
Q

Define

MSSP

A
  • Managed Security Service Provider
  • A specialized type of MSP that focuses on security
  • Firewall management, patch management, security audits, emergency response, etc.
28
Q

List and Define

Cloud Deployment Models

A
  • Public - available to everyone on the Internet (though your own data is still private)
  • Community - several organizations share the same resources
  • Private - your own virtualized data center
  • Hybrid - a mix of public and private
29
Q

Define

Edge Computing

A
  • Typically used for IoT devices
  • The application processes its data on the actual device itself
  • Nothing is stored or processed in the cloud
  • E.g. You control a thermostat from an app on your phone, and the app communicates directly with that thermostat. The thermostat stores and processes data on its own device.
30
Q

Define

Fog Computing

A
  • A cloud that is close to your data.
  • Usually in reference to IoT
  • A distributed cloud architecture
  • Immediate and sensitive data can stay local, but some data and long-term analysis can be performed in the cloud
31
Q

Define

DaaS

A
  • Desktop as a Service
  • Usually for thin clients
  • A form of VDI (Virtual Desktop Infrastructure), but DaaS is specifically a cloud-based service
32
Q

Define

Monolithic application

A
  • A traditional application; large and does everything it needs within itself as a single application
  • The application contains all decision-making processes
  • User interface, logic, input and output are all in one application
33
Q

Define

Microservice Architecture

A
  • A newer architecture for applications where its various services are separated into distinct “microservices”
  • Each microservice is containerized, independent
  • The microservices communicate with each other through APIs
34
Q

What are the advantages of Microservice Architecture? (Four answers)

A
  • Scalable - can scale only the specific services that are needed
  • Resilient - outages are contained to the specific microservice that fails
  • Security and compliance - containment is built-in
  • Coding - simpler because each microservice is coded and updated independently.
35
Q

Define

Serverless Architecture

A
  • Applications are separated into individual, autonomous functions
  • No OS is needed; the app communicates directly with specialized processors
  • The processors are known as “stateless compute containers” - processors designed to respond to API requests
  • Since they are containerized, they can be scaled and removed as needed with little effort
36
Q

Define

FaaS

A
  • Function as a Service
  • Another name for Serverless Architecture provided as a cloud service
37
Q

Define

Transit Gateway

A
  • Connects multiple VPCs to each other, and connects users to VPCs
  • Essentially, a “cloud router”
  • Commonly, users connect to their VPCs by using a VPN connection to the Transit Gateway
38
Q

Define

Resource Policy

A
  • Policies for assigning permissions to cloud resources
  • Ex., restricting data or API resources to a list of users or IP addresses
39
Q

Define

Multisourcing

A
  • Deploying a cloud application to multiple cloud service providers for purposes of high availability
  • If one provider goes down, your application stays up
40
Q

Define

SIAM

A
  • Service Integration and Management
  • A management console that integrates multiple cloud service providers’ platforms into a single interface
  • Beneficial when multisourcing
  • Every cloud provider has different processes for managing, deploying, etc., and the SIAM streamlines the process
41
Q

Define

Infrastructure as code

A
  • Servers, networks, and applications described as code, so they can be deployed instantly without the need for configuration
  • An important part of cloud computing
42
Q

Define

SDN

A
  • Software Defined Networking
  • An approach to network management that enables programmatic configuration
  • Separates the control plane from the data plane
  • Changes can be made dynamically, on the fly, no hardware changes or reboots needed.
  • Centrally managed, open standards, vendor neutral
  • Makes networking more like cloud computing than traditional network management
43
Q

Define

SDV

A
  • Software Defined Visibility
  • Provides visibility and real-time metrics for traffic flows in cloud computing
  • Can include next-generation firewalls, web app firewalls, and a SIEM
  • Needs to be aware of encapsulated and encrypted data, microservices, etc.
44
Q

Define

VM Sprawl

A
  • The tendency for too many separate VMs to be running, since they are so easy to create
  • Becomes difficult to deprovision when documentation is poor. Which VM is related to which application?
45
Q

Define

VM Escape

A
  • An event or attack wherein a VM is able to interact with the host operating system or hardware, or other guest VMs
  • VMs are supposed to be isolated and this should never happen. They rarely happen and are major security problems.
46
Q

Define

Staging

A
  • The stage of application development after QA checks but before Production
  • The application is deployed to a production-like environment, perhaps working with a copy of production data
  • Performance, usability, and features are all tested
47
Q

Define

Secure Baselines

A
  • Defines an application’s security environment: what is required to secure and maintain the security of the app
  • All application instances must follow this baseline
  • Firewall settings required for it to work and still be secure; patch levels of the application and OS; etc.
48
Q

Define

Integrity Measurement

A
  • A procedure that confirms that an application and its production environment match the security baseline
  • Should be performed often, and errors should be immediately corrected
49
Q

Define

Scalability

A
  • The ability for application instance(s) to increase the workload in a given infrastructure
50
Q

Define

Elasticity

A
  • The ability for application instance(s) to increase and decrease available resources and instances as a workload changes
51
Q

Define

Orchestration

A
  • The automation of provisioning and deprovisioning
  • For application instances, servers, networks, switches, firewalls, and policies
  • The automation can follow defined rules such as workload, schedule, etc.
52
Q

Define

Deprovisioning

A
  • Removal of an application instance
  • When deprovisioning, all security policies must be reverted: firewall rules, etc.
53
Q

Define

Stored Procedures

A
  • When an application makes a database call, instead of sending the actual call (such as a SQL query), it only sends a “stored procedure.”
  • The stored procedure is pre-configured on the database server, and the server uses it to produce the actual database call / query.
  • This prevents a client from discovering the exact query, and potentially making any modifications to it.
  • To really be secure, a stored procedure must be used for every possible database call that an application can perform.
54
Q

Define

Dead Code

A
  • Code that exists in an application that performs some process but isn’t utilized
  • Often a result of copying / reusing code, and not removing unnecessary parts
  • All code is an opportunity for a security problem, so dead code should be removed
55
Q

Define

Code Obfuscation

A
  • A developer deliberately making code difficult for humans to read, even though it performs the same function as much simpler, readable code
  • Helps prevent the search for security holes by making it more difficult to figure out what the code is doing.
56
Q

Define

Normalization

A
  • Modifying the format of input to bring it into a standardized format
  • Ex., adding and/or removing typed characters from a phone number so it gets stored in the following format, regardless of how it was typed in: (800) 555-1234
57
Q

Define

Validation Points

A
  • Input validation can be performed either client-side, server-side, or both
  • Using both is ideal
  • If only using one, server-side is more secure because it prevents changes from being made after a client-side validation completes
  • Client-side validation may be faster since it doesn’t require waiting for a response from the server.
58
Q

Define

SDK

A
  • Software Development Kit
  • Third-party code to extend the functionality of a programming language or provide pre-programmed functions
  • Added by developers to their own code to speed up the process
  • A security risk since the code was written by someone else. Requires extensive testing.
59
Q

Define

Software Diversity

A
  • Systems and software that are functionally the same, but use different binaries
  • Makes them less susceptible to malware. It may infect one, but can’t infect all the others in the same way.
  • Accomplished by using varying compiler paths when producing the binary
60
Q

Define

CI

A
  • Continuous Integration
  • A process where code is constantly being written and worked on, merged into a central repository throughout the day
  • Requires the use of automated security checks to keep up with the constant changes
61
Q

Define

CD

A
  • Continuous Delivery
  • When the process of testing and releasing code / applications is automated.
  • Automated security checks are performed during testing process, and the application is deployed into production with the click of a button.
  • “Continuous Deployment,” also “CD,” is when it doesn’t even require human interaction to deploy into production, that is also automatic as long as security checks are passed.
62
Q

Define

Federation

A
  • Providing network access to users based on a third party’s authentication
  • The third party must have a trust relationship established
  • Ex., logging into a third-party site by using your Facebook or Google account
63
Q

Define

Attestation

A
  • Method of validating a device’s trusted identity.
  • Ex., to confirm a remote user is on their company-assigned laptop when they try to connect via VPN
  • Device provides a report to a verification server. Usually signed with the device’s TPM, and may include an IMEI or other unique hardware component identifier
64
Q

Define

TOTP

A
  • Time-based One-Time Password
  • Uses a secret key to generate codes based on the current time
  • Usually used for MFA
65
Q

Define

HOTP

A
  • HMAC-based One-Time Password algorithm
  • Single use passcode, usually used for MFA
  • Similar to TOTP, but each code is only used once and goes to the next code in sequence, rather than being time-based
66
Q

Define

Static Code

A
  • A code that never changes (at least not automatically).
  • Ex., a PIN, such as for an ATM
  • Traditional passwords are also examples of static codes
67
Q

Define

FAR

A
  • False Acceptance Rate
  • The likelihood that a biometric system will incorrectly approve an unauthorized user
  • A high rate means that the sensitivity must be increased
68
Q

Define

FRR

A
  • False Rejection Rate
  • The likelihood that a biometric system will incorrectly reject an authorized user
  • A high rate means that the sensitivity must be decreased
69
Q

Define

CER

A
  • Crossover Error Rate
  • Defines the overall accuracy of a biometric system
  • The rate at which FAR and FRR are equal
70
Q

Define

AAA

A
  • Authorization, Authentication, and Accounting
  • The “Triple-A Framework”
  • Identification (who are you: usually a username)
  • Authentication (prove you are who you say you are: password and other authentication factors)
  • Authorization (based on the last two, what access do you have)
  • Accounting (logging activity and resources used)
71
Q

List Examples of

Factors of Authentication

(Three answers)

A
  • Something you know (password)
  • Something you have (phone, TOTP generator)
  • Something you are (biometric)
72
Q

List Examples of

Attributes of Authentication

(Four answers)

A
  • Somewhere you are (IP address, GPS data)
  • Something you can do (handwriting, signature)
  • Something you exhibit (gait analysis, typing analysis)
  • Someone you know (Web of trust, digital signature)
73
Q

Define

Multipath I/O

A
  • A form of redundancy in network-based storage systems
  • Multiple network routes exist to get to the storage
  • Ex. Multiple Fibre Channel interfaces with multiple switches
74
Q

Define

Generator

A
  • Long-term power backup
  • Requires fuel
  • May be enough to power an entire building, or at least particular outlets marked as generator-powered
  • Takes a few minutes to start once power is lost; use a battery UPS for the interim.
75
Q

Define

PDU

A
  • Power Distribution Unit
  • Provides multiple power outlets, usually in a rack
  • Often networked and includes monitoring and control
  • Remotely manage power capacity and remotely enable/disable individual outlets
76
Q

Difference between NAS and SAN?

A
  • NAS is file-level access, SAN is block-level access
  • SAN acts similar to a local storage device
  • NAS requires overwriting an entire file if one part of it changes
77
Q

Define

Non-Persistence

A
  • The ability for applications (usually cloud) to be built and torn down continuously
  • Involves the ability to take snapshots, and revert or rollback to a known state
78
Q

Define

Restoration Order

A
  • The order that must be followed when restoring an application or data
  • Ex., a database may need to be started up before an application can be
  • Or, in backup, full backups and incremental backups must follow the correct restore order
79
Q

Define

Diversity

A
  • The use of different technologies, OSs, vendors, controls, cryptographic ciphers, and CAs
  • For the purpose of hardening security. Gives you options and makes you less prone to a single type of attack.
80
Q

Define

Embedded System

A
  • Hardware and software designed together for a specific function
  • Built with only one task in mind
  • Often running on a SoC
  • Ex. traffic light controllers; smart watches; medical devices
81
Q

Define

FPGA

A
  • Field Programmable Gate Array
  • An integrated circuit that can be configured and reconfigured after manufacturing
  • Common in embedded systems
  • An array of logic blocks that can be software-controlled, allowing a device to be reprogrammed without needing to replace hardware
  • Common in infrastructure, such as switches, firewalls, and routers.
82
Q

Define

SCADA

A
  • Supervisory Control and Data Acquisition System
  • System allowing a PC to control industrial equipment
  • Ex. for power generation systems, manufacturing, industrial devices, etc.
  • Networked, but only internally. Requires extensive segmentation with no external access.
83
Q

Define

ICS

A
  • Industrial Control System
  • Essentially, another name for SCADA
  • System allowing a PC to control industrial equipment
  • Networked, but only internally. Requires extensive segmentation with no external access.
84
Q

List examples of

Embedded Systems

A
  • IoT devices
  • SCADA / ICS Systems
  • Vehicle internal network and controls
  • HVAC
  • Drones
  • Printers, scanners, faxes
  • Surveillance systems
85
Q

Define

POTS

A
  • Plain Old Telephone Service
  • A new term for the same old, traditional, analog phone service
86
Q

Explain

RTOS

A
  • Real-Time Operating System
  • An OS with a deterministic processing schedule
  • Typically used in certain types of embedded systems
  • For systems that cannot wait for other processes, but must react immediately to live sensor data, and cannot be overridden
  • Ex. anti-lock brake systems, industrial equipment, military environments
  • Sensitive to security issues, as you must ensure the security does not interfere with or delay the process.
  • It’s also difficult to know what kind of security is in place and running on such a system.
87
Q

Define

IMSI

A
  • International Mobile Subscriber Identity
  • Often contained in a SIM card
  • Allows a mobile service provider to recognize the SIM card and add it to the cellular network
  • Provides authentication and contact information
88
Q

Define

Narrowband

A
  • The use of a narrow range of frequencies rather than the full broadband signal
  • Allows communication over a longer distance, and conserves frequency use
  • Often used by IoT devices and SCADA equipment, particularly those that must communicate over long distances
89
Q

Define

Baseband

A
  • The use of a single frequency to communicate, rather than a narrowband or broadband range
  • Usually done over a single cable connection.
  • Because it is a single frequency, the signal uses all bandwidth. Utilization is always either 0% or 100%.
  • Therefore it is half-duplex. Communication can be bidirectional, but not at the same time on the same wire.
90
Q

What standards exist for Baseband communication?

A
  • It is often over Ethernet, with the following standards:
  • 100BASE-TX
  • 1000BASE-TX
  • 10GBASE-T
  • The “BASE” in the Ethernet standard indicates baseband.
91
Q

Define

Zigbee

A
  • An Open Standard for IoT networking
  • An alternative to Wi-Fi and Bluetooth
  • Longer range than Bluetooth, less power consumption than Wi-Fi
  • All devices mesh together, to hop connections through each other to reach network infrastructure
92
Q

Define

IEEE 802.15.4 PAN

A
  • The IEEE designation for Zigbee
  • PAN indicates “Personal Area Network”
93
Q

What bands are used by Zigbee?

A
  • In the USA, it uses the ISM Band (Industrial, Scientific, and Medical)
  • 900 MHz and 2.4 GHz frequencies
94
Q

What are five common physical constraints of Embedded Systems?

A
  • They usually have very limited resources and features
  • Compute capability is very limited; therefore cryptographic capabilities are limited as well
  • Communication options are limited; networking requirements may be very specific
  • Power is a common constraint, as they are often in the field and may not have access to a main power source
  • Upgrade options are usually very limited or impossible
95
Q

What are five common security concerns for Embedded Systems?

A
  • Adding or changing cryptography functionality may not be possible
  • Ability to update / patch is usually very limited or not possible
  • Security features are often an after-thought
  • Authentication requirements may be non-existent, or very limited
  • Direct access to the OS and software is often very limited or impossible, thus security cannot be verified
96
Q

Define

Bollard

A
  • A post that is put in the middle or at the end of a road to keep vehicles off or out of a particular area
97
Q

Define

Duress alarm

A
  • An alarm that is triggered by a panic button or similar method
98
Q

Define

Industrial Camouflage

A
  • Concealing a secure facility in plain sight, blending it into the local environment and leaving it unmarked.
99
Q

Define

Robot Sentry

A
  • Self-explanatory, but yes, they apparently exist, and they are on the exam.
100
Q

Define

Two-Person Integrity

A
  • Method of guarding, where no single person has access to a physical asset
  • Requires two people to grant access, which minimizes exposure to an attack
101
Q

Two-Person Control

Is also known as?

A
  • Another term for Two-Person Integrity
102
Q

Define

Juice-Jacking

A
  • An attack on devices that use the same cable for both charging and transferring data (typically USB)
  • A malicious device appears as a power charging source, but while charging, it is actually communicating with your device
  • Either to steal data, or install malware
103
Q

Define

USB Data Blocker

A
  • A USB adapter cable that allows voltage but prevents any data transfer
  • i.e., your device can charge over this USB cable, but not communicate
  • Prevents juice-jacking
104
Q

How to prevent juice-jacking?

A
  • Only use your own power adapters
  • Use a USB Data Blocker
105
Q

What are two security concerns regarding Faraday Cages?

A
  • Not all signal types can be blocked
  • If access to mobile networks is restricted, then contingencies must be in place for emergency calls
106
Q

Define

Screened Subnet

A
  • Apparently, the new name for a DMZ, though no one has ever heard anyone use this term.
  • In reality, it’s just some bullshit that CompTIA is trying to invent to exert control.
  • To quote Mean Girls, “Stop trying to make ‘fetch’ happen. It’s NOT going to happen.”
107
Q

Define

PDS

A
  • Protected Distribution System
  • A physically secured cabled network.
  • Prevents cable taps
  • Prevents a physical DoS of cutting cables
108
Q

Define

Air Gap

A
  • A physical separation between networks
  • Whereas most network environments are shared, and may only have virtualized or software separation, air gaps provide complete physical separation.
109
Q

What types of specialized networks often require Air Gaps?

A
  • airplanes
  • nuclear plants
  • stock market networks
  • power systems/SCADA
110
Q

Define

Degaussing

A
  • The process of using a strong electromagnetic field to destroy data magnetically stored on a hard drive, rendering the drive unusable
  • Also destroys the drive configuration data, so not only is the drive unreadable, it can never be reused
111
Q

Define

Pulping

A
  • Placing shredded paper into a large tank to remove ink and break the paper down into pulp.
  • Creates recycled paper, and ensures information on the original paper is unrecoverable.
112
Q

List four beneficial functions of cryptography.

A
  • Confidentiality
  • Authentication / access control
  • Non-repudiation
  • Integrity
113
Q

Define

Cipher

A
  • The particular algorithm used to encrypt and/or decrypt
114
Q

Define

Cryptanalysis

A
  • The art of cracking encryption
  • Not just a job for the bad guys; researchers also work to find weaknesses in ciphers, as a flawed cipher is bad for everyone.
115
Q

Define

Key

A
  • The secret information that is added to a cipher in order to encrypt plaintext
  • Though ciphers are publicly known, the keys are secret
  • The key is then required to decrypt the ciphertext
  • Using larger keys, and/or multiple keys, increases the security of the cryptography
116
Q

Define

Key Stretching

A
  • The process of making a weak key stronger by performing multiple encryption processes with it
  • I.e., hashing a password, then hashing the hash of the password, and so on.
  • Makes brute force attacks more difficult, as the attack would require reversing each stage of the hashes
  • Adds security without needing a larger key.
117
Q

Key Strengthening is also known as?

A
  • Another term for Key Stretching
118
Q

Define

Lightweight Cryptography

A
  • New technology still in the process of development.
  • Method of cryptography that has lower demands on CPU and power.
  • Designed with IoT devices in mind.
119
Q

Define

Homomorphic Encryption

A
  • Typically, encrypted data must be decrypted, the function performed on it, and encryption re-applied to the result.
  • Homomorphic Encryption is the process of using and performing calculations on data while it remains in an encrypted state.
  • Allows data to remain securely stored in the cloud while still being utilized
  • Allows users to utilize the data without being able to view it.
120
Q

Explain

Symmetric Encryption

A
  • The same key is used to encrypt and decrypt
  • Faster, less overhead than asymmetric encryption
  • Does not scale well, and difficult to securely share the key
121
Q

Explain

Asymmetric Encryption

A
  • A public key is used to encrypt, and a private key is used to decrypt.
  • The keys are mathematically related, but the private key cannot be derived from the public key
  • Requires significant work from the CPU
122
Q

Explain

Symmetric key from asymmetric keys

A
  • You can combine your private key with a recipient’s public key to create a new, symmetric key
  • That recipient likewise combines their private key with your public key, and produces that same symmetric key
  • You now both have the same symmetric key, and can use symmetric encryption, without ever having to share your private keys or any symmetric key.
  • This process is used by the Diffie-Hellman key exchange
123
Q

Explain

ECC

A
  • Elliptic Curve Cryptography
  • Uses curves instead of numbers to generate asymmetric encryption keys
  • The keys are smaller than non-ECC encryption
  • Smaller storage and transmission requirements
  • Ideal for mobile and IoT devices
124
Q

Explain

Hashing

A
  • A way to represent data as a short string of text, serving as a digital signature of that data
  • A one-way trip, the data cannot be derived from the hash
  • May be used to verify a downloaded file
  • May be used to store passwords, so that your actual password is never stored in plaintext and can’t be derived
125
Q

Define

Perfect Forward Secrecy (PFS)

A
  • A method of web server encryption that uses a different private key for every TLS session
  • This way, if the private key is compromised, an attacker cannot decrypt all data for all sessions
  • Uses ephemeral Diffie-Hellman or ephemeral Elliptic-curve Diffie-Hellman
  • The browser must support PFS (most modern browsers do)
126
Q

Define

Steganography

A
  • Hiding information inside something else
  • From Greek for “concealed writing”
  • Not truly secure, but a form of “Security through obscurity”
  • May be hidden in an image, an audio file, within other network traffic, etc.
127
Q

Define

Covertext

A
  • In Steganography, the container image, document, or file for a hidden message.
128
Q

Explain

Quantum Computing

A
  • Computers based on quantum physics
  • An emerging technology
  • Uses qubits instead of bits; a qubit is a superposition of 1 and 0, holding any combination of both at the same time
  • Allows for searching, indexing, and simulating extremely quickly
  • Theoretically will be able to quickly brute force all traditional cryptography.
129
Q

Explain

Quantum Communication

A
  • If qubits are examined, they are changed. Therefore, you can be aware if your communication has been intercepted and observed.
  • Especially useful for distribution of encryption keys. Both sides can verify the key. If it was observed en route, then it will have changed and won’t match what was sent.
130
Q

Define

Stream Cipher

A
  • Encryption performed one bit or byte at a time.
  • High-speed, low demands on resources
  • Randomization is challenging, especially if multiple bytes are identical, so an IV is often added.
131
Q

Explain

Block cipher

A
  • Encrypts a fixed-length block of bytes at a time, often 64 or 128 bits in size
  • If the final block does not fit, padding is added
  • Each block is encrypted and decrypted separately
  • Different methods of encrypting blocks are referred to as “Modes of operation”
132
Q

List four modes of operation for block ciphers

A
  • Electronic codebook
  • Cipher Block Chaining
  • Counter Mode
  • Galois/Counter Mode
133
Q

Define

Electronic Codebook

A
  • A mode of Block Ciphering
  • Each block is encrypted with the same key; too simple for most use cases
134
Q

Define

Cipher Block Chaining

A
  • A mode of Block Ciphering
  • Each plaintext block is XORed with the previous ciphertext block before being encrypted
  • (the first block is XORed with an IV instead)
135
Q

Define

Counter Mode

A
  • A mode of Block Ciphering
  • Encrypts successive values of a counter, then XORs the plaintext with the encrypted counter values to create the ciphertext
136
Q

Define

Galois/Counter Mode

A
  • A mode of Block Ciphering that also applies authentication
  • Combines Counter Mode with Galois authentication
  • Very efficient at encrypting, and authenticates where the data came from
  • Commonly used in packetized data, wireless communication, IPsec communication, TLS
137
Q

List four practical applications of Blockchain technology

A
  • Payment processing
  • Digital identification
  • Supply chain monitoring
  • Digital voting
138
Q

Explain

OWASP

A
  • Open Web Application Security Project
  • International non-profit organization
  • Provides free materials to promote and support web application security