2.0 - Architecture & Design Flashcards
List 6 Examples of
Configuration Management
- Network maps / diagrams
- Device diagrams
- Port maps
- Baseline configurations
- Standard naming conventions
- IP schemas
Define
Data Sovereignty
- Laws associated with data depending on where it geographically resides
- Data that resides in a country is subject to the laws of that country
- Must comply with legal monitoring, court orders, etc.
Define
GDPR
- “General Data Protection Regulation”
- A set of rules in the European Union
• Among other things, it specifies that data collected on EU citizens must be stored in the EU
• Extensive and complex
Define
Ciphertext
• Information that has been encrypted, in its encrypted form. The opposite of plaintext.
Define
Confusion
• The difference between a plaintext and its ciphertext is the amount of confusion
Define
Diffusion
• The difference between ciphertexts of plaintexts that are very similar
• Ex., two plaintexts that are identical except for one character should each produce ciphertexts that are completely different. When they do, they have diffusion.
How to protect data in-transit?
- Network-based protection including firewalls, IPS
- Transport encryption, such as TLS and IPsec
How to protect data at-rest?
- Disk encryption, database encryption, and file- or folder-level encryption
- Access control lists, permission controls
Define
Tokenization
- Replacing sensitive data with a non-sensitive placeholder
- Common with credit card processing, using a temporary token during payment that is only good for the one transaction.
- If intercepted by an attacker, the attacker only gets the token and not the sensitive data that it represents.
- The token is NOT a result of encryption or hashing. The original data and the token are not mathematically related.
Define
IRM
- “Information Rights Management”
- Restrictions placed on a file or message to control how it is used
• Can restrict functions on a document such as ability to copy/paste, print, edit, screenshot, etc.
• Can have different sets of rights for different users
Define
DLP
- A system that monitors for sensitive data leaving the network, to prevent it.
- Can run on an endpoint, on the network, on the server, or cloud-based
- Can block custom defined data strings, file types, specific contents, etc.
Define
SSL
• Secure Socket Layer
• Has been replaced by TLS, but TLS is still often referred to colloquially as SSL or as SSL/TLS
How can SSL/TLS inspection be performed?
- A device (usually a firewall) must sit in the middle of all secure information and act as a proxy.
- Endpoint devices must have a CA certificate installed for the middle device
What typically causes older hashes to be retired?
• If it runs into collisions (different source data producing the same hash output)
Define
API Injection
- An attack where the attacker injects data into an API message
- Often performed via an on-path attack or replay attack
- (API stands for “Application Programming Interface”)
How can API be secured? (Four answers)
- Authentication
- Require secure protocols
- Limit authorization; the API should not have access to more than it absolutely needs
- Utilize a WAF to apply rules to API communication
What does this stand for:
WAF
• Web Application Firewall
Define
Hot Site
- An exact, or almost exact, replica of your primary site
- Contains all necessary hardware, infrastructure, etc.
- Has all data and applications synchronized in real-time from the primary site
- Serves as an immediate failover if the primary site goes down
Define
Cold Site
- A failover location for when a primary site goes down
- Does not keep any hardware or staffing on hand
- Does not keep a live copy of data synchronized
- Would take a significant amount of time to get running if the primary site went down.
Define
Warm Site
- A failover location that is not as equipped and ready as a hot site
- May have all necessary equipment, but it may not be powered on and data sync may not be in real time
- May take time to get brought online when needed
Define
Honeynet
• Multiple honeypots on a network
• Can be used to observe multiple attackers, or see what an attack does between multiple devices
Define
Honeyfiles
- Bait for the honeynet / honeypot
- Files that you want the attacker to try to get, such as a file named passwords.txt
- An alert is triggered if the file is accessed, like a virtual bear trap
Define
Fake Telemetry
• Attackers send fake data to a machine learning system in order to make malware appear benign
• Once the machine learning is trained on the fake telemetry, it will not detect the malware
Define
Sinkhole
- A DNS server that hands out incorrect IP Addresses
- If the DNS server hands out a non-routable address, then it’s a particular type of Sinkhole known as a Blackhole
- Can be malicious, if used by an attacker for a DoS, or to redirect traffic to a malicious site
- More often used for security purposes, to redirect known malicious domains to a benign IP address. It then collects info on devices that hit that benign IP address, since that identifies them as being infected.
Define
HaaS
- Hardware as a Service
- Another, less common, name for IaaS
Define
XaaS
- Anything as a Service
- A broad description of all cloud models
- Usually describes services delivered over the Internet, not locally hosted or managed
- Usually associated with a flexible, pay-what-you-use, subscription-based pricing model with no up-front costs
- Any IT function can be changed into such a service
Define
MSSP
- Managed Security Service Provider
- A specialized type of MSP that focuses on security
- Firewall management, patch management, security audits, emergency response, etc.
List and Define
Cloud Deployment Models
- Public - available to everyone on the Internet (though your own data is still private)
- Community - several organizations share the same resources
- Private - your own virtualized data center
- Hybrid - a mix of public and private
Define
Edge Computing
- Typically used in reference to IoT devices
- The application processes its data on the actual device itself
- Nothing is stored or processed in the cloud
- E.g. You control a thermostat from an app on your phone, and the app communicates directly with that thermostat. The thermostat stores and processes data on its own device.
Define
Fog Computing
- A cloud that is close to your data.
- Usually in reference to IoT
- A distributed cloud architecture
- Immediate and sensitive data can stay local, but some data and long-term analysis can be performed in the cloud
Define
DaaS
- Desktop as a Service
- Usually for thin clients
- A form of VDI (Virtual Desktop Infrastructure), but DaaS is specifically a cloud-based service
Define
Monolithic application
- A traditional application; large and does everything it needs within itself as a single application
- The application contains all decision-making processes
- User interface, logic, input and output are all in one application
Define
Microservice Architecture
- A newer architecture for applications where its various services are separated into distinct “microservices”
- Each microservice is containerized, independent
- The microservices communicate with each other through APIs
What are the advantages of Microservice Architecture? (Four answers)
- Scalable - can scale only the specific services that are needed
- Resilient - outages are contained to the specific microservice that fails
- Security and compliance - containment is built-in
- Coding - simpler because each microservice is coded and updated independently.
Define
Serverless Architecture
- Applications are separated into individual, autonomous functions
- No OS needed, the app communicates directly to specialized processors
- The processors are known as “stateless compute containers” - processors designed to respond to API requests
- Since they are containerized, they can be scaled and removed as needed with little effort
Define
FaaS
- Function as a Service
- Another name for Serverless Architecture provided as a cloud service
Define
Transit Gateway
- Connects multiple VPCs to each other, and connects users to VPCs
- Essentially, a “cloud router”
- Commonly, users connect to their VPCs by using a VPN connection to the Transit Gateway
Define
Resource Policy
- Policies for assigning permissions to cloud resources
- Ex., restricting data or API resources to a list of users or IP addresses
Define
Multisourcing
- Deploying a cloud application to multiple cloud service providers for purposes of high availability
- If one provider goes down, your application stays up
Define
SIAM
- Service Integration and Management
- A management console that integrates multiple cloud service providers' platforms into a single interface
- Beneficial when multisourcing
- Every cloud provider has different processes for managing, deploying, etc., and the SIAM streamlines the process
Define
Infrastructure as code
- Servers, networks, and applications described as code, so they can be deployed instantly without the need for configuration
- An important part of cloud computing
Define
SDN
- Software Defined Networking
- An approach to network management that enables programmatic configuration
- Separates control plane from data plane
- Changes can be made dynamically, on the fly, no hardware changes or reboots needed.
- Centrally managed, open standards, vendor neutral
- Makes networking more like cloud computing than traditional network management
Define
SDV
- Software Defined Visibility
- Provides visibility and real-time metrics to traffic flows in cloud computing
- Can include next-generation firewalls, web app firewalls, and a SIEM
- Needs to be aware of encapsulated and encrypted data, microservices, etc.
Define
VM Sprawl
- The tendency for too many separate VMs to be running, since they are so easy to create
- Becomes difficult to deprovision when documentation is poor. Which VM is related to which application?
Define
VM Escape
- An event or attack wherein a VM is able to interact with the host operating system or hardware, or other guest VMs
- VMs are supposed to be isolated and this should never happen. VM escapes rarely happen and are major security problems.
Define
Staging
- The stage of application development after QA checks but before Production
- The application is deployed to a production-like environment, perhaps working with a copy of production data
- Performance, usability, and features are all tested
Define
Secure Baselines
- Defines an application’s security environment: what is required to secure and maintain the security of the app
- All application instances must follow this baseline
- Firewall settings required for it to work and still be secure; patch levels of the application and OS; etc.
Define
Integrity Measurement
- A procedure that confirms that an application and its production environment match the security baseline
- Should be performed often, and errors should be immediately corrected
Define
Scalability
• The ability for application instance(s) to increase the workload in a given infrastructure
Define
Elasticity
• The ability for application instance(s) to increase and decrease available resources and instances as a workload changes
Define
Orchestration
- The automation of provisioning and deprovisioning
- For application instances, servers, networks, switches, firewalls, and policies
- The automation can follow defined rules such as workload, schedule, etc.
Define
Deprovisioning
- Removal of an application instance
- When deprovisioning, all security policies must be reverted: firewall rules, etc.
Define
Stored Procedures
- When an application makes a database call, instead of sending the actual call (such as a SQL query), it only sends a “stored procedure.”
- The stored procedure is pre-configured on the database server, and the server uses it to produce the actual database call / query.
- This prevents a client from discovering the exact query, and potentially making any modifications to it.
- To really be secure, a stored procedure must be used for every possible database call that an application can perform.
Define
Dead Code
- Code that exists in an application that performs some process but isn’t utilized
- Often a result of copying / reusing code, and not removing unnecessary parts
- All code is an opportunity for a security problem, so dead code should be removed
Define
Code Obfuscation
- A developer deliberately making code difficult for humans to read, even though it performs the same function as much simpler, readable code
- Helps prevent the search for security holes by making it more difficult to figure out what the code is doing.