2.1 - Enterprise Environment Security Concepts Flashcards
1
Q
Configuration management
A
- Challenges: Constantly changing
- Ex: Updates to OS, patches, application updates, network modifications, new application instances, etc.
2
Q
Documentation
A
- Must be modified and updated as part of configuration management
- Documentation should allow you to rebuild your entire application instance from the beginning with just your documentation
3
Q
Network diagram
A
- An example of a configuration management document
- Documents the physical wires and devices
- Can include physical data center layout (physical rack locations)
- Can show what devices are connected to each other
- May also want to include info about patch cable / panel locations (tracking the path a wire takes from beginning to end)
4
Q
Data Center
A
- Racks can be connected under the floor; you can document what’s on the inside of each rack
5
Q
Application Baseline
A
- Want to include firewall settings, patch levels, OS file versions, may require constant updates
- This is your baseline configuration (this needs to be documented)
- It can be verified through the documentation with an Integrity Measurement Check
6
Q
Integrity Measurement Check
A
- Verify that all details in documentation are running in applications (checks to see if your documentation aligns with application)
- If you find deviations, you need to understand how to correct them
- Should be performed often
7
Q
Standard Naming Conventions
A
- Need to be understood by everyone
- Ex: Asset tag, name of computer, location
- Clear labels
- Port labeling
- Standard user names / emails in servers
- Can label rack rows
8
Q
IP Schema
A
- Can include IP standardization
- Ex: standardize the number of subnets associated with an IP address range
- Helps avoid duplicate IP addressing
- Could have reserved addresses for IP gateways, printers, routers, other devices
9
Q
Protecting data difficulties
A
- Could be in many locations
- Ex: Storage drive, on the network, in a CPU
- Combine technologies with data for protection (Ex: encryption / security policies)
- Use permissions to control access
10
Q
Data Sovereignty
A
- Determines how data is protected in different areas
- Understand the laws regarding data depending on where the data geographically resides
11
Q
GDPR
A
- General Data Protection Regulation
- EU
- Data collected on EU citizens must be stored in the EU
- Extensive and complex, so you need to understand it if you’re planning to collect such data
- Many similarities in other countries
12
Q
Masking
A
- A way to protect data
- Obfuscate the original data to make it harder to read
- Ex: putting asterisks over a credit card number on a receipt (the full data could be stored on a server, but the physical copy would be masked)
- Ex: Can substitute numbers or use completely different information
- Essentially controlling view based on permissions
- Can be used to protect PII and sensitive data
13
Q
Encryption
A
- A way to protect data
- Original text vs ciphertext (before and after encryption)
- Allows you to go back and forth if you have the proper key and proper processing
- Encryption uses confusion, since the encrypted text is drastically different from the plain text
14
Q
Diffusion
A
- Related to encryption / data protection
- If you change one character in plain text, the resulting encryption will be dramatically different
- Difficult to tell it’s a similar plain text
15
Q
Data at-rest
A
- Data on a storage device
- Ex: hard drive, SSD, flash drive, etc.
16
Q
Securing large amounts of data at-rest
A
- Ex: Whole disk encryption, database encryption, file or folder level encryption
- Can assign permissions by users / groups of users to certain files etc.
17
Q
Data in-transit
A
- AKA data in motion
- Ex: data moving between switches, routers, all different devices
- Often allow / deny passage through network-based protection (Firewall / IPS)
18
Q
Network-based protections
A
- Ex: Firewall, IPS (intrusion prevention system)
- Can encrypt
- TLS (Transport Layer Security), which is the newer SSL, and IPsec (Internet Protocol Security) will encrypt data in transit
19
Q
Data in-use
A
- Data that is actively processing in memory
- Ex: System RAM, CPU registers, cache
- Almost always decrypted (b/c easier to perform calculations and actually use it)
- B/c it’s in memory and decrypted, it’s a very tempting place for hackers to focus their efforts
20
Q
Tokenization
A
- A way to protect data
- Take sensitive data and replace it with a non-sensitive placeholder
- Ex: replacing an SSN with random numbers
- Ex: common with credit card numbers and transactions
- Not the same thing as hashing or encryption (the original data and token aren’t mathematically related)
- No encryption overhead (computational overhead)
21
Q
Tokenization process
A
- User registers credit card on their phone ->
- Sent to a Remote Token Service Server ->
- Server sends back to phone a token ->
- Phone is used at store to buy something using NFC (near field communication) ->
- Information goes to the merchant’s payment processing server ->
- Goes to Remote Token Service Server ->
- This will confirm to the merchant’s server that the token is valid and it will be approved
22
Q
NFC
A
- Near field communication
- Ex: when you use your phone / watch to pay for something at a store
- Often an example of the tokenization process