Architecture And Design Flashcards
What are the three main goals of information security?
- Confidentiality
- Integrity
- Availability
_______ prevents unauthorized disclosure.
Confidentiality
_______ prevents unauthorized alteration.
Integrity
_______ ensures authorized access.
Availability
Security activities must be aligned with…
- Business Strategy
- Mission
- Goals
- Objectives
(T/F)?
True!
What kind of planning is required with the alignment of security activities?
- Strategic
- Tactical
- Operational
Security _______ provide templates for security activities.
Frameworks
COBIT, NIST, CSF, and ISO 27001/2 are examples of security frameworks (T/F)?
True!
Due _____ is taking reasonable steps to protect the interest of the organization.
Care
Due _______ ensures those steps are carried out.
Diligence
What four things carry out security governance?
- Policies
- Standards
- Procedures
- Guidelines
This Security Governance…
States high-level objectives and is a MANDATORY COMPLIANCE.
Policies
This Security Governance…
States detailed technical requirements and is a MANDATORY COMPLIANCE.
Standards
This Security Governance…
Provides step-by-step processes and is a MANDATORY COMPLIANCE.
Procedures
This Security Governance…
Offers advice and best practices and is an OPTIONAL COMPLIANCE.
Guidelines
Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark (T/F)?
True!
An organization would typically adopt a baseline standard wholesale (T/F)?
False!
- They would tailor a baseline to meet their specific security requirements instead.
What does the principle of defense-in-depth say?
Organizations should use a variety of overlapping security controls to prevent against the failure of a single control.
When designing overlapping controls, strive for _______ of vendors and control types.
Diversity
What are the three most common zones that firewall deployment topologies use?
- a trusted intranet
- an untrusted Internet
- demilitarized zone (DMZ)
- These networks are often created using a triple-homed firewall.
When managing security of a system, what operating system security principles do you have to keep in mind?
- Disable unnecessary services and applications.
- Close unneeded network ports.
- Disable default accounts and passwords.
- Apply all security patches.
When developing new systems, organizations move them through a four-stage process using different environments. What are they?
- Development - environments where developers create and modify the system.
- Test - environments where the system is tested. If flaws are discovered, it is returned to development.
- Staging - environments are where approved code is placed, awaiting release to production.
- Production - environments contain systems that are currently serving customer needs.
The _________ model of software development is fairly rigid, allowing the process to return only to the previous step.
Waterfall
The ________ model uses a more iterative approach:
- Determine Objectives
- Identify & resolve risks
- Development & Test
- Plan the next iteration
Spiral
Which approach uses a process that values:
- Individuals & Interactions INSTEAD of processes & tools.
- Working Software INSTEAD of Comprehensive Documentation.
- Customer Collaboration INSTEAD of Contract Negotiation.
- Responding To Change INSTEAD of following a plan.
Agile approach
In ______ environments many guest systems run on a single piece of hardware.
Virtualized
The hypervisor is responsible for separating resources used by different guests (T/F)?
True!
Type ___ hypervisors run directly on the “bare metal.”
1
Type ___ hypervisors run on a host operating system.
2
__________ virtualization virtualizes individual software apps instead of entire operating systems.
Application
When deploying services in the cloud, what THREE major cloud strategies can organizations choose from?
- Software-as-a-Service (SaaS)
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
This cloud storage…
Deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
SaaS
- Software-as-a-Service
This cloud storage…
Sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
IaaS
- Infrastructure-as-a-Service
This cloud storage…
Provides the customer with a managed environment to run their own software without concern for the underlying hardware.
PaaS
- Platform-as-a-Service
Cloud services may be built and/or purchased in several forms, what are they?
- Public Cloud
- Private Cloud
- Hybrid Cloud
- Community Cloud
What is a public cloud?
Providers sell services to many different customers and many customers may share the same physical hardware.
What is a Private Cloud?
Environments dedicate hardware to a single user.
What is a Hybrid Cloud?
Environments combine elements of public cloud but with access restricted to a specific set of customers.
What is a Community Cloud?
Environments use a model similar to the public cloud but with access restricted to a specific set of customers.
When managing the physical environment, you should be familiar with common power issues (T/F)?
True
Fires require the combination of _____, _____, and _____.
- Heat
- Oxygen
- Fuel
How many classes of fire are there?
- Class A
- Class B
- Class C
- Class D
What types of fires are in each class (A, B, C, and D)?
- Class A: Common combustible fires.
- Class B: Liquid fires.
- Class C: Electrical fires.
- Class D: Metal fires.
____ pipe fire suppression systems always contain water.
Wet
____ pipe systems only fill with water when activated.
Dry
______ systems fill the pipes at the first sign of fire detection.
Preaction
Mantraps use a set of double doors to restrict physical access to a facility (T/F)?
True!
What manages cooling by aligning data centers so that the front of one row of servers faces the front of the adjacent row (cold aisle) and the backs of servers also face each other (hot aisle)?
Hot and cold aisle
In this type of testing…
The people have full knowledge of the software.
White Box Test
In this type of testing…
The people have no knowledge.
Black Box Test
In this type of testing…
The people have partial knowledge.
Grey Box Test
What are the top 10 security vulnerabilities in web applications, according to OWASP?
- Injection attacks
- Broken authentication
- Sensitive data exposure
- XML external entities
- Broken access control
- Security misconfiguration
- Cross-site scripting
- Insecure deserialisation
- Using components with known vulnerabilities.
- Insufficient logging and monitoring.
In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation (T/F)?
True!
What is Input Validation?
Ensures that user input matches the expected pattern before using it in code.
What is an immutable system?
The environment in which an application runs, with no changes to the system. If the system must change, a new system is deployed for the application.
What is Baselining?
Involves making sure that systems meet a hardened baseline of software and configuration settings. This ensures that the application is running in a secure state.
Match the physical security controls with their use…
___ Used as a physical barrier
___ Used to open a door
___ Used to prevent overheating
___ Used to identify changes in thermal heat
A - Biometric Reader
B - Hot & Cold Aisles
C - Bollards
D - Infrared Detectors
C - Used as a physical barrier
A - Used to open a door
B - Used to prevent overheating
D - Used to identify changes in thermal heat