Architecture & Design Flashcards
Penalty Types
Criminal
Civil
Administrative
Private Regulations
Sources of Industry Standards
Vendors
Government Agencies
Independent/Consulting Agencies
Define Defense in Depth
Multiple layers of overlapping security controls
Security Control Types by Method
Technical
Administrative
Physical
Examples of Technical Controls
DLP Systems
NIDS/NIPS
Firewall
Examples of Administrative Controls
Background Investigations
NDAs
Security Training and Awareness
Examples of Physical Controls
Fences/Cages
Locks
Smart Cards
Mantraps
Video Surveillance
Bollards
Lighting
Signs
Vendor Diversity Issues
Lack of Innovation
Technical Inefficiencies
Security Training and Awareness Methods
Classroom
Orientation
Online
Vendor
Surveys
Reminders
Information Classification Factors
Sensitivity
Criticality
Military Classification System
Top Secret
Secret
Confidential
Unclassified
Business Classification
Highly Sensitive
Sensitive
Internal
Public
Compliance Obligations
Laws
Regulations
Standards
Password Factors
Complexity
Length
History
Minimum age
Expiration
Define Tailgating/Piggybacking
Unauthorized access to a facility by following another credentialed user when they enter
Security Zones
Intranet
Internet
DMZ
Extranets
Honeynets
Ad Hoc
MANET
WiFi Direct
Define Intranet
Company's internal network
Define Internet
Public external network
Define DMZ
Demilitarized Zone; typically an organization's public-facing assets, separated from internal assets for security purposes
Define Extranets
Shared networks between separate organizations
Define Honeynets
Decoy networks for gaining threat intelligence on attackers
Define Ad Hoc Networks
Temporary networks for specific usage
Private IP Address Ranges
10.0.0.1-10.255.255.255
172.16.0.1-172.31.255.255
192.168.0.1-192.168.255.255
Define Static NAT
Translate private to public IP addresses (or vice versa) on a one-to-one basis
Define Dynamic NAT
Translate private to public IP addresses (or vice versa) using a pool of multiple public and/or private addresses
Define PAT
Port Address Translation; allows multiple systems to share a single public IP address by mapping each connection to a different port
Convert 192.168.1.0/24 to Subnet Mask Notation
IP Address 192.168.1.0
Subnet Mask 255.255.255.0
Define SDN
Software Defined Networking
SDN Layers
Application Layer
Control Layer
Physical Layer
Database Encryption Types at Rest
HSM
TPM
SED
UEFI Features
Secure Boot
Remote Attestation
Hardware Root of Trust
Software Deployment Environments
Developer
Test
Staging
Production
Embedded Systems Benefits
Cost
Size
Manageability
ICS Types
SCADA
DCS
PLC
Define ICS
Industrial Control Systems
Define SCADA
Supervisory Control and Data Acquisition; remote monitoring, telemetry, and report back
Define DCS
Distributed Control Systems; process control
Define PLC
Programmable Logic Controller; specialized input/output for human interaction
Define IoT
Internet of Things; smart tech for general consumer goods
IoT Protection Methods
Firmware Updates
Security Wrappers
Segmentation
Air Gap
Application Firewalls
Define Air Gap
Networks with no external network connection
Development Methodologies
Waterfall
Spiral
Agile
Explain the Waterfall Model
Rigid step based process
Explain the Spiral Model
Phased approach; determine requirements and risks, then begin, develop, and test in repeated cycles
Explain the Agile Model
Flexible approach for external input integration
Software Capability Maturity Model
Initial
Repeatable
Defined
Managed
Optimizing
IDEAL Model
Initializing
Diagnosing
Establishing
Action
Learning
Purpose of Code Repositories
Store code
Coordination
Version Control
Code Reuse
Avoid Dead Code
Code Signing Process
Obtain Digital Certificate
Assign key to code
OS verifies hash of code with CA
Software Testing Types
Stress test
UAT
Regression Testing
Define Software Stress Testing
Testing using automated scripts for multiple and/or simultaneous input validation
Define UAT
User Acceptance Testing, also referred to as “Beta testing”
Define Regression Testing
Correctional bug fixes
Checking for accidental changes
Fagan Inspection Steps
Planning
Overview
Preparation
Meeting
Rework
Follow Up
Define Static Software Testing
Examine code for common errors without executing it
Define Dynamic Software Testing
Execute code with provided inputs
Define Fuzzing
Expose security problems by providing invalid, unexpected, or random data inputs
Fuzzing Input Methods
Developer supplied
Script Generation
Mutation testing
Code Execution Types
Interpreted
Compiled
Define Interpreted Code
Code executed as written
Define Compiled Code
Code compiled into an executable file
Types of Hypervisors
Type 1; “Bare Metal”
Type 2; OS
Virtual Machine Security Concerns
VM Sprawl
VM Escape
Cloud Computing Models
Private
Public
Hybrid
Public Cloud Services
SaaS
IaaS
PaaS
SaaS Vendor Responsibilities
Applications
OS
Hardware
Data Center
PaaS Vendor Responsibilities
OS
Hardware
Data Center
IaaS Vendor Responsibilities
Hardware
Data Center
Cloud Security Concerns
Encryption
Access Controls
Define CASB
Cloud Access Security Broker
CASB Types
Network Based; intercept (Forward/Reverse Proxy)
API Based; monitor
Define VDI
Virtual Desktop Infrastructure
Facility Types
Data Centers
Server Rooms
Media Storage
Wiring Closets
Operation Centers
Ideal Data Center Temperatures
64.4-86 F
Ideal Data Center Dew Point
41.9-50.0 F (40-60% humidity)
Explain the purpose of Hot and Cold Aisles
Air flow:
Cold air is taken in at the front of the servers
Hot air is exhausted at the back
Fire Necessary Ingredients
Heat
Fuel
Oxygen
Classes of Fire
A, B, C, D, K
A Fuel Type
Combustibles
B Fuel Type
Petroleum Based Products
C Fuel Type
Electrical
D Fuel Type
Metals
K Fuel Type
Grease, cooking oils
Installed Fire Fighting Equipment
Wet Pipe Systems
Dry Pipe Systems
Chemical Suppressants
Define EMI
Electromagnetic Interference
EMI Eavesdropping Prevention
Faraday Cage
Protective Distribution Systems (PDS)
Ethernet port locking devices
Encryption (may bog down infrastructure)
Security Control Types by Effect
Deterrent
Preventative
Detective
Corrective
Mobile Device Tracking Protections
Encryption
Asset Tracking
Cloud Elasticity Concerns
Confidentiality; sanitization of no longer used resources
Define MANET
Mobile Ad Hoc Network
Define API-based CASB
Application Programming Interface Cloud Access Security Broker;
out-of-band solution which improves network performance but reduces CASB response time
Common Non-Regulatory RMFs
NIST
CIS Controls
COBIT
FedRAMP
COPPA
Common Regulatory RMFs
Basel III
PCI-DSS
HIPAA
FISMA
GLBA
Define Basel III and Industry of Concern
International Financial Institutions
Define PCI-DSS and Industry of Concern
Payment Card Industry Data Security Standard; Credit Cards
Define HIPAA and Industry of Concern
Health Insurance Portability and Accountability Act; healthcare PHI
Define FISMA and Industry of Concern
Federal Information Security Modernization Act; Government and Disaster Relief
Define GLBA and Industry of Concern
Gramm-Leach-Bliley Act; United States Financial Institutions
Define FedRAMP and Industry of Concern
Federal Risk and Authorization Management Program; Cloud services across executive departments and agencies
Define COPPA and Industry of Concern
Children’s Online Privacy Protection Act; online privacy of children under 13 in the USA
Define CIS Controls and Industry of Concern
Center for Internet Security Controls; IoT security
Define NIST and Industry of Concern
National Institute of Standards and Technology; generic cyber security risk mitigation
Define COBIT and Industry of Concern
Control Objectives for Information and Related Technologies; business process related to technology and quality control of information
VM Escape Protection Methods
Regular Snapshots
Harden VM image (i.e. reduce attack surface)
Sandboxing
Key Management Best Practices
Encryption and Decryption of data should be distributed
Use secure keys to encrypt data of any kind
Encrypted data using old keys should be kept as is
Use multiple encryption standards
Steps to De-provisioning a Resource
Warning
Remove access/permissions
Backup
De-provision
VM Sprawl Protection Methods
VM image library
VM life cycle management tools
Limit VM creation permissions
Purpose of Automated Security Tools
Configuration validation using generated reports; they do not create, configure, or publish.
Purpose of RAID
Improve performance
Data redundancy
Run Time Code Benefits
Flexible OS support
Flexible web browsers support
Compiled Code Benefits
Faster performance
More secure
Vehicle Vulnerabilities
Bluetooth
Firmware
Security Tasks which can be Automated
Monitor network for breaches
Take immediate action to overcome breaches
Update security policies on multiple servers
Network Cabling Types
UTP (Shortest lengths and least resistant to EMI, $)
STP
Coaxial
Fiber Optic (Longest lengths and most resistant to EMI, $$$)
Virtual Machine Network Modes
NAT
NAT Network
Bridged Adapter
Internal Network
Host-Only Network
Explain VM NAT Mode
VM can communicate to the internet via the host
Each guest has its own separate network
Explain VM NAT Network Mode
VM can communicate to the internet and other VMs on host network
Explain VM Bridged Adapter Mode
VMs share the host's network adapter and participate directly in the host's network; DHCP is controlled by the host's network.
Explain VM Internal Network Mode
VMs can only communicate with each other
Explain VM Host-only Network Mode
VMs can only communicate with host and each other
Define Shadow IT
IT Projects managed outside of or without the knowledge of the IT department
Explain purpose of Secure Boot
Protect system and data from unauthorized access
Define a Supply Chain Assessment
Assess vendors' hardware and software supply chains for availability and risks
Define Scaling Out
Purchasing more machines to distribute the load
Purpose of User Security Training
Awareness
Management support
Perimeter Security Controls
Fence
Cage
Firewall
Border Router
IDS
IPS
Securing a Public Kiosk Methods
Antivirus
Cable lock
System hardening
Define Structured Programming
Provide optimal control over coherence, security, accuracy, and comprehensibility during SDLC
NoSQL Database Security Concerns
No Default authentication
No Default Access Controls
Most do not use encryption at rest or in transit
*Less susceptible to SQL injection
HIDS/HIPS Dependencies
Host system auditing capabilities
Security Devices which Perform Stateful Inspections
IPS, IDS
Define a Padded Cell
Transfers an attacker into a simulated, safe environment where no critical data is stored
Hotfix Patching Procedure
Apply and test in lab environment
Deploy to a subset of systems (e.g. a single department)
Deploy system-wide
Patch Management Tools
WSUS
Group Policy
Define DriveLock
Encrypts entire hard drive
BitLocker Encryption Components
C:\ volume
Master boot record
*External media will remain unencrypted (e.g. thumb drives)
Define Van Eck Phreaking
Collection of electronic emissions for eavesdropping
Types of Firewalls
Stateless packet filtering
Stateful Circuit-level (layer 5)
Application Level (layer 7)
Firewall Filter Dependencies
IP address
Port number
Application Level Gateway Features
OSI Layer 7
Stops and inspects each packet
Inspects encrypted packets
Examines entire content
Interfaces with other application layer protocols
Can filter based on user, group, and data
Slowest form of firewall
VPN Protocols
L2TP (employs IPsec)
PPP (uses PAP)
PPTP (uses CHAP)
L2F
Purpose of Parabolic, High Gain Antennae
Connect networks between buildings wirelessly
Define 802.16
IEEE standard implemented as WiMAX, used for metropolitan-area wireless networks
Define RAS
Remote Access Service; enables users to remotely dial in to a server
Virtualization Benefits
Server consolidation
Migrate systems between hardware
Increase utilization of hardware resources
Isolation of systems and applications
Disadvantages of Virtualization
Compromise of the host system or a hardware failure could affect multiple guest systems
VLAN Switch Benefits
Logical grouping of LANs
Simplify device moves
Control broadcast traffic and create collision domains based on logic
Control security
Load balance network traffic
VLAN Connection Methods
Routers
Layer 3 Switches
SDN Control Layer Function
Removes the individual control planes on networking devices and replaces them with a single centralized control plane
Purpose of a Virtual Switch
Facilitates communication between virtual machines by checking data packets before moving them to their destination
Virtual Network Key Facts
VMs support an unlimited number of VLANs
Multiple VLANs can be associated with a single network adapter
VLAN support depends on host configuration, OS, and hardware
Network access depends on the OS being a part of the network
Cloud Storage Features
Distributed resources acting as one federated, cooperative storage pool
High fault tolerance through redundancy and distribution of data
High durability through the creation of versioned copies
Define a Reciprocal Agreement
Contract between two organizations to share resources in the event of a disaster