Chapter 2 - Architecture and Design Flashcards
Configuration Management
The process of maintaining systems, such as computer hardware and software, in a desired state
Network Diagram
Documentation of physical wire and device
Device Diagram
Documentation of individual cabling
Baseline Configuration
A documented set of specifications for an information system; security and integrity
Standard Naming Conventions
A set of rules for choosing the character sequence to be used for identifiers which denote variables, types, functions, and other entities in source code and documentation
Internet Protocol (IP) Schema
A plan or model used for addressing for network devices and avoiding duplicated IP addressing
Data Sovereignty
The idea that a country or jurisdiction has the authority and right to govern and control the data generated within its borders
Data Loss Prevention (DLP)
The practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data
Data Masking
Data obfuscation is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel
Example: number on a receipt - Bank card: **687
Data Encryption
Encoding information into unreadable data
Data at Rest
Data on a storage device
Data in Transit/ Motion
Data transmitted over the network
Data in Use
Data actively processing in memory
Tokenization
Replacing sensitive data with a non-sensitive placeholder
Example: SSN 266-12-1112 is now 691-61-8539
Information Rights Management (IRM)
Control how data is used by specific people
Geographical Considerations
Legal implications, offsite backup, offsite recovery
Incident Response and Recovery Controls
The handling of how respond and recover from a disaster
Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) Inspection
Used to examine outgoing data that is using the SSL/ TLS protocols
Hashing
Representing data as a short string of text
Site Resiliency
A network or system’s ability to adapt and to protect data and services from disruptions and disasters by having a second data center
Hot Site
An exact replica of the original data center
Cold Site
No hardware, data, or people
Will take a long time to get back up and running
Warm Site
Just enough resources to get back up and running again
Honeypots
A computer security mechanism set to lure in attackers that attempts an unauthorized use of information systems
Honeyfiles
A fake file designed to detect attackers who are accessing and potentially removing data from your network
Honeynets
A network or group of honeypots set up with intentional vulnerabilities hosted on a decoy server to attract hackers
Fake Telemetry
An attacker sending malicious data that the machine thinks is benign or not malicious
DNS Sinkhole
A DNS that sends out incorrect IP addresses
Infrastructure as a Service (IaaS)
Model in which computing resources are supplied by a cloud services provider
Customer responsible for management and security
Customer NOT responsible for physical components, such as computers, networks, or physical security of datacenter
Customer has responsibility for software components running on the computing infrastructure such as operating systems, network controls, applications, or protecting data
Platform as a Service (PaaS)
Used for building, testing, and deploying applications
Used for creating application quickly without using managing underlying infrastructure
Cloud provider manages hardware and operating systems
Customer responsible for applications and data
Software as a Service (SaaS)
Hosted and managed by the cloud provider for the customer
Least amount of management by cloud customer
Cloud provider responsible for managing everything but data, devices, accounts, and identities
Anything as a Service (XaaS)
A broad description of all cloud models that use any combination of the cloud
Public Cloud Deployment Model
Available to everyone over the internet
Community Cloud Deployment Model
Several organizations share the same resources
Private Cloud Deployment Model
Your own virtualized data center
Hybrid Cloud Deployment Model
A mix of public and private
Cloud Service Provider
A third-party that offers a cloud computing platform, infrastructure, application, or storage services, usually for a fee
Managed Service Provider (MSP)
Used as information technology-related support for companies who lack the in-house resources needed to maintain their systems
Managed Security Service Provider (MSSP)
Provides outsourced monitoring and management of security devices and systems
On-premises
Applications are on local hardware and your servers are in your data center building
Off-premises
Servers are not in the building and are usually running in a specialized computing environment
Cloud Computing
The on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user
Fog Computing
Helps in filtering important information from the massive amount of data collected from the device and saves it in the cloud by sending the filtered data
Edge Computing
Helps devices to get faster results by processing the data simultaneously received from the devices
Thin Client
A simple computer that has been optimized for establishing a remote connection with a server-based computing environment
Containers
Portable digital compartments holding a bundle of application files in one runtime environment that live in the cloud
Microservices/ API
A style of application architecture where a collection of independent services communicate through lightweight APIs
Infrastructure as Code
Managing and provisioning of infrastructure through code instead of through manual processes
Software-defined Networking (SDN)
An approach to network management that enables dynamic, programmatically efficient network configuration
Software-defined Visibility (SDV)
A way to monitor and understand what the traffic flows are for application instances
Serverless Architecture
A way to build and run applications and services without having to manage an operating system
Function as a Service (FaaS)
Services Integration and Management (SIAM)
Approach to managing multiple suppliers of services and integrating them to provide a single business-facing IT organization
Resource Policies
System rules that specify resources and actions for a particular access feature
Transit Gateway
A network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks
Virtualization
Process of running many different operating systems on the same hardware
Virtual Machine (VM) Sprawl Avoidance
Having a formal process and detailed documentation by having information on every virtual object
VM Escape Protection
Updating software regularly by installing updates and patches the moment they are available
Development Stage
Establish by securing the environment, writing code, and testing in sandboxes
Test Stage
All pieces are put together and are used in functional tests to see if the application works
Staging Stage
A copy of the production data is being used for performance tests and usability features
Almost ready to roll out
Production Stage
Application is live and rolled out to the user community
Quality Assurance (QA) Stage
Verifies if features are working correctly and validates new functionality
Elasticity
Increase or decrease available resources as the workload changes
Scalability
Ability to increase the workload in a given infrastructure
Deprovisioning
Dismantling and removing an application instance
Code Reuse
Use old code to build new applications to save time - copy and paste
Dead Code
A section in the source code of a program which is executed but whose result is never used in any other computation
Server-side Validation
Checks occurring on the server to help protect against malicious users
Memory Management
Ways to dynamically allocate portions of memory to programs at their request, and free it for reuse when no longer needed
Open Web Application Security Project (OWASP)
Online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
Compiler
Computer program that translates computer code written in one programming language into another language
Automated Courses of Action
Predetermined/ predicted automated responses
Continuous Monitoring
Always checking for a particular event then responding
Continuous Validation
Automatically validate configuration of a change
Continuous Integration (CI)
Practice of merging all developers’ working copies to a shared mainline several times a day
Continuous Delivery (CD)
Automate testing process, release process, and deploying the application
Continuous Deployment
Automatically deploy to production with no manual checks
Provisioning
Process of preparing and equipping a network to allow it to provide new services to its users
Integrity Measurement
Check for a secure baseline and see if corrections need to be made
Normalization
Making sure data is correct and in the right format
Stored Procedures
A set of SQL statements that limit client interactions to secure data
Obfuscation/ Camouflage
Make something normally understandable very difficult to understand
Client-side Validation
End-user’s app makes the validation decisions
Third-party Libraries and SDKs
Extend the functionality of a programming language
Binary File
A file whose content is in a binary format consisting of a series of sequential bytes, each of which is eight bits in length
Software Diversity
Research field about the comprehension and engineering of diversity in the context of software
Version Control
The practice of tracking and managing changes to software code
Directory Services
A database for all of an organization’s usernames, passwords, computers, printers, and other devices
Federation
A technology that allows users to access multiple tools, apps, and domains with only one set of credentials
Attestation
Prove that the hardware is really yours
Authentication Method - Time-based One-time Password (TOTP)
Temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors
Authentication Method - HMAC-based One-time Password (HTOP)
Type of one-time password (OTP) that is generated using a keyed-hash message authentication code (HMAC) - shared secret key
Authentication Method - Short Message Service (SMS)
Provide username and password, phone receives an SMS, and the code is inputted into the login form
Authentication Method - Token Key
A key that is unique to a user’s session and is protected by an algorithm, which ensures servers can identify a token that has been tampered with and block it
Authentication Method - Static Codes
Authentication factors that don’t change
Example: PIN
Authentication Method - Authentication Applications
Application downloaded that provides pseudo-random token generators that are usually 6 digits
Authentication Method - Push Notifications
Provide username and password, app sends phone a notification, and the code is inputted into the login form
Authentication Method - Phone Call
A call providing authentication code
Biometric Factor - Fingerprint
Hold finger down on scanner
Biometric Factor - Retina
Unique capillary structure in the back of the eye
Biometric Factor - Iris
Texture and color
Biometric Factor - Facial
Shape of the face and features
Biometric Factor - Voice
Talking for access
Biometric Factor - Vein
Match the blood vessels visible from the surface of the skin
Biometric Factor - Gait Analysis
Unique measurements
Example: how a person walks
Efficacy Rates
A measurable result acquired in ideal or controlled conditions