Chapter 2 - Architecture and Design Flashcards
Configuration Management
The process of maintaining systems, such as computer hardware and software, in a desired state
Network Diagram
Documentation of physical wiring and devices
Device Diagram
Documentation of individual cabling
Baseline Configuration
A documented set of specifications for an information system, covering its security and integrity
Standard Naming Conventions
A set of rules for choosing the character sequence to be used for identifiers which denote variables, types, functions, and other entities in source code and documentation
Internet Protocol (IP) Schema
A plan or model used for addressing for network devices and avoiding duplicated IP addressing
Data Sovereignty
The idea that a country or jurisdiction has the authority and right to govern and control the data generated within its borders
Data Loss Prevention (DLP)
The practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data
Data Masking
Data obfuscation is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel
Example: number on a receipt - Bank card: **687
Data Encryption
Encoding information into unreadable data
Data at Rest
Data on a storage device
Data in Transit/ Motion
Data transmitted over the network
Data in Use
Data actively processing in memory
Tokenization
Replacing sensitive data with a non-sensitive placeholder
Example: SSN 266-12-1112 is now 691-61-8539
Information Rights Management (IRM)
Control how data is used by specific people
Geographical Considerations
Legal implications, offsite backup, offsite recovery
Incident Response and Recovery Controls
The handling of how to respond to and recover from a disaster
Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) Inspection
Used to examine outgoing data that is using the SSL/ TLS protocols
Hashing
Representing data as a short string of text
Site Resiliency
A network or system’s ability to adapt and to protect data and services from disruptions and disasters by having a second data center
Hot Site
An exact replica of the original data center
Cold Site
No hardware, data, or people
Will take a long time to get back up and running
Warm Site
Just enough resources to get back up and running again
Honeypots
A computer security mechanism set to lure in attackers attempting unauthorized use of information systems
Honeyfiles
A fake file designed to detect attackers who are accessing and potentially removing data from your network
Honeynets
A network or group of honeypots set up with intentional vulnerabilities hosted on a decoy server to attract hackers
Fake Telemetry
An attacker sending malicious data that the machine thinks is benign or not malicious
DNS Sinkhole
A DNS server that sends out incorrect IP addresses
Infrastructure as a Service (IaaS)
Model in which computing resources are supplied by a cloud services provider
Customer responsible for management and security
Customer NOT responsible for physical components, such as computers, networks, or physical security of datacenter
Customer has responsibility for software components running on the computing infrastructure such as operating systems, network controls, applications, or protecting data
Platform as a Service (PaaS)
Used for building, testing, and deploying applications
Used for creating applications quickly without managing the underlying infrastructure
Cloud provider manages hardware and operating systems
Customer responsible for applications and data
Software as a Service (SaaS)
Hosted and managed by the cloud provider for the customer
Least amount of management by cloud customer
Cloud provider responsible for managing everything but data, devices, accounts, and identities
Anything as a Service (XaaS)
A broad term covering any combination of the cloud service models
Public Cloud Deployment Model
Available to everyone over the internet
Community Cloud Deployment Model
Several organizations share the same resources
Private Cloud Deployment Model
Your own virtualized data center
Hybrid Cloud Deployment Model
A mix of public and private
Cloud Service Provider
A third-party that offers a cloud computing platform, infrastructure, application, or storage services, usually for a fee
Managed Service Provider (MSP)
Provides information technology-related support for companies that lack the in-house resources needed to maintain their systems
Managed Security Service Provider (MSSP)
Provides outsourced monitoring and management of security devices and systems
On-premises
Applications are on local hardware and your servers are in your data center building
Off-premises
Servers are not in the building and are usually running in a specialized computing environment
Cloud Computing
The on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user
Fog Computing
Filters the important information out of the massive amount of data collected from devices and sends only the filtered data to the cloud for storage
Edge Computing
Helps devices get faster results by processing data as it is received from the devices, close to the source
Thin Client
A simple computer that has been optimized for establishing a remote connection with a server-based computing environment
Containers
Portable digital compartments holding a bundle of application files in one runtime environment that live in the cloud
Microservices/ API
A style of application architecture where a collection of independent services communicate through lightweight APIs
Infrastructure as Code
Managing and provisioning of infrastructure through code instead of through manual processes
Software-defined Networking (SDN)
An approach to network management that enables dynamic, programmatically efficient network configuration
Software-defined Visibility (SDV)
A way to monitor and understand what the traffic flows are for application instances
Serverless Architecture
A way to build and run applications and services without having to manage an operating system
Function as a Service (FaaS)
Services Integration and Management (SIAM)
Approach to managing multiple suppliers of services and integrating them to provide a single business-facing IT organization
Resource Policies
System rules that specify resources and actions for a particular access feature
Transit Gateway
A network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks
Virtualization
Process of running many different operating systems on the same hardware
Virtual Machine (VM) Sprawl Avoidance
Having a formal process and detailed documentation that records information on every virtual object
VM Escape Protection
Updating software regularly by installing updates and patches the moment they are available
Development Stage
Secure the environment, write code, and test in sandboxes
Test Stage
All pieces are put together and are used in functional tests to see if the application works
Staging Stage
A copy of the production data is used for performance and usability tests
Almost ready to roll out
Production Stage
Application is live and rolled out to the user community
Quality Assurance (QA) Stage
Verifies if features are working correctly and validates new functionality
Elasticity
Increase or decrease available resources as the workload changes
Scalability
Ability to increase the workload in a given infrastructure
Deprovisioning
Dismantling and removing an application instance
Code Reuse
Use old code to build new applications to save time - copy and paste
Dead Code
A section in the source code of a program which is executed but whose result is never used in any other computation
Server-side Validation
Checks occurring on the server to help protect against malicious users
Memory Management
Ways to dynamically allocate portions of memory to programs at their request, and free it for reuse when no longer needed
Open Web Application Security Project (OWASP)
Online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
Compiler
Computer program that translates computer code written in one programming language into another language
Automated Courses of Action
Predetermined/ predicted automated responses
Continuous Monitoring
Always checking for a particular event and then responding
Continuous Validation
Automatically validate the configuration of a change
Continuous Integration (CI)
Practice of merging all developers’ working copies to a shared mainline several times a day
Continuous Delivery (CD)
Automate testing process, release process, and deploying the application
Continuous Deployment
Automatically deploy to production with no manual checks
Provisioning
Process of preparing and equipping a network to allow it to provide new services to its users
Integrity Measurement
Check for a secure baseline and see if corrections need to be made
Normalization
Making sure data is correct and in the right format
Stored Procedures
A set of SQL statements that limit client interactions to secure data
Obfuscation/ Camouflage
Make something normally understandable very difficult to understand
Client-side Validation
End-user’s app makes the validation decisions
Third-party Libraries and SDKs
Extend the functionality of a programming language
Binary File
A file whose content is in a binary format consisting of a series of sequential bytes, each of which is eight bits in length
Software Diversity
Research field about the comprehension and engineering of diversity in the context of software
Version Control
The practice of tracking and managing changes to software code
Directory Services
A database for all of an organization’s usernames, passwords, computers, printers, and other devices
Federation
A technology that allows users to access multiple tools, apps, and domains with only one set of credentials
Attestation
Prove that the hardware is really yours
Authentication Method - Time-based One-time Password (TOTP)
Temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors
Authentication Method - HMAC-based One-time Password (HOTP)
Type of one-time password (OTP) that is generated using a keyed-hash message authentication code (HMAC) - shared secret key
Authentication Method - Short Message Service (SMS)
Provide username and password, phone receives an SMS, and the code is entered into the login form
Authentication Method - Token Key
A key that is unique to a user’s session and is protected by an algorithm, which ensures servers can identify a token that has been tampered with and block it
Authentication Method - Static Codes
Authentication factors that don’t change
Example: PIN
Authentication Method - Authentication Applications
A downloaded application that generates pseudo-random tokens, usually 6 digits
Authentication Method - Push Notifications
Provide username and password, app sends the phone a notification, and the code is entered into the login form
Authentication Method - Phone Call
A call providing authentication code
Biometric Factor - Fingerprint
Hold finger down on scanner
Biometric Factor - Retina
Unique capillary structure in the back of the eye
Biometric Factor - Iris
Texture and color
Biometric Factor - Facial
Shape of the face and features
Biometric Factor - Voice
Talking for access
Biometric Factor - Vein
Match the blood vessels visible from the surface of the skin
Biometric Factor - Gait Analysis
Unique measurements
Example: how a person walks
Efficacy Rates
A measurable result acquired in ideal or controlled conditions
False Acceptance Rate (FAR)
Likelihood that an unauthorized user will be accepted
False Rejection Rate (FRR)
Likelihood that an authorized user will be rejected
Crossover Error Rate (CER)
The rate at which the FAR and FRR are equal
Multifactor Authentication Factor - Something You Know
Password, PIN, Pattern
Multifactor Authentication Factor - Something You Have
Smart card, USB token, hardware/ software tokens, phone
Multifactor Authentication Factor - Something You Are
Biometric authentication
Multifactor Authentication Attribute - Somewhere You Are
Location, IP address
Multifactor Authentication Attribute - Something You Can Do
Personal way of doing things - handwriting
Multifactor Authentication Attribute - Something You Exhibit
Unique trait - gait, typing
Multifactor Authentication Attribute - Someone You Know
Social factor, digital signature
Authentication, Authorization, and Accounting (AAA)
Authentication - Prove you are who you say you are
Authorization - Based on your identification and authentication, what access do you have?
Accounting - Resources used: login time, data sent and received, logout time
Redundancy
Keeping data in two or more places within a database or data storage system so that if something fails, operations can still be continued
Disk Redundancy
Having the same data stored on separate disks enables the data to be recovered in the event of a disk failure
Redundant Array of Independent Disks (RAID)
Using multiple drives within a single array where you can store some or all of the data on a redundant drive. If a physical drive is lost, you have separate pieces of data stored on multiple drives as part of that array
Multipath I/O (Input/ Output) Redundancy
Configuring multiple links in the network to provide redundancy if one part of the network was to fail
Load Balancing
Some servers are active and others are on standby
If one server fails, the passive server takes its place
Network Interface Card (NIC) Teaming
Grouping physical network adapters to improve performance and redundancy
Uninterruptible Power Supply (UPS)
A type of device that powers equipment nearly instantaneously in the event of grid power failure
Examples: offline/ standby, line-interactive, On-line/ double conversion
Generator
Long-term power backup that can power an entire building but takes a little time to power up
Dual-power Supplies
Redundant circuits that generate two different output voltages from a single input source
Each runs at 50% but either one can handle the full 100% load
Can swap out without powering down
Power Distribution Units (PDUs)
Device fitted with multiple outputs designed to distribute electric power, especially to racks of computers and networking equipment located within a data center
Storage Area Network (SAN) Replication
Replicating data between two devices so that if one fails you can still work with the data; very fast recovery time compared to traditional backups
VM Replication
Create backup versions of virtual machines that can be kept and used to restore the machine in the event that its data is corrupted or lost
On-premises Redundancy
Local devices are connected over fast networks
Purchasing your own storage is an expensive capital investment
Local data is private
Cloud Redundancy
Cloud connections are almost always slower
Cloud costs have a low entry point and can scale
Data stored in the cloud requires additional security controls
Full Backup
A complete copy of a business or organization’s data assets in their entirety
Incremental Backup
All files changed since the last incremental backup
Differential Backup
All files changed since the last full backup
Snapshot Backup
The state of a system at a particular point in time
Tape Backup
A sequential storage device that is easy to ship and store
Disk Backup
A fast and efficient type of backup that can be deduplicated and compressed
Copy Backup
An exact replica of a system at a particular point in time
Network Attached Storage (NAS)
File-level storage server connected to a computer network, providing data access to a group of users on that network
Storage Area Network (SAN)
Dedicated network of storage devices that provides a shared pool of storage and appears to each user on the network as if it were connected directly to the computer
Cloud Backup
A backup to a remote device in a cloud that can support many devices
Image Backup
Captures an exact replica of everything on a storage device so that everything on a partition, such as OS files and documents, can be restored
Online Backup
The use of a third-party service to back up data remotely over the Internet
Offline Backup
A backup to local devices in a secure external location that is completely isolated from the production environment
Offsite Storage
Any data or document facility that is physically separate from the organization usually for disaster recovery purposes
Non-persistence
Application instances being constantly built and torn down
Revert to Known State
Data that falls back to a previous snapshot
Last Known-good Configuration
Don’t modify the data, but use a previous configuration
Live Boot Media
Being able to launch an entire operating system from portable removable media
High Availability (HA)
Describes systems that are dependable enough to operate continuously without failing
Restoration Order
The order in which you have to rebuild an application instance
Technology Diversity
Having a diversity of technology can be beneficial if an OS fails or gets exploited
Vendor Diversity
Can purchase different devices from different vendors to have flexibility during the purchase and renewal processes
Different vendors can have different support teams as well
Crypto Diversity
Diverse certificate authorities can provide additional protection
Controls Diversity
Combine different administrative, physical, and technical controls together to create a defense in depth for security
Application-specific Restoration Order
Databases should be restored before the application
Backup-specific Restoration Order
Incremental backups: restore the full backup, then all subsequent incremental backups
Differential backups: restore the full backup, then the last differential backup
Embedded Systems
Hardware and software designed for specific functions or to operate as part of a larger system
Raspberry Pi
A System on a Chip (SoC) - multiple components running on a single chip
Field-programmable Gate Array (FPGA)
An integrated circuit that can be configured/ reprogrammed after manufacturing
Arduino
Hardware and software company, project, and user community that designs an open-source electronics platform based on easy-to-use hardware and software
Supervisory Control and Data Acquisition (SCADA)/ Industrial Control System (ICS)
Provides a centralized interface for operations personnel to control and monitor all critical devices and processes from one location
Allows a PC to manage equipment such as: facilities, industrial, manufacturing, energy, logistics
Smart Devices/ Internet of Things (IoT)
Devices commonly connected to the internet and connected to many different types of systems inside of our homes and businesses
Smart Devices/ Internet of Things (IoT) - Sensors
Heating and cooling, lighting
Smart Devices/ Internet of Things (IoT) - Smart Devices
Home automations, video door bell
Smart Devices/ Internet of Things (IoT) - Wearables
Watches, health monitors
Smart Devices/ Internet of Things (IoT) - Facility Automation
Temperature, air quality, lighting
Smart Devices/ Internet of Things (IoT) - Weak Defaults
IoT manufacturers are not security professionals
Specialized Embedded Device - Medical Systems
Heart monitors, insulin pumps - older OS
Specialized Embedded Device - Vehicles
Multiple embedded systems that can all communicate with each other for a better driving experience
Specialized Embedded Device - Aircraft
Multiple embedded systems that can all communicate with each other
Specialized Embedded Device - Smart Meters
In home to measure power and water usage
Voice Over IP (VoIP)
Type of phone system that uses an internet connection to make and receive calls, rather than traditional landlines
Heating, Ventilation, Air Conditioning (HVAC)
PC manages this equipment to make cooling and heating decisions for workspaces and data centers
Multifunction Printer (MFP)
A piece of office equipment that consolidates the capabilities of multiple devices
Real-time Operating System (RTOS)
Operating system with a deterministic processing schedule that does not wait for other processes
Example: automatic brakes on a car
Surveillance Systems
Video/ audio have embedded systems in the camera and the monitoring stations
Embedded Systems Communication - 5G
Wireless cellular technology offering higher upload and download speeds, more consistent connections, and improved capacity compared with previous networks
Embedded Systems Communication - Narrow-band
Communicate analog signals over a narrow range of frequencies
Over a long distance - conserve the frequency use
Embedded Systems Communication - Baseband Radio
Using a single frequency to be able to communicate
Embedded Systems Communication - Subscriber Identity Module (SIM) Cards
Used to provide information to a cellular network provider - phones, tablets, embedded systems
Embedded Systems Communication - Zigbee
Mesh communication between IoT devices; an alternative to Wi-Fi and Bluetooth
Embedded Systems Constraints - Power
May not have access to main power source
Batteries need to be replaced
Embedded Systems Constraints - Compute
Low-power CPUs are limited in speed
Embedded Systems Constraints - Network
May not have the option for a wired link or may be in the middle of a field
Embedded Systems Constraints - Crypto
Limited hardware options, making it difficult to change or modify cryptography features
Embedded Systems Constraints - Inability to Patch
Some devices have no field-upgradable options, or updates are difficult to install
Embedded Systems Constraints - Authentication
Security features are an afterthought, such as no multi-factor authentication and limited integration
Embedded Systems Constraints - Range
Purpose-built and usually does one thing very well, which may mean no additional functionality is provided
Embedded Systems Constraints - Cost
Single-purpose devices come at a low cost, and low cost may affect product quality
Embedded Systems Constraints - Implied Trust
Limited access to hardware and software which makes it difficult to verify the security posture
Physical Controls - Bollards/ Barricades
Allow people, prevent access to cars and trucks
Physical Controls - Access Control Vestibules
Provides a space between two sets of interlocking doors
Physical Controls - Badges
Allows access to genuine employees/ workers
Physical Controls - Alarms
Triggered by a person and alerts people
Physical Controls - Signage
Provides clear and specific instructions
Physical Controls - Cameras
Motion recognition - can alarm and alert when something moves
Object detection - can identify a license plate or a person’s face
Physical Controls - Closed-circuit Television (CCTV)
A video surveillance resource that can replace physical guards
Physical Controls - Industrial Camouflage
Conceal an important facility in plain sight
Physical Controls - Personnel
Guards
Robot Sentries - continuously monitor
Two-person integrity/ control - no single person has access to asset
Reception
Physical Controls - Cable Locks
Temporary security to keep something from being removed
Physical Controls - USB Data Blocker
Prevents “juice jacking”
Allows the voltage and rejects the data
Physical Controls - Lighting
More security: easier to see what is happening, and attackers avoid lit areas
Physical Controls - Fencing
Builds a perimeter to keep people out
Physical Controls - Fire Suppression
Water is bad for electronics
Chemical suppression - DuPont FM-200
Physical Controls - Sensors
Detects aspects such as motion, noise, proximity, moisture, and temperature
Physical Controls - Drones
Covers large areas quickly with motion detection and thermal sensors
Physical Controls - Visitor Logs
Keeps track of people going in and out of the building for when something happens
Physical Controls - Faraday Cages
Blocks electromagnetic fields
Physical Controls - Screened Subnet (DMZ)
An additional layer of security between the internet and you
Physical Controls - Protected Cable Distribution
A physically secure cabled network
Secure Areas - Air Gap
Physical separation between networks
Secure Areas - Vault
Secure reinforced room
Secure Areas - Safe
Smaller, less expensive secure space
Secure Areas - Hot Aisle and Cold Aisle
A way to keep components at optimal temperatures
Secure Data Destruction - Burning
Physically light documents on fire
Secure Data Destruction - Shredding
Put through a shredder and cut into tiny pieces
Secure Data Destruction - Pulping
Put in a large tank to remove the ink and broken down into pulp
Secure Data Destruction - Pulverizing
Using heavy machinery for complete destruction
Secure Data Destruction - Degaussing
Remove the magnetic field to destroy the drive data
Secure Data Destruction - Third-party Solutions
Having someone destroy data for you
Make sure to get a certificate of destruction
Physical Controls - Door Locks
Conventional - Lock and key
Deadbolt - Physical bolt
Electronic - Keyless, PIN
Token-based - RFID badge, magnetic swipe
Biometric - Hand, fingers, retina
Multi-factor - smart card and PIN
Digital Signature
An electronic, encrypted stamp of authentication on digital information
Authentication, non-repudiation, integrity
Key Length
Larger = more secure
Shorter = weaker
Symmetric = 128-bit or larger
Asymmetric = 3,072 bits or larger
Key Stretching
Making a weak key more secure against a brute force attack by hashing a hash and hashing that hash and so on…
Salting
Random data added to a password when hashing
Hashing
Representing data as a short string of text
Key Exchange
Exchange the secret key so that each party is able to encrypt messages before sending, and decrypt received ones
Elliptic-curve Cryptography (ECC)
An approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields
Powerful and used for devices with a limited number of resources
Perfect Forward Secrecy (PFS)
Feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised
Quantum Communication
Protecting against eavesdropping using quantum cryptography by creating unbreakable encryption
Quantum Computing
A new computing technology that bases computers on quantum physics
Qubit is the smallest form of information
Post-quantum Cryptography
Not yet secure against classical computers
Cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer
Ephemeral Key
Generated for each execution of a key establishment process
Changing often
Modes of Operation - Electronic Code Book (ECB)
Each block being encrypted with the same key
Identical plaintext blocks create identical ciphertext blocks
Modes of Operation - Cipher Block Chaining (CBC)
Each plaintext block is exclusive-ORed (XORed) with the previous ciphertext block
Modes of Operation - Counter (CTR)
Each time, a counter value is encrypted and the output is XORed with the plaintext block, which results in the ciphertext block
Blockchain - Public Ledgers
A place to keep track of transactions that is distributed to everyone
Stream Cipher
An encryption technique that works byte by byte to transform plaintext into ciphertext
Each plaintext digit is encrypted one at a time
Block Cipher
A method of encrypting data in blocks to produce ciphertext
Algorithm operating on fixed-length groups of bits, called blocks
Steganography
Security through obscurity
Making a message invisible even though it is there
Steganography - Audio
Modifying the digital audio file to interlace a secret message within the audio file
Steganography - Video
A sequence of images
Using image steganography on a larger scale
Steganography - Image
Embedding a message in an image itself
Homomorphic Encryption
The ability to perform calculations and research on data while it is encrypted
Common Use Cases - Low Power Devices
Smaller symmetric key
Elliptic curve cryptography (ECC) for asymmetric encryption
Common Use Cases - Low Latency
Fast computation time
Symmetric encryption, smaller key sizes
Common Use Cases - High Resiliency
Larger key sizes
Encryption algorithm quality
Hashing provides data integrity
Common Use Cases - Supporting Confidentiality
To keep secret and private use encryption
Common Use Cases - Supporting Integrity
Use a hash to prevent modification of data such as file downloads and password storage
Common Use Cases - Supporting Obfuscation
Encrypted data hides the active malware code and decryption occurs during execution
Common Use Cases - Supporting Authentication
Password hashing and salting to protect the password
Common Use Cases - Supporting Non-repudiation
Use digital signature to confirm the authenticity of data
Limitations - Speed
Cryptography adds overhead and more encryption can increase the load
Limitations - Size
Encrypting bytes might double storage size
Limitations - Weak Keys
Easier to brute force and may cause security issues
Limitations - Time
Large files take a long time to encrypt and hash
Limitations - Longevity
A specific cryptographic technology can become less secure over time
Limitations - Predictability
Hardware random number generators can be predictable, and unpredictable random numbers are critical for cryptography
Limitations - Reuse
Reduces complexity, but if the key is compromised everything can be at risk
Limitations - Resource vs. Security Constraints
IoT - limited security, memory, and power
Real-time applications can’t delay
Difficult to maintain and update security components
Symmetric Encryption
A single key, encrypt and decrypt with the same key
Asymmetric Encryption
Two (or more) mathematically related keys, private and public key
Private key decrypt and public key encrypts
Private key encrypts and public key decrypts
Lightweight Cryptography
Designed to protect information created and transmitted by the Internet of Things, as well as for other miniature technologies
Out-of-band Key Exchange
Sending the symmetric key by phone, courier, in person, etc.
In-band Key Exchange
Sending the symmetric key over the network with additional protection, using asymmetric encryption to deliver it
Block Cipher Mode of Operation
An algorithm that uses a block cipher to provide information security such as confidentiality or authenticity