Chapter 3 Flashcards
Infrastructure as a Service (IaaS)
A cloud computing service model that provides computing resources on demand, such as storage, servers, networking, and virtualization.
Platform as a Service (Paas)
A cloud computing model that provides a complete environment for developers to build, test, deploy, and manage applications. PaaS allows developers to focus on their code without having to worry about the underlying infrastructure, such as servers, storage, and networking.
Software as a Service (SaaS)
A cloud-based software delivery model that allows users to access software through the internet on a subscription basis
Hybrid Cloud
Using more than one cloud provider. Adds additional flexibility but also adds complexity to the system. Most cloud provider systems do not talk to each other directly, so manual configuration of things like authentication, Firewalls, and server settings may be needed. Cloud providers use different security monitoring systems, as well as different logging terminology.
Data Leakage
Data stored in the cloud often needs to traverse the public internet which exposes it to attackers
Infrastructure as Code
Code architecture exists that allows you to define a cloud infrastructure such as servers, network, and applications. This allows you to reduce the human error that can occur manually creating the infrastructure. Also allows you to modify and create versions of the infrastructure.
Function as a Service (FaaS)
Applications can be separated into individual autonomous functions. Each function performs a small part of the application. These functions are commonly event triggered, and can be built in real time as the event is triggered.
Monolithic Applications
One big application that does everything you need. This is the traditional way of writing applications. One single executable is handling all user interface, logic, and data input and output. This makes the application take up a lot of storage space and have a large codebase.
Application Programming Interface (API)
Allows programs to access code written elsewhere.
Microservice
Uses APIs to create multiple smaller programs that handle discrete parts of an application. If one of the microservices goes down the rest will continue to work.
Air Gap
Physically separating devices. If one device is compromised it wont compromise the other.
Virtual Local Area Networks (VLANs)
A logical segmentation that allows the segmentation of data on the same device.
Software Defined Networking (SDN)
Splitting functions into separate logical units to extend the functionality and management of a single device. Separates the control functions from the forwarding functions. 3 layers of SDN architecture: Infrastructure Layer, Control layer, Application layer.
Infrastructure Layer
Data plane. Process the network frames and packets. Forwarding, trunking encrypting, NAT.
Control Layer
Manages the actions of the infrastructure layer. Routing tables, session tables, NAT tables. Dynamic routing protocol updates
Application Layer
Management Plane. Configures and manages the device. SSH, browser, API
Advantages of Cloud based Infrastructure
Security is centralized and costs less. No on site hardware or data center to secure. A third party handles everything.
Virtualization
Allows you to run many different operating systems on the same hardware. Each application instance has its own operating system, which adds overhead and complexity.
Containerization
A segmentation that contains everything you need to run an application, including code and dependencies. A standardized unit of software.
Container
An isolated process that is a self contained system. Apps can’t interact with each other.
Container image
A standard for portability. Lightweight and uses the host kernel. Secure separation between applications
Internet of things (IOT)
Devices that are integrated into your network. Smart devices, sensors, wearable tech. Convenient but often not very secure.
Supervisory Control and Data Acquisition System (SCADA)
Used to monitor the status of large scale industrial equipment. Requires extensive segmentation, no access from the outside. Many SCADA systems are incredibly secure.
Industrial Control Systems (ICS)
used to network together large pieces of machinery.
Real Time Operating System (RTOS)
An operating system with a deterministic processing schedule. Makes sure that actions are performed within a time constraint. Will dedicate all resources to important tasks immediately. Used in industrial equipment, automobiles, and military environments. Extremely sensitive to security issues. No time for antivirus checks. Systems are often self contained and it is difficult to find a way in.
Embedded systems
Hardware and software are created as a self contained and purpose built device. May work as a single component of a larger system. Can be very optimized for it’s task. Traffic light controllers, digital watches, medical imaging systems
High Availability (HA)
Always on, always available. Automatic redundancy. May include many components working together. Higher availability means higher costs.
Infrastructure Considerations
Availability and security can be a difficult balancing act. Available but only to the right people. Uptime % is an important metric when evaluating availability.R
Resilience
Eventually something will happen. How quickly can you recover. Based on many different variables: Root cause, replacement hardware installation, software patch availability, system redundency. Commonly referred to as MTTR: Mean time to Repair.
Mean Time to Repair (MTTR)
The length of time to replace something that is no longer available, with components that are available.
Responsiveness
How long does it take for a user to recieve their information after they make a request? This is very important for interactive applications, as humans are sensitive to delays.
Scalability
How quickly or easily can we increase or decrease capacity. This may happen many times per day. Need to make sure that security monitoring keeps up with the system scaling. Project management and scalability are an important factor to consider during the engineering phase. One missed detail can cause major deployment issues.
Cybersecurity Insurance
Allows you to recover lost funds resulting from things like randsomeware attacks, or outages and business downtime. Helps mitigate risks associated with legal proceedings from customers.
Patch Availability
The only constant is change. Software usually isn’t static. The first step after installation is usually making sure you are running the latest version. Patches need to be tested.
Patch Tuesday
The second tuesday of each month microsoft rolls out patches.
Power
A foundational element. Must be monitored. Requirements are very different depending on the purpose.
Compute
An applications heavy lifting. More than just a single CPU. Cloud services provide a compute engine.
Secure Infrastructure
Every network is different, but there are often simularities. We often use firewalls to segment the network, as well as provide additional security to specific parts of the network. Other services may require their own security technologies: Honeypots, jump server, load balancers, sensors.
Zone Based Security Technologies
A logical separation of all of the devices on the network by their use or access type. More flexible and secure than IP address ranges. Each area of the network is associated with a zone. Simplifies security policies, allows you to determine what kinds of data can be sent between zones.
Attack surface
Everything can be a vulnerability. Application code, open ports, authentication process, human error. The goal is to minimize the attack surface. Audit code, block ports on the firewall, monitor network traffic in real time, train employees. Secure physical network cabling. Application level encryption makes the data traveling our network encrypted and secure.
Network level encryption
IPSec tunnels and VPN connections
Intruision Prevention System (IPS)
Watches network traffic in real time. If there is any data that may be an intruision or an exploit it can block the traffic in real time. Looks for known exploits, buffer overflows, XSS
Intrusion Detection System (IDS)
Watches network traffic and sounds an alarm if it thinks there is a problem.
Failure modes
Eventually something will break. Depending on device configuration different things may happen. Fail open and fail closed
Fail open
When a system fails data continues to wflow. Security processes are disabled but the network stays up and running.
Fail Closed
When a system fails the data does not flow
Active Monitoring
System in connected in line. Data can be blocked as it passes by. intrusion prevention is commonly active
Passive Monitoring
A copy of the network traffic is examined using a tap or port monitor. Data can not be blocked in real time, intrusion detection is commonly passive.
Jump Server
A device on the inside of your network that is accessable from the outside. This is a highly secured device that is hardened and closely monitored. Usually a 2 step process: SSH/Tunnel/VPN to the jump server, and then connect to the rest of the network from there. The compromise of a jump server is a significant breach
Proxy Server
A device that sits between two endpoints and transmits data between by sending and recieving requests on their behalf. Useful for caching, access control, URL filtering, content scanning.
Network Address Translation (NAT)
Converts between internal and external IP addresses on internet facing routers. A network level proxy.
Forward Proxy
A proxy inside of your network that controls outbound traffic to the internet. “Internal Proxy”. Commonly used to protect and control user access to the internet.
Reverse Proxy
A proxy inside your network that controls inbound traffic from the internet to your specific internal service. Can also act as a caching server for identical requests.
Open Proxy
A third party, uncontrolled proxy. Can be a significant concern. Often can be used to circumvent existing security controls.
Load Balancer
Distributes network traffic across multiple servers and is invisible to the end user. Useful for large scale implementations. Provides fault tolerance, server outages will not disrupt availability.
Active-Active Load balancing
Keeps connections open across all the servers. Can provide TCB offloading where it keeps a connection open with all servers so users do not have to keep making new server connections which adds protocol overhead. Some load balancers provide SSL offload, which means that encryption and decryption is done by the load balancer instead of the servers. Can provide Caching and prioritization. Content switching.
Active Passive Load balancing
Some of the servers are active, while others are on standby. If an active server fails, the passive server takes it’s place.
Sensors and Collectors
Aggregate information from the network devices. Some are their own stand alone device, while others are built in to switches, routers, servers, firewalls, etc. All of the data collected by these sensors are sent to a central database called a collector.
Extensible Authentication Protocol (EAP)
A framework for authentication that can be applied to various network configurations. Manufacturers can build their own EAP methods. The most common integration of EAP is with 802.1x which prevents access to the network until authentication succeeds.
IEEE 802.1x
Sometimes refered to as Port Based Network Access Control (NAC). When you plug into an available access point on a switch you would not gain access to the network until you authenticate. Used in conjunction with other authentication protocols or databases such as RADIUS, LDAP, etc. Involves 3 separate components: Supplicant, Authenticator, and Authentication server.
Supplicant
End user or client
Authenticator
The device that provides access such as a switch or AP (access point)
Authentication Server
A backend database that contains and validates the log in credentials
Network Based Firewall
Controls the traffic through the use of a purpose built appliance. Traditional network firewalls control traffic based on OSI layer 4: A TCP port or UDP port layer number. Next generation firewalls use OSI layer 7, which is the application layer. Firewalls can integrate other services such as the encyption of traffic. Many firewalls cna be layer 3 devices (routers). These devices commonly sit on the ingress/egress of the network.
Unified Threat Management device (UTM)
An older type of firewall that has a number of security features built in. Also called an all in one security applicance or a web security gateway.
Next Generation Firewall (NGFW)
Operates at OSI layer 7, the application layer. Can make forwarding decisions based on the applications being used on the network. Also called: application layer gateway, stateful multilayer inspection, deep packet inspection. Can view all the data in every packet. Can perform a deep packet decode and recognize who is sending the traffic, where it is going, what is contained within the application layer of the traffic, and determine if the packet is allowed or disallowed through the firewall. Gives you granular control of what people are able to do on the network. Ex. employee can view twitter but cannot post. They often act as an intrusion prevention system. Allows for URL catagorization and allow/deny lists.
Web Application Firewall (WAF)
Analizes input into web based applications and allow or disallow traffic based on the input. Commonly used for web based conversations using HTTP or HTTPS. Can be used to identify SQL injection. A major focus of the payment card industry data security standard (PCI DSS) often used along side a next generation firewall.
Virtual Private Network (VPN)
Encrypts private data traversing a public network. Managed using a VPN concentrator: A purpose built device that is designed to be an endpoint for everyone to connect to using the encrypted link. They are often integrated into NGFW. There are many deployment options, specialized cryptographic hardware as well as software based options. Often used with client software and sometimes built into the OS.
VPN Concentrator
A purpose built device that is designed to be an endpoint for everyone to connect to using the encrypted link.
Secure Sockets Layer (SSL)
The same protocol used to encrypt web server traffic. Runs over TCP port 443. Usually easily passes through firewalls. Used for remote access communication from a single device. No requirement for digital certificates or shared passwords for authentication. Can be run from a browser or light VPN client so additional software is not needed. Some VPN software can be configured as always on, that when you start up your laptop you automatically connect.
Software Defined Networking in a Wide Area Network (SD-WAN)
Designed to solve issues with securely connecting to cloud based applications. Data centers used to be found in our own buildings. Now out data can be anywhere with the cloud. Allows us to build dynamic networks that can connect directly to cloud based applications.
Secure Access Service Edge (SASE)
Combines networking and security as a service functions into a single cloud-delivered service at the network edge. Allows you to combine multiple technologies and cloud offerings into one security architecture.
Regulated Data
Data that a third party sets rules on for how it should be protected. ex. Credit Card Information. Government laws and statutes can determine how data can be stored, and for how long.
Trade Secrets
The secret formula
Intellectual Property
May be publicly visible but protected using copyright and trademark law
Legal Information
It can be difficult to provide information that should be public while protecting information that needs to be private. These are usually stored on different systems.
Human Readable
People can read and understand the data
Non-Human Readable
Encoded data, barcodes, qr code
Proprietary Data
Data that is the property of an organization. May include trade secrets. Often unique to the organization
Personally Identifiable Information (PII)
Data that can be used to identify an individual. Name, DOB, mothers maiden name, buimetric information
Protected Health Information (PHI)
Health information associated with an individual. Health status, healthcare records, payments for healthcare, etc.
Sensitive Data
Intellectual propery, PII, PHICo
Confidential
Very Sensitive, must be approved to view
Public
No restrictions on viewing the data
Private/classified/restricted
Restricted access, may require an NDA
Critical
Should always be accessable
Data at rest
Data on a storage device. May want to encrypt and apply permissions and access control lists
Data in Transit
Data being transmitted over the network. Also called data in motion. If the data isn’t encrypted then there is not much protection as it traverses switches, routers, and devices. Someone could tap into any of these network links and view your data.
Network Based Protection
Firewall/IPS
Data in Use
Data actively being processed in memory or by the CPU. Could be System RAM, CPU registers, and cache. The data is almost always non-encrypted. Attackers like to go after data in use for this reason.
Data Sovereignty
Data that resides in a country is subject to the laws of that country. It is important to consider laws on data monitoring, court orders, etc.
General Data Protection Regulation (GDPR)
A European Union regulation that dicctates that any data collected on EU citizens must be stored in the EU.
Geolocation
Tells you the localized area of something. Endpoints, data, etc. There are many ways to determine the location of something: 802.11, mobile service, GPS. Can be used to manage access.
Geofencing
Automatically allow or restrict access when the user is in a particular location.
Confusion
Encrypted data is very different from the plaintext
Segmentation
Separating sensitive data into different locations. Also allows additional security to be added for more sensitive data.
Server Clustering
Combine two or more servers. Appears and operates like one large server. End users only see one device. Easy to scale and is configured in the server OS.
Recovery Site
Data is sychronized here in case of a disaster. In that case, business processes failover to the alternate processing site. Allows for operations to continue while the problem is addressed.
Hot Site
An exact replica of the datacenter. Contains all of the same hardware as your primary site. Must buy everything twice. Applications are constantly updated and data is synched. Can move over at any time.
Cold Site
An empty building with no hardware. Have to bring all of your data, hardware, and people over to run the site
Warm Site
Anything in between a hot and cold site. Can get going, but hardware and data will need to be moved over to get everything running as before.
Geographic Dispersion
Sites that are physically far from each other. Many disruptions can effect a large area such as hurricanes, floods, etc. This can be a logistical problem when transporting equipment and employees between the sites.
Platform Diversity
Every operating system contains potential security risks. Many security vulnerabilities are specific to a single OS.
Muti-cloud systems
Cloud outages happen from time to time, so it may be a good idea to have backup services on multiple providers.
Continuity of Operations Planning (COOP)
Not everything goes according to plan. When tech fails we still want to have a manual way to provide our services. Should be tested and documented before a problem occurs.
Capacity Planning
Match supply to the demand. Too much supply and you are spending more money than needed. Too much demand and you experience application slowdowns and outages. Requires a balanced approach. Some services require people, which is difficult to scale up and down.
Recovery Testing
Testing the process and procedures that take place in the event of a disaster. Use well defined rules of scope, and make sure you do not effect the live production systems. Practice specific scenarios.
Failover Test
A failure is inevitable, but you may be able to keep things running. Redundant infrastructure allows you to perform a failover.
Simulations
Test an imaginary event. Pen Testing. Allows you to see how your organization would respond.
On Site Backups
No internet link required, data is immediately available. Generally less expensive than offsite.
