chapter1b Flashcards
Change Management
Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.
Impact Analysis
The identification of all work products affected by a change, including an estimate of the resources needed to accomplish the change.
Sandbox Testing
Isolated testing environment; no connection to the real world or production system; a technological safe space; use before making a change to production; try the upgrade, apply the patch; test and confirm before deployment; confirm the rollback plan; move everything back to the original; a sandbox can’t consider every possibility
Maintenance Window
The time period in which a change is expected to be implemented.
Technical Change Management
Put the change management process into action.; Execute the plan; There’s no such thing as a simple upgrade; Can have many moving parts; Separate events may be required; Change management is often concerned with ‘what’ needs to change; The technical team is concerned with ‘how’ to change it
Allow/Deny list
A list of applications that can or cannot be used on the network. Applications can have known vulnerabilities and introduce security risks.
Downtime
Refers to a period of time when a system is unavailable
Legacy Applications
Some applications were here before you arrived; They’ll be here when you leave; Often no longer supported by the developer; You’re now the support team; Fear of the unknown; Face your fears and document the system; It may not be as bad as you think; May be quirky; Create specific processes and procedures; Become the expert
Dependencies
The relationship between project activities. Changing one thing may affect many other processes.
Version Control
Track changes to a file or configuration over time
Public Key Infrastructure
Policies and procedures that are responsible for creating, distributing, managing, storing, and revoking as well as performing other processes associated with digital certificates.
Symmetric Encryption
An encryption method whereby the same key is used to encode and to decode the message
Asymmetric Encryption
Used in public key encryption, it is a scheme in which the key to encrypt data is different from the key to decrypt.
Transparent Encryption
Encrypt all database information with a symmetric key
Record level Encryption
Used when not all of the data is sensitive. Encrypting individual columns. Use separate symmetric keys for each column
Transport Encryption
Protecting data traversing the network.
Virtual Private Network (VPN)
A private data network that creates secure connections, or ‘tunnels,’ over regular Internet lines
Key Stretching
A technique that is used to mitigate a weaker key by increasing the time needed to crack it. Uses Hashing, salting, and further encryption
Key Exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
Out of Band Key exchange
Sending an encryption key to someone through telephone, courier, in person. Not over the web
In band key exchange
Sending an encryption key through the network. The key must be protected with additional encryption.
Session Key
A key that is used for a short period of time
Trusted Platform Module (TPM)
A standardized piece of hardware designed to perform cryptographic operations. Found on most modern motherboards. Can be used to generate random numbers and cryptographic keys. Has keys that were created and burned into the persistent memory of the device.
Hardware Security Module (HSM)
A device used to securely store thousands of cryptographic keys. Often used in clusters with power redundancies. Used in large environments like data centers.
Key Management Systems
Used to manage many different keys from a single management console. Also keeps all the keys separate from the data that it is trying to protect.
Secure Enclave
A protected area for our secrets that is isolated from the main processor. Has its own boot ROM and monitors the system boot process. Has a true random number generator. Can perform real-time encryption, has built-in root cryptographic keys, and performs AES encryption in hardware.
Obfuscation
The action of making something obscure, unclear, or unintelligible
Steganography
The art and science of hiding information by embedding messages within other, seemingly harmless messages
Covertext
In Steganography, the container document or file that contains hidden info
Tokenization
The process of replacing sensitive data with unique identification symbols. The original data and token are not mathematically related.
Data Masking
Hiding parts of the original data
Salt
Random data added during the hashing process.
Rainbow table
A table of hash values and their corresponding plaintext values
Blockchain Technology
A distributed ledger available for anyone to see, which keeps track of transactions.
Public Key Certificate
Data that associates a public key with a specific owner, signed by a CA that attests to its correctness
X.509
The most widely accepted format for digital certificates
Root of Trust
Hardware or software components that are inherently trusted
Certificate Authority (CA)
A trusted internal or third party authority that vouches for websites by digitally signing them
Private Certificate Authority
An internal or digital certificate management system
Wildcard Certificates
Allow all of the subdomains to use the same public key certificate and have it displayed as valid
Subject Alternative Name (SAN)
Allows a certificate owner to specify additional domains and IP addresses to be supported. An extension to the X.509 Certificate
Certificate Revocation List (CRL)
A repository that lists revoked digital certificates. Used to decommission a web server’s certificate.
Online Certificate Status Protocol (OCSP)
A protocol that performs a real-time lookup of a certificate’s status.
OCSP Stapling
Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake
