chapter1b

Question 1

Change Management

Answer 1

Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.

Question 2

Impact Analysis

Answer 2

The identification of all work products affected by a change, including an estimate of the resources needed to accomplish the change.

Question 3

Sandbox Testing

Answer 3

Isolated testing environment; no connection to the real world or production system; a technological safe space; use before making a change to production; try the upgrade, apply the patch; test and confirm before deployment; confirm the rollback plan; move everything back to the original; a sandbox can’t consider every possibility

Question 4

Maintenance Window

Answer 4

The time period in which a change is expected to be implemented.

Question 5

Technical Change Management

Answer 5

Put the change management process into action.; Execute the plan; There’s no such thing as a simple upgrade; Can have many moving parts; Separate events may be required; Change management is often concerned with ‘what’ needs to change; The technical team is concerned with ‘how’ to change it

Question 6

Allow/Deny list

Answer 6

A list of applications that can or cannot be used on the network. Applications can have known vulnerabilities and introduce security risks.

Question 7

Downtime

Answer 7

Refers to a period of time when a system is unavailable

Question 8

Legacy Applications

Answer 8

Some applications were here before you arrived; They’ll be here when you leave; Often no longer supported by the developer; You’re now the support team; Fear of the unknown; Face your fears and document the system; It may not be as bad as you think; May be quirky; Create specific processes and procedures; Become the expert

Question 9

Dependencies

Answer 9

The relationship between project activities. Changing one thing may affect many other processes.

Question 10

Version Control

Answer 10

Track changes to a file or configuration over time

Question 11

Public Key Infrastructure

Answer 11

Policies and procedures that are responsible for creating, distributing, managing, storing, and revoking as well as performing other processes associated with digital certificates.

Question 12

Symmetric Encryption

Answer 12

An encryption method whereby the same key is used to encode and to decode the message

Question 13

Asymmetric Encryption

Answer 13

Used in public key encryption, it is a scheme in which the key to encrypt data is different from the key to decrypt.

Question 14

Transparent Encryption

Answer 14

Encrypt all database information with a symmetric key

Question 15

Record level Encryption

Answer 15

Used when not all of the data is sensitive. Encrypting individual columns. Use separate symmetric keys for each column

Question 16

Transport Encryption

Answer 16

Protecting data traversing the network.

Question 17

Virtual Private Network (VPN)

Answer 17

A private data network that creates secure connections, or ‘tunnels,’ over regular Internet lines

Question 18

Key Stretching

Answer 18

A technique that is used to mitigate a weaker key by increasing the time needed to crack it. Uses Hashing, salting, and further encryption

Question 19

Key Exchange

Answer 19

Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.

Question 20

Out of Band Key exchange

Answer 20

Sending an encryption key to someone through telephone, courier, in person. Not over the web

Question 21

In band key exchange

Answer 21

Sending an encryption key through the network. The key must be protected with additional encryption.

Question 22

Session Key

Answer 22

A key that is used for a short period of time

Question 23

Trusted Platform Module (TPM)

Answer 23

A standardized piece of hardware designed to perform cryptographic operations. Found on most modern motherboards. Can be used to generate random numbers and cryptographic keys. Has keys that were created and burned into the persistent memory of the device.

Question 24

Hardware Security Module (HSM)

Answer 24

A device used to securely store thousands of cryptographic keys. Often used in clusters with power redundancies. Used in large environments like data centers.

Question 25

Key Management Systems

Answer 25

Used to manage many different keys from a single management console. Also keeps all the keys separate from the data that it is trying to protect.

Question 26

Secure Enclave

Answer 26

A protected area for our secrets that is isolated from the main processor. Has its own boot ROM and monitors the system boot process. Has a true random number generator. Can perform real-time encryption, has built-in root cryptographic keys, and performs AES encryption in hardware.

Question 27

Obfuscation

Answer 27

The action of making something obscure, unclear, or unintelligible

Question 28

Steganography

Answer 28

The art and science of hiding information by embedding messages within other, seemingly harmless messages

Question 29

Covertext

Answer 29

In Steganography, the container document or file that contains hidden info

Question 30

Tokenization

Answer 30

The process of replacing sensitive data with unique identification symbols. The original data and token are not mathematically related.

Question 31

Data Masking

Answer 31

Hiding parts of the original data

Question 32

Salt

Answer 32

Random data added during the hashing process.

Question 33

Rainbow table

Answer 33

A table of hash values and their corresponding plaintext values

Question 34

Blockchain Technology

Answer 34

A distributed ledger available for anyone to see, which keeps track of transactions.

Question 35

Public Key Certificate

Answer 35

Data that associates a public key with a specific owner, signed by a CA that attests to its correctness

Question 36

X.509

Answer 36

The most widely accepted format for digital certificates

Question 37

Root of Trust

Answer 37

Hardware or software components that are inherently trusted

Question 38

Certificate Authority (CA)

Answer 38

A trusted internal or third party authority that vouches for websites by digitally signing them

Question 39

Private Certificate Authority

Answer 39

An internal or digital certificate management system

Question 40

Wildcard Certificates

Answer 40

Allow all of the subdomains to use the same public key certificate and have it displayed as valid

Question 41

Subject Alternative Name (SAN)

Answer 41

Allows a certificate owner to specify additional domains and IP addresses to be supported. An extension to the X.509 Certificate

Question 42

Certificate Revocation List (CRL)

Answer 42

A repository that lists revoked digital certificates. Used to decommission a web server’s certificate.

Question 43

Online Certificate Status Protocol (OCSP)

Answer 43

A protocol that performs a real-time lookup of a certificate’s status.

Question 44

OCSP Stapling

Answer 44

Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake