D1 Ch 2 Flashcards
FaaS stands for
Function as a Service
FaaS is AKA
Serverless
A cloud computing service where, instead of accessing a whole application, you access only its individual, autonomous functions (the microservices).
This service is billed on an as-needed basis.
Serverless / FaaS
A process where multiple OSs are run on a single hardware system.
Virtualization
A process where multiple self-contained and isolated applications are run on the host OS.
Containerization
Containerization is AKA
Application-level virtualization
VDI stands for
Virtual Desktop Infrastructure
Infrastructure that runs a desktop OS on central hardware, and streams those desktops across the network to multiple systems.
VDI
Pros of serverless architecture (2)
It is billed on an as-needed basis, so it can keep costs down
Overhead costs for server maintenance/management are not needed
Cons of serverless architecture (2)
The organization does not control security of the underlying platform; it can only secure its own code, configuration, and data
Cloud computing requires complex security controls
Pros of virtualization (2)
Maximizes the efficiency of each system
Provides more control of resource usage
Pros of containerization (2)
More efficient than virtualization, since all containers are run on the host’s single OS
Because containerization hosts provide a consistent interface, containers can be easily moved between systems and accessed by different OSs
Containerization security concerns (8)
Containers must be isolated from each other
Containers must be addressed (inventoried, monitored, and patched) separately from the host OS
Threats to the host OS will impact the containers
Container image signing tools
Container monitoring and patching tools
System hardening
App and service monitoring
Auditing tools
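The isolation concerns above are concrete runtime settings that can be checked. The following is an added example, not part of the original flashcards: a small audit in Python over JSON shaped like `docker inspect` output. The three containers, their names, and their settings are constructed for the example; the checks (root user, privileged mode, shared host PID/network namespaces, added capabilities, writable root filesystem, sensitive host mounts) are the usual hardening items.

```python
import json

# Constructed sample in the shape of `docker inspect` output (hypothetical containers).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"User": "", "Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": None, "ReadonlyRootfs": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/worker",
     "Config": {"User": "10001:10001", "Image": "worker:2.3"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": None, "ReadonlyRootfs": True, "Binds": []}},
    {"Name": "/debug",
     "Config": {"User": "root", "Image": "ubuntu:22.04"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "CapAdd": ["SYS_ADMIN"], "ReadonlyRootfs": False, "Binds": []}},
])

# Host paths that give a container a foothold on the host if mounted.
SENSITIVE_MOUNTS = {"/", "/etc", "/proc", "/sys", "/var/run/docker.sock", "/run/docker.sock"}


def audit_container(c: dict) -> list:
    """Findings for one container record; an empty list means nothing to report."""
    findings = []
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    user = (cfg.get("User") or "").strip()
    if user in ("", "root", "0") or user.startswith(("root:", "0:")):
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged (all capabilities, host devices exposed)")
    if host.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in SENSITIVE_MOUNTS:
            findings.append(f"mounts sensitive host path {src}")
    return findings


def audit(inspect_json: str) -> dict:
    """Map container name -> findings, for every container that has at least one."""
    report = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: " + "; ".join(findings))
```

The "worker" container produces no findings because it runs as a non-root user on a read-only filesystem with no extra privileges; "web" is caught only by the Docker socket mount, which is effectively root on the host.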
5 methods of system hardening
Updating and patching
Removing unnecessary software/services
Restricting and logging admin access
Controlling the creation of new accounts
Using capabilities like disk encryption and secure boot
Considerations before adopting security benchmarks
Consider whether you can adopt a benchmark while ensuring your critical functionality is not affected
If you must change the benchmark, consider why you need to be different, and whether that impacts your security
The database that contains Windows OS settings
Windows registry
Registry 5 main root keys
HKEY_CLASSES_ROOT (HKCR)
HKEY_LOCAL_MACHINE (HKLM)
HKEY_USERS (HKU)
HKEY_CURRENT_USER (HKCU)
HKEY_CURRENT_CONFIG (HKCC)
Which registry root key contains COM object registration info, and associates file types with programs?
HKEY_CLASSES_ROOT (HKCR)
Which registry root key contains system info, including scheduled tasks and services?
HKEY_LOCAL_MACHINE (HKLM)
Which registry root key contains info about user accounts?
HKEY_USERS (HKU)
Which registry root key contains information about the currently logged in user?
HKEY_CURRENT_USER (HKCU)
Which registry root key contains current local hardware profile information storage?
HKEY_CURRENT_CONFIG (HKCC)
What is a hive and what is it made of, as it relates to the Windows registry?
A hive is a group of keys, subkeys, and values that hangs off one of the root keys; most hives are backed by a file on disk (e.g. SAM, SYSTEM, and SOFTWARE under %SystemRoot%\System32\config, and NTUSER.DAT for each user)
The values can include strings (REG_SZ), binary data (REG_BINARY), numbers (REG_DWORD, REG_QWORD), links to other registry keys (REG_LINK), and Windows-specific component data
What is the built-in Windows Registry editing tool?
regedit
Where is Windows config info stored, besides in the Registry? (3)
C:\ProgramData
C:\Program Files (and C:\Program Files (x86))
C:\Users\username\AppData
Where is Linux config info stored? (1)
/etc
The core processes for an OS are called…
In Task Manager these appear as System, Registry, Memory Compression, etc.
System processes
The Windows core system process is called…
This process has a PID of 4 (PID 1 belongs to init/systemd on Linux, not to a Windows process)
System (the NT kernel, ntoskrnl.exe; Task Manager describes it as "NT Kernel & System")
Why synchronize time with all of your logging systems?
Without time synchronization, events won’t appear in the correct order, which can lead to misinterpretations of the data
NTP stands for
Network Time Protocol
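What the ordering problem looks like in practice, as an added Python example (not part of the original flashcards): two hosts' logs are merged once by the timestamps as written and once after subtracting each host's measured clock offset. The hostnames, log lines, and offsets are constructed; on a real system the offsets come from the NTP client (`ntpq -p`, `chronyc tracking`, or `w32tm /stripchart` on Windows).

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines from two hypothetical hosts. web01's clock runs
# 90 s fast; db01 is on time. What really happened, in order: alice logged in on
# web01, ran a query on db01, exported the table, then logged out of web01.
LOG_LINES = [
    "2024-03-01T10:00:05+00:00 web01 sshd: Accepted password for alice from 10.0.0.5",
    "2024-03-01T10:00:25+00:00 web01 sshd: session closed for user alice",
    "2024-03-01T09:58:40+00:00 db01 postgres: alice SELECT * FROM customers",
    "2024-03-01T09:58:50+00:00 db01 postgres: alice COPY customers TO '/tmp/out.csv'",
]

# Offset of each host's clock from the NTP reference, in seconds (constructed values).
CLOCK_OFFSETS = {"web01": 90.0, "db01": 0.0}
MAX_SKEW = 1.0  # hosts further off than this need NTP fixed before their logs are trusted

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse(line):
    """Split a line into (timestamp, host, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def merge(lines, offsets=None):
    """Events ordered by time. With offsets, each timestamp is shifted back to
    reference time (written time minus the host's offset); without, the written
    timestamps are taken at face value."""
    events = []
    for line in lines:
        ts, host, msg = parse(line)
        if offsets is not None:
            ts -= timedelta(seconds=offsets.get(host, 0.0))
        events.append((ts, host, msg))
    return sorted(events, key=lambda e: e[0])


def order_of(lines, offsets=None):
    """Just the message text, in order: handy for comparing the two views."""
    return [msg for _, _, msg in merge(lines, offsets)]


def hosts_needing_sync(offsets, tolerance=MAX_SKEW):
    """Hosts whose clock is too far from the reference to trust their timestamps."""
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance)


if __name__ == "__main__":
    print("as written (misleading):")
    for msg in order_of(LOG_LINES):
        print("  ", msg)
    print("after correcting for clock offset:")
    for msg in order_of(LOG_LINES, CLOCK_OFFSETS):
        print("  ", msg)
    print("fix NTP on:", hosts_needing_sync(CLOCK_OFFSETS))
```

Taken at face value, the merged timeline shows the database export happening before alice ever logged in, which an analyst could read as a different actor or a stolen session; after correction the login comes first and the sequence makes sense.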
Considerations when implementing log levels (2)
If you set a logging level that does not capture the data you need, you can miss important information
However, if you set an overly detailed log level, it can provide an overwhelming flood of detail that is not useful to most circumstances
General logging considerations (7)
No need to memorize these; just keep them in mind
Logs should contain enough info to be useful, and should be able to be interpreted in useful ways - so they must contain both meaning and context
Logs should be protected so they can’t be changed
Logs should be sent to a central location for storage, analysis, and reporting
Logs should be validated to ensure they contain necessary information
Logs should be checked regularly to ensure all systems that should send logs are doing so
Unnecessary log info should be avoided to conserve space and resources
Log retention policies and practices should be implemented as appropriate
This network architecture consists of routers, switches, security devices, cabling, and all other physical network components.
On-premises
This security solution controls traffic flow between networks and systems, providing perimeter security
Firewall
This security solution detects and alerts for suspicious or malicious activity
IDS
This security solution detects, alerts for, AND STOPS suspicious or malicious activity
IPS
This security solution controls what information passes through to protected devices
Content filtering and caching devices
This security solution controls which devices can connect to the network, and also assess the security state of devices requesting connection
NAC
This security solution identifies systems and gathers information about them, including the services they are running, patch level, and other details.
Network scanner
This security solution combines multiple other security services (IDS/IPS, firewall, content filtering, etc) into one device.
UTM
A type of network architecture where:
The underlying network environment is not accessible to the organization for configuration, testing, or control
Security of the underlying infrastructure is the provider's responsibility; the purchasing organization remains responsible for what it deploys on top (the shared responsibility model)
Cloud
A type of cloud service where the client is allowed some access to the underlying network infrastructure.
IaaS
What steps can a client take when examining the level of security of a cloud provider? (3)
Request access to third-party security audit information
Conduct a security assessment themselves
Ensure the contract covers any legal or regulatory issues that would impact their outsourced solution
VPC stands for
Virtual Private Cloud
A type of cloud service that provides an on-demand semi-isolated environment that exists on a private subnet, often with additional security
VPC
A type of network architecture that combines on-premises and cloud infrastructure.
Hybrid
Why would organizations have a hybrid infrastructure? Why not either one or the other?
A hybrid infrastructure allows an org to migrate from on-premises datacenters while also retaining some on-site services and systems.
A type of network architecture where different security zones are separated from each other
Network segmentation
A type of segmentation where different networks are run on separate physical infrastructure.
Often used to enforce air gaps.
Physical segmentation
A type of segmentation where virtualization and containerization are leveraged to separate functions.
Virtual segmentation
Pros of network segmentation (4)
The number of systems exposed to attackers is reduced
Limits the scope of regulatory compliance efforts by placing the systems that need to be regulated in a more easily maintained environment
Increases availability by limiting the scope of an attack
Increases network efficiency by reducing network congestion
What security solution is typically used between network segments with different levels of trust or functional requirements
Firewall
A system that resides in a segmented environment and is used to access and manage the devices in the segment where it resides.
Jump box
A type of networking that allows you to control networks centrally via APIs, which allows management of network resources and traffic with more intelligence than a traditional physical network infrastructure.
It makes networks programmable. This way, networks are flexible and manageable without making any physical changes.
SDN
SDN stands for
Software-Defined Networking
What technology does SDN use to make networks programmable?
API
Five technologies that enable network segmentation
Firewalls
Routers and switches
VLAN tagging
Jump boxes
VPN
How do firewalls enable network segmentation?
Used for security between different trust zones or zones with different functional requirements
How do routers and switches enable network segmentation?
They perform the actual separation between networks/zones
How does VLAN tagging enable network segmentation?
Switches (and routers) insert an 802.1Q tag into each Ethernet frame that identifies the VLAN it belongs to, so frames from different VLANs stay separated even when they share a trunk link
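To make the tag itself concrete, here is an added Python example (not from the original flashcards) that parses the 802.1Q header out of an Ethernet frame and applies the allowed-VLAN list a trunk port would enforce. The frames, MAC addresses, and VLAN IDs are constructed in a small helper; the field layout (TPID 0x8100, then 3-bit PCP, 1-bit DEI, 12-bit VID) is the standard one.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q-tagged frame
TPID_8021AD = 0x88A8  # outer (service) tag of a QinQ / 802.1ad double-tagged frame


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the VLAN tags (outer first) and the payload EtherType.
    An untagged frame yields an empty tag list."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,        # priority code point (3 bits)
                     "dei": (tci >> 12) & 1,  # drop eligible indicator (1 bit)
                     "vid": tci & 0x0FFF})    # VLAN identifier (12 bits)
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def accept_on_trunk(frame: bytes, allowed_vids: set, native_vid: int = 1) -> bool:
    """What a trunk port's allowed-VLAN list does: untagged frames land in the native
    VLAN, tagged frames are admitted only if their (outer) VID is on the list."""
    tags = parse_frame(frame)["tags"]
    vid = tags[0]["vid"] if tags else native_vid
    return vid in allowed_vids


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vids=(), pcp: int = 0) -> bytes:
    """Constructed test helper: build a frame tagged with the given VIDs (outer first).
    With two or more VIDs the outer tag uses the 802.1ad TPID, as in QinQ."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tag_bytes = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        tag_bytes += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + tag_bytes + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01", vids=(10,))
    print(parse_frame(f))
    print("allowed on trunk {10, 20}:", accept_on_trunk(f, {10, 20}))
```

The double-tag case matters for segmentation: a host that can inject its own 802.1Q tag onto an access port whose native VLAN is also carried untagged on a trunk can reach another VLAN (VLAN hopping), which is why native VLANs on trunks should be unused and access ports should strip tags.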
How does a jump box enable network segmentation?
Used to access systems in high security zones
How do VPNs enable network segmentation?
Provides secure remote access to different segments
What is product diversity?
Using multiple brands of devices/services
Pros (1) and cons (2) of product diversity
Pros:
Prevents a single point of failure
Cons:
Increases overhead, maintenance, training, and support costs
May cause security issues
Security concerns of SDN (2)
Because SDN uses APIs, you must have:
Good API security
Secure code development practices
An SDN-driven service model where providers use SDN to provide network services
SD-WAN
Pros of SD-WAN (2)
Allows blended infrastructures that combine a variety of technologies behind the scenes to deliver network connectivity
Provides encryption
Types of risks that SD-WAN introduces (3)
Risks related to multivendor network paths and control
SDN orchestration platform vulnerabilities
Availability and integrity risks as traffic flows through multiple paths
The security concept that requires each action requested and allowed to be verified and validated before being allowed to occur.
This moves away from a strong perimeter as the primary security control; instead, it involves a more deeply layered security model where every individual device, application, and account is part of the security design.
Zero trust
SASE stands for
Secure Access Service Edge
A network architecture design that leverages SD-WAN and security functionality (like CASBs, zero trust, firewalls as a service, antimalware, etc.)
SASE
This concept focuses on ensuring security at both the endpoint and the network layer, presuming that organizations are decentralized and that datacenter-focused security models are less useful in current organizations
SASE
Rather than having every client pass through a VPN concentrator/firewall, this software is installed on every client. Each client can connect securely and directly through that VPN to any cloud service it needs, no matter what network or geographic area it resides in.
This consequently helps address the move to SaaS
SASE
The set of claims about an individual/account holder that are made by one party to another party
Identity
The entity (a user, system, or service) that holds an account/identity is called a…
Subject
AAA stands for
Authentication, Authorization, and Accounting
The ongoing management of permissions given to users based on attributes is called…
Privilege management
FWaaS stands for
Firewall as a Service
A cloud-based firewall that offers NGFW features such as web and URL filtering, deep packet inspection, threat protection, and DNS security
FWaaS
A method of authentication that uses two or more different types of authentication factors
MFA
MFA stands for
Multifactor Authentication
4 types of authentication factors
Knowledge factor
Possession factor
Biometric factor
Location factor
How does passwordless authentication work?
Typically uses a username with a USB token, authenticator app, or other device.
It usually uses a SINGLE, more secure authentication process
Difference between SSO and shared authentication
SSO - After authenticating once, you do not need to login to the other sites
Shared authentication
You still need to reauthenticate to each service
Two methods of authentication that reduce password fatigue
SSO
Shared authentication
Pros of SSO and shared authentication
Reduces password fatigue
Reduces occurrence of password reuse
Reduces likelihood of credential exposure via 3rd party sites due to password reuse
Cost savings due to fewer password resets and support calls
Cons of SSO and shared authentication
Easier for attackers who obtain creds to access many services
Easier for attackers to exploit systems after controlling an authenticated user’s browser
How do you partially counter an attacker controlling an SSO-authenticated user’s browser?
Require reauthentication and MFA for critical systems
A type of authentication process that allows a user to use one domain’s identity and attributes to login to another domain. This relies on a trust relationship between the domains.
Federation
IDP stands for
Identity Provider
RP stands for
Relying Party
SP stands for
Service provider
What is the IDP’s security obligations in federated identity? (3)
Keep identities and related data secure
Validate identities and attributes to a level that fits the needs of the federation
Provide incident response coordination and communication between federation members
What is the RP/SP’s security obligations in federated identity? (1)
Handle data from both the users and the IDP securely
What is the consumer’s security obligations in federated identity? (2)
Must provide validation for information about identity claims
May be asked to make decisions about attribute release
A group of domains with established trust is called
Federation
4 steps to using federated identity (you don’t need to memorize it, just get the general idea)
- Consumer requests access from SP
- SP redirects consumer to IDP, where their ID is validated
- IDP provides token to consumer
- SP accepts the token and allows use of service
Using an existing federated IDP (like Google) is most appropriate when
You are not concerned that the person is actually who they say they are; just that they own the account
True/False
Immediate account provisioning after ID validation makes it more difficult to integrate with 3rd-party federated IDPs
False
It works best for integrating with 3rd party federated IDPs
True/False
Manual account provisioning provides greater security in federated identity, but causes more delays
True
4 major federated identity technologies
SAML
OpenID
OAuth2
AD FS
SAML
Authorization capabilities:
Authentication capabilities:
Common uses:
Authorization - yes
Authentication - yes
Enterprise authentication and authorization, particularly Linux-based environments
OpenID
Authorization capabilities:
Authentication capabilities:
Common uses:
Authorization - no
Authentication - yes
Authentication
OAuth2
Authorization capabilities:
Authentication capabilities:
Common uses:
Authorization - yes
Authentication - partial
API and service authorization
AD FS
Authorization capabilities:
Authentication capabilities:
Common uses:
Authorization - yes
Authentication - yes
Enterprise authentication and authorization, particularly Windows-based environments
SAML potential security risks (3)
Message confidentiality
Protocol usage and processing risks
DoS
OpenID potential security risks (5)
Message confidentiality
Redirect manipulation
Replay attacks
CSRF/XSS
Phishing
OAuth2 potential security risks (3)
Message confidentiality
Redirect manipulation
Authorization/resource server impersonation
AD FS potential security risks (1)
Token attacks (replay, capture)
An XML-based language used to send authentication and authorization data between IDPs and SPs
SAML
Which federated identity technology is commonly used for SSO because it allows IDPs to make assertions about principals to SPs so they can make decisions about that user?
SAML
What 3 statements does SAML allow to be exchanged?
Authentication statements
Authorization decision statements
Attribute statements
Which federated identity technology is claims-based?
AD FS
AD FS stands for
Active Directory Federation Services
Which federated identity technology is used for AA in primarily Linux-based environments?
SAML
Which federated identity technology is used for AA in primarily Windows-based environments?
AD FS
AD FS authentication process
(you don’t need to memorize; just understand it)
User attempts to access an ADFS web app hosted on a remote resource partner's web server
ADFS agent on partner’s web server checks for ADFS cookie
If present, access is granted
If not, user is sent to ADFS server
Resource partner’s ADFS checks for a SAML token from the account partner
If not present, ADFS performs home realm discovery
Account partner provides a security token with ID info in the form of claims, then sends the user back to the resource partner’s ADFS server
Validation occurs normally; the ADFS server uses its trust policy to map account partner claims to claims that the web app supports
A new SAML token is created by ADFS server that contains the resource partner’s claims
This token is written to a cookie stored on the user's computer
The user is redirected to the web app, where the web app reads the cookie and grants access based on the claims within
A method of identifying the federation server associated with the user, and then authenticating the user via that home realm
Home realm discovery
What is the ADFS snap-in called?
And what does it allow you to do? (5)
adfs.msc
It allows you to:
Add resource partners
Add acct partners
Map partner claims
Manage acct stores
Configure web apps that support federation
A federated identity technology that allows 3rd party applications to access HTTP-based services
OAuth
Which federated identity technology is used for access delegation?
OAuth
A service that allows service providers to perform actions on other sites on the user’s behalf
Access delegation
OAuth is usually paired with what authentication technology?
OpenID
What is the role of OpenID when paired with OAuth? How does it do that?
It provides authentication
It does this by allowing an authorization server to provide an ID token in addition to the authorization token provided by OAuth
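What the ID token adds on top of the OAuth access token, and which checks on it close the OpenID/OAuth risks listed above (redirect manipulation, replay, impersonation), as an added Python example that is not part of the original flashcards. Simplification: the token is signed with an HMAC key shared by the hypothetical authorization server and client (HS256); real OpenID Connect providers normally sign with RSA/EC keys published at a JWKS URL. The issuer, client ID, user, nonce, and secret are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(secret, issuer, client_id, subject, nonce, now, lifetime=300):
    """Authorization server side: mint an ID token as an HS256-signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token, secret, issuer, client_id, expected_nonce, now):
    """Relying party side. Returns (claims, None) on success, (None, reason) otherwise.
    Each check closes a known attack: alg pinning (signature downgrade, alg=none),
    iss/aud (token issued by or for someone else), exp (stale token),
    nonce (replay of a token captured from a redirect)."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:
        return None, "malformed token"
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not issued to this client"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch (replayed or substituted token)"
    return claims, None


if __name__ == "__main__":
    secret, now = b"constructed-shared-secret", 1_700_000_000
    tok = issue_id_token(secret, "https://idp.example.com", "client-123", "alice", "n0nce", now)
    print(tok)
    print(verify_id_token(tok, secret, "https://idp.example.com", "client-123", "n0nce", now + 10))
    print(verify_id_token(tok, secret, "https://idp.example.com", "client-999", "n0nce", now + 10))
```

The client generates the nonce before redirecting to the IDP and stores it in the session; a token that comes back with any other nonce was not minted for this login attempt, however valid its signature.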
PAM stands for
Privileged Access Management
The set of technology and practices that are used to manage and secure privileged accounts, access, and permissions for systems, users, and apps
PAM
What 3 things does PAM address?
Over-provisioning of privileges
Life cycle management
Privilege creep
CASB stands for
Cloud Access Security Broker
The security policy enforcement point for cloud resources/services
CASB
What 5 things does a CASB help with?
Data security
Antimalware functionality
Service usage
Access visibility
Risk management
PKI stands for
Public Key Infrastructure
Policies, procedures, hardware, software, and people that are responsible for creating, distributing, managing, storing, and revoking digital certificates
PKI
RA stands for
Registration Authority
CA stands for
Certificate Authority
CSR stands for
Certificate Signing Request
CMS stands for (about certificates)
Certificate management System
PKI certificate request process
User sends a CSR to request a certificate from a CA
RA validates the user’s identity
RA approves the request to issue a certificate
CA signs and issues the certificate to the user
The 5 major components of the certificate request process
CA - Creates, stores, and signs certificates
RA - Verifies the identity of requesters
Directory - Stores the certificates and keys
CMS - Supports access to and delivery of keys
Certificate policy - States the practices and procedures that the PKI uses, and is used to validate the PKI's trustworthiness
CRL stands for
Certificate Revocation List
A CA-signed list of certificates that were revoked before their expiration date (e.g. key compromise or cancellation); expired certificates are not listed, since they are already invalid
CRL
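The certificate request process above (requester builds a CSR, RA validates identity, CA signs) together with revocation via a CRL, end to end, as an added Python example that is not from the original flashcards. It uses the third-party `cryptography` package (`pip install cryptography`). The CA name, the requester's name, the RA's "vetted subjects" allowlist, and the fixed clock are all constructed stand-ins; in a real RA the identity check is a human or automated vetting step, not a set lookup.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic
APPROVED_SUBJECTS = {"alice.example.com"}        # constructed stand-in for RA identity vetting


def make_ca():
    """Root/issuing CA: a key pair and a self-signed CA certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_csr(common_name):
    """Requester: generate a key pair and a CSR; the CSR's self-signature proves
    possession of the private key, which never leaves the requester."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(key, hashes.SHA256()))
    return key, csr


def ra_approve(csr):
    """RA: reject a CSR whose signature fails or whose subject has not been vetted."""
    if not csr.is_signature_valid:
        return False, "CSR signature invalid"
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn not in APPROVED_SUBJECTS:
        return False, f"subject {cn!r} not approved by RA"
    return True, "approved"


def ca_issue(ca_key, ca_cert, csr, days=365):
    """CA: copy subject and public key from the CSR and sign with the CA key."""
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def ca_revoke(ca_key, ca_cert, serials, revoked_at=NOW):
    """CA: publish a signed CRL listing the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(revoked_at).next_update(revoked_at + timedelta(days=7)))
    for serial in serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(revoked_at).build())
    return builder.sign(ca_key, hashes.SHA256())


def is_revoked(cert, crl, ca_cert):
    """Relying party: trust the CRL only if the CA signed it, then look up the serial."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, csr = make_csr("alice.example.com")
    print(ra_approve(csr))
    cert = ca_issue(ca_key, ca_cert, csr)
    print("issued", cert.subject.rfc4514_string(), "by", cert.issuer.rfc4514_string())
    crl = ca_revoke(ca_key, ca_cert, [cert.serial_number])
    print("revoked:", is_revoked(cert, crl, ca_cert))
```

Note where the trust boundaries sit: the RA never sees a private key, the CA signs only what the RA approved, and a relying party must check the CRL's own signature before believing anything it lists.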
A software platform designed to manage the lifecycle of digital certificates, including their creation, storage, distribution, renewal, and revocation - essentially acting as a centralized repository for securely handling and tracking certificates across an organization or system.
CMS
Certificate Management System
The process of intercepting and examining the content of SSL/TLS encrypted traffic.
SSL Inspection
Pros of SSL inspection (2)
Allows DLP to recognize sensitive data
Allows IDS/IPS/antimalware to detect malicious data
Cons of SSL inspection (4)
Requires time and effort to set up
Can cause network congestion
Exposes traffic that would otherwise have been encrypted
Uses more bandwidth
2 methods of performing SSL inspection
Inserting a monitoring device into the network for offline inspection
Intercepting connections and terminating them at inspection devices, and then passing the connection along to the original target
DLP stands for
Data Loss Prevention
Systems and software that protects sensitive data from leaving the organization or systems that are designed to hold that sensitive data
DLP
A complete DLP solution has 4 targets:
Data in motion
Data at rest
Data in use
Endpoints
DLP solutions must combine 2 technologies:
Endpoint software
A means of examining encrypted traffic
PII stands for
Personally Identifiable Information
Information that could reasonably identify an individual, either by direct or indirect means
PII
Financial/medical records, addresses, phone numbers, SSNs, passport numbers, and driver’s license numbers are all examples of
PII
CHD stands for
Card Holder Data
CHD data is AKA
PCI data
Credit card information, including the PAN, card holder name, expiration date, CVV, data on the magnetic stripe/chip, and the PIN
CHD
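How a DLP engine actually recognizes the PII and CHD defined above in data in motion or at rest, as an added Python example (not from the original flashcards): candidate card numbers are found with a pattern and kept only if they pass the Luhn check, SSNs are matched in dashed form with the never-issued ranges excluded, and findings are returned masked. The sample text is constructed; the card numbers in it are published test numbers, not real cards.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in dashed form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Constructed sample text; the card numbers are published test numbers, not real cards.
SAMPLE_TEXT = ("Order 20240301-7781 shipped. Card 4111 1111 1111 1111 charged, "
               "retry of 4111111111111112 rejected. Employee SSN 123-45-6789 on file; "
               "ticket number 1234 5678 9012 3456.")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test that every real PAN passes; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four may be shown under PCI DSS; the rest is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str) -> list:
    """All PII/CHD findings in the text, each with its type, masked value and position."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "PAN", "masked": mask_pan(digits), "span": m.span()})
    for m in SSN_RE.finditer(text):
        findings.append({"type": "SSN", "masked": "***-**-" + m.group()[-4:], "span": m.span()})
    return sorted(findings, key=lambda f: f["span"])


def verdict(text: str, blocked_types=("PAN", "SSN")):
    """Policy decision a DLP gateway would make for a message or file: block or allow."""
    findings = scan(text)
    decision = "block" if any(f["type"] in blocked_types for f in findings) else "allow"
    return decision, findings


if __name__ == "__main__":
    decision, findings = verdict(SAMPLE_TEXT)
    print(decision)
    for f in findings:
        print(f"  {f['type']}: {f['masked']} at {f['span']}")
```

Of the three 16-digit runs in the sample, only the first passes Luhn; the "retry" number has a wrong check digit and the ticket number is an ordinary sequence, so both are left alone. That is the difference between a pattern match and a detection rule an analyst can act on without drowning in false positives.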