Domain 2 Flashcards
What is the MTD metric?
Maximum tolerable downtime
What is scalability?
Capacity to increase resources to meet demand within similar cost ratios
What are the two types of scalability?
Scale out: add more resources in parallel
Scale up: increase the power of existing resources
What does elasticity refer to?
The ability to handle scalability changes in real time
A power distribution unit is like what?
Like a surge protector
RAID 0
Striping: performance gain, no redundancy
RAID 1
Tolerates 1 disk failure in a 2-disk setup
Con: low storage efficiency (50%)
RAID 5
Min 3 disks
Striping with parity
One disk can fail
RAID 6
Min 4 disks
Double parity
Two disks can fail
RAID 10 (nested)
Striped set of mirrored subgroups
Faster speeds
Each subgroup can tolerate one failed disk
RAID 50
Min 6 drives
Striped set of parity subgroups
Each subgroup can lose one disk
What does multipath provide that RAID doesn't?
RAID deals with drive failures
Multipath deals with the storage path, such as bus controllers and multiple network paths to storage devices
Geographical dispersal
Data replication to hot and warm sites that are physically distant from each other
3-2-1 backup rule
3 copies, 2 different media, 1 offline and 1 off-site
What is a master image?
A copy that has the OS up to date, all patches, and software installed
What is automated build from template?
Build instructions for an instance
What does layered security provide?
Defense in depth
What ports do LDAPS and LDAP use?
LDAPS: port 636
LDAP: port 389
Why are SNMP v1 and v2c not secure?
They send the community string in plaintext
What security benefit does SNMP v3 provide?
Supports encryption and strong user-based authentication
What does TLS 1.3 remove, which makes it more secure?
The ability to downgrade to lower SSL levels
In a TPM, can the endorsement key be changed?
No, it cannot be changed
What is the difference between measured boot and boot attestation?
Measured boot measures the boot process to report on any potential malware
Boot attestation sends a log signed by the TPM to report any issues, like unsigned drivers
In a cookie, what does the HttpOnly attribute do?
Prevents DOM-based attacks and client-side scripting
In a cookie, what does the SameSite attribute do?
Controls from where the cookie may be sent, protecting against request forgery attacks
What does HSTS do in web browsers?
Prevents downgrading to HTTP and SSL stripping
What does Content Security Policy (CSP) do?
Mitigates clickjacking, script injection, and other client-side attacks
Why might you use Cache-Control in a web app?
To prevent caching attacks and make sure sensitive data isn't stored
What are the forms of execution control?
Allow list and block list
What are the two available execution control options in Linux?
AppArmor and SELinux, through Linux Security Modules
What is a bastion host?
A host in a DMZ running minimal services to reduce the attack surface
What is north-south traffic?
Traffic coming in and out of a data center
What is east-west traffic?
Traffic between devices in the network, like servers
What do affinity and persistence do in load balancing?
Keep connections tied to a specific web server
Affinity is layer 4, based on IP and port
Persistence is layer 7, based on a cookie
What is latency?
The time it takes a transmission to reach the recipient, measured in ms
What is jitter?
Variation in delay, or an inconsistent rate of packet delivery
What is a forward proxy?
Provides for protocol-specific outbound traffic
Non-transparent proxy
The client must be configured with proxy info to use it
Transparent proxy, and where is it usually set up?
Intercepts client traffic without client configuration. Usually set up on a router, switch, or some other inline device
Reverse proxy server
Protects servers from direct contact with client requests
What is static/dynamic source NAT?
1-to-1 translation of public to private IP
What is overloaded NAT / NAPT / PAT?
Lots of private IPs mapped to a single public IP
What is one of the core features of a HIDS?
FIM (file integrity monitoring)
What does IPsec provide?
Confidentiality by encrypting packets, and integrity and anti-replay by signing each packet
Why isn't IPsec AH used that often?
Doesn't provide confidentiality since the payload isn't encrypted; also fails in NAT environments due to IP header fields in the ICV
What are the features of IPsec ESP?
Provides confidentiality and integrity. Can be used to encrypt the packet
What two modes can IPsec be used in, and what do they do?
Transport mode: used to secure communications between hosts; ESP doesn't encrypt the IP header, but AH can be used to do that
Tunnel mode: used for communications between VPN gateways; ESP can encrypt the whole packet
What does IKE do in IPsec?
Handles authentication and key exchange, referred to as security associations
What is the big difference between IKE v1 and v2?
With version 1, for clients you still had to use something like L2TP, but version 2 has added features so you can just use it to gain access to internal network resources
Each WAP is identified by its MAC address, which is also called what?
Basic service set identifier
What technology has replaced WPS in Wi-Fi?
Easy Connect, using keys and QR codes
EAP defines a framework for negotiating what?
Authentication methods, like smart cards
What security feature does a Docker namespace provide?
Prevents one container from reading or writing processes in another container
What security feature does a Docker control group provide?
Ensures one container can't overwhelm others in an attack such as DoS
In the cloud, what does a resource policy do?
Acts as an ACL for an object
What is a transit gateway in cloud computing?
Allows VPC subnets and VPN gateways to talk to each other
Which 3 ways can CASBs be implemented?
Forward proxy
Reverse proxy
API
The common name in a certificate was replaced with what?
SAN (subject alternative name)
What are the two different types of validation for certificate requests?
Domain and extended validation
Extended validation doesn't allow you to get what kind of certificate?
Wildcard cert
What is escrow key storage in PKI?
A third party storing those keys
What is M of N control in PKI?
Means M of the total N authorized users must be present to access the key
What is OCSP stapling?
The web server caches the OCSP response and provides it to clients
What is certificate pinning?
A way for clients to bypass the CA hierarchy and chain of trust when inspecting a certificate, to minimize MITM attacks
What is a PKCS #12 file?
Allows export of the private key with the cert. Can be protected with a password, and is in a binary format like PFX
What is the PKCS #7 format in PKI, and where is it usually used?
Uses PKCS #7 to allow combining multiple certificates in a file, such as a chain. Usually used in S/MIME to encrypt emails