Domain 2: Architecture and Design (21%) Flashcards
*2.4 (AAA)
Authentication
when a person’s identity is established with proof and confirmed by a system.
Remember
something you know, something you are, something you have, something you do, and somewhere you are
*2.4 (AAA)
Authorization
occurs when a user is given access to a certain piece of data or certain areas of a building.
*2.4 (AAA)
Accounting
Tracking of what a user did: the data accessed, computer usage, and network resources consumed (audit logs).
*2.8 Common use cases
non-repudiation
when you have proof that someone has taken an action.
You said it. You can’t deny it
*2.5 Backup types
Network Attached Storage (NAS)
Storage devices that connect directly to your organization’s network.
*File level access
NAS systems often implement RAID arrays to ensure high availability.
*2.5 Backup types
Storage Area Network (SAN)
A network designed specifically to perform block storage functions (servers see SAN volumes as if they were local disks); it may be built from NAS devices and disk arrays.
*Block level access
*2.6 Communication considerations
Subscriber Identity Module (SIM)
An integrated circuit that securely stores the international mobile subscriber
identity (IMSI) number and its related key.
*2.6 Embedded systems
Field-programmable gate array (FPGA)
-An anti-tamper mechanism is a method that makes it difficult for an attacker to alter the authorized execution of software or to extract secrets from hardware (sealed aspirin bottle example: the seal is the anti-tamper mechanism).
-FPGAs and other secure hardware can be built with anti-tamper features.
-If somebody tries to tamper with the system, the device zeroizes its cryptographic keys, which effectively wipes out the information on that system: you know it has been tampered with, and nobody can get the information.
*2.2 Virtualization
VM sprawl avoidance
Occurs when virtual machines are created, used, and deployed without
proper management or oversight by the system admins.
The solution is a formal process and detailed documentation
– You should have information on every virtual object.
To avoid VM sprawl and maintain a manageable attack surface, set resource policies that limit users' ability to dynamically allocate new resources on the fly. This also avoids the pitfall of the organization receiving a whopping bill after unknown or unplanned resources have been consumed.
*2.2 Virtualization
VM escape protection
An attack that allows an attacker to break out of a normally isolated VM
by interacting directly with the hypervisor, and from there reach the host or other guests.
Protection: sandboxing, patching the hypervisor, and continuous monitoring.
*2.3 Automation/scripting
Continuous integration
A software development method where code updates are tested and
committed to a development or build server/code repository rapidly
§ Continuous integration can test and commit updates multiple times per
day
§ Continuous integration detects and resolves development conflicts early
and often
*2.3 Automation/scripting
Continuous delivery
A software development method where application and platform
requirements are frequently tested and validated for immediate
availability
*2.3 Automation/scripting
Continuous deployment
A software development method where application and platform
updates are committed to production rapidly
§ Continuous delivery focuses on automated testing of code in order to get
it ready for release
§ Continuous deployment focuses on automated testing and release of
code in order to get it into the production environment more quickly
*2.2 Infrastructure as code
§ A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration
§ IaC allows for the use of scripted approaches to provisioning
infrastructure in the cloud
§ Robust orchestration can lower overall IT costs, speed up deployments,
and increase security
*2.4 Biometrics
False Acceptance
False Acceptance Rate (FAR): Rate that a system authenticates a user as authorized or valid when they
should not have been granted access to the system
2.4 *Biometrics
False Rejection
False Rejection Rate (FRR): Rate that a system denies a user as authorized or valid when they should
have been granted access to the system
2.4 *Biometrics
Crossover Error rate
Crossover Error Rate (CER):
The point at which the false acceptance rate and the false rejection rate
are equal; also called the equal error rate (EER)
§ CER measures the effectiveness of a biometric system: the lower the CER, the more accurate the system
§ Raising the matching threshold lowers FAR but raises FRR; lowering it does the opposite
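Worked example (added here; it is not part of the original flashcards). It sweeps a matching threshold over constructed matcher scores for a hypothetical fingerprint system, computes FAR and FRR at each threshold, and finds the crossover point, then shows how tuning for a low FAR costs you FRR. The score lists, threshold grid and function names are all assumptions made for illustration.

```python
# Constructed matcher scores (0 = no match, 1 = perfect match) from a
# hypothetical fingerprint system: one list for the enrolled user,
# one for impostors trying to get in as that user.
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.40, 0.45, 0.50, 0.55, 0.60, 0.65, 0.70]

# Thresholds 0.00, 0.05, ..., 1.00 (built as i/100 so they compare exactly)
THRESHOLDS = [i / 100 for i in range(0, 101, 5)]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when the system accepts any score >= threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # impostors let in
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # real users turned away
    return far, frr


def crossover(genuine, impostor, thresholds):
    """Sweep thresholds; return (threshold, FAR, FRR) where FAR and FRR are closest (the CER)."""
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine, impostor, thresholds, max_far):
    """Lowest threshold whose FAR does not exceed max_far (high-security tuning),
    returned together with the FRR you pay for it."""
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t in THRESHOLDS:
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("CER:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("FAR <= 10%:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 0.10))
```

With these scores the curves cross at a threshold of 0.65 (FAR = FRR = 20%); forcing FAR down to 10% pushes the threshold to 0.70 and FRR up to 30%, which is the trade-off the CER card describes.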
2.7 *Bollards/barricades
Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as a sturdy, short, vertical post. Some organizations have installed more decorative bollards that are created out of cement and are large enough to plant flowers or trees inside. Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect this from occurring, but not truly prevent them.
2.7 *Fire suppression
§ Process of controlling and/or extinguishing fires to protect an
organization’s employees, data, equipment, and buildings
2.7 *Faraday Cages
Faraday Cage
Shielding installed around an entire room that prevents electromagnetic
energy and radio frequencies from entering or leaving the room
2.6 Heating, ventilation, air conditioning (HVAC)
Heating, Ventilation, and Air Conditioning
o Humidity should be kept around 40%
o HVAC systems may be connected to ICS and SCADA networks
2.6 *Internet of Things (IoT)
A group of objects (electronic or not) that are connected to the wider
Internet by using embedded electronic components
2.6 *System on Chip
A processor that integrates the platform functionality of multiple logical
controllers onto a single chip
System-on-Chip are power efficient and used with embedded systems
2.6 *Real-Time Operating System (RTOS)
A type of OS that prioritizes deterministic execution of operations to
ensure consistent response for time-critical tasks
Embedded systems typically cannot tolerate reboots or crashes and must
have response times that are predictable to within microsecond
tolerances
2.6 Embedded Systems
*Field-programmable gate array (FPGA)
An integrated circuit whose logic can be programmed to perform a specific function by the
customer after manufacture, rather than being fixed at the time of manufacture
End customer can configure the programming logic to run a specific
application instead of using an ASIC
(application-specific integrated circuit)
2.6 *Industrial Control Systems (ICS)
A network that manages embedded devices.
ICS is used for electrical power stations, water suppliers, health services,
telecommunications, manufacturing, and defense needs.
2.6 *Supervisory Control and Data Acquisition (SCADA)
A type of industrial control system that manages large-scale,
multiple-site devices and equipment spread over geographic region
SCADA typically run as software on ordinary computers to gather data
from and manage plant devices and equipment with embedded PLCs
2.4 Authentication methods
*Time-based one-time password (TOTP)
A password is computed from a shared secret and the current time (typically a 30-second time step), so each code expires quickly
2.4 Authentication methods
HMAC-based One Time Password (HOTP)
A password is computed from a shared secret and a counter that is incremented on each use
and kept synchronized between the client and the server
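Worked example for the TOTP and HOTP cards (added here; not from the original flashcards). It implements HOTP as specified in RFC 4226 (HMAC over the counter, dynamic truncation, N decimal digits) and TOTP as HOTP with the counter replaced by the time step, using the RFC test-vector secret as a constructed shared secret. The server-side verify functions, the look-ahead window of 5 and the one-step clock-drift window are design choices assumed for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector secret (ASCII).
# A real deployment provisions a random secret per user and never reuses it.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HMAC-based OTP (RFC 4226): HMAC(secret, counter) -> dynamic truncation -> N digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte picks a window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6, algorithm=hashlib.sha1):
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_hotp(secret, code, server_counter, look_ahead=5):
    """Server-side HOTP check with a resynchronisation window.

    The token may have generated codes the server never saw, so accept the first
    match within `look_ahead` steps and return the counter to store next.
    Codes at or before the stored counter are replays and are rejected.
    """
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate + 1       # persist this before granting access
    return None


def verify_totp(secret, code, now=None, step=30, window=1):
    """Accept the current time step plus `window` steps either side to absorb clock drift."""
    if now is None:
        now = time.time()
    current = int(now) // step
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    for counter in range(3):
        print(f"HOTP counter={counter}: {hotp(SHARED_SECRET, counter)}")
    print("TOTP at t=59 (8 digits):", totp(SHARED_SECRET, 59, digits=8))
    print("TOTP now:", totp(SHARED_SECRET))
```

The HOTP counter is the state that must stay synchronized; the TOTP "counter" is derived from the clock, so the two sides only need reasonably accurate time. Both verifiers compare with `hmac.compare_digest` so the check does not leak timing information.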
2.4 Authentication methods
*Attestation
A claim that the data presented in a report (for example, boot measurements) is valid, made by digitally
signing the report with the TPM's private key so that a verifier can check it with the matching public key.
2.8 Cipher suites
Stream Cipher
Utilizes a keystream generator to encrypt data bit by bit using a
mathematical XOR function to create the ciphertext
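Worked example for the stream cipher card (added here; it is not part of the original flashcards). The keystream generator is HMAC-SHA256 run in counter mode over a key and nonce, which is an illustrative PRF chosen so the example runs with the standard library, not a standardized cipher (use ChaCha20 or AES-CTR in practice). It shows the XOR encrypt/decrypt symmetry and the classic failure mode: reusing a keystream lets an attacker XOR two ciphertexts together and cancel the key. The key, nonce and messages are constructed.

```python
import hashlib
import hmac
import struct

# Constructed key and nonce for the demonstration (never hard-code real keys)
KEY = bytes(range(32))
NONCE = b"\x00" * 12


def keystream(key, nonce, length):
    """Toy keystream generator: HMAC-SHA256(key, nonce || block_counter) in counter mode.
    Each 32-byte block depends on the counter, so the stream never repeats
    for a given key and nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# XOR is its own inverse, so decryption is the same operation
decrypt = encrypt


def recover_other_plaintext(c1, c2, known_plaintext):
    """Keystream-reuse attack: with the same key and nonce,
    C1 XOR C2 == P1 XOR P2, so knowing P1 reveals P2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_plaintext)


if __name__ == "__main__":
    m1 = b"attack at dawn"
    m2 = b"retreat by sea"
    c1 = encrypt(KEY, NONCE, m1)
    c2 = encrypt(KEY, NONCE, m2)          # same nonce: the mistake
    print("c1:", c1.hex())
    print("decrypt(c1):", decrypt(KEY, NONCE, c1))
    print("recovered m2 from c1, c2 and m1:", recover_other_plaintext(c1, c2, m1))
```

The fix is a unique nonce per message under a given key; the final assertion in the test shows that with a fresh nonce the XOR relation no longer holds.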
2.8 Cipher suites
Block Cipher
Breaks the input into fixed-length blocks of data and performs the
encryption on each block
Block ciphers are easier to implement through a software solution
2.8 Steganography
The science and art of hiding messages within other messages
§ Steganography is a form of obfuscation, not encryption
2.8 Hashing
3.2 Database - Hashing
A one-way cryptographic function which takes an input and produces a
fixed-length message digest; any change to the input changes the digest
2.8 Key Stretching
A technique that is used to mitigate a weaker key by increasing the time
needed to crack it
§ WPA, WPA2, PGP, bcrypt, and other algorithms utilize key stretching
2.8 Salting
3.2 Database - Salting
Adding random data into a one-way cryptographic hash to help protect
against password cracking techniques: two users with the same password get
different hashes, and precomputed (rainbow) tables no longer apply
§ A nonce (number used once) is a related idea: it prevents a captured value from being replayed
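Worked example covering the hashing, key stretching and salting cards (added here; not part of the original flashcards). It contrasts a bare SHA-256 of a password, which a precomputed dictionary cracks for every user at once, with salted and stretched PBKDF2-HMAC-SHA256 from the standard library. The storage format string, the iteration count and the constructed word list are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor for key stretching; raise it as hardware gets faster


def plain_hash(password):
    """Unsalted, unstretched SHA-256: the same password always gives the same digest,
    and one SHA-256 is cheap enough to try billions of guesses per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(digest, wordlist):
    """Precompute digests for a word list once, then reuse the table against every user."""
    table = {plain_hash(word): word for word in wordlist}
    return table.get(digest)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted + stretched PBKDF2-HMAC-SHA256, returned as a self-describing string so the
    parameters can be raised later without breaking existing records."""
    if salt is None:
        salt = os.urandom(16)                         # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    wordlist = ["password", "hunter2", "letmein"]   # constructed word list
    print("unsalted crack:", crack_unsalted(plain_hash("hunter2"), wordlist))
    record = hash_password("hunter2")
    print("stored:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
```

With a salt, the attacker's precomputed table is useless and each guess must be recomputed per user; with stretching, each of those guesses costs hundreds of thousands of HMAC calls instead of one.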
2.8 Digital signatures
Provide integrity, authentication, and non-repudiation: an attacker who alters a message can recompute a plain hash, but cannot forge the signature without the private key
Signature algorithms: DSA, RSA, or ECDSA; the message is first hashed (for example with SHA-256)
A digital signature is created by hashing a file and then taking that resulting hash digest and encrypting it with a private key. Anyone holding the matching public key can verify it.
2.7 Secure data destruction
Degaussing
Exposes the hard drive to a powerful magnetic field which in turn causes
previously-written data to be wiped from the drive
§ Only effective on magnetic media; it does not erase SSDs or other flash storage