Domain 2: Architecture and Design (21%) Flashcards
*2.4 (AAA)
Authentication
when a person’s identity is established with proof and confirmed by a system.
Remember
something you know, something you are, something you have, something you do, and somewhere you are
*2.4 (AAA)
Authorization
occurs when a user is given access to a certain piece of data or certain areas of a building.
*2.4 (AAA)
Accounting
Tracking of data, computer usage, and network resources.
*2.8 Common use cases
non-repudiation
when you have proof that someone has taken an action.
You said it. You can’t deny it.
*2.5 Backup types
Network Attached Storage (NAS)
Storage devices that connect directly to your organization’s network.
*File level access
NAS systems often implement RAID arrays to ensure high availability.
*2.5 Backup types
Storage Area Network (SAN)
Network designed specifically to perform block storage functions that may consist of NAS devices.
*Block level access
*2.6 Communication considerations
Subscriber Identity Module (SIM)
An integrated circuit that securely stores the international mobile subscriber
identity (IMSI) number and its related key.
*2.6 Embedded systems
Field-programmable gate array (FPGA)
-FPGA is an anti-tamper mechanism. (sealed aspirin bottle example, seal is anti-tamper mechanism)
-An anti-tamper mechanism is a method that makes it difficult for an attacker to alter the authorized execution of software.
If somebody tries to tamper with the system, the mechanism zeroes out the cryptographic key, which can then automatically wipe the information on that system. This makes sure you know it has been tampered with and that nobody can get the information.
*2.2 Virtualization
VM sprawl avoidance
Occurs when virtual machines are created, used, and deployed without
proper management or oversight by the system admins.
The solution is a formal process and detailed documentation
– You should have information on every virtual object.
To avoid VM sprawl and maintain a manageable attack surface, it is important to set resource policies that limit users’ ability to dynamically allocate new resources on the fly. This also avoids the potential pitfall of the organization receiving a whopping bill after unknown or unplanned resources have been consumed.
*2.2 Virtualization
VM escape protection
An attack that allows an attacker to break out of a normally isolated VM
by interacting directly with the hypervisor.
Protection: sandboxing, patching the hypervisor and continuous monitoring.
*2.3 Automation/scripting
Continuous integration
A software development method where code updates are tested and
committed to a development or build server/code repository rapidly
§ Continuous integration can test and commit updates multiple times per
day
§ Continuous integration detects and resolves development conflicts early
and often
*2.3 Automation/scripting
Continuous delivery
A software development method where application and platform
requirements are frequently tested and validated for immediate
availability
*2.3 Automation/scripting
Continuous deployment
A software development method where application and platform
updates are committed to production rapidly
§ Continuous delivery focuses on automated testing of code in order to get
it ready for release
§ Continuous deployment focuses on automated testing and release of
code in order to get it into the production environment more quickly
*2.2 Infrastructure as code
§ A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration
§ IaC allows for the use of scripted approaches to provisioning
infrastructure in the cloud
§ Robust orchestration can lower overall IT costs, speed up deployments,
and increase security
*2.4 Biometrics
False Acceptance
False Acceptance Rate (FAR): Rate that a system authenticates a user as authorized or valid when they
should not have been granted access to the system
2.4 *Biometrics
False Rejection
False Rejection Rate (FRR): Rate that a system denies a user as authorized or valid when they should
have been granted access to the system
2.4 *Biometrics
Crossover Error rate
Crossover Error Rate (CER):
An equal error rate (EER) where the false acceptance rate and false
rejection rate are equal
§ CER measures the effectiveness of a biometric system
2.7 *Bollards/barricades
Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as a sturdy, short, vertical post. Some organizations have installed more decorative bollards that are created out of cement and are large enough to plant flowers or trees inside. Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect tailgating as it occurs, but not truly prevent it.
2.7 *Fire suppression
§ Process of controlling and/or extinguishing fires to protect an
organization’s employees, data, equipment, and buildings
2.7 *Faraday Cages
Faraday Cage
Shielding installed around an entire room that prevents electromagnetic
energy and radio frequencies from entering or leaving the room
2.6 Heating, ventilation, air conditioning (HVAC)
Heating, Ventilation, and Air Conditioning
o Humidity should be kept around 40%
o HVAC systems may be connected to ICS and SCADA networks
2.6 *Internet of Things (IoT)
A group of objects (electronic or not) that are connected to the wider
Internet by using embedded electronic components
2.6 *System on Chip
A processor that integrates the platform functionality of multiple logical
controllers onto a single chip
System-on-chip designs are power efficient and are used with embedded systems
2.6 *Real-Time Operating System (RTOS)
A type of OS that prioritizes deterministic execution of operations to
ensure consistent response for time-critical tasks
Embedded systems typically cannot tolerate reboots or crashes and must
have response times that are predictable to within microsecond
tolerances
2.6 Embedded Systems
*Field-programmable gate array (FPGA)
A processor that can be programmed to perform a specific function by a
customer rather than at the time of manufacture
End customer can configure the programming logic to run a specific
application instead of using an ASIC
(application-specific integrated circuit)
2.6 *Industrial Control Systems (ICS)
A network that manages embedded devices.
ICS is used for electrical power stations, water suppliers, health services,
telecommunications, manufacturing, and defense needs.
2.6 *Supervisory Control and Data Acquisition (SCADA)
A type of industrial control system that manages large-scale,
multiple-site devices and equipment spread over a geographic region
SCADA typically runs as software on ordinary computers to gather data
from and manage plant devices and equipment with embedded PLCs