Domain 2: Architecture & Design Flashcards
Network Diagrams
Data flow across telecommunication hardware
Display the inner behaviors of your network, such as routing protocols and subnets, and reveal how information flows
Device Diagrams
Shows individual devices, their ports and the cabling between them
Naming Conventions
A consistent scheme for naming and labeling devices, hosts, accounts and files so that an object's role, location and owner can be read from its name
IP Schema
An IP address plan that assigns documented, consistent ranges to subnets and network devices
Avoids duplicate IP addresses and makes an unexpected address (a rogue device) easy to spot
Data Sovereignty
Data that resides in a country is subject to the laws of that country
Data masking
Data obfuscation: hide part of the original data (e.g. show only the last four digits of a card number) while keeping the format usable
Data at-rest
Data on a storage device
Data in-transit
Data transmitted over the network…Also called data in-motion
TLS (Transport Layer Security) & IPsec (Internet Protocol Security) Provide transport encryption
Data in-use
Actively processing in memory (System RAM, CPU registers and cache)
Tokenization
Replace sensitive data with a non-sensitive placeholder
Commonly used in NFC payments and Credit card processing.
Uses a temporary token during payment; the real card number stays in the token vault, so an attacker who captures the token can't reuse it later
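Masking and tokenization side by side, as an added example (not part of the flashcards): a Luhn check rejects malformed card numbers before they enter the vault, the mask keeps only the last four digits, and the vault hands out a random, format-preserving token that has no mathematical relationship to the card number. The class and function names and the sample card number (a standard test number) are my own choices.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: sanity-check that a card number is well formed before tokenizing."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Data masking: keep the last four digits, replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: swap the PAN for a random token; only the vault can map it back."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("not a valid card number")
        if digits in self._pan_to_token:       # same card -> same token (repeat customers)
            return self._pan_to_token[digits]
        while True:
            # format-preserving: random digits plus the real last four; nothing derived from the PAN
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4)) + digits[-4:]
            if token not in self._token_to_pan and token != digits:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor side, which holds the vault, can do this."""
        return self._token_to_pan[token]
```

The merchant stores and logs only the token and the masked form; a breach of the merchant's database yields nothing a thief can charge.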
Information Rights Management (IRM)
Control how data is used.
Restricts access to authorized persons only
Can prevent copy and paste, Control screenshots, Manage printing, & Restrict editing
Each user has their own set of rights
SSL/TLS inspection
Secure Sockets Layer/Transport Layer Security
Commonly used to examine outgoing SSL/TLS traffic: a proxy terminates the client's TLS session, inspects the plaintext, and re-encrypts it to the server
Clients must trust the proxy's CA certificate, and the proxy must validate the upstream server's certificate itself or inspection weakens security instead of adding to it
API
Application Programming Interface
Mechanisms that enable two software components to communicate with each other using a set of definitions and protocols
Honeypots
A decoy system made to look attractive to attackers so their activity can be detected and studied without exposing production systems
Honeynets
More than one honeypot on a network
Telemetry
Data collected from a network environment that can be analyzed to monitor the health and performance, availability, and security of the network and its components
Fake telemetry: fabricated monitoring data fed to attackers as a deception technique
DNS sinkhole
A DNS server that deliberately returns false or non-routable addresses for specific names
Defenders use it to block and log connections to known-malicious domains (e.g. botnet command-and-control); attackers use the same idea to redirect victims
MSP/MSSP
Managed Service Provider: a third party that operates some or all of an organization's IT on its behalf
May be a cloud service provider, but not every cloud service provider is an MSP
Network connectivity management
Backups and disaster recovery
Growth management and planning
Managed Security Service Provider – Firewall management, Patch management, security audits
Emergency response
Fog Computing
Decentralized computing infrastructure where the computing resources (e.g., applications) are placed between the cloud and data source
Edge computing
Distributed computing paradigm that brings computation and data storage closer to the sources of data.
Intended to improve response times and save bandwidth.
Moves computer storage and processing (now often just called “compute”) to the edge of the network. This is where it is closest to users and devices and most critically, as close as possible to data sources
It is an architecture rather than a specific technology
Examples of edge use cases include self-driving cars, autonomous robots, smart equipment data and automated retail.
Thin client
A simple computer that has been optimized for establishing a remote connection with a server-based computing environment
Typically managed remotely with limited input from the end user
Has only minimal local processing and storage; applications and data live on the server, which shrinks the attack surface and simplifies patching
Container
Contains everything you need to run an application like code and dependencies
A standardized unit of software
Microservices/API
The application is broken into small, independently deployable services that communicate through APIs; each service can be scaled, patched and isolated on its own, but every API is an attack surface that needs authentication and input validation
Monolithic applications
One big application that does everything
Serverless architecture
A way to build and run applications and services without having to manage infrastructure.
Cloud based
Service Integration and Management (SIAM)
An approach to managing multiple suppliers of services and integrating them to provide a single business-facing IT organization
Transit Gateway
Network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks
SDN (Software Defined Networking)
Separates the network's control plane (deciding where traffic goes) from the data plane (forwarding it); network configuration becomes software, which enables infrastructure-as-code style automation
An approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network
Dynamic, manageable, cost-effective, and adaptable
Elasticity
Increase or decrease available resources as the workload changes
Scalability
The ability to handle an increased workload within a given infrastructure
Open Web Application Security Project (OWASP)
Worldwide nonprofit organization that focuses on improving software security.
Attestation
A signed claim that the data in a report is valid: the TPM signs a quote of its PCR values with its private attestation key so a verifier can check that the report was not altered
A mechanism for software to prove its identity. The goal of attestation is to prove to a remote party that your operating system and application software are intact and trustworthy
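How measured boot and a quote fit together, as an added example (not from the flashcards): each boot component is hashed into a Platform Configuration Register with the one-way extend operation, the TPM signs the final PCR value together with a verifier-supplied nonce, and the verifier recomputes the expected value from a golden list. HMAC stands in for the TPM's attestation-key signature, and the component names and key are constructed for the demo.

```python
import hashlib
import hmac


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA256(PCR_old || SHA256(component)). One-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay the boot chain into a single PCR value."""
    pcr = bytes(32)                      # PCRs are all zeros after reset
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def make_quote(pcr: bytes, nonce: bytes, ak_key: bytes):
    """Quote = PCR value || verifier nonce, signed by the TPM (HMAC stands in for the AK signature)."""
    body = pcr + nonce
    return body, hmac.new(ak_key, body, hashlib.sha256).digest()


def verify_quote(body: bytes, sig: bytes, nonce: bytes, ak_key: bytes, golden_pcr: bytes) -> bool:
    """Remote party's check: genuine signature, fresh nonce (no replay), PCR matches the golden value."""
    sig_ok = hmac.compare_digest(hmac.new(ak_key, body, hashlib.sha256).digest(), sig)
    nonce_ok = hmac.compare_digest(body[32:], nonce)
    pcr_ok = hmac.compare_digest(body[:32], golden_pcr)
    return sig_ok and nonce_ok and pcr_ok


# constructed golden boot chain and attestation key for the demo
GOLDEN_CHAIN = [b"firmware 1.2", b"bootloader 3.0", b"kernel 6.1 (signed)"]
GOLDEN_PCR = measure_boot(GOLDEN_CHAIN)
AK_KEY = b"tpm-attestation-key-demo"
```

Because extend is a hash chain, a different kernel, or the same components loaded in a different order, produces a different PCR, and the quote cannot be replayed because the verifier chooses a fresh nonce every time.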
HMAC-based one-time password (HOTP)
HMAC: Hash-based Message Authentication Code
An event-based OTP algorithm (RFC 4226) that uses a shared secret key and an event counter; the counter advances on every use, so a code that has already been accepted cannot be replayed
Token
Physical or digital device that provides two-factor authentication (2FA) for a user to prove their identity in a login process
Additional authentication tools that allow one to prove identity electronically
Static Code Analysis
Method of analyzing a program by examining its source code without executing it
Identifies defects before you run a program; effective at finding classes of bugs such as buffer overflows, but it also reports false positives that need triage
Gait Analysis
A behavioral biometric: an assessment of the way the body moves, usually while walking or running, used to recognize a person
Network Interface Card (NIC) teaming
Hardware component, typically a circuit board or chip, which is installed on a computer so it can connect to a network.
Teaming: The process of combining multiple network cards together for performance, load balancing, and redundancy reasons.
Storage Area Network (SAN)
Specialized, high-speed network that gives multiple servers access to consolidated pools of shared, block-level storage
Full Backup
Copies all source files and folders every time you run the backup, regardless of whether the source files have been changed since the last backup
Incremental Backup
Starts with a full backup. It backs up anything that has changed since the last full or incremental backup
Differential Backup
Backs up anything that has changed since the last full backup
Snapshot
The state of a system at a particular point in time
Tape backup
The practice of periodically copying data from a primary storage device to a tape cartridge so the data can be recovered if there is a hard disk crash or failure
Disk Backup
Data backup and recovery method that backs data up to hard disk storage
Network Access Control (NAC)
The set of rules, protocols, and processes that govern access to network-connected resources
Can be configured on your network devices to deny access to clients that don’t have the latest antivirus signatures or that are running an older version of their operating system
An approach to computer security that attempts to unify endpoint security technology (such as anti-virus, HIP, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation
Persistence
When an attacker discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials
Non-persistent
Stateless. Environment is always in motion, and application instances can be created, changed, or removed at any time. Desktop state is automatically destroyed at regular intervals. Depending on company policy, it could be at each logoff, every night, or even once a week. Nothing is saved
If you shut down computer, all your data remains as-is on your hard drive, you have persistence. If you shut down computer, all the contents of your computer’s memory are erased, that’s non-persistence. With the growth of automation and public cloud, non-persistence has become more important. With non-persistence, you can more easily automate
Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions.
Raspberry Pi
Small single-board computer
Microcomputer
Field-programmable gate array (FPGA)
Integrated circuit designed to be configured by a customer or a designer after manufacturing
Programmable device…used within embedded systems
Electronic component used to build reconfigurable digital circuits
Arduino
Open-source electronics platform based on easy-to-use hardware and software
Refers to an open-source electronics platform or board and the software used to program it
A little computer you can program to do things
SCADA
Supervisory Control and Data Acquisition - Type of ICS (Industrial Control System) that manages large-scale, multi-site devices and equipment spread over a geographic region.
Commonly used by utilities (power, water, pipelines) and manufacturers; often runs legacy protocols with no authentication, so it should be segmented from business networks
IoT
Internet of Things - Objects, electronic or not, connected to the wider Internet through embedded electronic components
Ex. Smart watch, thermostat, smart refrigerator
VoIP
Digital phone service provided by software or hardware devices over a data network.
Technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line
Usually cheaper than a traditional PBX and replacing it; consumes significant bandwidth and needs QoS; inherits IP-network threats (eavesdropping, call interception), so signaling and media should be protected with TLS for SIP and SRTP
MFD
Multi-Function Device - device that performs a variety of functions otherwise carried out by separate devices
Ex. All in one printer (MFP, Multi-Function Printer)
RTOS
Real-time operating system - Operating system for real-time applications that processes data and events that have critically defined time constraints
OS that guarantees real-time applications a certain capability within a specified deadline
Baseband Processor
Chip in a smartphone, tablet or other device that helps convert digital data into radio frequency signals (and vice-versa) which can then be transmitted over a RAN (Radio Access Network).
Manages all the wireless radio functions of a cellular device
Zigbee
Standards-based wireless technology developed to enable low-cost, low-power wireless machine-to-machine (M2M) and internet of things (IoT) networks
Access control vestibules/Man-trap
Part of a physical access control system that typically provides a space between two sets of interlocking doors
One set of the doors must close before the other one can be opened
Ex. Security revolving door, or the two-door vestibule at a data center entrance
Two-person integrity/control
TPI - form of Separation of Duties where the presence or action of two people are required to complete a specific task or action
Faraday cages
Enclosure used to block electromagnetic fields
Air Gap
Physical Separation that will require manual transport of files, patches, and other data between 2 environments.
Security measure that involves physically isolating a computer or network and preventing it from establishing an external connection
Screened subnet (DMZ zone)
Perimeter network that protects an organization’s internal local area network (LAN) from untrusted traffic
Can be built with a single firewall that has three network interfaces (external, screened subnet, internal) or with two firewalls back to back
Hot aisle/Cold aisle
Lining up server racks in alternating rows with cold air intakes facing one way and hot air exhausts facing the other
Key stretching
Used in Cryptography to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key.
Converting a password into a longer, more random key by running it through a deliberately slow, iterated function (PBKDF2, bcrypt, scrypt, Argon2)
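Key stretching with PBKDF2, as an added example (not part of the flashcards): a per-user salt, an iteration count stored next to the hash so it can be raised later, constant-time verification, and a timing helper for choosing the iteration count. The storage format and function names are my own; the check against the RFC 6070 test vectors in the test confirms the derivation itself.

```python
import hashlib
import hmac
import os
import time


def derive_key(password: bytes, salt: bytes, iterations: int,
               length: int = 32, hash_name: str = "sha256") -> bytes:
    """PBKDF2: iterate HMAC so every guess costs the attacker `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, length)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store scheme, iteration count, salt and derived key together so the cost can be raised later."""
    salt = os.urandom(16)                     # per-user salt defeats precomputed tables
    dk = derive_key(password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = derive_key(password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare


def cost_seconds(iterations: int, trials: int = 3) -> float:
    """Wall-clock cost of one derivation; raise iterations until this is roughly 0.1-0.3 s on your hardware."""
    start = time.perf_counter()
    for _ in range(trials):
        derive_key(b"correct horse", b"fixed-salt-16byt", iterations)
    return (time.perf_counter() - start) / trials
```

Stretching multiplies the attacker's per-guess cost by the iteration count, but it does not add entropy: a password from a small dictionary is still found after a small number of (slower) guesses.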
ECC
Elliptic Curve Cryptography – asymmetric technique for encryption, key exchange and signatures; reaches the same security as RSA with much smaller keys (a 256-bit ECC key is roughly comparable to a 3072-bit RSA key)
Used a lot in mobile and other constrained devices because the small keys mean less computation and bandwidth
Provides the public/private key pairs used for key exchange (ECDHE) and signatures (ECDSA) in TLS
Based on the algebraic structure of elliptic curves over finite fields.
Perfect forward secrecy
A property of a key-exchange protocol: each session uses a fresh, short-lived (ephemeral) key pair between client and server
For every session a unique session key is generated and the ephemeral private keys are discarded, so compromise of the server's long-term private key, or of one session key, does not expose the data of any other session
Quantum Computing
A computer that uses quantum mechanics to generate and manipulate quantum bits known as qubits in order to access enormous processing power
Harnesses the laws of quantum mechanics to solve problems too complex for classical computers.
Post-quantum cryptography
Algorithms believed to resist attack by a quantum computer (lattice-, hash- and code-based schemes); needed because Shor's algorithm breaks RSA, Diffie-Hellman and ECC
Ephemeral
A cryptographic key that is generated for each execution of a key-establishment process and that meets other requirements of the key type
*Ephemeral Diffie-Hellman (DHE/ECDHE) is how TLS achieves perfect forward secrecy
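An ephemeral Diffie-Hellman exchange, as an added example covering both the perfect forward secrecy and ephemeral cards (not from the flashcards): each party generates a fresh private exponent per session, validates the peer's public value against small-subgroup tricks, derives the session key and then throws the private exponent away. The group is a deterministically chosen 64-bit safe prime built at import time purely to keep the demo self-contained; real deployments use the RFC 7919 groups or ECDHE. Class and function names are my own.

```python
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin; deterministic with these bases for n < 3.3e24, plenty for the toy group."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int):
    """Smallest safe prime p = 2q + 1 with q >= 2**(bits-1); deterministic, so the group is fixed."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime(64)   # toy-sized group for the demo only
G = 4                   # a square mod p, so it generates the subgroup of prime order Q


class Party:
    def __init__(self):
        self._priv = None

    def new_session(self) -> int:
        """Fresh ephemeral private exponent per session; returns the public value g^x mod p."""
        self._priv = secrets.randbelow(Q - 1) + 1
        return pow(G, self._priv, P)

    def derive(self, peer_pub: int) -> bytes:
        # reject 0, 1, p-1 and anything outside the prime-order subgroup (small-subgroup attacks)
        if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
            raise ValueError("invalid peer public value")
        if self._priv is None:
            raise RuntimeError("no live session")
        shared = pow(peer_pub, self._priv, P)
        self._priv = None    # discard: there is nothing left to steal after the session
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def handshake(alice: Party, bob: Party):
    """Both sides publish g^x and g^y and end up with the same SHA256(g^xy)."""
    a_pub = alice.new_session()
    b_pub = bob.new_session()
    return alice.derive(b_pub), bob.derive(a_pub)
```

Forward secrecy comes from the last line of derive: once the private exponent is gone, a later compromise of either host yields nothing that decrypts a recorded session. The long-term key in a real protocol only signs the ephemeral values to stop an active man-in-the-middle; it never takes part in the secret itself.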
Block Chain
A system of recording information in a way that makes it difficult or impossible to change, hack, or cheat the system
*Public ledger
Peer-to-peer. Each block carries the hash of the previous block, so altering an old block requires recomputing every block after it; the longer the chain, the harder that is
Cipher suite
A named set of algorithms (key exchange, authentication, bulk encryption, integrity/MAC) that a TLS connection negotiates, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Stream cipher
Symmetric key cipher where plaintext digits are combined (XORed) with a pseudorandom keystream, converting plaintext to ciphertext one bit or byte at a time
Fast and suited to data of unknown length, but the keystream must never be reused with the same key: two messages under the same keystream leak their XOR
Block cipher
Symmetric cipher that takes a block of plaintext bits and produces a block of ciphertext bits of the same size
Transforms plaintext one block (64 or 128 bits) at a time; needs a mode of operation (CBC, CTR, GCM) to handle messages longer than one block, and a mode like CTR turns it into a stream cipher
Generally slower than a stream cipher
Symmetric
The use of a single shared secret to exchange encrypted data between parties
Uses the same shared key for encryption and decryption
Same key = symmetric: one key shared between the two people; the hard part is getting that key to the other side safely
Asymmetric
One key is used to encrypt and another is used to decrypt
Two separate, mathematically linked keys
Encrypt with the recipient's public key, decrypt with the private key (for signatures the roles are reversed: sign with the private key, verify with the public key). Public keys can be shared; private keys never are
Much slower than symmetric encryption, so in practice it protects a symmetric session key rather than the bulk data
Lightweight cryptography
Encryption method that features a small footprint and/or low computational complexity
Designed for resource-constrained devices
Steganography
The practice of hiding a secret message, image or file inside something that is not secret (an image, audio file or document), so that the existence of the message itself is concealed
Hiding data, not encrypting it: an attacker who knows the technique can extract the payload, so it is usually combined with encryption
Homomorphic encryption
Enables complex mathematical operations to be performed on encrypted data without compromising the encryption
The conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form
Encryption method that allows calculations to be performed on data without decrypting it first
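The asymmetric and homomorphic cards illustrated with textbook RSA, as an added example (not from the flashcards): encrypt with the public key, decrypt or sign with the private key, and multiply two ciphertexts to get the ciphertext of the product. The same property that makes unpadded RSA multiplicatively homomorphic also makes it malleable, which is why real systems add padding (OAEP, PSS). The primes are the tiny ones from the common worked example (n = 3233); function names are my own.

```python
import hashlib


def keygen(p: int, q: int, e: int = 17):
    """Toy RSA: n = pq, d = e^-1 mod phi(n). Real keys use 2048-bit-plus primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                   # requires gcd(e, phi) == 1
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def sign(priv, msg: bytes) -> int:
    """Signature = hash^d mod n; the private key produces it, anyone with the public key checks it."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n   # reduced mod n only because n is toy-sized
    return pow(h, d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h


def homomorphic_product(pub, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n == E(a * b mod n): computed without the private key or the plaintexts."""
    n, _ = pub
    return (c1 * c2) % n


PUB, PRIV = keygen(61, 53)   # toy primes; PUB == (3233, 17), PRIV == (3233, 2753)
```

The last function is the point of the homomorphic card: a party holding only ciphertexts and the public key can still perform a computation on the hidden values. The malleability check in the test shows its dark side: an attacker can double an encrypted amount without knowing it.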
Use cases
A description of how a product, service or control is meant to be used: the steps involved, when to use it and the goal it serves
Security controls are chosen to fit a use case (e.g. low-power devices call for lightweight cryptography, real-time traffic for low-latency ciphers); the attack scenario a control is intended to prevent or mitigate is its misuse case
Entropy
The randomness a system collects (from hardware noise, interrupt timing, dedicated RNG chips) to seed the random number generators that produce keys, nonces and salts protecting data at rest and in transit
A measure of unpredictability: the number of bits an attacker would have to guess
Too little entropy yields predictable keys, leaving a cryptosystem vulnerable no matter how strong the algorithm is