Domain 2.0: Architecture and Design Flashcards
Types of recovery sites
Hot site - an operational, ready-to-go data center. Fastest recovery and highest cost.
Cold site is the opposite: longest recovery window with lower cost.
Warm site is a compromise between the two.
Honeypot and Honeynet
Used to study actions of hackers and distract them from more valuable data
HSM
Hardware security module is a combination of hardware and software/firmware that is attached to or contained inside a computer to provide cryptographic functions for tamper protection and increased performance.
Type II hypervisor
Software that runs within an operating system environment. It’s also called a hosted hypervisor.
DLP
Data Loss Prevention is a way of detecting and preventing confidential data from being exfiltrated physically or logically from an organization by accident or on purpose.
Public cloud
Shares resources over the Internet.
Public Cloud models
SaaS, PaaS, IaaS
SaaS
Software as a Service involves the delivery of a licensed application to customers over the Internet for use as a service on demand
PaaS
Platform as a Service involves delivery of a computing platform, often an operating system with associated services, over the Internet without downloads or installation.
IaaS
Infrastructure as a Service involves delivery of computer infrastructure in a hosted service model over the Internet.
Hypervisor
Software or hardware layer program that permits the use of many instances of an operating system, or instances of different operating systems, on the same machine, independent of each other.
Type I (native) hypervisor
Software that runs directly on a hardware platform. It’s also known as a bare-metal hypervisor.
Scalability
Capability to handle the changing needs of a system within the confines of the current resources.
Elasticity
Capability to expand and reduce resources as needed at any given point in time
SDN
Software-defined networking is a method for organizations to manage network services through a decoupled underlying infrastructure, allowing quick adjustments to changing business requirements.
IaaS clouds
Consist of workloads deployed across subnets within one or more isolated availability zones that make up the VPC (virtual private cloud) deployed within a geographic region.
IaaS transit gateway
Allows for connection of on-premises networks to cloud-hosted networks.
HIDS
Host Intrusion Detection System is implemented to monitor event and application logs, port access, and other running processes.
Authentication factors
Something you are
Something you have
Something you know,
Somewhere you are and
Something you do.
Biometrics
Iris scans and fingerprints are examples of physical access controls.
Identification
Presenting credentials or a key.
Authentication
Verifying presented credentials
TOTP algorithm
Relies on a shared secret and a moving factor or counter, which is the current time.
HOTP algorithm
Relies on a shared secret and a moving factor or counter.
Username and password
The most common form of authentication.
Token-based authentication
A strong form of authentication requiring possession of the token item.
Biometric authentication
Uses parts of the human body for authentication.
How are brute-force attacks prevented?
Password lockouts
Formal Backup types
Full, incremental and differential. Also, snapshots and copies meet the requirements for certain backup use cases.
Differential backup
Includes all data that has changed since the last full backup, regardless of whether or when the last differential backup was made. It does not reset the archive bit.
Differential backup requires how many backups?
Two - the last full backup and the latest differential backup.
Incremental backup
Includes all data that has changed since the last incremental backup. It does reset the archive bit.
Incremental backup requires how many backups?
The last full backup and every incremental backup since the last full backup.
How do multiple disks and a RAID scheme help?
A system can stay up and run when a disk fails, as well as during the time the replacement disk is being installed and data is being restored.
RAID
Redundant Array of Independent Disks organizes multiple disks into large, high-performance logical disks.
Types of RAID
RAID 0 - Striped disk array without fault tolerance
RAID 1 - Mirroring and duplexing
RAID 5 - Independent data disks with distributed parity blocks
RAID 10 - RAID 1 and RAID 0 combined; requires a minimum of four disks
CASB
Cloud Access Security Broker is a solution that addresses security requirements such as visibility, data protection, threat protection and compliance across public cloud services.
Network load balancers
Servers configured in a cluster to provide scalability and high availability.
Common physical detective controls typically include what?
Motion detectors, CCTV monitors and alarms.
Access control vestibule is what?
Holding area between two entry points in which one door cannot be unlocked and opened until the other door has been closed and locked.
What two issues can occur with HVAC systems?
Overcooling causes condensation on equipment.
A too-dry environment leads to excessive static.
Two types of fire suppression systems
Wet-pipe fire suppression systems use water to suppress fire.
Dry-pipe systems work in exactly the same way as wet-pipe systems, except that the pipes are filled with pressurized air instead of water.
Fire classes and suppression remedies
Class A fires (trash, wood and paper) -> Water decreases the fire’s temperature and extinguishes its flames.
Class B fires (fueled by flammable liquids, gases and grease) -> Foam is used to extinguish a class B fire.
Class C fires (energized electrical equipment, electrical fires and burning wires) -> Put out using extinguishers based on carbon dioxide.
Class D fires involve combustible metals. The extinguishing agents for class D fires are sodium chloride and a copper-based dry powder.
What is PDS and its purpose?
A Protected Distribution System makes physical access difficult by enclosing equipment, and makes electronic access difficult by using different cables and patch panels.
Data centers and server farms make use of alternating rows facing opposing directions. Why?
Fan intakes draw in cool air vented to racks facing the cold aisle, and then fan output of hot air is vented to the alternating hot aisles for removal from the data center.
EMI shielding
Seeks to reduce electronic signals that “leak” from computer and electronic equipment. The shielding can be local, can cover the entire room or can cover the whole building. Two types are TEMPEST shielding and Faraday cages.
Cryptographic technology provides what?
Confidentiality, integrity, nonrepudiation and authentication.
Exchanging keys
Often happens securely “in band” when a secure session needs to be established. Any out-of-band key exchange relies on the key having been shared in advance.
Encryption can be applied to data state which includes the following:
Data at rest
Data in transit
Data in use
Confusion refers to what?
Level of change from the plaintext input to the ciphertext output, which should be significant.
Diffusion would ensure what?
Any change, even minor, to the plaintext input results in significant change to the ciphertext output.
Symmetric Key Algorithm
It depends on a single shared key for encryption and decryption.
What are examples of symmetric key algorithms?
DES, 3DES, RC5 and AES
Asymmetric key algorithms
Use a public key for encryption and a private key for decryption.
What are examples of asymmetric key algorithms?
RSA, Diffie-Hellman, El Gamal, and elliptic curve cryptography standards.
Nonrepudiation
Ensures proof of origin, submission, delivery and receipt.
Block ciphers
They are not as fast, but they encrypt blocks of fixed length and have a higher level of diffusion than stream ciphers, in which encryption is performed bit by bit.
What is elliptic curve cryptography used mostly in?
Mobile and wireless use cases
Hashing algorithm
Mathematical formula to verify data integrity. If hash values are different, the file has been modified.
What type of cryptographic technology should be used in implementations?
Proven and well known cryptographic technologies
ROT13
It is a substitution cipher. The first half of the Roman alphabet corresponds to the second half, and the cipher is its own inverse.
What is perfect forward secrecy?
After a session is complete, both sides in the communication process destroy the session keys.
It is also known as just forward secrecy.
Ephemeral key agreement protocol
They provide perfect forward secrecy. DHE and ECDHE are examples of this.
Bcrypt and PBKDF2 are what?
Key derivation functions (KDFs) primarily used for key stretching, which provides a means to “stretch” a key or password, making an existing key or password stronger.
Blockchains
Digital ledgers with transactions grouped into cryptographically linked blocks
Adding a salt would prevent what?
Rainbow table attack on password hashes.