Domain 2.0: Architecture and Design

Question 1

Types of recovery sites

Answer 1

Hot site - operational ready-to go data center. Fastest recovery and highest cost

Cold backup site is the opposite. Longest recovery window with lower cost.

Warm site is a compromise of both.

Question 2

Honeypot and Honeynet

Answer 2

Used to study actions of hackers and distract them from more valuable data

Question 3

HSM

Answer 3

Hardware security module is a combination of hardware and software/firmware that is attached to or contained inside a computer to provide cryptographic functions for tamper protection and increased performance.

Question 4

Type II hypervisor

Answer 4

Software that runs within an operation system environment. It’s also called hosted hypervisor.

Question 5

DLP

Answer 5

Data Loss Prevention is a way of detecting and preventing confidential data from being exfiltrated physically or logically from an organization by accident or on purpose.

Question 6

Public cloud

Answer 6

Shares shared resources over the Internet

Question 7

Public Cloud models

Answer 7

SaaS, PaaS, IaaS

Question 8

SaaS

Answer 8

Software as a Service involves the delivery of a licensed application to customers over the Internet for use as a service on demand

Question 9

PaaS

Answer 9

Platform as a Service involves delivery of a computing platform often an operating system with associated services, over the Internet without downloads or installation.

Question 10

IaaS

Answer 10

Infrastructure as a Service involves delivery of computer infrastructure in a hosted service model over the Internet.

Question 11

Hypervisor

Answer 11

software or hardware layer program that permits the use of many instances of an operating system or instance of different operating systems on the same machine, independent of each other

Question 12

Type I native

Answer 12

software that runs directly on a hardware platform. It’s also known as bare-metal hypervisor.

Question 13

Scalability

Answer 13

Based on capability to handle the changing needs of a system within the confines of the current resources.

Question 14

Elasticity

Answer 14

Capability to expand and reduce resources as needed at any given point in time

Question 15

SDN

Answer 15

Software-defined networking is a method for organizations to manage network services through a decoupled underlying infrastructure, allowing quick adjustments to changing business requirements.

Question 16

IAAS clouds

Answer 16

consists of workloads deployed across subn ets within one or more isolated availability zones that make up the VPC (virtual private cloud) deployed within a geographic region.

Question 17

IaaS transit gateway

Answer 17

Allows for connection of on-premise networks to cloud-hosted networks

Question 18

HIDS

Answer 18

Host Intrusion Detection System is implemented to monitor event and application logs, port access, and other running processes.

Question 19

Authentication factors

Answer 19

Something you are

Something you have

Something you know,

Somewhere you are and

Something you do.

Question 20

Biometrics

Answer 20

Iris scan, fingerprint are examples of physical access control

Question 21

Identification

Answer 21

presenting credentials or key

Question 22

Authentication

Answer 22

Verifying presented credentials

Question 23

TOTP Algorithim

Answer 23

Relies on a shared secret and a moving factor or counter which is current time

Question 24

HOTP algorithm

Answer 24

Relies on shared secret and a moving factor or counter.

Question 25

Username and password

Answer 25

A most common form of authentication

Question 26

Token-based authentication

Answer 26

Strong form requiring possession of the token item

Question 27

Biometric authentication

Answer 27

Uses parts of human body for authentication

Question 28

How is brute force attacks prevented

Answer 28

Password lockouts

Question 29

Formal Backup types

Answer 29

Full, incremental and differential. Also, snapshots and copies meet requirement for certain backup use cases.

Question 30

Differential backup

Answer 30

Includes all data that has cjhanged since the last full backup regardless of whether or when last differential backup was made. It does not reset the archive bit.

Question 31

Different backup requires how many backups?

Answer 31

Two – last full backup and latest differential backup.

Question 32

Incremental backup

Answer 32

Includes all data that has changed since the last incremental backup. It does reset archive bit.

Question 33

Incremental backup require how many backups?

Answer 33

Last full backup and every incremental backup since the last full backup.

Question 34

How does multiple disks and a RAID scheme help?

Answer 34

A system can stay up and run when a disk fails, as well as during the time the replacement disk is being installed and data is being restored.

Question 35

RAID

Answer 35

Redundant Array of Independent Disk organizes multiple disk into large, high performance logical disks

Question 36

Type of RAID

Answer 36

RAID 0 - Striped disk array without fault tolerance

RAID 1 - Mirroring and Duplexing

RAID 5 - Independent data disks with distributed parity blocks

RAID 10 - RAID 1 and RAID 0; require a minimum of four disks

Question 37

CASB

Answer 37

Cloud Access Security Broker is a solution that addresses security requirements such as visibility, data protection, threat protection and compliance across public cloud services.

Question 38

Network load balancers

Answer 38

Server configured in a cluster to provide scalability and high availability.

Question 39

Common physical detective control typically includes what?

Answer 39

Motion detectors, CCTV monitors and alarms.

Question 40

Access control vestibule is what?

Answer 40

Holding area between two entry points in which one door cannot be unlocked and opened until the other door has been closed and locked.

Question 41

What two issues can occur with HVAC systems?

Answer 41

Overcooling causes condensation on equipment.

Too-dry environment lead to excessive static.

Question 42

Two types of fire suppression systems

Answer 42

Wet-pipe fire suppression system - they use water to suppress fire.

Dry-pipe systems work in exact the same way as wet-pipe system except that the pipes are filled with pressurized air instead of water.

Question 43

Fire classes and suppression remedies

Answer 43

Class A fires (trash, wood and paper) –> Water decrease the fire’s temperature and extinguishes its flames.

Class B fire (fueled by flammable liquid, gases and grease) —> foam is to extinguish the class B fire.

Class C fire (energized electrical equipment, electrical fires and burning wires) are put out using extinguishers based on carbon dioxide.

Class D fires involve combustible metals. The extinguishing agent for class D fires are sodium chloride and a copper-based dry powder.

Question 44

What is PDS and its purpose?

Answer 44

Protected Distribution System is to make physical access difficult by enclosing equipment and to make electronic access difficult by using different cables and patch panels.

Question 45

Data center and server farms makes use of alternative rows facing opposing directions. Question is why?

Answer 45

Fan intakes draw in cool air vented to racks facing the cold aisle, and then fan output of hot air is vented to the alternating hot aisles for removal from the data center.

Question 46

EMI shielding

Answer 46

Seeks to reduce electronic signals that “leak” from computer and electronic equipment. The shielding can be local, can cover the entire room or can cover the whole building. Two types are TEMPEST shielding and Faraday cages.

Question 47

Cryptographic technology provides what?

Answer 47

Confidentiality, integrity, nonrepudiation and autthentication

Question 48

Exchanging key

Answer 48

Often happens securely “in band” during need to establish a secure session. Any type of out-of-band key exchange relies on having been shared in advance.

Question 49

Encryption can be applied to data state which includes the following:

Answer 49

Data at rest
Data in transit
Data in use

Question 50

Confusion refers to what?

Answer 50

Level of change from plaintext input to the ciphertext output which should be significant.

Question 51

Diffusion would ensure what?

Answer 51

Any change, even minor, to the plaintext input results in significant change to the ciphertext output.

Question 52

Symmetric Key Algorithm

Answer 52

It depends on single shared key for encryption and decryption.

Question 53

What are examples of symmetric key algorithim?

Answer 53

DES, 3DES, RC5 and AES

Question 54

Asymmetric key algorithms

Answer 54

Uses a public key for encryption and a private key for decryption.

Question 55

What are examples of asymmetric key algorithms?

Answer 55

RSA, Diffie-Hellman, El Gamal, and elliptic curve cryptography standards.

Question 56

Nonrepudiation

Answer 56

Ensures proof or orcin, submission, delivery and receipt.

Question 57

Block ciphers

Answer 57

They are not as fast, but they encrypt on blocks of fixed length and have a higher level of diffusion compared to stream in which encryption is performed bit by bit.

Question 58

What is elliptic curve cryptography used mostly in?

Answer 58

Mobile and wireless use cases

Question 59

Hashing algorithm

Answer 59

Mathematical formula to verify data integrity. If hash values are different, the file has been modified.

Question 60

What type of cryptographic technology should be used in implementations?

Answer 60

Proven and well known cryptographic technologies

Question 61

ROT13

Answer 61

It is a substitution cipher. The first half of Roman alphabet corresponds to the second half, and it is inverse in nature.

Question 62

What is perfect forward secrecy?

Answer 62

After a session is complete, when both sides in the communication process destroy the keys.

It is also known as just forward secrecy.

Question 63

Ephemeral key agreement protocol

Answer 63

They provide perfect forward secrecy. DHE and ECDHE is an example of this.

Question 64

Bcrypt and PBKDF2 is what?

Answer 64

Key derivation functions (KDFs) that are primarily used for key stretching which provides a means to “stretch” a key or password, making an existing key or password stronger.

Question 65

Blockchains

Answer 65

Digital ledgers with transactions grouped into cryptographically linked blocks

Question 66

Adding a salt would prevent what?

Answer 66

Rainbow table attack on password hashes.