Domain 3 Flashcards
Infrastructure as a Service (IaaS)
Customer is responsible for configuring VMs, virtual networks and guest OS security as if the systems were on premises. CSP is responsible for the physical components, the internal network and the tools provided.
Platform as a Service (PaaS)
CSP is responsible for the physical components, the internal network, and the tools provided. Cheaper for the customer but less control.
Software as a Service (SaaS)
Customer is responsible for configuring access to the cloud service for their users, and shares responsibility for data recovery.
Public Cloud
Everything runs on the cloud provider's hardware
Private Cloud
Cloud environment in your data centre
Hybrid Cloud
Combines Public and Private Cloud
Multi Cloud
Two or more public cloud providers
Multitenancy
Logical isolation between customers sharing the same CSP infrastructure
Infrastructure as Code
Management of infrastructure (networks, VMs, load balancers and connection topology) described in code. It is a key DevOps practice and is used in conjunction with continuous integration and continuous delivery
Serverless Architecture
Cloud computing execution model in which the cloud provider dynamically manages the allocation and provisioning of servers
Microservices
Microservices are an architectural style in software development where a system is built as a collection of small, independent, and loosely coupled services. Each service is designed to perform a specific business function and communicates with other services through well-defined APIs.
Logical segmentation
VLANs (Layer 2) - Logically segment a local area network into subnetworks
VPN
Creates an encrypted tunnel between devices or networks to pass traffic, using protocols such as IPsec
Virtual routing and forwarding
Allows a single router or switch to function as multiple virtual routers or switches.
Software-Defined Networking (SDN)
Network architecture approach that enables the network to be centrally controlled or programmed using software. Has the capacity to reprogram the data plane at any time. Use cases include SD-LAN and SD-WAN
Containerization
Lightweight, portable way to package applications for multiple platforms
Virtualization
Server virtualization is the process of dividing a physical server into multiple unique and isolated virtual servers by means of a software application (hypervisor)
VM Escape
Where an attacker gains access to a VM and then attacks the host machine that holds all the VMs, the hypervisor, or any other VMs
VM Sprawl
Unmanaged VMs on the network
IoT (Internet of Things)
Connected to the internet. Elliptic curve cryptography (smaller keys). Limited compute resources and limited ability to patch
SCADA (Supervisory Control and Data Acquisition)
Large amounts of industrial equipment. Do not allow direct access, for greater security. Should be segmented
RTOS (Real-Time Operating Systems)
Smart devices like wearables and embedded systems. Operate with very specific scheduling.
Embedded Systems
Technology component of an IoT device. A full computer system embedded inside another, larger system (examples: GPS, drones, VoIP phones)
Availability
Ensuring a system or service is accessible to authorised users when needed
Resilience
System's ability to handle disruptions
Responsiveness
Ability to respond to user requests or events in a timely manner
Scalability
Ability to scale resources
Ease of deployment
Complexity and effort required for implementation
Risk Transference
Security risks mitigated by transferring some responsibility to third parties
Intranet
A private network that is designed to host information internal to the organisation
Extranet
Section of an organisation's network that has been sectioned off to act as an intranet for the private network but also serves information to external business partners
Screened Subnet
DMZ / perimeter network
Attack vectors
Consist of all the threat vectors to which a system is exposed
Fail-Open
Allows everything to pass through the system when it fails. No security controls are enforced. There is no disruption to network activity
Fail-Closed
Nothing can pass through the system when it fails. No security controls are ignored; network traffic is disrupted
NIPS/NIDS - Inline
Placed near the firewall as an additional layer of security
NIPS/NIDS - Tap (Out of band)
Replicates traffic. Active taps require power to operate. Passive taps do not require power to operate
Jump Server
Placed on a screened subnet; allows admins to connect remotely to the network
Forward Proxy
Server that controls requests from clients seeking resources on the internet or on an external network
Reverse Proxy
Placed on a screened subnet; performs the authentication and decryption of a secure session to enable it to filter the incoming traffic
IDS
Analyses whole packets, both headers and payload, looking for known events. When a known event is detected, a log is generated
IPS
Analyses whole packets, both headers and payload, looking for known events. When a known event is detected, the packet is rejected
HIDS/HIPS
Host-based IDS/IPS - Monitors activity on a single system
NIDS/NIPS
Network-based IDS/IPS - Monitors activity on a network
Behaviour Based
Uses a baseline of activity to identify normal behaviour
Signature Based
Uses signatures - Used for known attack methods
NIC
Network Interface Card - Dual network cards can be paired together to give maximum throughput
802.1x
An IEEE standard for port-based network access control. It is an authentication process
EAP
Extensible Authentication Protocol - Allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies
PEAP
Encapsulates EAP within a TLS tunnel
LEAP
LEAP is insecure
EAP-TLS
Secure version of wireless authentication; requires X.509 certificates. Involves three parties
EAP-TTLS
Uses two phases
Static Packet-Filtering Firewall
Operates at layer 3 - Filters traffic by examining data in the message header
Application Level Firewall
Operates at layer 7 - Filters traffic based on a single internet service, protocol or application
Circuit Level Firewall
Operates at layer 5 - Used to establish communication sessions between trusted partners
Stateful Inspection Firewall
Evaluates the state, session or context of network traffic
Stateless Firewall
Watches network traffic. Blocks packets based on source and destination addresses or other static values. Handles heavier traffic loads
Stateful
Can watch traffic streams from end to end
WAF (Web Application Firewall)
Filters HTTP traffic (protects against XSS, CSRF, SQL injection)
NGFW (Next Generation Firewall)
Deep packet inspection firewall. Adds application-level inspection and IPS, and brings in threat intelligence from outside. It is multifunctional
Deep Packet Inspection
Filters on both the header and the payload
Unified Threat Management
Multifunction device (IDS, IPS, TLS/SSL proxy, web filtering, bandwidth throttling, NAT, VPN anchoring, antivirus)
Split Tunnel
Only traffic destined for the corporate network goes through the tunnel; internet traffic goes directly through the normal route
IPsec Protocols
AH (Authentication Header) and ESP (Encapsulating Security Payload). AH does not perform encryption; ESP provides data confidentiality, integrity and data origin authentication
SD-WAN (Software-Defined Wide Area Network)
Enables users in branch offices to remotely connect to the enterprise network. Security is based on IPsec, VPN tunnels, NGFW and micro-segmentation
SASE (Secure Access Service Edge)
Related to Zero Trust Architecture - Brings together networking and security functions and delivers them as an integrated cloud service (includes firewall, antimalware, secure web gateway, DLP, IPS, CASB)
Regulated Data
Data subject to specific laws and regulations governing its collection, storage and use. Examples: PHI, financial information, PII
Trade Secret
Intellectual property of the inventor, e.g. formulas, product designs
Intellectual Property
Creations of the mind - intangible assets: patents (20 years), copyrights, trademarks (10 years), trade secrets (must be disclosed), copyright (70 years)
Financial Information
Financial records (GLBA and PCI DSS)
Public Data
Freely accessible information intended for the general public
Private Data
Information about an individual that should be kept confidential (PII, PHI)
Confidential Data
Data the organisation intends to keep secret within a designated group
Restricted Data
Subject to external regulations or legal requirements
Sensitive Data
Information that is not publicly known (includes private, confidential and restricted data)
Restricted Data
Subject to external regulations or legal requirements that limit access and control its handling
Full Disk Encryption
Helps to encrypt Windows and Linux IaaS VMs, using BitLocker for Windows and dm-crypt for Linux
Transparent Data Encryption
Helps to protect SQL databases and data warehouses against the threat of malicious activity with real-time encryption and decryption of the database
Data Sovereignty
Data is subject to the laws and regulations of the country in which it was created. It cannot be moved to another region. Data is subject to the laws of where it is stored
Geolocation
Uses GPS to give the actual location of a mobile device - "somewhere you are"
Encryption
Two-way function (symmetric and asymmetric)
Hashing
One-way function that scrambles plaintext to produce a unique message digest
Data Masking
Only part of the data is left visible in a data field
Tokenization
Meaningful data is replaced with a randomly generated token, and the original data is held in a vault
Pseudonymization
De-identification procedure in which PII fields within a data record are replaced by one or more artificial identifiers or pseudonyms
Anonymization
Process of removing all relevant data so that it is impossible to identify the original subject or person
Obfuscation
Intentionally making data less readable or understandable
Segmentation
Method of dividing data into smaller, isolated segments
Clustering
Combines multiple servers into a single, highly available entity, ensuring continuous service even when individual servers fail
Platform Diversity
Utilizing a mix of different platforms
COOP (Continuity of Operations)
Procedures and Resources to maintain critical business functions
Cold Site
A data centre space
Warm Site
Preventative site
Hot Site
A hot site allows you to keep servers and a live backup site up and running
Capacity Planning
Process of proactively assessing and ensuring that an organisation has sufficient resources
Tabletop
Structured walkthrough - paper-based, hypothetical (talking only)
Failover
Shut down the primary site and test the recovery site
Simulation
Test the plans in a simulated operational environment
Parallel Processing
Activating the recovery site during the test
Onsite / Offsite
Onsite - physical location; Offsite - separate location
Snapshot
Point-in-time copies of data at a specific moment - Common with VMs
Recovery
Restoring data from a backup to its original location or a new location
Replication
Creating identical copies of data in multiple locations
Journaling
Transaction logging; records all changes made to data in a sequential log file
UPS (Uninterruptible Power Supply)
Self-charging battery - when primary power fails, it provides power
Generator
Standby power source powered by diesel, gasoline, propane or natural gas for an extended period of time