Domain 3: Security Architecture Flashcards

1
Q

Architecture models

Objective 3.1

A
2
Q

Cloud service models

A
  • three dominant models are used in cloud services:
    • Software-as-a-Service (SaaS)
    • Platform-as-a-Service (PaaS)
    • Infrastructure-as-a-Service (IaaS)
  • each model leaves more or less of the management burden with the cloud customer (client)
  • each model shifts responsibility from provider to client or from client to provider (the shared responsibility model)
3
Q

SaaS

A
  • Software-as-a-Service (SaaS)
    • cloud service model where the provider manages the entire cloud infrastructure, including network, servers, operating systems, storage and the application itself
    • the client simply pays for the service and accesses the application, typically via a website or an application programming interface (API)
4
Q

PaaS

A
  • Platform-as-a-Service (PaaS)
    • cloud service model which lies between SaaS and IaaS: the provider manages all hardware components of the cloud infrastructure (network, servers, storage) plus the operating system, and provides a basic web application or database platform
    • to turn this platform into a product, software development is required on the part of the cloud client
5
Q

IaaS

A
  • Infrastructure-as-a-Service (IaaS)
    • cloud service model which gives the greatest amount of responsibility to the customer. The cloud provider supplies only the infrastructure components (hardware), such as servers, storage and networking.
    • clients are responsible for provisioning virtual machines on the hosted servers, patching operating systems, creating databases, building applications and everything else except managing the underlying infrastructure components
6
Q

Cloud deployment models

A
  • a private cloud is one where an organization owns the entire cloud infrastructure and uses it internally. Hosted private means a third party provides that organization with dedicated cloud infrastructure.
  • a public cloud is hosted by a third party and anyone with an Internet connection can access and subscribe to it
  • a hybrid cloud is one that mixes public and private access, combining multiple cloud deployment models into one
  • a community cloud is a private cloud that is shared among multiple organizations with common requirements
7
Q

Virtualization

A
  • Running several virtual machines on one physical computer
  • Software-defined networking (SDN)
    • Firewalls, switches and servers were traditionally dedicated hardware. Inside, they are just dedicated computers running software, so why not virtualize them too? Virtualizing them lets companies save on cost and space.
  • Containerization
    • Applications can be packaged together with their dependencies into an isolated virtual environment, reducing the risk of security breaches. Since developers know exactly what environment the application will run in, they can test it easily and have a higher level of confidence in the security of the application in that environment.
8
Q

Infrastructure-as-code

A
  • using automation to create and tear down virtual machines and to configure/alter software-defined networking instances from version-controlled definition files
  • reduces the need to be "hands-on" with data center operations
9
Q

Serverless

A
  • Serverless architecture (also known as serverless computing or function as a service, FaaS) is a software design pattern where applications are hosted by a third-party service, eliminating the need for server software and hardware management by the developer
  • Applications are broken up into individual functions that can be invoked and scaled individually
  • Hosting an application on the Internet usually involves managing some kind of server infrastructure: typically a virtual or physical server that needs to be managed, as well as the operating system and the other web server hosting processes required for your application to run. Serverless hands that layer to the provider.
10
Q

Microservices and APIs

A
  • Microservices
    • architectural style for web applications where the functionality is divided up across small web services
    • software development technique, a variant of the service-oriented architecture (SOA) style, that structures an application as a collection of loosely coupled services
    • microservices are often connected via APIs and can share some of the same services and tools
  • APIs (Application Programming Interfaces)
    • set of subroutine definitions, communication protocols and tools for building software
    • framework through which developers (and other services) interact with a web application
11
Q

Network infrastructure

A
  • physical isolation
    • Air-gapped (no wired or wireless connection to any other network)
  • Logical segmentation
  • On-premises
12
Q

Software – defined networking

A
  • using software to manage a network by separating the control plane (decisions about where traffic goes) from the data plane (traffic forwarding). Often used together with cloud computing.
  • addresses the widespread use of mobile devices, virtualization and cloud computing. The dynamic nature of modern networks makes the traditional hierarchical approach less effective
13
Q

Embedded systems

Slide 167

A
  • An embedded system is a computer with a dedicated function built into a larger device, such as a smart washer/dryer, thermostat or traffic light
  • embedded systems have traditionally been built with low levels of security, and end users are often unaware of the need to change default credentials and/or perform updates on these types of devices
  • Examples of embedded platforms:
    • Raspberry Pi
    • Arduino
    • ESP32
14
Q

Embedded systems continued

A

-Industrial Control Systems (ICS)

  • Used to monitor, connect and control large industrial equipment
  • If there's a valve to turn, a gauge to read or a meter to read, chances are it's an ICS these days

-SCADA systems

  • supervisory control and data acquisition (SCADA) systems
  • these devices and their networks should be shielded from outside connections, as they often control systems critical to an area's infrastructure
  • ex: the Stuxnet worm was used to attack an air-gapped SCADA system at the Iranian Natanz nuclear facility
15
Q

Embedded systems continued

Slide 170

A
  • Real-time operating system (RTOS)
    • Used to control devices that need to respond in real time and minimize reboots/crashes
    • Example: an aircraft autopilot or fly-by-wire controls. If a flight correction is needed, the operating system cannot afford to wait for other processes to end. It must immediately make the necessary corrections
  • Special purpose
    • Medical devices, vehicles, smart meters and unmanned aerial vehicles (UAVs) are all special-purpose devices
    • Like any other device they have firmware/operating systems that could be compromised
      • Given the sensitivity of the data and functions involved, a compromise can prove disastrous
16
Q

Embedded architecture considerations

Slide 171

A
  • Availability
  • Resilience
  • Cost
  • Responsiveness
  • Scalability
  • Ease of deployment
  • Ease of recovery
  • Patch availability
  • Inability to patch
  • Power
  • Compute
17
Q

Enterprise Security

Objective 3.2

A

Slide 172

18
Q

Failure modes

A
  • Things go wrong. When something fails, what is the best way to handle the outage?
  • two choices when designing a security control:
    • Fail-open - allow access in the event of a system failure (favors availability)
    • Fail-closed - deny access in the event of a system failure (favors security)
19
Q

Inline security

A
  • Inline detection
    • performed by having the packets pass through the detection system
    • allows for active prevention of an attack as it occurs (e.g., NIPS); the device is also in the traffic path, so its failure mode (fail-open or fail-closed) matters
  • passive detection
    • inspects a copy of the traffic from outside the path. The system is tapped into the network (mirror port or TAP) but is not part of the network connectivity.
    • action taken is reactive, as it must happen after rather than during the detection (e.g., NIDS)
20
Q

Network appliances

A

• Jump server

• Proxy server

• IDS/IPS

• Load balancer

21
Q

Jump server or jump box

Slide 176

A

• System used to manage devices in a separate security zone

• Jump servers are hardened and monitored, sit between separate security zones and provide a controlled means of access between them

• Also known as a jump box or bastion host

22
Q

Proxy server

A

Proxy
- an application that breaks the connection between client and server

  • communications are processed by the proxy when entering or leaving a network and are then forwarded to the recipient if accepted by the proxy

Forward versus reverse

  • A forward proxy is usually referred to simply as a proxy. A proxy proxies for clients, meaning that the proxy makes requests and receives responses on behalf of internal clients.
  • A reverse proxy does the opposite. It proxies on behalf of servers, receiving requests and forwarding responses on behalf of internal servers.
23
Q

Proxy server (continued)

A

Transparent proxy

  • A proxy that receives and forwards traffic without modifying it (similar to how looking through a clear window does not modify the view)
  • uses include caching, filtering and acting as a gateway
  • conversely, a non-transparent proxy is one which modifies traffic sent through it
24
Q

Intrusion detection system (IDS)

A

Network Intrusion Detection System (NIDS)

  • monitors network traffic looking for malicious activity
  • If malicious activity is found, a NIDS logs and reports the activity without taking direct action (passive detection)
  • essentially a packet sniffer which identifies and logs malicious traffic; a NIDS is connected in such a way that it monitors traffic, but traffic does not flow through it
25
Q

Intrusion Prevention System (IPS)

A

Network Intrusion Prevention System (NIPS)

  • monitors network traffic looking for malicious activity and is connected inline, so that traffic must flow through the NIPS device
  • If malicious activity is found, a NIPS can take action immediately to remediate the threat (e.g., drop the packets or reset the connection), as well as block it in the future (inline detection)
26
Q

Load balancer

A

• uses a scheduling algorithm to distribute client requests among a pool of available servers, ensuring individual servers don't receive too much traffic

• clients connect to the load balancer, and it chooses which server to assign the request to

• allows for fault tolerance; if one server fails (detected by health checks), client requests can simply be sent to a different server

27
Q

Load balancer (continued)

A

Round robin

  • Method of scheduling where the server nodes are set into a certain order and each incoming request is simply passed on to the next server in the list. Once the end of the list is reached, loop back to the beginning of the order.

Other methods of scheduling

  • Least connections: select the server which currently has the fewest open connections
  • Fastest response: select the server which responds fastest
28
Q

Load balancer (continued)

A

Affinity (sticky session)

  • If using affinity, once a client is matched with a server, it will remain with that same server for the remainder of its communication session
  • Clients are "stuck" with their server
  • Can be accomplished by caching client IP addresses and/or by using a session identifier (e.g., a cookie)
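
Added example (not from the original flashcards) tying together the three load balancer cards above: a small Python load balancer with round robin, least connections and fastest-response scheduling, sticky sessions keyed by client address, a hash-based alternative that needs no per-client table, and removal of a failed server from rotation. The LoadBalancer class, the server names and the client addresses are constructed for illustration.

```python
"""Load balancer scheduling: round robin, least connections, fastest
response, sticky sessions (affinity) and failure handling.

Added example, not from the original flashcards; server names, client
addresses and timings below are constructed for illustration.
"""
import hashlib


class LoadBalancer:
    def __init__(self, servers, method="round_robin", sticky=False):
        self.servers = list(servers)          # fixed order used by round robin
        self.healthy = set(self.servers)
        self.method = method
        self.sticky = sticky
        self._rr_pos = 0
        self.active = {s: 0 for s in self.servers}   # open connections per server
        self.rtt = {s: 0.0 for s in self.servers}    # last measured response time (s)
        self.affinity = {}                           # client -> pinned server

    def mark_down(self, server):
        """Health check failed: stop routing to it and drop affinities to it, so
        stuck clients get re-pinned to a live server on their next request."""
        self.healthy.discard(server)
        for client in [c for c, s in self.affinity.items() if s == server]:
            del self.affinity[client]

    def mark_up(self, server):
        self.healthy.add(server)

    def _round_robin(self):
        # advance through the fixed list, skipping unhealthy nodes, wrap at the end
        n = len(self.servers)
        for _ in range(n):
            s = self.servers[self._rr_pos % n]
            self._rr_pos += 1
            if s in self.healthy:
                return s
        raise RuntimeError("no healthy servers")

    def pick(self, client):
        """Choose a server for one incoming request from `client`."""
        if not self.healthy:
            raise RuntimeError("no healthy servers")
        if self.sticky and client in self.affinity:
            return self.affinity[client]          # affinity wins over scheduling
        pool = [s for s in self.servers if s in self.healthy]
        if self.method == "round_robin":
            s = self._round_robin()
        elif self.method == "least_connections":
            s = min(pool, key=lambda x: (self.active[x], self.servers.index(x)))
        elif self.method == "fastest":
            s = min(pool, key=lambda x: (self.rtt[x], self.servers.index(x)))
        elif self.method == "ip_hash":
            # stateless affinity: same client address always hashes to the same
            # server, at the cost of remapping clients when the pool changes
            digest = hashlib.sha256(client.encode()).digest()
            s = pool[int.from_bytes(digest[:4], "big") % len(pool)]
        else:
            raise ValueError(f"unknown method {self.method!r}")
        if self.sticky:
            self.affinity[client] = s
        return s

    def begin(self, client):
        """A connection opens: pick a server and count the connection."""
        s = self.pick(client)
        self.active[s] += 1
        return s

    def end(self, server, rtt):
        """A connection closes; record how fast the server answered."""
        self.active[server] -= 1
        self.rtt[server] = rtt


if __name__ == "__main__":
    lb = LoadBalancer(["web1", "web2", "web3"], sticky=True)
    print([lb.pick(c) for c in ("198.51.100.7", "198.51.100.8", "198.51.100.7")])
    lb.mark_down("web1")
    print(lb.pick("198.51.100.7"))   # re-pinned away from the failed node
```

Sticky sessions are checked before the scheduling algorithm, which is why a pinned client never rotates; the mark_down path shows the cost of affinity, since clients pinned to a failed server lose their session state when they are re-pinned.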
29
Q

Load balancer (continued)

A

Active-active vs. active-passive configuration

  • Active-active
    • all load balancing servers are active and used to process requests
    • if a server fails, its workload gets pushed onto the remaining servers, resulting in each server having a higher workload
  • Active-passive
    • uses a redundant inactive (passive) server in addition to those which are active
    • if an active server fails, its workload is pushed onto the passive server, and the performance of the other servers is not affected
    • more costly, as it requires an unused system to be running on standby in case of failure
30
Q

Sensors

Slide 185

A

• monitor and/or record network traffic, much like a packet sniffer

• traffic flows into the sensor via a mirrored switch port or an inline TAP

• a sensor can be part of ongoing surveillance or used for an investigation

• logging and storing packets can eat up an enormous amount of storage

  • sure, it's nice "just in case", but do you need everything?
31
Q

Port security

A

• switches have the ability to control who will be able to communicate over a port (MAC filtering)

• using the Extensible Authentication Protocol (EAP) via 802.1X, the switch requires devices to provide correct authentication data before activating a port

• DHCP snooping can be enabled so that only trusted ports may carry Dynamic Host Configuration Protocol (DHCP) server replies, blocking rogue DHCP servers

• disable unused ports

32
Q

Firewalls

A

• filter data entering and exiting the organization's network

33
Q

Firewalls (continued)

A

Access Control Lists

  • list of rules that allow or deny traffic based on conditions, including:
    • source IP address
    • destination IP address
    • source port number
    • destination port number
    • protocol
  • rules are evaluated top to bottom; the first matching rule wins, so rule order matters
  • the last rule is often an "implicit deny"
    • if traffic has not been explicitly allowed or denied by a previous rule, deny it
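
Added example (not from the original flashcards) of first-match, top-to-bottom ACL evaluation with an implicit deny at the end, plus a check for rules that an earlier rule fully covers and that therefore can never fire (a common ordering mistake). The Rule dataclass, the rule syntax, the packet dictionaries and the sample addresses are constructed for illustration and do not correspond to any particular firewall product.

```python
"""Top-to-bottom firewall ACL evaluation with an implicit deny.

Added example, not from the original flashcards. The rule syntax, the
shadowing check and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")


def _net(spec: str):
    """Turn 'any' or a CIDR string into an ip_network."""
    return ANY_NET if spec == "any" else ip_network(spec)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # source CIDR or "any"
    dst: str                      # destination CIDR or "any"
    dport: Optional[int] = None   # destination port; None means any port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in _net(self.src):
            return False
        if ip_address(pkt["dst"]) not in _net(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


def evaluate(rules, pkt):
    """First match wins, scanning top to bottom. Returns (action, index of
    the matching rule); index is None when nothing matched and the implicit
    deny at the bottom of the list applies."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches rule b also matches rule a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed_rules(rules):
    """Return (shadowed, shadowing) index pairs: a rule placed below one that
    fully covers it can never fire, whatever its action says."""
    found = []
    for j in range(len(rules)):
        for i in range(j):
            if _covers(rules[i], rules[j]):
                found.append((j, i))
                break
    return found


# Constructed sample rule set: public HTTPS to a web server, then LAN access
# to an admin host with SSH denied before the broader allow.
RULES = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),
    Rule("deny", "tcp", "10.0.0.0/8", "10.10.0.5/32", 22),
    Rule("allow", "tcp", "10.0.0.0/8", "10.10.0.5/32"),
]

# Same rules with the deny moved below the allow: the deny is now shadowed.
BAD_ORDER = [RULES[0], RULES[2], RULES[1]]

if __name__ == "__main__":
    samples = [
        {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
        {"proto": "tcp", "src": "10.1.2.3", "dst": "10.10.0.5", "dport": 22},
        {"proto": "tcp", "src": "10.1.2.3", "dst": "10.10.0.5", "dport": 8080},
        {"proto": "udp", "src": "10.1.2.3", "dst": "10.10.0.5", "dport": 53},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed in BAD_ORDER:", shadowed_rules(BAD_ORDER))
```

The UDP packet in the sample set matches nothing and is dropped by the implicit deny, and the same SSH packet is denied under RULES but allowed under BAD_ORDER, which is exactly what the shadowing check flags.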
34
Q

Firewalls (continued)

A

Web Application Firewall (WAF)

  • specific type of application firewall with the purpose of protecting web servers by filtering HTTP(S) traffic and blocking attacks using signatures and pattern matching
  • Generally used to prevent injection (e.g., SQL injection, cross-site scripting) and denial of service attacks
  • Can be utilized to protect the backend database associated with the web server, as well as the web server itself

Next Generation Firewall (NGFW)

  • Combines traditional firewall technology with other network device filtering functions, such as an application firewall with deep packet inspection
  • Can also perform TLS/SSL encrypted traffic inspection, web filtering, bandwidth management, etc.
35
Q

Endpoint detection and response (EDR)

A

Endpoint Detection and Response (EDR)

  • integrated endpoint security: continuous monitoring and collection of endpoint data, combined with rule-based automated response and analysis capabilities

Unified Threat Management (UTM)

  • service or appliance that offers protection against a wide variety of threats through a single platform, rather than having separate products for different security functions
  • Typically contains some mix of firewall, IDS/IPS, DLP, SIEM and proxy capabilities
36
Q

Virtual Private Networks

A

Remote access

  • clients use their local network to connect to the VPN, typically by authenticating at a VPN gateway (work-from-home model)
  • Software (VPN client) installed on the end user's computer
  • User authenticates when connecting
  • One computer per tunnel

Site-to-site

  • VPN gateways tunnel traffic for entire networks
  • Hardware installed on the network, transparent to users
  • many computers share one tunnel
37
Q

Virtual Private Networks (continued)

A
  • Tunneling
    • Transport Layer Security (TLS)
      • a cryptographic protocol which provides privacy and data integrity between communicating applications
      • designed to encapsulate other protocols, such as HTTP
      • TLS is the successor to Secure Sockets Layer (SSL), which is insecure and has been deprecated
    • Internet Protocol Security (IPsec)
      • in tunnel mode, encrypts the entire original packet and prepends a new IP header
      • used to send communications securely over nonsecure networks
38
Q

Software-defined wide area network

A

• creates a software-defined (SD) network over long-range links (WAN), typically between data centers and branch offices

• leverages multiple underlying transport technologies, with each link authenticated and encrypted

• governed by a central network management SD-WAN controller

39
Q

Secure Access Service Edge (SASE)

A
  • the totality of the cloud security apparatus between services and end users
    • comprised of SD-WAN and a security service edge (SSE)
  • Security Service Edge (SSE)
    • Cloud access security broker (CASB)
    • Secure web gateway (SWG)
    • Zero-trust architecture
    • Firewall
40
Q

Data Protection

Objective 3.3

Slide 195

A
41
Q

Data type

A

• Regulated

• Trade secret

• Intellectual property

• Legal information

• Financial information

• Human- and non-human-readable

42
Q

Data classifications

A

Categorize the data based on the level of clearance needed to access:

public (unclassified)

  • No restrictions. Anyone can know this information. Public knowledge or available for public inspection.

Confidential (secret)

  • Only available to approved individuals or trusted third parties operating under a non-disclosure agreement (NDA)

Critical (top secret)

  • restricted to a limited number of individuals. Extremely valuable. Cannot afford to be leaked. 
43
Q

Data classifications (continued)

A

Categorize the data based on the type of information it holds:

Proprietary

  • information owned by a single organization; has business value and is a target for competitors

Private or personally identifiable information (PII)

  • name, address, Social Security number, financial information, health information, etc.

Sensitive

  • Troublesome if leaked. GDPR lists special categories such as religious and political beliefs, health data, and sexual orientation.

Restricted

  • strict security controls. Could cause significant harm if leaked. (National secrets, identity of foreign agents, etc.)
44
Q

States of data

A

Data-in-transit

  • any data being sent across a network

Data-at-rest

  • any data stored on persistent storage, including disks, databases and backups

Data-in-use

  • any data being actively processed, typically held in memory (RAM), CPU cache or registers
45
Q

Data sovereignty

A

• when storing data in a country/state, you need to follow the local laws and respond to legal requests

• this is true for both backup and recovery sites and is known as data sovereignty (e.g., data stored anywhere in the EU may be subject to GDPR compliance)

• the severity of data laws may heavily influence the decision to pick a particular location

46
Q

Geolocation

A

• where data is collected and where it resides matters

• data is subject to the laws of those jurisdictions

• beneficial to consider the location of data centers when planning network operations

47
Q

Securing data

A

• geographic restrictions

• encryption

• hashing

• masking

• tokenization

• obfuscation

• segmentation

• permission restrictions

48
Q

Resilience and disaster recovery

Objective 3.4
Slide 203

A
49
Q

High availability

A

load balancing

Clustering

50
Q

Recovery sites

A

• locations which provide an organization with the capability to continue operations in the event of an attack or natural disaster shutting down its main site

recovery sites can be prepared in three different ways:

  • hot
  • warm
  • cold
51
Q

Hot site

A

• fully operational facility, equipped with all standard hardware and software used by the organization

• most expensive recovery site option, as they are basically copies of the main working location and can be put into immediate operation with no setup time required

• high carrying cost

• low changeover time

52
Q

Warm site

A

• lies somewhere between a hot site and a cold site in terms of operational readiness (as the name suggests)

• requires an intermediate level of cost to maintain, as it has all the hardware needed for full operation but needs to be provided with the most recent data in order to be brought up to speed

• medium carrying cost

• medium changeover time

53
Q

Cold site

A

• backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place

• a cold site is not ready for immediate operation and typically takes a few days to get up and running. However, it is the least expensive type of recovery site to maintain.

• low carrying cost

• high changeover time

54
Q

Diversity

A

• diversifying your organization's technologies, vendors, cryptographic protocols and information security controls

• relying on a single vendor for security can be problematic

  • example: if a zero-day is found that affects that specific software, your entire security implementation could be compromised. Instead, consider different software in different areas of your environment, ensuring the organization's security is not completely managed by a single product.

• this is not always the most cost-effective choice; it is a trade-off

  • many vendors will offer discounts for bundling various tools
55
Q

Multi-cloud

A

• diversifies the risk of one cloud provider having an outage

• spread operations over various cloud providers and/or locations (regions and availability zones)

• strengthen security by implementing the unique security features provided by each cloud provider

56
Q

Continuity of operations (COOP)

A

alternate business practices

  • techniques used to keep an organization's workflow going in the event of a system failure
  • For example, if there is a failure across point-of-sale systems, an alternate business practice would be to use a pen-and-paper register to record and process sales

• Providing redundancy, backups and alternatives to support business operations in light of an outage

57
Q

Capacity planning

A

• analyzing organizational requirements to meet business objectives

• if we need to grow, can we? What is needed? If we can't grow, why not? What is stopping us?

People

  • Assuring personnel have the skill set necessary to succeed

Technology

  • Ensuring technology is in place to support business needs

Infrastructure

  • Ensuring infrastructure is resilient enough to handle throughput and demand
58
Q

Tabletop exercises and simulations

A

a tabletop is a discussion-based exercise where personnel go through their disaster recovery roles and responsibilities. A tabletop exercise is done in a classroom setting to familiarize staff with the recovery procedures without actually simulating a disaster.

• it is also possible to create disaster-like conditions to run fully simulated and in-depth tests of the recovery process, though these are often difficult to set up safely

59
Q

Failover

A

• the capability to switch over automatically to a redundant system, such as an alternate processing site, upon the failure of the normally active system

• used to prevent loss of service in the event of failures

60
Q

Backups

A

Off-site backups

  • backups should be stored off site, as they need to be protected from any attacks/disasters which may affect data at the main site
  • it is recommended to place off-site backups in an entirely separate geographic location. The necessary distance from the main site depends on the type of disaster you need to accommodate.
  • For example, off-site backups become critical if a disaster, such as a fire, causes a loss of data
  • an important consideration when choosing and configuring a backup location is security. To be effective, backup systems must hold a complete copy of the organization's records, including sensitive data that may be protected by regulations or laws. Backup systems should be protected to the same standard as an organization's primary systems to minimize the probability that they are compromised in a breach.
61
Q

Backup frequency

A

• what type of backup is used and how often it is performed will depend on the organization, the budget allocated for backups, and the method used

three types of backup

  • Full
  • Differential
  • Incremental
62
Q

Full backup

A

backs up all selected data, regardless of when it was last changed

• restoring requires only the single most recent full backup

• high backup time, low restore time
63
Q

Differential backup

A

backs up only data which has changed since the last full backup

• restoring from a differential backup requires first restoring the full backup and then restoring the changes made since the full backup from the latest differential

  • Backing up is somewhat faster, as it only involves modified files
  • Restoring takes longer than with a full backup, as both the full and the differential backup must be restored

• medium backup time, medium restore time

64
Q

Incremental backup

A

backs up only data which has changed since the last backup of any kind

• restoring from an incremental backup means restoring the initial full backup and then restoring each incremental backup in chronological order

  • Backing up is fastest, as there are fewer changes between each backup
  • Restoring data is slow, as the full backup must be restored along with every incremental backup taken; if any one incremental set is lost or corrupt, everything after it is unreliable

• low backup time, high restore time
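
Added example (not part of the original flashcards) covering the full, differential and incremental cards together. It models a file system as a dict of path to content version, runs each strategy over four constructed daily snapshots, and shows what each restore chain needs and what happens when one backup set is lost. The function names and sample paths are constructed for illustration; deletions are not modelled (a real tool records them as tombstones).

```python
"""Full, differential and incremental backups and their restore chains.

Added example, not from the original flashcards. A file system is modelled
as a dict of path -> content version; the daily snapshots are constructed.
"""


def changed_since(current, baseline):
    """Files in `current` that are new or differ from `baseline`."""
    return {p: v for p, v in current.items() if baseline.get(p) != v}


def plan_backups(snapshots, strategy):
    """Run one backup per snapshot: a full backup of the first snapshot, then
    differential sets (changes since the full) or incremental sets (changes
    since the previous backup of any kind)."""
    full = dict(snapshots[0])
    sets = [full]
    previous = full
    for state in snapshots[1:]:
        if strategy == "differential":
            sets.append(changed_since(state, full))
        elif strategy == "incremental":
            sets.append(changed_since(state, previous))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        previous = state
    return sets


def restore_chain(full, later_sets):
    """Restore the full backup, then apply later sets in chronological order."""
    result = dict(full)
    for s in later_sets:
        result.update(s)
    return result


def restore(sets, strategy):
    """Differential needs the full plus only the latest set; incremental needs
    the full plus every set taken since it."""
    if strategy == "differential":
        return restore_chain(sets[0], sets[-1:])
    return restore_chain(sets[0], sets[1:])


def restore_without(sets, strategy, lost_index):
    """Restore when the set at `lost_index` (never the full) is unusable."""
    kept = [s for i, s in enumerate(sets) if i != lost_index]
    return restore(kept, strategy)


def files_copied(sets):
    """Total files written across all backup runs (a proxy for backup time)."""
    return sum(len(s) for s in sets)


# Constructed daily snapshots: day 0 is backed up in full, then one change a day.
SNAPSHOTS = [
    {"etc/passwd": "v1", "var/db/app.sqlite": "v1", "home/report.docx": "v1"},  # day 0
    {"etc/passwd": "v1", "var/db/app.sqlite": "v2", "home/report.docx": "v1"},  # day 1
    {"etc/passwd": "v2", "var/db/app.sqlite": "v2", "home/report.docx": "v1"},  # day 2
    {"etc/passwd": "v2", "var/db/app.sqlite": "v3", "home/report.docx": "v1"},  # day 3
]

if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets = plan_backups(SNAPSHOTS, strategy)
        print(strategy, "sets:", sets[1:], "files copied:", files_copied(sets))
        print("  restore ok:", restore(sets, strategy) == SNAPSHOTS[-1])
        print("  restore with day-2 set lost:", restore_without(sets, strategy, 2))
```

With the day-2 set missing, the differential restore is still correct because the day-3 set already contains every change since the full, whereas the incremental restore silently brings back the day-0 version of etc/passwd; that silent staleness is why incremental chains must be verified end to end.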

65
Q

Snapshots

A

• a snapshot captures the state of a system (e.g., a virtual machine or storage volume) at a point in time, so it can be rolled back to that state regardless of what happens to it afterwards

• not exactly a backup, more of a saved state of operation; a snapshot usually lives on the same storage as the system it protects, so it does not replace an off-site backup

66
Q

Replication

A

• duplicating data to prevent data loss at one location

• automatic copying between two information systems

Synchronous

  • Copy data simultaneously across two peered systems; a write is not acknowledged until both hold it
  • Changes in one are reflected immediately in the other

Asynchronous

  • Copy data from a primary to a secondary location after the primary has acknowledged the write
  • Changes in the primary are reflected in the secondary after a short delay, for safekeeping/failover; writes made during that delay can be lost if the primary fails
67
Q

Journaling

A

• when data is being moved around by an operating system, it gets stored in RAM (short-term, volatile storage) before being written to the hard drive (long-term, non-volatile storage)

• if moving data from one location on the drive to another, data is taken from the hard drive into RAM and then written from RAM back to the hard drive

• if a power outage occurs during the transfer, the data held only in RAM is lost

• journaling file systems keep a ledger (journal) on the hard drive of the changes being made. Each operation is recorded in the journal before it is applied. In the event of an outage, the journal is replayed at the next mount to complete or roll back the interrupted operation, preventing data loss and corruption.
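
Added example (not from the original flashcards) simulating the failure described above: a naive move that reads the file into RAM, deletes the source and then loses power, versus a journaling file system that writes its intent to the journal first and replays uncommitted entries on recovery. The NaiveFS and JournaledFS classes, the dict-based "disk" and the injected crash points are constructed for illustration. This toy journals file data as well as metadata (as ext4's data=journal mode does); most file systems journal only metadata.

```python
"""Why a journaling file system survives a crash mid-operation.

Added example, not from the original flashcards. The disk is a dict of
path -> bytes and crashes are injected with `crash_after`.
"""


class CrashError(Exception):
    """Simulated power loss."""


class NaiveFS:
    """Moves a file the way the card describes: disk -> RAM -> disk."""

    def __init__(self, disk):
        self.disk = disk

    def move(self, src, dst, crash_after=None):
        data = self.disk[src]          # disk -> RAM
        del self.disk[src]             # the RAM copy is now the only copy
        if crash_after == "delete":
            raise CrashError("power lost after deleting the source")
        self.disk[dst] = data          # RAM -> disk


class JournaledFS:
    """Writes intent (and here, data) to an on-disk journal before acting."""

    def __init__(self, disk):
        self.disk = disk
        self.journal = []              # lives on disk in a real file system

    def move(self, src, dst, crash_after=None):
        data = self.disk[src]
        # 1. record the operation in the journal before touching any file
        entry = {"op": "move", "src": src, "dst": dst, "data": data, "committed": False}
        self.journal.append(entry)
        if crash_after == "journal":
            raise CrashError("power lost after journaling")
        # 2. apply the change to the file system proper
        del self.disk[src]
        if crash_after == "delete":
            raise CrashError("power lost after deleting the source")
        self.disk[dst] = data
        # 3. mark the entry committed so recovery skips it
        entry["committed"] = True

    def recover(self):
        """Replay every uncommitted entry at mount time. Both steps are
        idempotent, so a partially applied move can be redone safely.
        Returns the number of entries replayed."""
        replayed = 0
        for entry in self.journal:
            if entry["committed"]:
                continue
            self.disk.pop(entry["src"], None)
            self.disk[entry["dst"]] = entry["data"]
            entry["committed"] = True
            replayed += 1
        return replayed


def crash_demo(fs_class, crash_after):
    """Move a constructed sample file, crash at the given step, run recovery
    when the file system supports it, and return the resulting disk."""
    disk = {"home/notes.txt": b"quarterly numbers"}   # constructed sample
    fs = fs_class(disk)
    try:
        fs.move("home/notes.txt", "archive/notes.txt", crash_after=crash_after)
    except CrashError:
        pass
    if hasattr(fs, "recover"):
        fs.recover()
    return disk


if __name__ == "__main__":
    print("naive, crash after delete:    ", crash_demo(NaiveFS, "delete"))
    print("journaled, crash after delete:", crash_demo(JournaledFS, "delete"))
```

The naive move loses the file outright when power fails between the delete and the write, while the journaled move recovers it from the journal whether the crash happens before or after the source was removed.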

68
Q

Power back up

A

Generators

  • Fossil fuel or renewable power engine that produces AC electricity to power critical infrastructure needs
  • Generally support the whole facility or critical systems within the facility for a long-term power outage (more than a few seconds or minutes)
69
Q

Power backup (continued)

A

uninterruptible power supply (UPS)

  • battery backup to maintain critical systems in the event of a momentary power loss, and to bridge the gap until a generator starts
  • Can be stand-alone or rack-mounted
  • Generally supports single computers or racks for a short-term power outage (lasting less than a few seconds or minutes)