Domain 3 (Security Architecture) Flashcards
Practice questions from unofficial sources
When computing resources are delivered to a remote customer over a network
Cloud computing (simple definition)
This is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
Cloud computing (NIST definition)
This is the business that offers cloud computing services for sale to third parties
Cloud service provider
The consumers of cloud computing services who use the services as the infrastructure, platforms, and/or applications that help them run their own business
Cloud customer
Third-party companies who offer some product or service that interacts with the primary offerings of a cloud service provider
Cloud service partner
Cloud service providers who offer a managed identity and access management service to cloud customers
Cloud access security broker (CASB)
This adds more servers to the pool to meet increased user demand
Horizontal scaling
This adds more resources (such as CPU or memory) to existing servers to meet increased demand
Vertical scaling
This refers to both increasing and decreasing capacity as short-term needs fluctuate
Elasticity
Paying only for what you consume
Measured Service
Many different customers share use of the same computing resources
Multitenancy
Multitenancy cloud users don’t impact each other; one customer should never be able to see data belonging to another
Principle of Isolation
Sold capacity exceeds actual capacity; cloud providers can oversell because customer usage varies over time and different customers peak at different times
Oversubscription
CPU and memory shared among users; in the physical environment they are shared among many different users and can be reassigned as needed
Resource pooling
Vendors that provide security services for other organizations
Managed Security Service Providers (MSSPs)
This term may also describe Managed Security Service Providers when the service being performed has more of a software as a service feel; almost like a subcategory of MSSP but people blur the lines
Security as a Service (SECaaS)
A category of security service that adds a third-party security layer to the interactions that users have with other cloud services
Cloud Access Security Brokers (CASBs)
Security service where the broker sits in between the users and the cloud service, monitoring requests and watching for potential violations of security policy; the broker blocks requests if necessary
Network-Based CASB
Security service where the broker does not sit in the line of communication but uses an API to interact with the cloud service. The broker may be unable to block requests, and the service runs entirely in the cloud
API-Based CASB
When the hypervisor runs directly on top of the hardware, and then hosts guest operating systems on top of that; the most common form of virtualization found in data centers
Type 1 Hypervisor (Bare Metal Hypervisor)
In the past decade we have seen a shift in the computing landscape from the client/server model to _____ technology
Virtualization
_____ technology allows many virtual servers to make use of the same underlying hardware, easily shifting processing power to wherever it’s needed at the time
Virtualization
When the physical machine runs an operating system of its own and the hypervisor runs as a program on top of the operating system; commonly used on personal computers; VirtualBox and Parallels
Type 2 hypervisor
In virtualization, the ___ tricks each guest into thinking it runs on its own dedicated hardware
Hypervisor
An attack where the attacker breaks out of the guest system in a virtualized environment, trying to access the memory and storage of the other virtualized machines
VM escape attack
Where there are large numbers of unused and abandoned virtual servers on the network, creating a security risk as they are not maintained
VM sprawl
Applies virtualization to desktop technology; provides network-based access to a desktop computing environment
Virtual Desktop Infrastructure (VDI)
Storage that allocates a large chunk of storage for access as a disk volume managed by the operating system; the large chunk of storage is partitioned into volumes; commonly used to create virtual disk drives for cloud servers
Block storage
Storage that stores files as individual objects managed by the cloud service provider; used to maintain files for a website, build large data stores, etc.
Object Storage
Classes of block storage
magnetic drives or solid state drives
Classes of object storage
premium level of service that is available for immediate use, or archival storage
These allow you to directly connect VPCs to each other and to other cloud-based services without requiring that the traffic travel on the open internet
VPC endpoints
SDN
Software Defined Networking
Allows you to automate your cloud networking in an infrastructure as code approach by integrating the cloud provider’s API into your operations stack
SDV
Software Defined Visibility
Allows you to use the provider’s API to gain visibility into network traffic through the use of virtual tapping, virtual NetFlow, etc.
VDI
Virtual Desktop Infrastructure
This streams applications to the user’s desktop
Application Virtualization
Before the 1980s the enterprise IT landscape was based on ___ technology
mainframe
During the 1980s and 1990s the enterprise IT landscape was based on _____ technology
client-server model
MSPs
Managed Service Providers
These offer information technology services to customers; a broader term
MSPs, Managed Service Providers
CASB
Cloud Access Security Broker
API
Application Programming Interfaces
This creates automated workflows for managing cloud environments; allows cloud administrators to quickly and easily create workloads, shift operations between environments, etc.
Cloud Orchestration
The idea that administrators should never build or manage resources using the command line or graphical interfaces, they should write code that performs those actions for them, as that code is then reusable
Infrastructure as Code
A lightweight way to package up an entire application and make it portable so that it can easily move between hardware platforms; lightweight application virtualization; “the next evolution of virtualization”
Containers
A design philosophy that encourages organizations to create discrete services that may be accessed by customers and other users in a black-box fashion
Service-Oriented Architecture (SOA)
A standards body for architecture
The Open Group
A modern adaptation of SOA to the world of cloud-enabled computing; fine-grained services that provide small and discrete functions to other services
Microservices
This is published by the ISO; lays out a common terminology framework that assists cloud service providers, customers, and partners in communicating about roles and responsibilities; a starting point for organizations
Cloud reference architecture
ISO
International Organization for Standardization
Activities: Use cloud services, perform service trials, monitor services, administer security, provide billing and usage reports, handle problem reports, administer tenancies, perform business administration, select and purchase service, request audit reports
ISO cloud reference architecture customer activities
Activities: Prepare systems and services, monitor and administer services, manage assets, provide audit data, manage customer relationships, perform peering, ensure compliance, provide connectivity, etc.
ISO cloud reference architecture provider activities
Activities: design, create, and maintain services, test services, perform audits, set up legal agreements, acquire and assess customers, assess the marketplace
ISO cloud reference architecture partner activities
The ISO cloud reference architecture aligns nicely with ____, which is designed to help cloud providers and customers understand the detailed security controls that may be used to achieve cloud security objectives
Cloud Security Alliance’s Cloud Controls Matrix
Cloud deployment model providing the flexibility, scalability, agility, and cost-effectiveness of the cloud while not sharing computing resources with other organizations; the organization builds and runs its own cloud infrastructure
Private Cloud
Cloud deployment model using the multitenancy model, where cloud providers build massive infrastructures in their own data centers and then make those resources available to all users; physical hardware may be running workloads for many different customers at the same time
Public Cloud
Cloud deployment model that uses a combination of public and private cloud computing, with different clouds for different workloads, likely depending on data sensitivity concerns
Hybrid Cloud
Cloud deployment model not open to the general public, but shared among several organizations that are related to each other in a common community
Community cloud
Security in the public cloud follows the ____ model.
Shared responsibility model
XaaS
_____ as a service
Cloud services come in a variety of different categories and can be described using the term __
XaaS, _ as a Service
Cloud service model where the public cloud provider delivers an entire application to the customers. Customer doesn’t worry about processing, storage, networking, and other infrastructure details; Providers get everything running for customers; usually accessed through a standard web browser
Software as a Service (SaaS)
Cloud service model where customers purchase basic computing resources from vendors and put them together for customized IT solutions. Vendors might provide data storage, compute capacity, etc.
Infrastructure as a Service (IaaS)
Cloud service model where vendors provide customers with a platform to run their own application code without worrying about server configuration. A middle ground between IaaS and SaaS; customer doesn’t worry about managing servers but is running their own code
Platform as a Service (PaaS)
Three major IaaS vendors
Amazon Web Services, Microsoft Azure, Google Compute
Could be considered the fourth goal of cybersecurity
Privacy
This goal protects the confidentiality rights of individuals whose information we store, process, or transmit
Privacy
Ensures effective oversight of cloud use in an organization; ensures cloud partners comply with security, legal, business, and other constraints
Governance
An important component of governance; verifies that cloud service providers are fulfilling their security and operational obligations
Auditability
This term describes how cloud providers serving regulated customers must support compliance efforts; providers are subject to things such as HIPAA just as on-premises computing is; organizations must make sure that their cloud providers allow them to remain compliant
Regulatory Oversight
A principle stating that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed; storing data in multiple locations subjects it to multiple jurisdictions
Data Sovereignty
The ability of the cloud infrastructure to withstand disruptive events
Resiliency
Using a redundant server to protect against the failure of a single server is an example of __
Resiliency
How well a cloud service stands up to the demands that we place on it is described as ___
Performance
Written agreements with vendors documenting vendor obligations
Service Level Agreements (SLAs)
The idea that if something goes wrong operationally, technically, or financially, we can roll back operations to the original state prior to cloud transition
Reversibility
The design principle saying that workloads should be designed with the ability to move between cloud vendors; workloads shouldn’t leverage vendor-specific features
Portability
Design principle asking whether cloud solutions from different vendors are compatible and can work together, i.e. whether services can integrate; especially important for SaaS and PaaS products
Interoperability
OSI model layer 1
Physical layer
OSI model layer 2
Data link layer
OSI model layer 3
Network layer
OSI model layer 5
Session layer
OSI model layer 4
Transport layer
OSI model layer 6
Presentation layer
OSI model layer 7
Application layer
These serve as IaaS firewalls; they are similar to firewall rules and allow you to control the traffic that passes from the internet to your virtualized systems, and even between systems operating in the virtual environment
Network Security Groups
These are security controls offered by cloud providers that tightly integrate with the provider’s service offerings; likely easy to use, but they do not work across multiple cloud platforms
Cloud-Native Controls
These are security controls offered by third-party vendors that integrate with cloud providers through their API and may work across multiple cloud platforms; often more expensive
Third-Party Controls
Policies that place limits on the actions that may be taken by users with direct access to your cloud environment
Resource Policy
Tools that allow you to store encryption keys and other sensitive credentials in a manner that allows you and your applications to access them, but keeps them safe from prying eyes; can be expensive; e.g. cloud hardware security modules
Secret Management
This creates secure connections between VPCs running in the cloud and VLANs on your local network, like cloud routers that provide strongly encrypted connections; links on-premises and cloud networks; an important control for organizations in a hybrid cloud environment
Transit Gateway
TCP/IP
Transmission Control Protocol/Internet Protocol
Two of the main protocols that make up all modern networks
TCP and IP
Protocol responsible for routing information across networks, provides an addressing scheme that uniquely identifies computers on a network, delivers information in chunks (packets) from their source to the correct destination; a network layer protocol that supports transport layer protocols
Internet Protocol (IP)
Two main transport layer protocols
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
TCP
Transmission Control Protocol
UDP
User Datagram Protocol
Protocol responsible for the majority of network traffic; a connection-oriented protocol, where the connection between systems is established before data is transferred; reliable and guarantees delivery through destination receipt acknowledgment; widely used for critical applications
Transmission Control Protocol (TCP)
TCP three-way handshake flag that identifies packets that are requesting a new connection
SYN flag
TCP three-way handshake flag that identifies packets that are requesting the closure of an existing connection
FIN flag
TCP three-way handshake flag that acknowledges a SYN or FIN request
ACK flag
TCP three-way handshake
SYN, SYN/ACK, ACK
Protocol that is not connection-oriented; systems send data to each other without establishing a connection, and there are no acknowledgments on receipt, so there is no guarantee of delivery; may be used for voice and video applications
User Datagram Protocol
OSI model
Open Systems Interconnection model
OSI layer that sends bits over the network using wires, radio waves, fiber optics, etc.
OSI Layer 1 Physical
OSI Layer that transfers data between two nodes connected to the same physical network
OSI Layer 2 Data Link
OSI Layer that creates connections between systems and transfers data in a reliable manner; TCP and UDP work here
OSI Layer 4 Transport
OSI Layer that expands networks to many different nodes; where Internet Protocol works
OSI Layer 3 Network Layer
OSI Layer that manages the exchange of communications between systems
OSI Layer 5 Session
OSI Layer that translates data so that it may be transmitted on a network; it describes how to represent a character in terms of bits and performs encryption and decryption
OSI Layer 6 Presentation
OSI Layer that determines how users interact with data using web browsers or other client applications
OSI Layer 7 Application
The addressing scheme used by Internet Protocol
IP addresses
The numbers in an IP address can each range from _ to _
0 - 255
The IP address includes the __ and the __
network address and host address
IP version using the dotted quad notation
IPv4
IPv4 uses __ bits
32 bits
IPv6 uses __ bits
128 bits
IP addresses that are manually assigned to systems by an administrator. They must be unique and within the appropriate range for the network; the user is responsible for choosing a unique address; typically used for servers
Static IPs
Protocol that allows the automatic assignment of IP addresses from an administrator-configured pool
Dynamic Host Configuration Protocol (DHCP)
DNS
Domain Name System
DNS functions over UDP port __
port 53
This protocol adds a digital signature to DNS
DNSSEC protocol
Attacks where attackers may attempt to insert false DNS records into intermediate DNS servers in an attempt to fool unsuspecting clients into accessing fake sites
DNS poisoning attacks
These are particular locations on a system associated with a specific application; they guide traffic to the correct final destination
Network Ports
Network ports are represented using a __ bit binary number
16 bit
The well-known ports; these are reserved for common applications and are assigned by internet authorities
ports 0-1,023
Web server port number
Port 80
Secure web server port number
Port 443
The registered ports; where application vendors may register their applications for use
Ports 1,024 - 49,151
File Transfer Protocol (FTP) port used to transfer data between systems
Port 21
Secure Shell Protocol (SSH) port used for encrypted administrative connections to servers
Port 22
Remote Desktop Protocol (RDP) port used for encrypted administrative connections to servers
Port 3389
Windows system ports used for network communications using the NetBIOS protocol
Ports 137, 138, 139
Port used by all systems for DNS lookups
Port 53
Simple Mail Transfer Protocol (SMTP) port used to exchange email between servers
Port 25
Post Office Protocol (POP) port that allows clients to retrieve mail
Port 110
Internet Message Access Protocol (IMAP) port used to access mail
Port 143
Hypertext Transfer Protocol (HTTP) port used for unencrypted web communications
Port 80
Secure Hypertext Transfer Protocol (HTTPS) port used for encrypted web communications
Port 443
ICMP
Internet Control Message Protocol
The housekeeping protocol of the internet that performs a variety of important administrative functions, such as the ping command
Internet Control Message Protocol (ICMP)
This command is a basic network troubleshooting command; a system sends a request over the network and the receiving system responds with an acknowledgement; uses ICMP
Ping command
Packet that is sent to ask another system “are you there?” during the ping command
ICMP Echo request
Packet that is sent to tell another system “I am here” during the ping command
ICMP Echo reply
This command performs more detailed troubleshooting by showing you whether a system is alive on the network and the path taken across the network between the two systems; uses ICMP
Traceroute command
These typically have three network interfaces to connect three different security zones together. One interface connects to the internet or other untrusted network, another to the Intranet,
Network Border Firewall
The interface zone that connects to untrusted networks; is the interface between the protected networks and the outside world
Internet Zone
The interface zone that connects to the organization’s intranet, the internal network where most systems reside
Intranet zone
Segments for endpoint network, wireless network, guest network, data center networks
Intranet Zone segments
The interface zone that is a network where you can place systems that must accept connections from the outside world, such as a mail server; also referred to as a DMZ
Screened Subnet zone
A security philosophy where systems do not gain privileges based solely on their network location
Zero Trust
Special-purpose networks; intranet segments that are accessible by outside parties
Extranet
Special-purpose networks that are decoy networks designed to attract attackers; they appear lucrative to attackers but don’t really contain any sensitive information
Honeynet
Special-purpose networks that spring up whenever someone sets up a wired or wireless network outside of your standard security design; often planned to be temporary, but can be a security risk as they might not have the usual security controls
Ad Hoc Network
This is network traffic between systems in the same data center
East-West traffic
This is network traffic between systems in the data center and systems located on the internet
North-South traffic
These allow us to logically group together related systems regardless of where they exist on the network; they extend the broadcast domain, allowing users on the same VLAN to directly connect to each other as if they were connected to the same switch
Virtual LANs (VLANs)
This allows you to monitor network traffic by duplicating all of the traffic from a single switch port; ideal for monitoring traffic to or from a single device
Port Mirrors
These are hardware devices used to aggregate inbound network connections from employees and other users who require remote access
VPN concentrators
These handle the tough cryptographic work of setting up a TLS connection on behalf of a web server, allowing the web server to focus on delivering web content; they are designed to boost service performance; in the DMZ
SSL Accelerators
These allocate the load of inbound user requests among a pool of servers, allowing the organization to scale a service quickly; in the DMZ
Load Balancers
This is a technology that allows network administrators to treat the functionality and implementation details of a network as separate and distinct functions
Software Defined Networking (SDN)
This is responsible for the routing and switching decisions that determine how data flows around a network; determines how network devices interact with each other
The control plane
This consists of the mechanics of moving packets around in a network; it carries out the instructions of the control plane
The data plane
Devices that network engineers use to connect devices to networks; contain a large number of network ports; normally hidden away in wiring closets
Switches
Devices that contain radios that send and receive network signals to mobile devices; this device is wired back to the switch, but other devices connect to it wirelessly; uses radio-based wireless networks
Wireless Access Points (WAPs)
Switches operate at level __ of the OSI model, where they work with MAC addresses only
Level 2 (sometimes 3)
Switches sometimes operate at level __ of the OSI model, where they can interpret IP addresses; at this level they have some of the functions of routers
Level 3
Devices that connect networks together by serving as a central aggregation point for network traffic heading to or from a large network; they make intelligent packet routing decisions and use access control lists
Routers
Devices that connect two networks together; use MAC addresses
Bridges
These devices analyze all attempts to connect to systems on a network and determine whether the request should be allowed or denied; often at the network perimeter, in between routers and the internet
Firewalls
An older technique that evaluates each packet separately; it is inefficient and doesn’t allow the device to make informed decisions
Stateless Firewall
A modern technique that allows the firewall to keep track of established connections; it doesn’t have to reevaluate every incoming packet, as it knows they come from the same origin
Stateful Inspection
Stateful inspection uses layer __ of the OSI model
Layer 4
Rule stating that if a firewall receives traffic not explicitly allowed by a firewall rule, then that traffic must be blocked
Implicit Deny (default deny)
Firewalls capable of incorporating contextual information into their decision-making process; work at all levels of the OSI model
Next-generation firewalls (NGFWs), aka layer 7 firewalls
Devices that inspect HTTP requests made to a web server and watch for any signs of a potential attack occurring against the application
Web Application Firewalls (WAFs)
A deployment model
Hardware WAF
A deployment model