Security Flashcards
SHA (Sha)
SHA stands for Secure Hash Algorithm, a family of cryptographic hash functions designed to keep data secure. Developed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST), SHA is widely used in security applications and protocols, including SSL/TLS, SSH, and digital certificates.
Here’s a quick breakdown of SHA versions:
SHA-1: The first version, now considered outdated and vulnerable to attacks. It produces a 160-bit hash and was widely used for verifying data integrity until it was found to be insecure.
SHA-2: An improved version with multiple variants, like SHA-224, SHA-256, SHA-384, and SHA-512, where the numbers indicate the length (in bits) of the resulting hash. SHA-256 is especially popular and widely used in encryption, digital signatures, and certificates.
SHA-3: The latest version, different from SHA-1 and SHA-2, as it uses the Keccak algorithm instead of the Merkle–Damgård construction. It provides a high level of security and is designed to be more resilient against certain types of attacks.
IPv4 (Internet Protocol version 4)
Developed in 1983, IPv4 is the fourth version of the Internet Protocol and is currently widely used for routing most internet traffic.
Address Format: IPv4 uses a 32-bit address format (e.g., 192.168.0.1), which provides about 4.3 billion unique addresses.
Limitation: The rapid expansion of internet-connected devices has depleted the IPv4 address space, creating the need for a more robust solution.
IPv6 (Internet Protocol version 6)
Developed in the late 1990s as a long-term solution to IPv4’s limitations.
Address Format: IPv6 uses a 128-bit address format (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), providing 340 undecillion (3.4 x 10^38) unique addresses, effectively solving the address exhaustion problem.
Benefits:
Larger address space to accommodate more devices.
Built-in security features (e.g., IPsec).
Efficient routing and packet processing.
Simplified network configuration with auto-configuration capabilities.
Sidecar
In the security context, a sidecar is a specialized component or container that runs alongside a primary application, providing security services and functionalities without modifying the application itself. It’s commonly used in microservices and containerized environments, like Kubernetes, to enforce security policies, manage network traffic, and add security layers to applications in a transparent and non-intrusive way.
Key Uses of a Sidecar in Security:
Service Mesh Security: In a service mesh (e.g., Istio or Linkerd), sidecars are typically used to control and secure network traffic between services. Each service has a sidecar proxy that manages security aspects, such as mutual TLS (mTLS) encryption, access control, and traffic policies.
Authentication and Authorization: Sidecars can handle user authentication and enforce access control policies, verifying identity and permissions before requests reach the main application.
Data Encryption: Sidecars can encrypt data in transit between microservices or from the application to an external service, ensuring that sensitive data remains secure.
Monitoring and Logging: A security-focused sidecar can capture logs and metrics, forwarding them to centralized monitoring and logging systems. This setup allows for audit trails, intrusion detection, and forensic analysis without modifying the core application.
Intrusion Detection and Prevention: Some sidecars include IDS/IPS (Intrusion Detection and Prevention Systems) capabilities, monitoring for suspicious activity, and alerting or blocking malicious traffic in real time.
Rate Limiting and Traffic Filtering: Sidecars can implement rate limiting to protect against denial-of-service attacks or filter requests to enforce security policies.
Benefits of Sidecars in Security:
Isolation: By separating security functions from the main application, sidecars isolate security processes, making it harder for an attacker to compromise both application logic and security components.
Scalability: Sidecars can be added to individual services, allowing security to scale alongside the application.
Transparency: Sidecars work without modifying the application code, which reduces the risk of introducing bugs or vulnerabilities.
Zero Trust
Zero Trust
A security model based on the principle of “never trust, always verify.” It assumes threats could come from inside or outside the network and requires strict identity verification for every user and device.
Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR)
A tool that continuously monitors and responds to advanced threats on endpoint devices (laptops, desktops, mobile devices), helping detect and mitigate attacks in real-time.
Extended Detection and Response (XDR)
Extended Detection and Response (XDR)
An evolution of EDR that integrates multiple security products into a cohesive detection and response ecosystem, going beyond just endpoints to include network, server, and cloud data.
Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE)
A cloud-native security framework that combines network security and wide-area networking (WAN) capabilities, such as Zero Trust, SWG, and firewall-as-a-service, under a single umbrella to provide secure access.
Intrusion Detection System (IDS) & Intrusion Prevention System (IPS)
Intrusion Detection System (IDS) & Intrusion Prevention System (IPS)
IDS monitors network traffic for suspicious activity or known threats and alerts the admin, while IPS takes proactive steps to block or prevent threats from spreading.
Firewall as a Service (FWaaS)
Firewall as a Service (FWaaS)
A cloud-based firewall solution that provides scalable security policies and protects cloud environments without requiring hardware.
7. Managed Detection and Response (MDR)
Outsourced security operations with active monitoring, threat intelligence, and response capabilities, often used by organizations lacking in-house security resources.
8. Cloud Access Security Broker (CASB)
A security checkpoint between users and cloud services that enforces security policies, monitors access, and helps manage data loss.
9. Ransomware
A form of malware that encrypts files or systems, demanding payment (usually in cryptocurrency) to restore access.
10. Phishing & Spear Phishing
Phishing: A fraudulent attempt to obtain sensitive information, typically through fake emails.
Spear Phishing: A targeted form of phishing aimed at specific individuals, often using personalized information.
11. Dark Web Monitoring
Surveillance of hidden websites (typically .onion sites) on the dark web to identify when compromised data or credentials from an organization appear.
12. Multi-Factor Authentication (MFA)
An extra layer of protection beyond passwords, requiring two or more verification methods (such as a password plus a code sent to a mobile device).
13. Security Information and Event Management (SIEM)
Centralized platform for gathering, analyzing, and managing security events and logs, helping detect and respond to potential threats.
14. Identity and Access Management (IAM)
Solutions and policies for managing user identities and controlling access to critical resources, often with tools like Single Sign-On (SSO) and MFA.
15. Data Loss Prevention (DLP)
Strategies and technologies to prevent unauthorized access, use, or sharing of sensitive data, especially across endpoints, networks, and the cloud.
16. Encryption and Cryptography
The process of converting data into a coded format to protect it from unauthorized access, especially important for sensitive data in transit and at rest.
17. Artificial Intelligence in Cybersecurity (AI/ML)
Use of AI and machine learning to automate threat detection, predict attack patterns, and respond to incidents.
18. Penetration Testing (Pen Testing)
Simulated cyberattack on a system to identify vulnerabilities that an attacker might exploit.
19. Advanced Persistent Threat (APT)
A long-term, highly targeted cyberattack where an attacker gains access to a network and remains undetected to exfiltrate data or monitor activity.
20. Red Team / Blue Team
Red Team: The team that simulates an attack on the organization to test defenses.
Blue Team: The defense team that detects, responds, and mitigates these simulated attacks.
21. Vulnerability Management
The practice of identifying, evaluating, and addressing security vulnerabilities in systems and applications.
22. Threat Intelligence
Information and analysis regarding current and emerging threats, providing insights into attacker tactics, techniques, and procedures (TTPs).
23. Blockchain in Security
Using blockchain’s decentralized and transparent nature for applications in authentication, secure transactions, and data integrity.
24. Insider Threat
Security risk posed by employees, former employees, or business partners who have inside access and could harm an organization’s security.
25. Distributed Denial of Service (DDoS)
Attack that floods a system with traffic to overwhelm resources, causing a service outage.
Sandboxing
. Sandboxing
Isolating code or applications in a controlled environment (the “sandbox”) to safely analyze and test potentially malicious files without risking the main network or system.
27. Endpoint Protection Platform (EPP)
An integrated security solution that combines antivirus, anti-malware, and other endpoint security tools to protect devices from various threats.
28. Security Orchestration, Automation, and Response (SOAR)
A platform that helps security teams respond to threats quickly by automating routine security tasks and centralizing threat intelligence and response processes.
29. Key Management
Refers to handling cryptographic keys throughout their lifecycle, ensuring they’re securely generated, stored, distributed, and eventually destroyed.
30. Attack Surface
The totality of an organization’s possible vulnerabilities that attackers can target, including endpoints, networks, applications, and cloud resources.
31. Threat Modeling
A structured approach for identifying potential threats and vulnerabilities to systems, prioritizing them, and determining mitigation strategies.
32. File Integrity Monitoring (FIM)
A process that checks files and system logs for unexpected changes, which could indicate malicious activity or unauthorized access.
33. Certificate Authority (CA)
An entity that issues digital certificates to verify the authenticity of encryption keys and support secure communication over networks (e.g., SSL certificates for websites).
34. Social Engineering
Manipulative tactics used by attackers to trick individuals into divulging confidential information, often through phishing or impersonation.
35. Privilege Escalation
A cyberattack technique where attackers gain elevated access to resources within a system, allowing them to perform actions beyond their initial permissions.
36. Kill Chain
A model used to describe the stages of a cyberattack, from initial reconnaissance to data exfiltration, helping defenders identify weak points to disrupt an attack.
37. Container Security
Protecting applications in containers (like Docker) from security risks, including vulnerabilities within the container images or orchestrators (e.g., Kubernetes).
38. Air-Gapped Network
A network completely isolated from unsecured networks (like the internet) to protect critical systems from cyber threats, often used in highly sensitive environments.
39. Reverse Engineering
Analyzing software to understand its components, functionality, and possible vulnerabilities—often used to dissect malware and build defenses.
40. DNS Security
Securing the Domain Name System to prevent hijacking, spoofing, or phishing attacks that can redirect users to malicious sites or intercept data.
41. Risk Assessment
Identifying and evaluating security risks to prioritize which threats to address and to develop response and mitigation strategies accordingly.
42. Biometric Authentication
Using unique biological characteristics (e.g., fingerprints, facial recognition) as a method of secure identity verification, especially in multi-factor authentication setups.
43. Red Team Exercise
A simulation where a security team acts as an adversary, using real-world tactics to identify vulnerabilities in an organization’s defenses.
A certificate issue with TLS (Transport Layer Security)
typically refers to problems with the digital certificates used to establish secure, encrypted connections over a network. TLS certificates are critical for verifying the identity of servers and clients and for encrypting data transmitted between them. When there’s a certificate issue, it can prevent a secure connection, potentially exposing data or causing users to see security warnings. Here are some common types of certificate issues with TLS:
- Expired Certificate
TLS certificates are issued for a specific duration, usually 1 to 2 years. When a certificate expires, the connection is no longer trusted, resulting in security warnings. Regular monitoring and renewal of certificates are essential to avoid this issue. - Self-Signed Certificate
A self-signed certificate is generated and signed by the server itself rather than a trusted Certificate Authority (CA). While useful for internal testing, self-signed certificates aren’t trusted by most browsers and applications, leading to warnings unless explicitly accepted. - Certificate Not Trusted by a CA
If a certificate isn’t issued by a trusted CA, or the CA’s root certificate isn’t in the device’s trust store, the connection will not be considered secure. This can happen with certificates from less reputable CAs or if the root CA has been removed. - Certificate Chain Issues
A certificate chain (or certification path) links the TLS certificate back to a trusted root certificate. If any intermediate certificate is missing or incorrect, the browser or client won’t be able to verify the chain, resulting in an error. - Mismatched Domain Name (Common Name Mismatch)
Each certificate is bound to a specific domain name (Common Name or CN). If the certificate’s domain name doesn’t match the website’s URL, it will generate a mismatch error, commonly seen when connecting to subdomains without properly configured Subject Alternative Names (SANs). - Revoked Certificate
Certificates can be revoked if they’re compromised or otherwise invalidated by the issuing CA. A browser or client performs a revocation check (using CRL or OCSP) to confirm a certificate’s status. If it’s revoked, the connection is rejected. - Weak or Deprecated Encryption Algorithms
Certificates and protocols using outdated algorithms (e.g., SHA-1 or early versions of TLS) may be flagged as insecure. Modern standards require stronger algorithms like SHA-256 and TLS 1.2 or higher for security. - Improper Configuration
Misconfigured certificates, such as incorrect key usage, extended validation (EV) settings, or unsupported encryption methods, can prevent secure connections and cause errors during the TLS handshake.
Addressing Certificate Issues
Each type of issue has a different solution. For example, renewing certificates, updating to trusted CAs, or configuring server settings can usually resolve these problems. For public-facing services, organizations often use tools and monitoring services to detect and alert on certificate issues to ensure continuous and trusted access.
Grouped Query Attention (GQA)
Grouped Query Attention (GQA) is a mechanism introduced in transformer-based architectures to optimize the attention computation, primarily for improving efficiency and scalability in large-scale models. It modifies the standard attention mechanism by grouping queries together, which reduces computational and memory requirements while maintaining strong model performance.
Key Features of Grouped Query Attention:
Query Grouping:
Instead of computing attention for each query independently, GQA groups similar queries and computes attention collectively for each group.
This approach exploits redundancy among queries to save computational resources.
Shared Attention Context:
Within a group, queries share a common attention context, which reduces the total number of attention computations.
Efficiency:
The grouping mechanism reduces the computational complexity of attention from
O
(
N
2
)
O(N
2
) (in standard transformers) to something closer to
O
(
N
⋅
G
)
O(N⋅G), where
G
G is the number of groups.
This is particularly useful for large input sequences.
Preserved Expressiveness:
By carefully choosing the grouping strategy, GQA aims to maintain the representational power of the model despite the computational approximations.
Applications:
Commonly used in models that require handling long sequences or operating in resource-constrained environments, such as efficient NLP tasks or edge-device deployments.
Use Cases:
Long-sequence processing: Models like Longformer or BigBird may integrate similar concepts to reduce attention costs.
Large-scale pretraining: Helps in training large language models by making the attention mechanism more scalable.
Real-time inference: Useful for scenarios requiring fast inference times.
SwiGLU (Switched Gated Linear Units)
SwiGLU (Switched Gated Linear Units) is an activation function used in neural networks, particularly in transformer-based models, as an enhancement to traditional activation layers like ReLU or GeLU. It was introduced in the paper “Scaling Laws for Neural Language Models” by OpenAI and is designed to improve model efficiency and expressiveness.
Key Features of SwiGLU:
-
Architecture:
SwiGLU modifies the feed-forward network (FFN) block in transformers. It combines two linear transformations (weights) with a gating mechanism:
[
\text{SwiGLU}(X) = (XW_1) \odot \sigma(XW_2)W_3
]- (W_1, W_2, W_3): Weight matrices.
- (X): Input to the layer.
- (\odot): Element-wise multiplication.
- (\sigma): Activation function, often a sigmoid.
-
Components:
- Linear Transformation: Captures complex feature interactions.
- Gating Mechanism: Adds non-linearity and allows selective feature activation.
- Activation Function: Often uses the sigmoid ((\sigma)) to decide which features to activate.
-
Advantages:
- Efficiency: SwiGLU requires fewer parameters and computations compared to some traditional FFN blocks while achieving similar or better performance.
- Expressiveness: It enables more nuanced feature interactions by combining linear transformations with a gating mechanism.
- Scalability: Works well in large-scale language models, making it a popular choice in state-of-the-art transformers.
-
Comparison to GeLU and ReLU:
- SwiGLU outperforms simpler activation functions like GeLU (Gaussian Error Linear Unit) and ReLU (Rectified Linear Unit) in many transformer-based architectures.
- It offers a better balance of expressiveness and computational cost.
-
Use Cases:
- Primarily used in natural language processing (NLP) models.
- Can be applied to other deep learning tasks, such as vision and speech processing, where transformer architectures are effective.
SwiGLU is part of the ongoing effort to improve the efficiency and effectiveness of transformer-based models, making it a critical innovation for scaling large language models and reducing their computational footprint.
