Security+ 3.0 Architecture and Design Flashcards

1
Q

Ad Hoc

A

Ad hoc - a zone created when two or more wireless devices connect to one another, creating an on-demand network.

2
Q

Intranet

A

Intranet - a private company zone established to allow employees to share content and communicate more effectively.

3
Q

extranet

A

Extranet - a zone created to allow authorized users access to company assets, separate from the intranet.

4
Q

VLAN

A

Virtual Local Area Network (VLAN) is a logical group of network devices on the same LAN, despite their geographical distribution. It can divide the devices logically on the data link layer, and group users according to departments.

5
Q

Aggregation switches

A

Aggregation switches – network devices that combine multiple ports into a single link in order to enhance redundancy and increase bandwidth.

They can connect multiple subnets to reduce the number of active ports. When aggregating subnets, the subnets are connected to the switch rather than to the router.

6
Q

Air gap

A

Air gap - a type of network isolation that physically separates a network from all other networks.

7
Q

Application Containers

A

Application containers - a virtualization method where applications run in isolated containers on the host operating system instead of in separate VMs.

8
Q

Containers

A

Containers use the kernel as a host but do not host an operating system. A container isolates and protects applications from other parts of the system. They require fewer resources than a Type II hypervisor.

9
Q

Deprovisioning

A

Deprovisioning - the act of removing or disabling access to a resource. Since the application has been replaced, the application should be deprovisioned to preserve resources.

10
Q

Provisioning

A

Provisioning - the process of procuring, configuring and making available an application or system on certain services. Provisioning an application allows it to run on its intended platform. Since the new version has already been released in this scenario, this step has already taken place.

11
Q

DMZ

A

DMZ - a small section of a private network that is located behind one firewall or between 2 firewalls and made available for public use.

A DMZ sits between the two firewalls, providing a layer of protection for the internet-facing servers. It is an area of a network that is designed for public and company use. The DMZ is a buffer network between the public, untrusted Internet and the private, trusted LAN.

12
Q

DNS

A

DNS - Domain Name System - the service that maps names to IP addresses on most TCP/IP networks, including the internet.

13
Q

Elasticity

A

Elasticity - the property by which a computing environment can instantly react to both increasing and decreasing demands in a workload.

14
Q

EMI

A

EMI - electromagnetic interference - a disruption of electrical current that occurs when the magnetic field around one electrical circuit interferes with the signal being carried on an adjacent circuit.

15
Q

EMP

A

EMP - electromagnetic pulse - a short burst of electrical interference caused by an abrupt and rapid acceleration of charged particles, which can short-circuit and damage electronic components.

They are radio frequencies emitted by external sources, such as power lines and lights, that disturb data signals.

16
Q

Extranet

A

Extranet - a private network that provides some access to outside parties, particularly vendors, partners and select customers.

17
Q

Fault Tolerance

A

Fault tolerance - the ability of a computing environment to withstand a foreseeable component failure and continue to provide an acceptable level of service.

18
Q

Distributive allocation

A

Distributive allocation provides that multiple nodes are configured to work together on complex problems. A central processor divides the task into smaller pieces and coordinates tasking the nodes.

19
Q

SED

A

A self-encrypting drive (SED) includes both the hardware and software to encrypt data on a drive. Keys are securely stored within for decryption. SED requires credentials to be entered for decryption.

20
Q

FDE

A

FDE - Full disk encryption - a storage technology that encrypts an entire storage drive at the hardware level.

Full device encryption (FDE) provides encryption for a whole disk and protects the confidentiality of the data.

21
Q

Firewalls

A

Firewalls - a software or hardware device that protects a system or network by blocking unwanted network traffic.

Firewalls allow the network administrator to divide the network into different network segments known as zones. A firewall filters traffic. It can be used for a single host or between networks. It regulates both inbound and outbound traffic, providing a layer of security in both directions.

22
Q

Wireless

A

The wireless topology is used to extend a wired local area network through the use of an antenna.

23
Q

Guest Network

A

Guest network - a wireless network used to provide non-employees or guests with internet access. This access is limited to certain functions, such as internet surfing and email.

24
Q

Hardware root of trust

A

Hardware root of trust - a known secure starting point, established by embedding a private key in the system. The key remains private until the public key is matched.

25
Q

Root of trust

A

Root of trust - technology that enforces a hardware platform's trusted computing architecture through encryption mechanisms designed to keep data confidential and to prevent tampering.

26
Q

High availability

A

High availability – the property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.

High availability refers to a service that needs to remain operational with minimum downtime. A group of servers is referred to as a node. If one node fails, another can take over to reduce or eliminate downtime. Failover cluster.

27
Q

Distributive allocation

A

Distributive allocation provides that multiple nodes are configured to work together on complex problems. A central processor divides the task into smaller pieces and coordinates tasking the nodes.

28
Q

Honeynet

A

Honeynet - an entire dummy network used to lure attackers.

29
Q

HSM

A

HSM - hardware security module - a physical device that provides root of trust capabilities.

A Hardware Security Module (HSM) is a device used to generate, maintain and store cryptographic keys. It is an external device and can easily be added to a system as needed.

30
Q

IAAS

A

IAAS - Infrastructure as a service - a computing method that uses the cloud to provide any or all infrastructure needs.

It provides companies the ability to “rent” hardware and services in a cloud environment. The service provider owns, maintains and manages the equipment while the company pays per use.

31
Q

Immutable systems

A

Immutable systems – systems that are not upgraded in place, but are programmatically destroyed and then recreated from scratch every time the configuration changes.

32
Q

Infrastructure as code

A

Infrastructure as code – an information technology strategy that asserts that the organization's infrastructure can be quickly configured and deployed as desired through programming scripts and other code files rather than through standard software tools.

33
Q

Integrity

A

Integrity - the fundamental security goal of keeping organizational information accurate, free of errors and without unauthorized modifications.

34
Q

Intranet

A

Intranet - a private network that is only accessible by the organization's own personnel.

35
Q

Load balancers

A

Load balancers - a network device that distributes the network traffic or computing workload among multiple devices in a network.

Load balancers can equalize the traffic load between servers, eliminating unscheduled downtime. Load balancing uses multiple servers to support a single service. Load balancing can ensure system availability.

36
Q

Mantrap

A

Mantrap - a physical security control system that has a door at each end of a secure chamber.

37
Q

NAT

A

NAT - Network address translation - a simple form of internet security that conceals internal addressing schemes from the public internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.

38
Q

Static NAT

A

Static NAT uses a one-to-one approach for disguising IPs. NAT on the internet-facing firewall protects private computers from outside threats.

39
Q

Dynamic NAT

A

Dynamic NAT - uses multiple IP addresses to map one private IP to many public IPs. It chooses which IP to use based on the load presented.

40
Q

Non-persistence

A

Non-persistence - the property by which a computing environment is discarded once it has finished its assigned task.

41
Q

PAAS

A

PAAS - Platform as a service - a computing method that uses the cloud to provide platform-type services.

It provides preconfigured services for developing and managing environments. This service provides on-demand computing.

42
Q

Port Mirror

A

Port mirror - used to monitor network traffic. It forwards a copy of each packet from one switch port to another.

43
Q

Provisioning

A

Provisioning - the process of procuring, configuring and making available an application or system on certain services. Provisioning an application allows it to run on its intended platform. Since the new version has already been released in this scenario, this step has already taken place.

44
Q

Proxy

A

Proxy – a device that acts on behalf of one end of a network connection when communicating with the other end of the connection. A proxy server mediates the communications between a client and another server. It can filter communications and provide caching services to improve performance.

A proxy server can be a caching intermediary to improve the network performance for users visiting the same websites. This is more applicable for internal use so employees may improve their Internet speeds.

45
Q

RAID

A

RAID - Redundant array of independent disks - a set of vendor-independent specifications that support redundancy and fault tolerance for configurations on multiple-device storage systems.

46
Q

RAID-0

A

RAID-0 offers striping only where data is split across the drives. It does not provide redundancy. RAID-0 has the worst data protection of all of the RAID concepts.

47
Q

RAID-10

A

RAID-10 combines mirroring and striping in a single system. It provides better write performance than any other RAID level providing data protection.

48
Q

Redundancy

A

Redundancy – the property by which a computing environment keeps one or more sets of additional resources in addition to the primary sets of resources.

49
Q

RTOS

A

RTOS - real-time operating system - a specialized operating system that uses a more consistent processor scheduler than a standard system.

50
Q

SAAS

A

SAAS - software as a service - a computing method that uses the cloud to provide application services to users.

It is a full-service product and is pay-as-you-go. It is accessed directly over the internet.

51
Q

Sandboxing

A

Sandboxing - the sandbox is an isolated environment that is often used for testing. Security patches and critical updates can be tested in a sandbox without touching the system before implementation.

52
Q

staging environment

A

Staging environment - mimics production and provides an environment in which to practice deployment. In the event deployment fails in this environment, it can roll back to the test and development environments.

53
Q

production environment

A

Production environment - the final stage of the deployment effort. Testing in this environment would be too late, given that it is the operational environment.

54
Q

development environment

A

Development environment - a place for creation. Requirements are turned into reality in this environment. It is not a complete copy of production, but just the beginning of an application.

55
Q

SCADA

A

SCADA - supervisory control and data acquisition - a type of industrial control system that monitors and controls industrial processes such as manufacturing and fabrication, infrastructure processes such as power transmission and distribution, and facility processes such as energy consumption and HVAC.

56
Q

Scalability

A

Scalability - the property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

57
Q

Attestation

A

Attestation is the process of checking and validating system files during a boot process.

58
Q

Secure boot

A

Secure boot - a UEFI feature that prevents unwanted processes from executing during the boot operation.

It is a process that validates system files during startup to ensure they have not been modified.

59
Q

Proper input validation

A

Proper input validation - limiting what a user can input into specific fields.

60
Q

Normalization

A

Normalization - a software development technique that tries to repair invalid input by stripping any special encoding and automatically converting the input to a specific format that the application can handle.

Normalization is also used to optimize database performance by removing duplicates, using primary keys, and keeping related data in separate tables. A database is normalized when it meets the first three normal forms.

61
Q

Stored procedures

A

Stored procedures – a set of pre-compiled database statements that can be used to validate input to a database. They limit the kind and format of statements that the user can successfully submit. Stored procedures can deny a user access to the underlying data and force them to work within the procedure itself.

62
Q

Code signing

A

Code signing – a form of digital signature that guarantees source code and application binaries are authentic and have not been tampered with. It helps users verify the legitimacy of an app.

63
Q

Encryption

A

Encryption – vital in apps that store and transmit sensitive data.

64
Q

Obfuscation

A

Obfuscation - a technique that essentially hides or camouflages code so that it is harder for unauthorized users to read. It attempts to mitigate reverse engineering of software.

65
Q

Compiling code

A

Compiling code occurs when a compiler is necessary to make the files executable. The compiler checks the code for errors, and if an error is found, it will not allow the code to execute.

66
Q

Runtime

A

Runtime is when the application is actually running in its normal state. The code has already been executed and errors can be checked.

67
Q

Server side execution and validation

A

Server-side execution and validation - occur on the web server or back-end and take more time to complete. It ensures the application does not receive invalid data. Server-side validation is more secure than client-side validation.

68
Q

Client-side execution and validation

A

Client-side execution and validation - client-side input validation verifies data is valid upon entry to the system. Proper input validation uses a set of rules to validate entries in fields for proper use. In the event an entry is invalid, the application will reject the entry.

69
Q

Memory management

A

Memory management - you must be aware whether the language you're coding in manages memory automatically or whether memory needs to be handled in the code.

70
Q

Fuzzing

A

Fuzzing is a dynamic analysis technique that checks code as it is running. When using fuzzing, the system is attacked with random data to check for code vulnerabilities.

71
Q

static code analyzer

A

Static code analyzer - examines code quality and effectiveness without executing the code. An analyzer can be used in conjunction with development for continued code quality checks, or once the code is in its finalization stages.

72
Q

Continuous integration

A

Continuous integration allows for the merging of code changes into a central repository. The code is built and tested each time it is checked into the environment, providing a more efficient method to code production.

73
Q

immutable system

A

Immutable system - the ability to create a secure image and test it in a controlled DevOps environment.

74
Q

Automating security testing

A

Automating security testing in a DevOps environment ensures defects are not introduced in systems. As new code is introduced to an application, security testing is important to check for bugs and vulnerabilities.

75
Q

SECaaS

A

Security as a service - SECaaS - a computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.

76
Q

CASB

A

A Cloud Access Security Broker (CASB) is a part of security as a service that monitors network traffic between a company’s network and cloud provider, enforcing security policies.

77
Q

Security automation

A

Security automation - the ability to easily configure, generate and deploy baselines for computer systems in the organization.

78
Q

Snapshots

A

Snapshots - the state of a virtual machine at a specific point in time.

79
Q

SSL accelerators

A

SSL accelerators - a Secure Socket Layer (SSL) accelerator is designed to offload tasks from servers, allowing network load to be distributed. It can provide a seamless service to consumers of network applications while balancing out session requests.

80
Q

SSL decryptor

A

SSL decryptor provides protection from malicious threats over secure connections and would be placed in the DMZ.

81
Q

SSL/TLS accelerator

A

SSL/TLS accelerator - a hardware interface that helps offload the resource-intensive encryption calculations in SSL/TLS to reduce overhead for a server.

82
Q

Software Defined Network (SDN)

A

Software Defined Network (SDN) separates data and control planes in a network. It uses virtualization to route traffic to its intended destination, instead of using proprietary hardware.

83
Q

Network Taps

A

Network taps – create a copy of network traffic to forward to a sensor or monitor such as an IDS. Often enabled through port mirroring functionality on switches. If you want to monitor any potentially malicious traffic from external sources, place taps outside or alongside the perimeter firewall. This placement is very noisy, however. To monitor malicious traffic that may have already made its way into the private network, place taps alongside switches that provide end-user

84
Q

TPM

A

TPM - trusted platform module - a specification that includes the use of crypto processors to create a secure computing environment.

A TPM keeps hard drives locked until proper authentication occurs.

It is a hardware-based encryption solution that is embedded in the system and provides secure key storage for full disk encryption. TPM supports secure boot processes.

85
Q

TOS

A

Trusted OS - TOS - the operating system component of the TCB (trusted computing base) that protects resources from applications.

86
Q

TCB

A

TCB - the hardware, firmware and software components of a computer system that implement the security policy of the system.

87
Q

Tunneling

A

Tunneling - a data transport technique in which a data packet is encrypted and encapsulated in another data packet in order to conceal the information of the packet inside.

88
Q

Type 1 hypervisor

A

Type 1 hypervisor - runs directly on the host's hardware when managing the guest virtual environments.

Type 1 hypervisors are virtualization solutions that run directly on system hardware. They do not require operating system involvement in order to run.

89
Q

Type 2 hypervisor

A

Type 2 hypervisor – runs as an application on top of the host machine's OS. This adds another level between the hypervisor and the hardware. Typically slower than type 1 and adds an extra layer of complexity to VMs.

Type 2 hypervisors are virtualization solutions that run as software and do require a host operating system.

90
Q

BIOS

A

BIOS - Basic input/output system - a firmware interface that initializes hardware for an operating system boot.

It is a combination of hardware and software used to adjust settings in a computer.

91
Q

UEFI

A

UEFI - Unified extensible firmware interface - a firmware interface that initializes hardware for an operating system boot.

It is a specification for a software program that connects a computer's firmware to its operating system. UEFI is the replacement for BIOS (Basic Input/Output System) and has many advancements, including provisions for secure booting.

92
Q

Virtualization

A

Virtualization - the process of creating a simulation of a computing environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.

93
Q

VPN

A

VPN - virtual private network - a method of extending a private network by tunneling through a public network, such as the internet.

94
Q

Site-to-site VPN

A

Site-to-site - connects 2 private networks together.

A site-to-site Virtual Private Network (VPN) connects multiple networks versus one. Remote users can access both locations as if they were onsite, without noticing the location separation.

95
Q

Split tunnel

A

Split tunnel - a means of encrypting a connection on demand for VPNs. It will only encrypt outbound traffic to private IP addresses.

96
Q

Always on VPNs

A

Always-on VPNs allow for a continued connection between the geographically separated servers and the employee.

97
Q

VPN Concentrators

A

VPN concentrators – a single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels.

98
Q

VDI

A

VDI - Virtual desktop infrastructure - uses virtualization to separate the personal computing environment from the user's physical machine. A desktop OS and applications run inside VMs that are hosted on servers in the virtualization infrastructure.

99
Q

VDE

A

VDE - virtual desktop environment - a VM that runs a desktop OS.

100
Q

CASB

A

A Cloud Access Security Broker (CASB) is a part of security as a service that monitors network traffic between a company’s network and cloud provider, enforcing security policies.