Security concepts in enterprise environment

Question 1

Configuration management

Answer 1

Diagrams
Baseline configuration
Standard naming conventions
Internet protocol (IP) schema

The process through which an organization’s information systems components are kept in a controlled state that meets the organization’s requirements, including those for security and compliance.

Question 2

Diagrams

Answer 2

Diagrams are the best way to capture the complex relationships between network elements. Diagrams can be used to show how CIs are involved in business workflows, logical (IP) and physical network topologies, and network rack layouts. Remember, it is not sufficient simply to create the diagram, you must also keep the diagram up to date.

Question 3

Baseline configuration

Answer 3

A collection of security and configuration settings that are to be applied to a particular system or network in the organization.
A baseline configuration is the template of settings that a device, VM instance, or other CI was configured to, and that it should continue to match. You might also record performance baselines, such as the throughput achieved by a server, for comparison with monitored levels.

Question 4

Standard naming conventions

Answer 4

A Configuration Item (CI) is an asset that requires specific management procedures for it to be used to deliver the service. Each CI must be identified by some sort of label, ideally using a standard naming convention. CIs are defined by their attributes and relationships, which are stored in a configuration management database (CMDB).

Question 5

Internet protocol (IP) schema

Answer 5

The Internet addressing scheme consists of Internet Protocol (IP) addresses and two special cases of IP addresses: broadcast addresses and loopback addresses.

Question 6

Data sovereignty

Answer 6

In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

Refers to a jurisdiction preventing or restricting processing and storage from taking place on systems do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service.

Question 7

Data protection

Answer 7

Data loss prevention (DLP)
Masking
Encryption
At rest
In transit/motion
In processing
Tokenization
Rights management

Question 8

Data loss prevention (DLP)

Answer 8

A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization.

Question 9

Data Masking

Answer 9

A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

Can mean that all or part of the contents of a field are redacted, by substituting all character strings with “x” for example. A field might be partially redacted to preserve metadata for analysis purposes. For example, in a telephone number, the dialing prefix might be retained, but the subscriber number redacted. Data masking can also use techniques to preserve the original format of the field. Data masking is an irreversible deidentification technique.

Question 10

Data Encryption

Answer 10

Applying encryption at the table, field, or record level via a database management system rather than via the filesystem.

Question 11

At rest

Answer 11

Information that is primarily stored on specific media, rather than moving from one medium to another.

Question 12

In transit/motion

Answer 12

Information that is being transmitted between two hosts, such as over a private network or the Internet.

Question 13

In processing

Answer 13

Information that is present in the volatile memory of a host, such as system memory or cache.

Question 14

Tokenization

Answer 14

A deidentification method where a unique token is substituted for real data.

Means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate to the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.

Question 15

Rights management

Answer 15

Information Rights Management (IRM) feature in their Office productivity suite, SharePoint document collaboration services, and Exchange messaging server. IRM works with the Active Directory Rights Management Services (RMS) or the cloud-based Azure Information Protection. These technologies provide administrators with the following functionality:

Assign file permissions for different document roles, such as author, editor, or reviewer.
Restrict printing and forwarding of documents, even when sent as file attachments.
Restrict printing and forwarding of email messages.

Question 16

Geographical considerations

Answer 16

Geographic access requirements fall into two different scenarios:

Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow choice of data centers for processing and storage, ensuring that information is not illegally transferred from a particular privacy jurisdiction without consent.
Employees needing access from multiple geographic locations. Cloud-based file and database services can apply constraint-based access controls to validate the user’s geographic location before authorizing access.

Question 17

Response and recovery controls

Answer 17

Response and recovery controls refer to the whole set of policies, procedures, and resources created for incident and disaster response and recovery. These controls are critical to cybersecurity, but they become increasingly difficult to provision at scale. Effective response and recovery depend heavily on how well-organized IT systems are at the site level. Without effective organizational policies to govern change and configuration management, response and recovery is much harder.

Question 18

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection

Answer 18

While the acronym SSL is still used, the Transport Layer Security versions are the only ones that are safe to use. A server can provide support for legacy clients, but obviously this is less secure. For example, a TLS 1.2 server could be configured to allow clients to downgrade to TLS 1.1 or 1.0 or even SSL 3.0 if they do not support TLS 1.2.

A downgrade attack is where a man-in-the-middle tries to force the use of a weak cipher suite and SSL/TLS version.

TLS version 1.3 was approved in 2018. One of the main features of TLS 1.3 is the removal of the ability to perform downgrade attacks by preventing the use of unsecure features and algorithms from previous versions. There are also changes to the handshake protocol to reduce the number of messages and speed up connections.

Question 19

Hashing

Answer 19

A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.

Question 20

API considerations

Answer 20

HTTP is now used less to serve static web pages, and more to create web applications, often as part of a cloud product. An enterprise might use both public web applications over the Internet and private ones. The primary means of configuring and managing a web application is via its application programming interface (API). For example, an application might allow a user account to be created via a URL:

https://example.foo/api/users?api_key=123456

The developer uses the POST method to submit data to the URL with the required parameters coded into the request body, often in JavaScript Object Notation (JSON).

Question 21

Site resiliency

Answer 21

Hot Site
Cold Site
Warm Site

Enterprise-level networks often provision resiliency at the site level. An alternate processing or recovery site is a location that can provide the same (or similar) level of service. An alternate processing site might always be available and in use, while a recovery site might take longer to set up or only be used in an emergency.

Operations are designed to failover to the new site until the previous site can be brought back online. Failover is a technique that ensures a redundant component, device, application, or site can quickly and efficiently take over the functionality of an asset that has failed.

Question 22

Hot Site

Answer 22

A fully configured alternate network that can be online quickly after a disaster.

Question 23

Cold Site

Answer 23

A predetermined alternate location where a network can be rebuilt after a disaster.

Question 24

Warm Site

Answer 24

A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

Question 25

Deception and disruption

Answer 25

Honeypots
Honeyfiles
Honeynets
Fake telemetry
DNS sinkhole

Question 26

Honeypots

Answer 26

A host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.

Question 27

Honeyflies

Answer 27

a honeyfile, which is convincingly useful, but actually fake, data. This honeyfile can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to resuse or exploit it can be traced.

Question 28

Honeynets

Answer 28

Honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator.

Question 29

Fake telemetry

Answer 29

Deception strategy that returns spoofed data in response to network probes.

Question 30

DNS sinkhole

Answer 30

Temporary DNS record that redirects malicious traffic to a controlled IP address.