Security concepts in an enterprise environment Flashcards
Configuration management
Diagrams
Baseline configuration
Standard naming conventions
Internet protocol (IP) schema
The process through which an organization’s information systems components are kept in a controlled state that meets the organization’s requirements, including those for security and compliance.
Diagrams
Diagrams are the best way to capture the complex relationships between network elements. Diagrams can be used to show how CIs are involved in business workflows, logical (IP) and physical network topologies, and network rack layouts. Remember that it is not sufficient simply to create the diagram; you must also keep it up to date, because an out-of-date diagram misleads the people responding to an incident.
Baseline configuration
A collection of security and configuration settings that are to be applied to a particular system or network in the organization.
A baseline configuration is the template of settings that a device, VM instance, or other CI was configured to, and that it should continue to match. You might also record performance baselines, such as the throughput achieved by a server, for comparison with monitored levels.
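The check that follows from a baseline is drift detection: compare what a host actually has against the template and report every departure. The example below is added here and is not part of the original flashcards. The baseline values, the sample sshd_config text, and the hardened settings chosen are all constructed for illustration; the option names are real sshd keywords.

```python
"""Detect configuration drift between a baseline and an observed config file."""

# Constructed baseline: the sshd settings a hardened server is expected to match.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed sample of what was actually collected from the host.
OBSERVED_CONFIG = """\
# sshd_config (sample, constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
#MaxAuthTries 3
LogLevel INFO
"""


def parse_config(text):
    """Parse 'Keyword value' lines, skipping blanks and comments.

    sshd keywords are case-insensitive and the first occurrence of a keyword
    wins, so keys are lower-cased and later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def find_drift(baseline, observed_text):
    """Return (setting, expected, actual) for each baseline setting the host
    does not match. A setting missing from the file is reported with
    actual=None: the daemon then falls back to its compiled-in default, which
    may not be the hardened value the baseline requires."""
    observed = parse_config(observed_text)
    drift = []
    for key, expected in baseline.items():
        actual = observed.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            drift.append((key, expected, actual))
    return drift


if __name__ == "__main__":
    for setting, expected, actual in find_drift(BASELINE, OBSERVED_CONFIG):
        print(f"DRIFT {setting}: expected {expected!r}, found {actual!r}")
```

The same comparison applies to any key/value style baseline (registry values, sysctl settings, cloud resource tags); only the parser changes. Treat an absent setting as drift rather than as compliant, since silence in the file means the default applies.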
Standard naming conventions
A Configuration Item (CI) is an asset that requires specific management procedures for it to be used to deliver the service. Each CI must be identified by some sort of label, ideally using a standard naming convention. CIs are defined by their attributes and relationships, which are stored in a configuration management database (CMDB).
Internet protocol (IP) schema
The documented plan for how IP address ranges are allocated across the network: which subnets belong to which sites, VLANs, or roles (servers, workstations, management), which addresses are reserved for infrastructure such as gateways and servers, and which ranges DHCP may lease. The schema should also record the special-case addresses in each range, such as the network and broadcast addresses, and conventions such as the loopback range. Together with the naming convention it lets an administrator tell at a glance whether a host is where it should be.
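A naming convention and an IP schema are only useful if the inventory is checked against them. The example below is an added illustration, not part of the original flashcards: it assumes a hypothetical convention of site-role-number (for example lon-srv-01) and a constructed three-subnet schema, and it flags hosts whose address is outside every documented subnet, whose name breaks the convention, or whose name disagrees with the subnet they sit in.

```python
"""Validate a host inventory against an IP schema and a naming convention."""
import ipaddress
import re

# Constructed IP schema: documented subnet -> (site, role).
IP_SCHEMA = {
    "10.1.10.0/24": ("lon", "srv"),  # London server VLAN
    "10.1.20.0/24": ("lon", "ws"),   # London workstations
    "10.2.10.0/24": ("nyc", "srv"),  # New York server VLAN
}

# Hypothetical naming convention: <site>-<role>-<number>, e.g. lon-srv-01.
NAME_RE = re.compile(r"^(?P<site>[a-z]{3})-(?P<role>[a-z]+)-(?P<num>\d{2,3})$")

# Constructed inventory, as it might be exported from a CMDB or DHCP leases.
INVENTORY = [
    ("lon-srv-01", "10.1.10.5"),
    ("lon-ws-042", "10.1.20.17"),
    ("nyc-srv-02", "10.1.10.9"),     # NYC name on a London server address
    ("printer7", "10.1.20.200"),     # does not follow the naming convention
    ("lon-srv-03", "192.168.1.50"),  # address outside every documented subnet
]


def check_inventory(schema, inventory, name_re=NAME_RE):
    """Return (name, address, reason) for every host that contradicts the
    schema or the naming convention. Hosts that pass produce nothing."""
    networks = {ipaddress.ip_network(cidr): tag for cidr, tag in schema.items()}
    findings = []
    for name, addr in inventory:
        ip = ipaddress.ip_address(addr)
        tag = next((t for net, t in networks.items() if ip in net), None)
        if tag is None:
            findings.append((name, addr, "address not in any documented subnet"))
            continue
        m = name_re.match(name)
        if not m:
            findings.append((name, addr, "name does not follow convention"))
            continue
        if (m["site"], m["role"]) != tag:
            findings.append((name, addr,
                             f"name says {m['site']}/{m['role']} but subnet is {tag[0]}/{tag[1]}"))
    return findings


if __name__ == "__main__":
    for name, addr, reason in check_inventory(IP_SCHEMA, INVENTORY):
        print(f"{name:12} {addr:15} {reason}")
```

A host that fails the first check (unknown subnet) is the interesting one from a security standpoint: it is either an undocumented network segment or a device that was never entered in the CMDB, and either way it is outside configuration management.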
Data sovereignty
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
Refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service.
Data protection
Data loss prevention (DLP) Masking Encryption At rest In transit/motion In processing Tokenization Rights management
Data loss prevention (DLP)
A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
Automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization.
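A DLP rule is only as good as its classifier: a bare "sixteen digits" pattern blocks order numbers and phone numbers while still missing card numbers written with separators. The example below is added here and is not part of the original flashcards. It scans constructed outbound messages for payment card numbers, validates each candidate with the Luhn checksum so that random digit strings are not flagged, and returns an allow/block verdict per message. The message texts and the block-on-any-hit policy are assumptions for illustration; the card numbers are the standard Visa and Mastercard test numbers.

```python
"""Minimal DLP content classifier: find Luhn-valid card numbers in text."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 from any result over 9, and require the sum
    to be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the normalised (digits-only) card numbers found in text.
    A regex hit that fails Luhn is discarded as a false positive."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def triage(messages):
    """Apply a simple policy: block any message carrying a valid card number."""
    return [("block" if find_card_numbers(msg) else "allow", msg) for msg in messages]


# Constructed sample of outbound messages.
SAMPLE_MESSAGES = [
    "Order ref 1234567890123 shipped today",        # 13 digits, fails Luhn
    "Please charge card 4111 1111 1111 1111, exp 12/29",
    "Call me on 020 7946 0958",                     # too short to be a PAN
    "Refund to 5500-0000-0000-0004",
]

if __name__ == "__main__":
    for verdict, msg in triage(SAMPLE_MESSAGES):
        print(f"{verdict:5}  {msg}")
```

In a real deployment the classifier would also cover other identifiers (national ID numbers, keywords from a classification label) and the policy would depend on channel and destination, but the shape is the same: detect, validate, decide.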
Data Masking
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
Can mean that all or part of the contents of a field are redacted, by substituting all character strings with “x” for example. A field might be partially redacted to preserve metadata for analysis purposes. For example, in a telephone number, the dialing prefix might be retained, but the subscriber number redacted. Data masking can also use techniques to preserve the original format of the field. Data masking is an irreversible deidentification technique.
Data Encryption
Encryption protects data in each of the three states listed below. Database encryption in particular means applying encryption at the table, field, or record level via the database management system rather than via the filesystem, so that a copy of the raw database files or a backup does not expose the protected fields.
At rest
Information that is primarily stored on specific media, rather than moving from one medium to another.
In transit/motion
Information that is being transmitted between two hosts, such as over a private network or the Internet.
In processing
Information that is present in the volatile memory of a host, such as system memory or cache.
Tokenization
A deidentification method where a unique token is substituted for real data.
Means that all or part of the data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.
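The difference between the two deidentification techniques above (masking is irreversible, tokenization is reversible through a vault) is easiest to see side by side. The example below is an added illustration, not code from the original flashcards. It masks a telephone number while keeping the dialling prefix and a card number while keeping the last four digits, both preserving the original separators, and it implements a minimal in-memory token vault. The sample values are constructed; a production vault would be a separate, access-controlled service rather than a dictionary.

```python
"""Masking (one-way) versus tokenization (reversible through a vault)."""
import secrets


def mask_phone(number, keep_prefix=4):
    """Keep the first keep_prefix digits (the dialling prefix) and replace
    every later digit with 'x'; non-digits such as spaces are kept so the
    format survives for analysis. There is no way back to the original."""
    out, seen = [], 0
    for ch in number:
        if ch.isdigit():
            out.append(ch if seen < keep_prefix else "x")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_pan(pan, keep_last=4):
    """Show only the last keep_last digits of a card number."""
    n_digits = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - keep_last else "x")
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Maps real values to random tokens and back. The token carries no
    information about the value; only the vault can reverse it."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value in self._by_value:          # same value -> same token, so joins still work
            return self._by_value[value]
        token = secrets.token_hex(8)
        while token in self._by_token:       # vanishingly unlikely, but guard anyway
            token = secrets.token_hex(8)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        """Return the original value, or None for a token the vault never issued."""
        return self._by_token.get(token)


if __name__ == "__main__":
    print(mask_phone("+44 20 7946 0958"))          # +44 20 xxxx xxxx
    print(mask_pan("4111 1111 1111 1111"))          # xxxx xxxx xxxx 1111
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")
    print(tok, "->", vault.detokenize(tok))
```

The production database stores only the token; any system that needs the real value must call the vault, which is where access control and audit logging belong.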
Rights management
Microsoft provides an Information Rights Management (IRM) feature in its Office productivity suite, SharePoint document collaboration services, and Exchange messaging server. IRM works with the on-premises Active Directory Rights Management Services (AD RMS) or the cloud-based Azure Information Protection. These technologies provide administrators with the following functionality:
Assign file permissions for different document roles, such as author, editor, or reviewer.
Restrict printing and forwarding of documents, even when sent as file attachments.
Restrict printing and forwarding of email messages.
Geographical considerations
Geographic access requirements fall into two different scenarios:
Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow choice of data centers for processing and storage, ensuring that information is not illegally transferred from a particular privacy jurisdiction without consent.
Employees needing access from multiple geographic locations. Cloud-based file and database services can apply constraint-based access controls to validate the user’s geographic location before authorizing access.
Response and recovery controls
Response and recovery controls refer to the whole set of policies, procedures, and resources created for incident and disaster response and recovery. These controls are critical to cybersecurity, but they become increasingly difficult to provision at scale. Effective response and recovery depend heavily on how well-organized IT systems are at the site level. Without effective organizational policies to govern change and configuration management, response and recovery is much harder.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection
SSL/TLS inspection means terminating encrypted sessions at a proxy that decrypts, examines, and re-encrypts the traffic; the proxy then becomes the TLS client or server whose version and cipher-suite policy matters. While the acronym SSL is still used, the Transport Layer Security versions are the only ones that are safe to use; SSL 2.0 and 3.0 are deprecated and have known weaknesses. A server can be configured to support legacy clients, but this makes every connection only as strong as the oldest version it will accept. For example, a TLS 1.2 server could be configured to allow clients to downgrade to TLS 1.1 or 1.0, or even SSL 3.0, if they claim not to support TLS 1.2.
A downgrade attack is where a man-in-the-middle tampers with the handshake to force the use of a weak cipher suite and SSL/TLS version that the server still accepts.
TLS 1.3 was approved in 2018 (RFC 8446). It removes the legacy features and algorithms of previous versions, such as RSA key exchange without forward secrecy, RC4, 3DES, and all non-AEAD cipher suites, and it adds explicit downgrade protection: a TLS 1.3 server that negotiates an older version embeds a fixed marker in its server random value, which a TLS 1.3 client recognises and rejects. There are also changes to the handshake protocol to reduce the number of messages and speed up connections.
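The practical defence against downgrade is to refuse the old versions and weak suites outright rather than to rely on clients. The example below is added here and is not part of the original flashcards. It builds a server-side context with Python's standard ssl module that accepts nothing below TLS 1.2 and only forward-secret AEAD suites, and it pairs that with an audit function that reports a context (or a constructed settings list) which would still permit a downgrade. The cipher string and the "weak" markers are choices made for this example, not a complete policy.

```python
"""Refuse TLS downgrade: a hardened server context plus an audit check."""
import ssl

WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")
MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def audit_tls_settings(minimum_version, ciphers):
    """Pure check over TLS settings.

    minimum_version is an ssl.TLSVersion; ciphers is a list of dicts in the
    shape returned by SSLContext.get_ciphers() (keys 'name' and 'protocol').
    Returns a list of findings; an empty list means no downgrade path.
    """
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        name = ssl.TLSVersion(minimum_version).name
        findings.append(f"minimum protocol version {name} permits downgrade below TLS 1.2")
    for cipher in ciphers:
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        elif cipher.get("protocol") not in MODERN_PROTOCOLS:
            findings.append(f"legacy-protocol cipher suite enabled: {name} ({cipher.get('protocol')})")
    return findings


def hardened_server_context():
    """Server context that accepts TLS 1.2 and 1.3 only, with ECDHE + AEAD
    suites for TLS 1.2 (TLS 1.3 suites are fixed by the library)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Audit a live SSLContext by reading back what it would negotiate."""
    return audit_tls_settings(ctx.minimum_version, ctx.get_ciphers())


# Constructed example of a legacy server's settings, for comparison.
LEGACY_SETTINGS = (
    ssl.TLSVersion.TLSv1,
    [
        {"name": "RC4-SHA", "protocol": "SSLv3"},
        {"name": "AES256-SHA", "protocol": "SSLv3"},
        {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    ],
)

if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    for finding in audit_tls_settings(*LEGACY_SETTINGS):
        print("legacy:  ", finding)
```

Reading the negotiable set back from the context (rather than trusting the configuration string) is the point of the audit: it reports what the linked TLS library will actually offer.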
Hashing
A function that converts an arbitrary-length input to a fixed-length output. Because there are far more possible inputs than outputs, collisions, where two different inputs produce the same output, must exist; a cryptographic hash function is designed so that finding one is computationally infeasible and so that the output reveals nothing useful about the input.
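Why output length matters is easiest to see by shortening it. The example below is added here and is not part of the original flashcards: it truncates SHA-256 to 16 bits and finds a collision by brute force in a few hundred attempts, then confirms that the full 256-bit digests of the same two inputs differ. The sequential inputs and the two-byte truncation are choices made for this example.

```python
"""Collisions: trivial on a truncated hash, infeasible on the full digest."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_truncated_collision(n_bytes=2):
    """Birthday-style search: hash b'0', b'1', ... and stop at the first pair of
    distinct inputs whose SHA-256 digests agree in their first n_bytes.
    Returns (first_input, second_input, hashes_computed). With a 16-bit
    prefix a collision is expected after roughly 300 hashes and is guaranteed
    by the pigeonhole principle within 65537."""
    seen = {}
    i = 0
    while True:
        msg = str(i).encode()
        prefix = hashlib.sha256(msg).digest()[:n_bytes]
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
        i += 1


def bits_changed(a, b):
    """How many of the 256 output bits differ between SHA-256(a) and SHA-256(b).
    For a good hash this is close to 128 even when the inputs differ by one bit."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    first, second, tries = find_truncated_collision(2)
    print(f"{first!r} and {second!r} share a 16-bit prefix after {tries} hashes")
    print("full digests equal:", sha256_hex(first) == sha256_hex(second))
    print("bits changed between 'abc' and 'abd':", bits_changed(b"abc", b"abd"))
```

The work to find a collision grows with the square root of the output space, which is why a hash used for integrity or signatures needs at least 256 bits of output and why a truncated or legacy digest is a weak link.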
API considerations
HTTP is now used less to serve static web pages, and more to create web applications, often as part of a cloud product. An enterprise might use both public web applications over the Internet and private ones. The primary means of configuring and managing a web application is via its application programming interface (API). For example, an application might allow a user account to be created via a URL:
https://example.foo/api/users?api_key=123456
The developer uses the POST method to submit data to the URL with the required parameters coded into the request body, often in JavaScript Object Notation (JSON).
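The page's URL carries the API key as a query parameter, which means it ends up in proxy logs, server access logs, and browser history; the usual practice is to send it in a request header. The example below is an added illustration and not code from the original flashcards. It implements both sides of the exchange described above for a hypothetical POST /api/users endpoint: the server-side logic validates the key with a constant-time comparison and rejects malformed JSON, and a client submits the JSON body. The key value 123456 is the one from the page's URL and is kept only so the example matches it; everything else (route, header name, field name) is an assumption.

```python
"""Both sides of a JSON API call: create a user via POST with a header-borne key."""
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_KEY = "123456"  # from the page's example URL; a real key would be long and random


def handle_create_user(path, headers, body):
    """Server logic for POST /api/users, kept free of socket code so it can be
    tested directly. Returns (status, response_dict)."""
    if path != "/api/users":
        return 404, {"error": "not found"}
    presented = headers.get("X-API-Key", "")
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(presented.encode(), API_KEY.encode()):
        return 401, {"error": "unauthorized"}
    try:
        data = json.loads(body)
        username = data["username"]
        if not isinstance(username, str) or not username.isalnum():
            raise ValueError("invalid username")
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "bad request"}
    return 201, {"username": username}


class UsersHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, payload = handle_create_user(self.path, self.headers, self.rfile.read(length))
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def create_user(base_url, api_key, username):
    """Client side: JSON body, key in a header, returns (status, response_dict)."""
    req = urllib.request.Request(
        base_url + "/api/users",
        data=json.dumps({"username": username}).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "X-API-Key": api_key},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 0), UsersHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    print(create_user(base, API_KEY, "alice"))    # (201, {'username': 'alice'})
    print(create_user(base, "guess", "mallory"))  # (401, {'error': 'unauthorized'})
    server.shutdown()
```

Run as a script it starts the server on a random loopback port and makes the two calls. Over a real network the endpoint would of course sit behind TLS; a key in a header is still plaintext to anyone who can see the HTTP request.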
Site resiliency
Hot Site
Cold Site
Warm Site
Enterprise-level networks often provision resiliency at the site level. An alternate processing or recovery site is a location that can provide the same (or similar) level of service. An alternate processing site might always be available and in use, while a recovery site might take longer to set up or only be used in an emergency.
Operations are designed to failover to the new site until the previous site can be brought back online. Failover is a technique that ensures a redundant component, device, application, or site can quickly and efficiently take over the functionality of an asset that has failed.
Hot Site
A fully configured alternate network that can be online quickly after a disaster.
Cold Site
A predetermined alternate location where a network can be rebuilt after a disaster.
Warm Site
A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.
Deception and disruption
Honeypots Honeyfiles Honeynets Fake telemetry DNS sinkhole
Honeypots
A host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.
Honeyfiles
A honeyfile is data that appears convincingly useful but is actually fake. The file can be made trackable, so that when a threat actor successfully exfiltrates it, attempts to reuse or exploit it can be traced.
Honeynets
A honeynet is an entire decoy network. It may be set up as an actual network or simulated using an emulator.
Fake telemetry
Deception strategy that returns spoofed data in response to network probes.
DNS sinkhole
A DNS server configuration or record that resolves known-malicious domain names (such as botnet command-and-control hosts) to a controlled IP address, so that infected hosts can be identified from their queries and their traffic blocked or inspected instead of reaching the attacker.