SY0-701: 3.0 (Security Architecture) Flashcards
Data Classifications (Companies) (3.3)
Sensitive
Confidential
Public
Restricted
Private
Critical
Sensitive Data (3.3)
Has minimal impact if released (e.g. organization's financial data)
Confidential Data (3.3)
Contains items such as trade secrets, intellectual property data, and source code that affect the business if disclosed (only viewed by approved personnel)
Public Data (3.3)
Has no impact on the company if released and is often posted in an open-source environment
Restricted Data (3.3)
Proprietary data including trade secrets
Private Data (3.3)
Contains data that should only be used within the organization (e.g. personnel records, salaries, etc.)
Critical Data (3.3)
Contains valuable data (e.g. credit card #'s)
Data Classifications (Government) (3.3)
Unclassified
Sensitive but Unclassified
Confidential
Secret
Top Secret
Unclassified data (3.3)
Data that can be released to the public or under the Freedom of Information Act
Sensitive but Unclassified (3.3)
Data that would not hurt national security if released but could impact those whose data was being used (e.g. medical records)
Confidential Data (3.3)
Data that could seriously affect the government if unauthorized disclosures happen
Secret Data (3.3)
Data that could seriously damage national security if disclosed
Top Secret (3.3)
Data that would gravely damage national security if disclosed
Data at Rest (3.3)
Refers to any data stored in databases, file systems, or other storage systems (prime target for threat actors)
Methods to secure data at rest (3.3)
Full disk encryption- Encrypts entire hard drive
Partition encryption- Encrypts specific partition of drive
File encryption- Encrypts individual files
Volume encryption- Encrypts a set of selected files/directories
Database encryption- Encrypts data stored in database (table, row, column)
Record encryption- Encrypts specific record in database
Data in Transit/Data in Motion (3.3)
Data that is actively moving from one location to another, such as across the Internet or through a private network
Methods to secure data in transit/motion (3.3)
SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
VPNs (Virtual Private Networks)
IPSec (Internet Protocol Security)
SSL/TLS (3.3)
Secure Sockets Layer/Transport Layer Security
Cryptographic protocols designed to provide secure communication over a computer network
VPN (3.3)
Virtual Private Network
Technology that creates a secure connection over a less secure network (e.g. over the Internet)
IPSec (3.3)
Internet Protocol Security
Protocol suite used to secure IP communications by authenticating and encrypting each IP packet in a data stream
Data in Use (3.3)
Data that is in the process of being created, retrieved, updated, or deleted
Methods of securing data in use (3.3)
Encryption at application level
Access controls
Secure Enclave (dedicated secure subsystem integrated into Apple System on Chip- SoC)
Intel Software Guard Extensions (SGX) (encrypts data in memory)
Data Types (3.3)
Regulated Data
Trade Secrets
Intellectual Property
Legal Information
Financial Information
Human Readable vs Non-Human Readable Data
Regulated Data (3.3)
Information controlled by laws, regulations, or industry standards (e.g. GDPR- General Data Protection Regulation, HIPAA- Health Insurance Portability and Accountability Act)
Trade Secrets (3.3)
Type of confidential business information that provides a company with a competitive edge
Intellectual Property (IP) (3.3)
Creations of the mind, such as inventions, literary and artistic works, designs, and symbols
Legal Information (3.3)
Includes any data related to legal proceedings, contracts, or regulatory compliance
Financial Information (3.3)
Data that is related to an organization's financial transactions, such as sales records, invoices, tax documents, and bank statements
Human Readable and Non-Human Readable Data (3.3)
Information that a human can read and information a human cannot read (e.g. encrypted, ciphertext, etc.)
Data Sovereignty (3.3)
The concept that digital information is subject to the laws of the country in which it is stored, collected, or processed
Data Geolocation Considerations (3.3)
If data is stored in another country the organization must abide by that country's laws (e.g. Europe's GDPR has strict laws granting individuals rights over their personal data)
Methods for Securing Data- General (3.3)
Geographic restrictions
Encryption
Hashing
Masking
Tokenization
Obfuscation
Segmentation
Permission restrictions / Access control
Geographic restrictions (Securing Data) (3.3)
Involves setting up virtual boundaries to restrict data access based on geographic location (geofencing)
Encryption (Securing Data) (3.3)
Fundamental data security method that transforms readable data (plaintext) into unreadable data (ciphertext) using an algorithm and an encryption key
Hashing (Securing Data) (3.3)
Technique that converts data into a fixed-size string of numerical or alphanumeric characters, known as a hash value or hash digest
Masking (Securing Data) (3.3)
Involves replacing some or all of the data in a field with a placeholder, such as “x” to conceal original content
Tokenization (Securing Data) (3.3)
Replaces sensitive data with non-sensitive substitutes, known as tokens (e.g. payment processing to protect credit card information)
Obfuscation (Securing Data) (3.3)
Involves making data unclear or unintelligible, making it difficult for unauthorized users to understand (e.g. encryption, masking, pseudonyms)
Segmentation (Securing Data) (3.3)
Involves dividing a network into separate segments, each with its own security controls
Permission Restrictions (Securing Data) (3.3)
Involves defining who has access to specific data and what they can do with it (e.g. RBAC- Role Based Access Control)
High Availability (3.4)
The ability of a service to be continuously available by minimizing the downtime to the lowest amount possible
Uptime (3.4)
The number of minutes or hours that the system remains online over a given period, and the uptime is usually expressed as a percentage (9’s of availability, e.g. 99.999% = five nines)
Load Balancing (3.4)
The process of distributing workloads across multiple computing resources
Clustering (3.4)
The use of multiple computers, multiple storage devices, and redundant network connections that all work together as a single system to provide high levels of availability, reliability, and scalability
Redundancy (3.4)
The duplication of critical components or functions of a system with the intention of increasing the reliability of the system
RAID 0 (3.4)
Provides data striping across multiple disks to increase performance; used for performance as opposed to data protection
RAID 1 (3.4)
Mirrors data for redundancy across two drives
RAID 5 (3.4)
Stripes data with parity, using at least three storage devices (can lose 1 disk w/o data loss)
RAID 6 (3.4)
Uses data striping across multiple devices with two pieces of parity data (can lose 2 disks w/o data loss)
RAID 10 (3.4)
Combines RAID 1 and RAID 0 featuring mirrored array in a striped setup (can lose 1 disk per mirrored array)
Failure-Resistant (3.4)
Use of redundant storage to withstand hardware malfunctions (RAID 1 or RAID 10)
Fault-Tolerant (3.4)
Use of RAID 1, 5, 6, and 10 for uninterrupted operation during hardware failures (no downtime)
Disaster-Tolerant (3.4)
Protects data from catastrophic events (RAID 1 and RAID 10 due to having full mirrors)
Capacity Planning (3.4)
Crucial strategic planning to meet future demands cost-effectively
People (Capacity Planning) (3.4)
Involves analyzing current skills and forecasting future needs for hiring or training (e.g. seasonal positions)
Technology (Capacity Planning) (3.4)
Involves assessing current resources, utilization, and anticipating future technological needs
Infrastructure (Capacity planning) (3.4)
Involves considering physical space and utilities to support organizational operations
Process (Capacity Planning) (3.4)
Aims to optimize business processes to handle demand fluctuations
Surge (Power) (3.4)
A small and unexpected increase in the amount of voltage that is being provided
Spike (Power) (3.4)
A short transient voltage that is usually caused by a short circuit, a tripped circuit breaker, a power outage, or a lightning strike
Sag (Power) (3.4)
A small and unexpected decrease in the amount of voltage that is being provided
Undervoltage Event (Power) (3.4)
Occurs when the voltage is reduced to lower levels and usually lasts for a longer period of time than a sag
Power Loss Event (3.4)
Occurs when there is a total loss of power for a given period of time
Line Conditioner (3.4)
Used to overcome any minor fluctuations in the power being received by the given system
UPS (3.4)
Uninterruptible Power Supply- A device that provides emergency power to a system when the normal input power source has failed
PDC (3.4)
Power Distribution Center- Acts as a central hub where power is received and then distributed to all systems in the data center
Data Backup (3.4)
The process of creating duplicate copies of digital information to protect against data loss, corruption, or unavailability
Data Backup considerations (3.4)
Onsite / Offsite
Frequency
Encryption
Snapshots
Recovery
Replication
Journaling
Frequency (Data Backup) (3.4)
How much data are you willing to lose?
How frequently does the data change?
Encryption (Data Backup) (3.4)
Data-at-rest encryption as well as data-in-transit encryption
Snapshots (3.4)
Point-in-time copies of the data that capture a consistent state; essentially a frozen-in-time copy of the data
Journaling (3.4)
Maintaining a meticulous record of every change made to an organization's data over time
Data Recovery Process (3.4)
Selection of the backup
Initiating the recovery process
Data validation
Testing and validation
Documentation and reporting
Notification
Continuity of Operations Plan (3.4)
Ensures an organization's ability to recover from disruptive events or disasters
BCP (3.4)
Business Continuity Plan- Addresses responses to disruptive events; 2 parts
1. BCP (Deals w/ incidents)
2. DRP (Deals w/ disasters)
DRP (3.4)
Disaster Recovery Plan- Considered as a subset of the BCP, it focuses on how to resume operations swiftly after a disaster
Site Considerations (3.4)
Hot Site- Fully equipped backup facility
Warm Site- Partially equipped, operational w/i days
Cold Site- No immediate equipment
Mobile Site- Can be hot, warm, or cold; independent mobile site; self-sufficient
Virtual Site- Utilizes cloud-based environments and is highly flexible; hot, warm, and cold
Hybrid Model- Critical staff=hot, the rest=warm
Platform Diversity (3.4)
A vital aspect in redundant site design that uses different platforms to prevent single points of failure in disaster recovery (e.g. cloud provider platform diversity = spreading resources across multiple cloud providers reducing the risk of a single platform outage)
Recovery Testing (3.4)
Evaluates the system's ability to return to regular functioning following a disruptive incident; tests efficiency to recover from multiple failure points
Tabletop Exercise (3.4)
A simulated discussion to improve crisis readiness without deploying resources
Failover Test (3.4)
Verifies seamless system transition to a backup for uninterrupted functionality during disasters
Simulation (3.4)
Computer-generated representations of real-world scenarios
Resilience Testing (3.4)
Assesses the system's capacity to endure and adjust to disruptive occurrences; tests ability to handle multiple failure scenarios
Parallel Processing (3.4)
Replicates data and processes onto a secondary system, running both in parallel
Cloud Computing (3.1)
Offering computing services over the Internet, such as:
Servers
Storage
Databases
Networking
Software
Analytics
Intelligence
Responsibility Matrix (3.1)
Outlines the division of responsibilities between the cloud service provider and the customer
Third-Party Vendors (3.1)
Provide specialized services that enhance the functionality, security, and efficiency of cloud solutions
Hybrid Solutions (3.1)
Combine on-premise infrastructure, private cloud services, and public cloud services
On-Premise Solutions (3.1)
Computing infrastructure that’s physically located on-site at a business
Shared Physical Server Vulnerabilities (3.1)
Can lead to vulnerabilities if one user's data is compromised
Virtualization (3.1)
Technology that allows for the emulation of servers
Containerization (3.1)
Lightweight alternative to full machine virtualization; Entails encapsulating an application in a container within its own operating environment (e.g. Docker, Kubernetes, Red Hat OpenShift)
Type 1 Hypervisor (3.1)
aka bare metal or native hypervisor; runs directly on the host hardware and functions similarly to an operating system (e.g. Hyper-V, XenServer, ESXi, vSphere); generally faster and more efficient than a type 2 hypervisor
Type 2 Hypervisor (3.1)
Operates within a standard operating system, such as Windows, Mac, or Linux (e.g. VirtualBox)
Virtual Machine Escape (3.1)
Occurs when an attacker is able to break out of a normally isolated virtual machine
Privilege Elevation (3.1)
Occurs when a user is able to gain the ability to run functions as a higher level user
Live Migration of Virtual Machines (3.1)
When a virtual machine needs to move from one physical host to another
Resource Reuse (3.1)
Concept in computing where system resources like memory or processing power are reused
Serverless Computing (3.1)
Model where the responsibility of managing servers, databases, and some application logic is shifted away from developers (AWS Lambda, Google Cloud Functions)
Vendor Lock-in (3.1)
One of the most significant risks of serverless computing; it is difficult to switch service providers
Microservices (3.1)
A software architecture where large applications are broken down into smaller and independent services (e.g. Netflix has microservices which handle recommendations, user signups, video encoding, etc.)
Microservices Advantages (3.1)
Scalability- Each service can be scaled individually based on demand
Flexibility- Each can be run in different programming languages and managed by different teams
Resilience- If one service fails it does not affect the entire system
Faster deployment/Updates- Each can be deployed and updated independently
Microservices Disadvantages (3.1)
Complexity
Data Management
Network Latency
Security
Physical Separation / Air Gapping (3.1)
Isolation of a network by removing any direct or indirect connections from other networks
Logical Separation (3.1)
Creates boundaries within a network, restricting access to certain areas (e.g. VLANs); not as secure as air gapping but is more flexible
SDN (3.1)
Software defined network; Enables efficient network configuration to improve performance and monitoring
Data Plane (SDN) (3.1)
aka Forwarding Plane; Responsible for handling packets and makes decisions based on protocols (when sending an email the data plane carries that email from one device to the other)
Control Plane (SDN) (3.1)
The brain of the network that decides where traffic is sent and is centralized in SDN (dictates traffic flow)
Application Plane (SDN) (3.1)
The plane where all network applications interacting with the SDN controller reside
IaC (3.1)
Infrastructure as Code; a method in which IT infrastructures are defined in code files that can be versioned, tested, and audited; uses YAML, JSON, or HashiCorp Configuration Language (HCL)
Snowflake System (3.1)
A configuration that lacks consistency and might introduce risks, so it has to be eliminated
Idempotence (3.1)
Fundamental to IaC; the ability of an operation to produce the same results as many times as it is executed
IaC Advantages (3.1)
Speed and Efficiency
Consistency and Standardization
Scalability
Cost Savings
Auditability and Compliance
IaC Disadvantages (3.1)
Learning Curve
Complexity
Security Risks
Centralized Architecture (3.1)
All the computing functions are coordinated and managed from a single location or authority
Centralized Architecture Advantages (3.1)
Efficiency and control
Consistency
Cost Effectiveness
Centralized Architecture Disadvantages (3.1)
Single point of failure
Scalability Issues
Security Risks
Decentralized Architecture (3.1)
Computing functions are distributed across multiple systems or locations
Decentralized Architecture Advantages (3.1)
Resiliency
Scalability
Flexibility
Decentralized Architecture Disadvantages (3.1)
Security Risks
Management Challenges
Data Inconsistency
IoT (3.1)
Internet of Things; Refers to the network of physical items with embedded systems that enables connection and data exchange
Hub (IoT) (3.1)
The central point that connects all IoT devices and sends commands to them
Smart Devices (3.1)
Everyday objects enhanced with computing capabilities and Internet connectivity
Wearables (3.1)
Subset of smart devices designed to be worn on the body
Sensors (3.1)
Detect changes in the environment and transform them into analyzable data
IoT Disadvantages (3.1)
Weak Defaults
Poorly configured network services
ICS (3.1)
Industrial Control Systems- Control systems used to monitor and control industrial processes ranging from simple systems to complex systems
SCADA (3.1)
Supervisory Control and Data Acquisition- A type of ICS used to monitor and control geographically dispersed industrial processes
DCS (3.1)
Distributed Control Systems- Used to control production systems within a single location
PLC (3.1)
Programmable Logic Controllers- Used to control specific processes such as assembly lines
Embedded System (3.1)
Specialized computing component designed to perform dedicated functions within a larger structure
RTOS (3.1)
Real-Time Operating System- Ensures data processing in real-time and is crucial for time-sensitive applications
Securing embedded systems (4 key strategies) (3.1)
Network Segmentation
Wrappers
Firmware Code Control
Inability to Patch
Network Segmentation (Securing embedded systems) (3.1)
Divides a network into multiple segments or subnets, limiting potential damage in case of a breach
Wrappers (Securing embedded systems) (3.1)
Show only the entry and exit points of the data when travelling between networks (IPSec)
Firmware Code Control (Securing embedded systems) (3.1)
This can be achieved through secure coding practices, code reviews, and automated testing
Inability to Patch (Securing embedded systems) (3.1)
Strategies like over-the-air (OTA) updates, where patches are delivered and installed remotely, can be applied
Firewall (3.2)
Safeguards networks by monitoring and controlling traffic based on predefined security rules
Screened Subnet (3.2)
aka Dual-Homed Host; Acts as a security barrier between external untrusted networks and internal trusted networks, using a protected host with security measures like a packet-filtering firewall
Packet Filtering Firewall (3.2)
aka Layer 4 Firewall; Checks packet headers for traffic allowance based on IP addresses and port numbers; most efficient but least secure
Stateful Firewall (3.2)
Monitors all inbound and outbound network connections and requests
Proxy Firewall (3.2)
Acts as an intermediary between internal and external connections, making connections on behalf of other endpoints
Circuit Level Proxy Firewall (3.2)
Operates at layer 5 of the OSI model (e.g. SOCKS firewall)
Application Level Proxy Firewall (3.2)
aka Layer 7 Firewall; Conducts various proxy functions for each type of application at layer 7 of the OSI model
Kernel Proxy Firewall (3.2)
aka 5th Generation Firewall; Has minimal impact on network performance while thoroughly inspecting packets across all layers
NGFW (3.2)
Next-Generation Firewall; Aims to address the limitations of traditional firewalls by being more aware of applications and their behaviors
1. Conducts deep packet inspection for traffic
2. Operates fast with minimal impact on network performance
3. Offers full-stack traffic visibility
4. Integrates with various security products
UTM (3.2)
Unified Threat Management Firewall; Provides the ability to conduct multiple security functions in a single appliance:
1. Network firewalls
2. Network intrusion prevention systems
3. Gateway antivirus and antispam
4. Virtual private network concentration
5. Content filtering
6. Load Balancing
7. Data loss prevention
UTM Disadvantage (3.2)
- Single point of failure
- Lacks the breadth of tools offered by more specialized equipment
- Sometimes they are less efficient than specialized tools
UTM Advantages (3.2)
- Lower upfront costs, maintenance, and power consumption
- Simplified installation and configuration
- Full integration with multiple benefits
WAF (3.2)
Web Application Firewall; Focuses on the inspection of the HTTP traffic
1. Inline Configuration- Device sits between the network firewall and the web servers
2. Out-of-Band Configuration- Device receives a mirrored copy of web server traffic
IDS (3.2)
Intrusion Detection System- Responsible for detecting unauthorized network access or attacks; detects, reports, logs, and/or alerts; Provides passive detection; Types:
1. NIDS- Network Intrusion Detection System
2. HIDS- Host Intrusion Detection System
3. WIDS- Wireless Intrusion Detection System
IPS (3.2)
Intrusion Prevention System- Scans traffic to look for malicious activity and takes action to stop it; installed right behind firewall on edge of network so it can block traffic when needed; provides active protection
NIDS (3.2)
Network Intrusion Detection Systems- Monitors the traffic coming in and out of a network; Installed on a mirrored port off backbone switch so it can analyze all traffic
HIDS (3.2)
Host-based Intrusion Detection System- Looks at suspicious network traffic going to or from a single server or endpoint
WIDS (3.2)
Wireless-based Intrusion Detection System- Detects attempts to cause a denial of service attack on a wireless network
Signature-based IDS (3.2)
Signature-based Intrusion Detection System- Analyzes traffic based on defined signatures and can only recognize attacks based on previously identified attacks in its database
Pattern-Matching (Signature-based Intrusion Detection System) (3.2)
Looks for a specific pattern of steps; Common in NIDS and WIDS
Stateful-Matching (Signature-based Intrusion Detection System) (3.2)
Compares against a known system baseline; Common in HIDS
Anomaly-Based IDS (3.2)
Anomaly-Based Intrusion Detection System (aka Behavioral-Based)- Analyzes traffic and compares it to a normal baseline of traffic to determine whether a threat is occurring
Anomaly-Based IDS Types (3.2)
Statistical
Protocol
Traffic
Rule / Heuristic
Application-Based
HIPS / WIPS (3.2)
Work the same way as HIDS / WIDS but also respond to threats as opposed to just detecting them
Network Appliance (3.2)
Dedicated hardware device with pre-installed software that is designed to provide specific networking services
Load Balancer (3.2)
Crucial component in any high-availability network or system that is designed to distribute network or application traffic across multiple servers
ADC (3.2)
Application Delivery Controller- Special type of load balancer which provides additional services such as:
SSL Termination
HTTP Compression
Content Caching
Proxy Server (3.2)
Intermediary between a client and a server to provide various functions like content caching, request filtering, and login management
Network Sensor (3.2)
Designed to monitor, detect, and analyze traffic and data flow across a network in order to identify any unusual activities, potential security breaches, or performance issues
Jump Server / Jump Box (3.2)
Dedicated gateway used by system administrators to securely access devices located in different security zones within the network; they restrict direct access to protected devices or servers
Port Security (3.2)
Common security feature found on network switches that allows administrators to restrict which devices can connect to a specific port based on the network interface card's MAC address
CAM Table (3.2)
Content Addressable Memory Table- Used to store information about the MAC addresses that are available on any given port of the switch
Persistent MAC Learning (3.2)
aka Sticky MAC- Feature in network port security where the switch automatically learns and associates MAC addresses with specific interfaces
802.1x Protocol (3.2)
Standardized framework that is used for port-based authentication for both wired and wireless networks; uses RADIUS or TACACS+
EAP (3.2)
Extensible Authentication Protocol (it is a framework)
EAP-MD5 (3.2)
Variant of EAP that utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication
EAP-TLS (3.2)
Form of EAP that uses public key infrastructure with a digital certificate being installed on both the client and the server as the method of authentication
EAP-TTLS (3.2)
Variant of EAP that requires a digital certificate on the server, but not on the client
EAP-FAST (3.2)
FAST = Flexible Authentication via Secure Tunneling; Variant of EAP that uses a protected access credential, instead of a certificate, to establish mutual authentication between devices
PEAP (3.2)
Protected EAP- Variant of EAP that supports mutual authentication by using server certificates and the Microsoft Active Directory databases for it to authenticate a password from the client
LEAP (3.2)
Variant of EAP that only works on Cisco-based devices
VPN (3.2)
Virtual Private Network- Extends a private network over a public one, enabling users to securely send and receive data
Site-to-site VPN (3.2)
Establishes secure tunnels over the public Internet for interconnecting remote sites; secure but slows transmission speeds since data is detoured through VPN
Client-to-Site VPN (3.2)
Connects individual devices directly to the organization's headquarters, enabling remote users to access the network
Full Tunnel VPN (3.2)
Maximizes security by encrypting all traffic to the headquarters while integrating clients with the network; more secure than split tunnel but slower speeds
Split Tunnel VPN (3.2)
Divides traffic and network requests and then routes them to the appropriate network; Only VPN traffic goes over the VPN; less secure than full tunnel but faster since not all traffic is going over the VPN
Clientless VPN (3.2)
Secures remote access through browser-based VPN tunnels without needing client software or hardware configuration
TLS (3.2)
Transport Layer Security- A protocol that provides cryptographic security for secure connections and is used for secure web browsing and data transfer
TCP (3.2)
Transmission Control Protocol- Used by TLS to establish secure connections between a client and a server, but it may slow down the connection
DTLS (3.2)
Datagram Transport Layer Security- A UDP-based version of TLS protocol that offers the same security level as TLS while maintaining faster operations
IPSec (3.2)
A protocol suite for secure communication through authentication and data encryption in IP networks; most popular for VPNs because it provides:
Confidentiality
Integrity
Authentication
Anti-Replay
IKE (3.2)
Internet Key Exchange
VPN Connection Creation Steps (3.2)
- Request to start Internet Key Exchange: PC1 initiates traffic to PC2, triggering IPSec tunnel creation by router 1
- IKE Phase 1: Routers 1 and 2 negotiate security associations for the IPSec IKE Phase 1 tunnel, aka ISAKMP
- IKE Phase 2: Establishes a tunnel within the tunnel
- Data transfer: Data transfer between PCs 1 and 2 takes place securely
- Tunnel termination: Tunnel termination, including the deletion of IPSec security associations
Transport Mode (IPSec) (3.2)
Employs the original IP header, ideal for client-to-site VPNs, and is advantageous when dealing with MTU constraints
Tunnel Mode (IPSec) (3.2)
Employed for site-to-site VPNs and adds an extra header that can increase packet size and exceed the MTU
MTU (3.2)
Maximum Transmission Unit- Set only at 1500 bytes and may cause fragmentation and VPN problems
AH (3.2)
Authentication Header- Offers connectionless data integrity and data origin authentication for IP datagrams using a cryptographic hash as identification information
ESP (3.2)
Encapsulating Security Payload- Employed for providing authentication, integrity, replay protection, and data confidentiality by encrypting the packet's payload
SD-WAN (3.2)
Virtualized approach to managing and optimizing wide area network connections to efficiently route traffic between remote sites, data centers, and cloud environments
SASE (3.2)
Secure Access Service Edge- Used to consolidate numerous networking and security functions into a single cloud-native service to ensure secure access for end-users
Security Zone (3.2)
Distinct segment within a network, often created by logically isolating the segment using a firewall or other security device
Screened Subnet (3.2)
Used to be referred to as De-Militarized Zone or DMZ- Hosts public facing services such as web servers, email servers, and DNS servers and safeguards against security breaches by preventing attackers from gaining direct access to the sensitive core internal network
Attack Surface of a Network (3.2)
Refers to all the points where an unauthorized user can try to enter data to or extract data from an environment
Connectivity (3.2)
Refers to how different components of a network communicate with each other and with other external networks
Control (3.2)
A protective measure put in place to reduce potential risks and safeguard an organization's assets
Least Privilege (3.2)
Users or systems are granted only the necessary access rights to perform their duties, reducing the attack surface
Defense in depth (3.2)
Emphasizes the use of multiple layers of security to mitigate threats even if one control fails
Risk-Based Approach (3.2)
Prioritizing controls based on potential risks and vulnerabilities specific to the infrastructure to make efficient use of resources
Lifecycle Management (3.2)
Regularly reviewing, updating, and retiring controls to adapt to evolving threat landscapes
Open Design Principle (3.2)
Ensuring transparency and accountability through rigorous testing and scrutiny of infrastructure and controls