SY0-701: 3.0 (Security Architecture)

Question 1

Data Classifications (Companies) (3.3)

Answer 1

Sensitive
Confidential
Public
Restricted
Private
Critical

Question 2

Sensitive Data (3.3)

Answer 2

Has minimal impact if released (e.g. organizations financial data)

Question 3

Confidential Data (3.3)

Answer 3

Contains items such as trade secrets, intellectual property data, and source code that affect the business if disclosed (only viewed by approved personnel)

Question 4

Public Data (3.3)

Answer 4

Has no impact on the company if released and is often posted in an open-source environment

Question 5

Restricted Data (3.3)

Answer 5

Proprietary data including trade secrets

Question 6

Private Data (3.3)

Answer 6

Contains data that should only be used within the organization (e.g. personnel records, salaries. etc.)

Question 7

Critical Data (3.3)

Answer 7

Contains valuable data (e.g. credit card #’s

Question 8

Data Classifications (Government) (3.3)

Answer 8

Unclassified
Sensitive but Unclassified
Confidential
Secret
Top Secret

Question 9

Unclassified data (3.3)

Answer 9

Data that can be released to the public or under the Freedom of Information Act

Question 10

Sensitive but Unclassified (3.3)

Answer 10

Data that would not hurt national security if released but could impact those whose data was being used (e.g. medical records)

Question 11

Confidential Data (3.3)

Answer 11

Data that could seriously affect the government if unauthorized disclosures happen

Question 12

Secret Data (3.3)

Answer 12

Data that could seriously damage national security if disclosed

Question 13

Top Secret (3.3)

Answer 13

Data that would gravely damage national security if disclosed

Question 14

Data at Rest (3.3)

Answer 14

Refers to any data stored in databases, file systems, or other storage systems (prime target for threat actors)

Question 15

Methods to secure data at rest (3.3)

Answer 15

Full disk encryption- Encrypts entire hard drive
Partition encryption- Encrypts specific partition of drive
File encryption- Encrypts individual files
Volume encryption- Encrypts a set of selected files/directories
Database encryption- Encrypts data stored in database (table, row, column)
Record encryption- Encrypts specific record in database

Question 16

Data in Transit/Data in Motion (3.3)

Answer 16

Data that is actively moving from one location to another, such as across the Internet or through a private network

Question 17

Methods to secure data in transit/motion (3.3)

Answer 17

SSL (Secure Socket Layer) and TLS (Transport Layer Security)
VPNs (Virtual Private Networks)
IPSec (Internet Protocal Security)

Question 18

SSL/TLS (3.3)

Answer 18

Secure Socket Layer/Transport Layer Security
Cryptographic protocols designed to provide secure communication over a computer network

Question 19

VPN (3.3)

Answer 19

Virtual Private Network
Technology that creates a secure connection over a less secure network (e.g. over the Internet)

Question 20

IPSec (3.3)

Answer 20

Internet Protocal Security
Protocol suite used to secure IP communications by authenticating and encrypting each IP packet in a data stream

Question 21

Data in Use (3.3)

Answer 21

Data that is in the process of being created, retrieved, updated, or deleted

Question 22

Methods of securing data in use (3.3)

Answer 22

Encryption at application level
Access controls
Secure Enclave (dedicated secure subsystem integrated into Apple System on Chip- SoC)
Intel software guard (encrypts data in memory)

Question 23

Data Types (3.3)

Answer 23

Regulated Data
Trade Secrets
Intellectual Property
Legal Information
Financial Information
Human Readable vs Non-Human Readable Data

Question 24

Regulated Data (3.3)

Answer 24

Information controlled by laws, regulations, or industry standards (e.g. GDPR- General Data Protection Regulation, HIPAA- Health Insurance Portability and Accountability Act)

Question 25

Trade Secrets (3.3)

Answer 25

Type of confidential business information that provides a company with a competitive edge

Question 26

Intellectual Property (IP) (3.3)

Answer 26

Creations of the mind, such as inventions, literary and artistic works, designs, and symbols

Question 27

Legal Information (3.3)

Answer 27

Includes and data related to legal proceedings, contracts, or regulatory compliance

Question 28

Financial Information (3.3)

Answer 28

Data that is related to an organizations financial transactions, such as sales records, invoices, tax documents, and bank statements

Question 29

Human Readable and Non-Human Readable Data (3.3)

Answer 29

Information that a human can read and information a human cannot read (e.g. encrypted, ciphertext, etc.)

Question 30

Data Sovereignty (3.3)

Answer 30

The concept that digital information is subject to the laws of the country in which it is stored, collected, or processed

Question 31

Data Geolocation Considerations (3.3)

Answer 31

If data is stored in another county the organization must abide by those laws (e.g. Europe’s GDPR has strict laws granting individuals rights over their personal data)

Question 32

Methods for Securing Data- General (3.3)

Answer 32

Geographic restrictions
Encryption
Hashing
Masking
Tokenization
Obfuscation
Segmentation
Permission restrictions / Access control

Question 33

Geographic restrictions (Securing Data) (3.3)

Answer 33

Involves setting up virtual boundaries to restrict data access based on geographic location (geofencing)

Question 34

Encryption (Securing Data) (3.3)

Answer 34

Fundamental data security method that transforms readable data (plaintext) into unreadable data (ciphertext) using an algorithm and an encryption key

Question 35

Hashing (Securing Data) (3.3)

Answer 35

Technique that convert data into a fixed size of numerical or alphanumeric characters, known as a hash value or hash digest

Question 36

Masking (Securing Data) (3.3)

Answer 36

Involves replacing some or all of the data in a field with a placeholder, such as “x” to conceal original content

Question 37

Tokenization (Securing Data) (3.3)

Answer 37

Replaces sensitive data with non-sensitive substitutes, known as tokens (e.g. payment processing to protect credit card information)

Question 38

Obfuscation (Securing Data) (3.3)

Answer 38

Involves making data unclear or unintelligible, making it difficult for unauthorized users to understand (e.g. encryption, masking, pseudonyms)

Question 39

Segmentation (Securing Data) (3.3)

Answer 39

Involves dividing a network into separate segments, each with its own security controls

Question 40

Permission Restrictions (Securing Data) (3.3)

Answer 40

Involves defining who has access to specific data and what they can do with it (e.g. RBAC- Role Based Access Control)

Question 41

High Availability (3.4)

Answer 41

The ability of a service to be continuously available by minimizing the downtime to the lowest amount possible

Question 42

Uptime (3.4)

Answer 42

The number of minutes or hours that the system remains online over a given period, and the uptime is usually expressed as a percentage (9’s of availability, e.g. 99.999% = five nines)

Question 43

Load Balancing (3.4)

Answer 43

The process of distributing workloads across multiple computing resources

Question 44

Clustering (3.4)

Answer 44

The use of multiple computers, multiple storage devices, and redundant network connections that all work together as a single system to provide high levels of availability, reliability, and scalability

Question 45

Redundancy (3.4)

Answer 45

The duplication of critical components or functions of a system with the intention of increasing the reliability of the system

Question 46

RAID 0 (3.4)

Answer 46

Provides data striping across multiple disks to increase performance; used for performance as opposed to data protection

Question 47

RAID 1 (3.4)

Answer 47

Mirrors data for redundancy across two drives

Question 48

RAID 5 (3.4)

Answer 48

Stripes data with parity, using at least three storage devices (can lose 1 disk w/o data loss)

Question 49

RAID 6 (3.4)

Answer 49

Uses data striping across multiple devices with two pieces of parity data (can lose 2 disks w/o data loss)

Question 50

RAID 10 (3.4)

Answer 50

Combines RAID 1 and RAID 0 featuring mirrored array in a striped setup (can lose 1 disk per mirrored array)

Question 51

Failure-Resistant (3.4)

Answer 51

Use of redundant storage to withstand hardware malfunctions (RAID 1 or RAID 10)

Question 52

Fault-Tolerant (3.4)

Answer 52

Use of RAID 1, 5, 6, and 10 for uninterrupted operation during hardware failures (no downtime)

Question 53

Disaster-Tolerant (3.4)

Answer 53

Protects data from catastrophic events (RAID 1 and RAID 10 due to having full mirrors)

Question 54

Capacity Planning (3.4)

Answer 54

Crucial strategic planning to meet future demands cost-effectively

Question 55

People (Capacity Planning) (3.4)

Answer 55

Involves analyzing current skills and forecasting future needs for hiring or training (e.g. seasonal positions)

Question 56

Technology (Capacity Planning) (3.4)

Answer 56

Involves assessing current resources, utilization, and anticipating future technological needs

Question 57

Infrastructure (Capacity planning) (3.4)

Answer 57

Involves considering physical space and utilities to support organizational operations

Question 58

Process (Capacity Planning) (3.4)

Answer 58

Aims to optimize business processes to handle demand fluctuations

Question 59

Surge (Power) (3.4)

Answer 59

A small and unexpected increase in the amount of voltage that is being provided

Question 60

Spike (Power) (3.4)

Answer 60

A short transient voltage that is usually caused by a short circuit, a tripped circuit breaker, a power outage, or a lightning strike

Question 61

Sag (Power) (3.4)

Answer 61

A small and unexpected decrease in the amount of voltage that is being provided

Question 62

Undervoltage Event (Power) (3.4)

Answer 62

Occurs when the voltage is reduced to lower levels and usually occur for a longer period of time than a sag

Question 63

Power Loss Event (3.4)

Answer 63

Occurs when there is a total loss of power for a given period of time

Question 64

Line Conditioner (3.4)

Answer 64

Used to overcome any minor fluctuations in the power being received by the given system

Question 65

UPS (3.4)

Answer 65

Uninterruptible Power Supply- A device that provides emergency power to a system when the normal input power source has failed

Question 66

PDC (3.4)

Answer 66

Power Distribution Center- Acts as a central hub where power is received and then distributed to all systems in the data center

Question 67

Data Backup (3.4)

Answer 67

The process of creating duplicate copies of digital information to protect against data loss, corruption, or unavailability

Question 68

Data Backup considerations (3.4)

Answer 68

Onsite / Offsite
Frequency
Encryption
Snapshots
Recovery
Replication
Journaling

Question 69

Frequency (Data Backup) (3.4)

Answer 69

How much data are you willing to lose?
How frequently does the data change?

Question 70

Encryption (Data Backup) (3.4)

Answer 70

Data-at-rest encryption as well as data-in-transit encryption

Question 71

Snapshots (3.4)

Answer 71

Point-in-time copies of the data that capture a consistent state that is essentially a frozen in time copy of the data

Question 72

Journaling (3.4)

Answer 72

Maintaining a meticulous record of every change made to an organizations data over time

Question 73

Data Recovery Process (3.4)

Answer 73

Selection of the backup
Initiating the recovery process
Data validation
Testing and validation
Documentation and reporting
Notification

Question 74

Continuity of Operations Plan (3.4)

Answer 74

Ensures an organizations ability to recover from disruptive events or disasters

Question 75

BCP (3.4)

Answer 75

Business Continuity Plan- Addresses responses to disruptive events; 2 parts
1. BCP (Deals w/ incidents)
2. DRP (Deals w/ disasters)

Question 76

DRP (3.4)

Answer 76

Disaster Recovery Plan- Considered as a subset of the BCP, it focuses on how to resume operations swiftly after a disaster

Question 77

Site Considerations (3.4)

Answer 77

Hot Site- Fully equipped backup facility
Warm Site- Partially equipped, operational w/i days
Cold Site- No immediate equipment
Mobile Site- Can be hot, warm, or cold; independent mobile site; self sufficient
Virtual Site- Utilizes cloud-based environments and is highly flexible; hot, warm, and cold
Hybrid Model- Critical staff=hot, the rest=warm

Question 78

Platform Diversity (3.4)

Answer 78

A vital aspect in redundant site design that uses different platforms to prevent single points of failure in disaster recovery (e.g. cloud provider platform diversity = spreading resources across multiple cloud providers reducing the risk of a single platform outage)

Question 79

Recovery Testing (3.4)

Answer 79

Evaluates the systems ability to return to regular functioning following a disruptive incident; Tests efficiency to recover from multiple failure points

Question 80

Tabletop Exercise (3.4)

Answer 80

A simulated discussion to improve crisis readiness without deploying resources

Question 81

Failover Test (3.4)

Answer 81

Verifies seamless system transition to a backup for uninterrupted functionality during disasters

Question 82

Simulation (3.4)

Answer 82

Computer-generated representations of real-world scenarios

Question 83

Resilience Testing (3.4)

Answer 83

Assesses the systems capacity to endure and adjust to disruptive occurrences; Tests ability to handle multiple failure scenarios

Question 84

Parallel Processing (3.4)

Answer 84

Replicates data and processes onto a secondary system, running both in parallel

Question 85

Cloud Computing (3.1)

Answer 85

Offering computing services over the Internet, such as..
Servers
Storage
Databases
Networking
Software Analytics
Intelligence

Question 86

Responsibility Matrix (3.1)

Answer 86

Outlines the division of responsibilities between the cloud service provider and the customer

Question 87

Third-Party Vendors (3.1)

Answer 87

Provide specialized services that enhance the functionality, security, and efficiency of cloud solutions

Question 88

Hybrid Solutions (3.1)

Answer 88

Combine on-premise infrastructure, private cloud services, and public cloud services

Question 89

On-Premise Solutions (3.1)

Answer 89

Computing infrastructure that’s physically located on-site at a business

Question 90

Shared Physical Server Vulnerabilities (3.1)

Answer 90

Can lead to vulnerabilities if one users data is compromised

Question 91

Virtualization (3.1)

Answer 91

Technology that allows for the emulation of servers

Question 92

Containerization (3.1)

Answer 92

Lightweight alternative to full machine virtualization; Entails encapsulating an application in a container within its own operating environment (e.g. Docker, Kubernetes, Red Hat OpenShift)

Question 93

Type 1 Hypervisor (3.1)

Answer 93

aka bare metal or native hypervisor; runs directly on the host hardware and functions similarly to an operating system (e.g. Hyper-V, XenServer, ESXi, VSphere); Generally faster and more efficient than a type 2 hypervisor

Question 94

Type 2 Hypervisor (3.1)

Answer 94

Operates within a standard operating system, such as Windows, Mac, or Linux (e.g. Virtualbox)

Question 95

Virtual Machine Escape (3.1)

Answer 95

Occurs when an attacker is able to break out of a normally isolated virtual machine

Question 96

Privilege Elevation (3.1)

Answer 96

Occurs when a user is able to gain the ability to run functions as a higher level user

Question 97

Live Migration of Virtual Machines (3.1)

Answer 97

When a virtual machine needs to move from one physical host to another

Question 98

Resource Reuse (3.1)

Answer 98

Concept in computing where system resources like memory or processing power are reused

Question 99

Serverless Computing (3.1)

Answer 99

Model where the responsibility of managing servers, databases, and some application logic is shifted away from developers (AWS Lambda, Google Cloud Functions)

Question 100

Vendor Lock-in (3.1)

Answer 100

One of the most significant risks of serverless computing; it is difficult to switch service providers

Question 101

Microservices (3.1)

Answer 101

A software architecture where large applications are broken down into smaller and independent services (e.g. Netflix has microservices which handle recommendations, user signups, video encoding, etc.)

Question 102

Microservices Advantages (3.1)

Answer 102

Scalability- Each service can be scaled individually based on demand
Flexibility- Each can be run in different programming languages and managed by different teams
Resilience- If one service fails it does not affect the entire system
Faster deployment/Updates- Each can be deployed and updated independently

Question 103

Microservices Disadvantages (3.1)

Answer 103

Complexity
Data Management
Network Latency
Security

Question 104

Physical Separation / Air Gapping (3.1)

Answer 104

Isolation of a network by removing any direct or indirect connections from other networks

Question 105

Logical Separation (3.1)

Answer 105

Creates boundaries within a network, restricting access to certain areas (e.g. VLANs); not as secure as air gapping but is more flexible

Question 106

SDN (3.1)

Answer 106

Software defined network; Enables efficient network configuration to improve performance and monitoring

Question 107

Data Plane (SDN) (3.1)

Answer 107

aka Forwarding Plane; Responsible for handling packets and makes decisions based on protocols (when sending an email the data plane carries that email from one device to the other)

Question 108

Control Plane (SDN) (3.1)

Answer 108

The brain of the network that decides where traffic is sent and is centralized in SDN (dictates traffic flow)

Question 109

Application Plane (SDN) (3.1)

Answer 109

The plane where all network applications interacting with the SDN controller reside

Question 110

IaC (3.1)

Answer 110

Infrastructure as Code; a method in which IT infrastructures are defined in code files that can be versioned, tested, and audited; uses YAML, JSON, or HashiCorp Configuration Language (HCL)

Question 111

Snowflake System (3.1)

Answer 111

A configuration that lacks consistency and might introduce risks, so it has to be eliminated

Question 112

Idempotence (3.1)

Answer 112

Fundamental to IaC; the ability of an operation to produce the same results as many times as it is executed

Question 113

IaC Advantages (3.1)

Answer 113

Speed and Efficiency
Consistency and Standardization
Scalability
Cost Savings
Auditability and Compliance

Question 114

IaC Disadvantages (3.1)

Answer 114

Learning Curve
Complexity
Security Risks

Question 115

Centralized Architecture (3.1)

Answer 115

All the computing functions are coordinated and managed from a single location or authority

Question 116

Centralized Architecture Advantages (3.1)

Answer 116

Efficiency and control
Consistency
Cost Effectiveness

Question 117

Centralized Architecture Disadvantages (3.1)

Answer 117

Single point of failure
Scalability Issues
Security Risks

Question 118

Decentralized Architecture (3.1)

Answer 118

Computing functions are distributed across multiple systems or locations

Question 119

Decentralized Architecture Advantages (3.1)

Answer 119

Resiliency
Scalability
Flexibility

Question 120

Decentralized Architecture Disadvantages (3.1)

Answer 120

Security Risks
Management Challenges
Data Inconsistency

Question 121

IoT (3.1)

Answer 121

Internet of Things; Refers to the network of physical items with embedded systems that enables connection and data exchange

Question 122

Hub (IoT) (3.1)

Answer 122

The central point connecting all IoT devices and sends commands to them

Question 123

Smart Devices (3.1)

Answer 123

Everyday objects enhanced with computing capabilities and Internet connectivity

Question 124

Wearables (3.1)

Answer 124

Subset of smart devices designed to be worn on the body

Question 125

Sensors (3.1)

Answer 125

Detect changes in the environment and transform them into analyzable data

Question 126

IoT Disadvantages (3.1)

Answer 126

Weak Defaults
Poorly configured network services

Question 127

ICS (3.1)

Answer 127

Industrial Control Systems- Control systems used to monitor and control industrial processes ranging from simple systems to complex systems

Question 128

SCADA (3.1)

Answer 128

Supervisory Control and Data Acquisition- A type of ICS used to monitor and control geographically dispersed industrial processes

Question 129

DCS (3.1)

Answer 129

Distributed Control Systems- Used to control production systems within a single location

Question 130

PLC (3.1)

Answer 130

Programmable Logic Controllers- Used to control specific processes such as assembly lines

Question 131

Embedded System (3.1)

Answer 131

Specialized computing component designed to perform dedicated functions within a larger structure

Question 132

RTOS (3.1)

Answer 132

Real-Time Operating System- Ensures data processing in real-time and is crucial for time-sensitive applications

Question 133

Securing embedded systems (4 key strategies) (3.1)

Answer 133

Network Segmentation
Wrappers
Firmware Code Control
Inability to Patch

Question 134

Network Segmentation (Securing embedded systems) (3.1)

Answer 134

Divides a network into multiple segments or subnets, limiting potential damage in case of a breach

Question 135

Wrappers (Securing embedded systems) (3.1)

Answer 135

Show only the entry and exit points of the data when travelling between networks (IPSec)

Question 136

Firmware Code Control (Securing embedded systems) (3.1)

Answer 136

This can be achieved through secure coding practices, code reviews, and automated testing

Question 137

Inability to Patch (Securing embedded systems) (3.1)

Answer 137

Strategies like over-the-air (OTA) updates, where patches are delivered and installed remotely, can be applied

Question 138

Firewall (3.2)

Answer 138

Safeguards networks by monitoring and controlling traffic based on predefined security rules

Question 139

Screened Subnet

Answer 139

aka Dual-Homed Host; Acts as a security barrier between external untrusted networks and internal trusted networks, using a protected host with security measures like a packet-filtering firewall

Question 140

Packet Filtering Firewall (3.2)

Answer 140

aka Layer 4 Firewall; Checks packet headers for traffic allowance based on IP addresses and port numbers; most efficient but least secure

Question 141

Stateful Furewall (3.2)

Answer 141

Monitors all inbound and outbound network connections and requests

Question 142

Proxy Firewall (3.2)

Answer 142

Acts as an intermediary between internal and external connections, making connections on behalf of other endpoints

Question 143

Circuit Level Proxy Firewall (3.2)

Answer 143

Operates at the layer 5 of the OSI model (e.g. SOCKS firewall)

Question 144

Application Level Proxy Firewall (3.2)

Answer 144

aka Layer 7 Firewall; Conducts various proxy functions for each type of application at the layer 7 of the OSI model

Question 145

Kernel Proxy Firewall (3.2)

Answer 145

aka 5th Generation Firewall; Has minimal impact on network performance while thoroughly inspecting packets across all layers

Question 146

NGFW (3.2)

Answer 146

Next-Generation Firewall; Aims to address the limitations of traditional firewalls by being more aware of applications and their behaviors
1. Conducts deep packet inspection for traffic
2. Operates fast with minimal network performance
3. Offers full-stack traffic visibility
4. Integrates with various security products

Question 147

UTM (3.2)

Answer 147

Unified Threat Management Firewall; Provides the ability to conduct multiple security functions in a single appliance…
1. Network firewalls
2. Network intrusion prevention systems
3. Gateway antivirus and antispam
4. Virtual private network concentration
5. Content filtering
6. Load Balancing
7. Data loss prevention

Question 148

UTM Disadvantage (3.2)

Answer 148

1. Single point of failure
2. Lacks the breadth of tools offered by more specialized equipment
3. Sometimes they are less efficient than specialized tools

Question 149

UTM Advantages (3.2)

Answer 149

1. Lower upfront costs, maintenance, and power consumption
2. Simplified installation and configuration
3. Full integration with multiple benefits

Question 150

WAF (3.2)

Answer 150

Web Application Firewall; Focuses on the inspection of the HTTP traffic
1. Inline Configuration- Device sits between the network firewall and the web servers
2. Out-of-Band Configuration- Device receives a mirrored copy of web server traffic

Question 151

IDS (3.2)

Answer 151

Intrusion Detection System- Responsible for detecting unauthorized network access or attacks; detects, reports, logs, and/or alerts; Provides passive detection; Types:
1. NIDS- Network Intrusion Detection System
2. HIDS- Host Intrusion Detection System
3. WIDS- Wireless Intrusion Detection System

Question 152

IPS (3.2)

Answer 152

Intrusion Prevention System- Scans traffic to look for malicious activity and takes action to stop it; installed right behind firewall on edge of network so it can block traffic when needed; provides active protection

Question 153

NIDS (3.2)

Answer 153

Network Intrusion Detection Systems- Monitors the traffic coming in and out of a network; Installed on a mirrored port off backbone switch so it can analyze all traffic

Question 154

HIDS (3.2)

Answer 154

Host-based Intrusion Detection System- Looks at suspicious network traffic going to or from a single server or endpoint

Question 155

WIDS (3.2)

Answer 155

Wireless-based Intrusion Detection System- Detects attempts to cause a denial of service attack on a wireless network

Question 156

Signature-based IDS (3.2)

Answer 156

Signature-based Intrusion Detection System- Analyzes traffic based on defined signatures and can only recognize attacks based on previously identified attacks in its database

Question 157

Pattern-Matching (Signature-based Intrusion Detection System) (3.2)

Answer 157

Looks for a specific pattern of steps; Common in NIDS and WIDS

Question 158

Stateful-Matching (Signature-based Intrusion Detection System) (3.2)

Answer 158

Compares against a known system baseline; Common in HIDS

Question 159

Anomaly-Based IDS (3.2)

Answer 159

Anomaly-Based Intrusion Detection System (aka Behavioral-Based)- Analyzes traffic and compares it to a normal baseline of traffic to determine whether a threat is occurring

Question 160

Anomaly-Based IDS Types (3.2)

Answer 160

Statistical
Protocol
Traffic
Rule / Heuristic
Application-Based

Question 161

HIPS / WIPS (3.2)

Answer 161

Work the same way as HIDS / WIDS but also responds to threat as opposed to just detecting it

Question 162

Network Appliance (3.2)

Answer 162

Dedicated hardware device with pre-installed software that is designed to provide specific networking services

Question 163

Load Balancer (3.2)

Answer 163

Crucial component in any high-availability network or system that is designed to distribute network or application traffic across multiple servers

Question 164

ADC (3.2)

Answer 164

Application Delivery Controller- Special type of load balancer which provides additional services such as:
SSL Termination
HTTP Compression
Content Caching

Question 165

Proxy Server (3.2)

Answer 165

Intermediary between a client and a server to provide various functions like content caching, request filtering, and login management

Question 166

Network Sensor (3.2)

Answer 166

Designed to monitor, detect, and analyze traffic and data flow across a network in order to identify any unusual activities, potential security breaches, or performance issues

Question 167

Jump Server / Jump Box (3.2)

Answer 167

Dedicated gateway used by system administrators to securely access devices located in different security zones within the network; they restrict direct access to protected devices or servers

Question 168

Port Security (3.2)

Answer 168

Common security feature found on network switches that allows administrators to restrict which devices can connect to a specific port based on the network interface cards MAC address

Question 169

CAM Table (3.2)

Answer 169

Content Addressable Memory Table- Used to store information about the MAC addresses that are available on any given port of the switch

Question 170

Persistent MAC Learning (3.2)

Answer 170

aka Sticky MAC- Feature in network port security where the switch automatically learns and associates MAC addresses with specific interfaces

Question 171

802.1x Protocol (3.2)

Answer 171

Standardized framework that is used for port-based authentication for both wired and wireless networks; uses RADIUS or TACACS+

Question 172

EAP (3.2)

Answer 172

Extensible Authentication Protocol (it is a framework)

Question 173

EAP-MD5 (3.2)

Answer 173

Variant of EAP that utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication

Question 174

EAP-TLS (3.2)

Answer 174

Form of EAP that uses public key infrastructure with a digital certificate being installed on both the client and the server as the method of authentication

Question 175

EAP-TTLS (3.2)

Answer 175

Variant of EAP that requires a digital certificate on the server, but not on the client

Question 176

EAP-FAST (3.2)

Answer 176

FAST = Flexible Authentication via Secure Tunneling; Variant of EAP that uses a protected access credential, instead of a certificate, to establish mutual authentication between devices

Question 177

PEAP (3.2)

Answer 177

Protected EAP- Variant of EAP that supports mutual authentication by using server certificates and the Microsoft Active Directory databases for it to authenticate a password from the client

Question 178

LEAP (3.2)

Answer 178

Variant of EAP that only works on Cisco-based devices

Question 179

VPN (3.2)

Answer 179

Virtual Private Network- Extends a private network over a public one, enabling users to securely send and receive data

Question 180

Site-to-site VPN (3.2)

Answer 180

Establishes secure tunnels over the public Internet for interconnecting remote sites; secure but slows transmission speeds since data is detoured through VPN

Question 181

Client-to-Site VPN (3.2)

Answer 181

Connects individual devices directly to the organizations headquarters, enabling remote users to access the network

Question 182

Full Tunnel VPN (3.2)

Answer 182

Maximizes security by encrypting all traffic to the headquarters while integrating clients with the network; more secure than split tunnel but slower speeds

Question 183

Split Tunnel VPN (3.2)

Answer 183

Divides traffic and network requests and then routes them to the appropriate network; Only VPN traffic goes over the VPN; less secure than full tunnel but faster since not all traffic is going over the VPN

Question 184

Clientless VPN (3.2)

Answer 184

Secures remote access through browser-based VPN tunnels without needing client software or hardware configuration

Question 185

TLS (3.2)

Answer 185

Transport Layer Security- A protocol that provides cryptographic security for secure connections and is used for secure web browsing and data transfer

Question 186

TCP (3.2)

Answer 186

Transmission Control Protocol- Used by TLS to establish secure connections between a client and a server, but it may slow down the connection

Question 187

DTLS (3.2)

Answer 187

Datagram Transport Layer Security- A UDP-based version of TLS protocol that offers the same security level as TLS while maintaining faster operations

Question 188

IPSec (3.2)

Answer 188

A protocol suite for secure communication through authentication and data encryption in IP networks; most popular for VPNs because it provides:
Confidentiality
Integrity
Authentication
Anti-Replay

Question 189

IKE (3.2)

Answer 189

Internet Key Exchange

Question 190

VPN Connection Creation Steps (3.2)

Answer 190

1. Request to start Internet Key Exchange
   -PC1 initiates traffic to PC2, triggering IPSec tunnel creation by router 1
2. IKE Phase 1
   -Routers 1 and 2 negotiate security associations for the IPSec IKE Phase 1 tunnel, aka ISAKMP
3. IKE Phase 2
   -Establishes a tunnel within the tunnel
4. Data transfer
   -Data transfer between PCs 1 and 2 takes place securely
5. Tunnel termination
   -Tunnel termination, including the deletion of IPSec security associations

Question 191

Transport Mode (IPSec) (3.2)

Answer 191

Employs the original IP header, ideal for client-to-site VPNs, and is advantageous when dealing with MTU constraints

Question 192

Tunnel Mode (IPSec) (3.2)

Answer 192

Employed for site-to-site VPNs and adds an extra header that can increase packet size and exceed the MTU

Question 193

MTU (3.2)

Answer 193

Maximum Transmission Unit- Set only at 1500 bytes and may cause fragmentation an VPN problems

Question 194

AH (3.2)

Answer 194

Authentication Header- Offers connectionless data integrity and data origin authentication for IP datagrams using cryptographic hash as identification information

Question 195

ESP (3.2)

Answer 195

Encapsulating Security Payload- Employed for providing authentication, integrity, replay protection, and data confidentiality by encrypting the packets payload

Question 196

SD-WAN (3.2)

Answer 196

Virtualized approach to managing and optimizing wide area network connections to efficiently route traffic between remote sites, data centers, and cloud environments

Question 197

SASE (3.2)

Answer 197

Secure Access Service Edge- Used to consolidate numerous networking and security functions into a single cloud-native service to ensure that secure and access for end-users can be achieved

Question 198

Security Zone (3.2)

Answer 198

Distinct segment within a network, often created by logically isolating the segment using a firewall or other security device

Question 199

Screened Subnet (3.2)

Answer 199

Used to be referred to as De-Militarized Zone or DMZ- Hosts public facing services such as web servers, email servers, and DNS servers and safeguards against security breaches by preventing attackers from gaining direct access to the sensitive core internal network

Question 200

Attack Surface of a Network (3.2)

Answer 200

Refers to all the points where an unauthorized user can try to enter data to or extract data from an environment

Question 201

Connectivity (3.2)

Answer 201

Refers to hw different components of a network communicate with each other and with other external networks

Question 202

Control (3.2)

Answer 202

A protective measure put in place to reduce potential risks and safeguard an organizations assets

Question 203

Least Privilege (3.2)

Answer 203

Users or systems are granted only the necessary access rights to perform their duties, reducing the attack surface

Question 204

Defense in depth (3.2)

Answer 204

Emphasizes the use of multiple layers of security to mitigate threats even if one control fails

Question 205

Risk-Based Approach (3.2)

Answer 205

Prioritizing controls based on potential risks and vulnerabilities specific to the infrastructure to make efficient use of resources

Question 206

Lifecycle Management (3.2)

Answer 206

Regularly reviewing, updating, and retiring controls to adapt to evolving threat landscapes

Question 207

Open Design Principle (3.2)

Answer 207

Ensuring transparency and accountability through rigorous testing and scrutiny of infrastructure and controls