Serverless Architecture
A cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers.
FaaS
Function as a service. A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language.
API
Application Programming Interface, a library of procedures and a description of how to call each procedure.
VLAN
Virtual local area network. A VLAN can logically group several different computers together, or logically separate computers, without regard to their physical location. It is possible to create multiple VLANs with a single switch.
SDN
Software defined network. A method of using software and virtualization technologies to replace hardware routers. SDNs separate the data and control planes.
Infrastructure/Data plane
Part of SDN:
- Processes the network frames and packets
- Forwarding, trunking, encrypting, NAT
Control Layer (Control Plane)
Part of SDN:
- Manages the actions of the data plane
- Routing tables, session tables, NAT tables
- Dynamic routing protocol updates
Application Layer/Management Plane
Part of SDN:
- Configure and manage the device - SSH, browser, API
SCADA
Supervisory control and data acquisition. Typically industrial control systems within large facilities such as power plants or water treatment facilities. SCADA systems are often contained within isolated networks that do not have access to the Internet, but are still protected with redundant and diverse security controls. SCADA systems can be protected with NIPS systems and VLANs.
ICS
Industrial Control Systems
RTOS
Real-time operating system. A type of OS that prioritizes deterministic execution of operations to ensure a consistent response for time-critical tasks; there is no time to wait for other processes.
IPS
Intrusion prevention system. A preventative control that will stop an attack in progress. It is similar to an active IDS except that it's placed in line with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.
IDS
Intrusion detection system. A detective control used to detect attacks after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline. An IDS can be either host-based (HIDS) or network-based (NIDS). In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur. An IPS is a preventative control that will stop an attack in progress.
Fail-Open
A security control configuration that ensures continued access to the resource in the event of failure
Fail-Closed
A security control configuration that blocks access to a resource in the event of failure
Active Monitoring
- System is connected inline
- Data can be blocked in REAL TIME as it passes by
- Intrusion prevention is commonly active
Passive Monitoring
- A copy of the network traffic is examined using a tap or port monitor
- Data cannot be blocked in real-time
- Intrusion detection (IDS) is commonly passive
SPAN
Switch port analyzer
Jump Server
A system on a network used to access and manage devices in a separate security zone
Proxy Server
A server that acts as an intermediary between a user and the Internet. It receives the user's request and sends the request on behalf of the user. Useful for URL filtering, access control, and content scanning.
Application Level Proxy
A device or software that recognizes application-specific commands and offers granular control over them.
NAT
Network Address Translation. A service that translates public IP addresses to private and private IP addresses to public. It hides addresses on an internal network.
Forward Proxy
A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.
Reverse Proxy
A type of proxy server that protects servers from direct contact with client requests that come from the internet. Inbound traffic from the internet to your internal service
Open Proxy
- A third-party, uncontrolled proxy
- Can be a significant security concern
- Often used to circumvent existing security controls
Active/Active Load Balancing
All servers are active and the load balancer can use any of the servers at any time. Round robin and affinity scheduling belong to this type.
Can also provide: TCP offload (protocol overhead), SSL encryption/decryption, caching, prioritization
Active/passive load balancing
When one server in a load balancing system is active and the others are stand-by.
EAP
Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include LEAP and PEAP, and it is used with 802.1X.
NAC
Network Access Control
Network-based Firewall
- Filters by port number, can encrypt traffic into/out of the network
- Protects traffic between sites
- Can be configured as a layer 3 device (router)
Layers of a Network
Physical (Layer 1)
Data Link
Network
Transport (Layer 4) - Filters by port number or application
Session
Presentation
Application (Layer 7) - NGFW
UTM
Unified threat management. A group of security controls combined in a single solution. UTM appliances can inspect data streams for malicious content and block it. Handles many different services all at the same time. All-in-one security appliance
NGFW
Next Generation Firewall. A firewall that understands Application Layer (layer 7) protocols. It performs advanced decoding: every packet must be analyzed and categorized before a security decision is made.
WAF
Web application firewall. A firewall specifically designed to protect a web application, such as a web server. A WAF inspects the contents of traffic to a web server, can detect malicious content, and block it. Unlike a conventional firewall, it can allow or deny based on expected input and can recognize SQL injection and even XSS.
VPN
Virtual Private Network. Allows a secure private connection over a public network, using an encrypted 'tunnel'. For example, a remote computer can securely connect to a LAN as though it were physically connected. Uses SSL/TLS.
Concentrator
Encryption/decryption access device - Often integrated into a firewall or VPN
TLS
Transport Layer Security. Used to encrypt traffic on the wire. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs
SSL
Secure Sockets Layer. Used to encrypt traffic on the wire. SSL is used with HTTPS to encrypt HTTP traffic on the Internet using both symmetric and asymmetric encryption algorithms. SSL uses port 443 when encrypting HTTPS traffic
IPSec
Protocol suite for securing Internet Protocol communications.
Site-to-site IPsec VPN
• Always-on
• Or almost always
• Firewalls often act as VPN concentrators
• Probably already have firewalls in place
SD-WAN
• Software Defined Networking in a Wide Area Network
- A WAN built for the cloud
• The data center used to be in one place
- The cloud has changed everything
• Cloud-based applications communicate directly to the cloud
- No need to hop through a central point
SASE
Secure Access Service Edge
SASE combines SD-WAN with computer security functions, including cloud access security brokers (CASB), secure web gateways (SWG), antivirus/malware inspection, virtual private networking (VPN), firewall as a service (FWaaS), and data loss prevention (DLP), all delivered by a single cloud service at the network edge. Security for cloud-based services that are reached through SD-WAN.
Data Types - Regulated
Managed by a third party, government laws and statutes
Data Types - Trade Secrets
An organization's secret formulas, often unique to the organization
Data Types - Intellectual Property
May be publicly visible, copyright and trademark restrictions
Data Types - Legal Information
Court records and documents, judge and attorney information, PII and other sensitive details may be stored in another format or on different systems
Data Types - Financial Information
Company financial details, customer finances, payment records, credit card data, bank records, etc
Data Types - Human-Readable
Humans can understand the data
Data Types - Non-human readable
Not easily understood by humans: encoded data, barcodes, images
Data Classification - Proprietary
Data that is property of an organization, may also include trade secrets, often unique to the organization
Data Classification - PII
Personally Identifiable Information, data that can be used to identify an individual
Data Classification - PHI
Protected health information, Health information associated with an individual. Contains health status, health care records, payments, etc
Data at rest
Any data stored on media. It's common to encrypt sensitive data-at-rest.
Data in transit
Any data sent over a network. It's common to encrypt sensitive data-in-transit
Data in use
Any data currently being used by a computer. Because the computer needs to process the data, it is not encrypted while in use.
Data sovereignty
A term that refers to the legal implications of data stored in different countries. It is primarily a concern related to backups stored in alternate locations via the cloud.
Geolocation
The identification of the location of a person or object using technology.
ciphertext
A string of text that has been converted to a secure form using encryption
Obfuscation
The action of making something obscure, unclear, or unintelligible
Segmentation
Dividing a whole into smaller segments. Data segmentation could look like using many smaller databases rather than one big one.
Server Clustering
A technique that links multiple servers together to act as a single server
Hot site
A separate and fully equipped facility where the company can move immediately after a disaster and resume business
Warm site
A separate facility with computer equipment that requires installation and configuration
Cold site
A separate facility that does not have any computer equipment, but is a place where employees can move after a disaster
Geographic dispersion
A resiliency mechanism where processing and data storage resources are replicated between physically distant sites.
COOP
Continuity of Operations Plan. A COOP site provides an alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communications capabilities of the primary site with all the data up to date. A hot site can take over for a failed primary site within an hour. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site.
Journaling
The process of tracking changes to a file so that a file can be repaired or restored in case of file corruption or data loss.
UPS
Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power, giving the system enough time to shut down smoothly or to transfer to generator power. Generators provide long-term power in extended outages.
Offline/Standby UPS
Only goes online if you lose the main source power.
Line-interactive UPS
A variation of a standby UPS that shortens switching time by always keeping the inverter that converts AC to DC working, so that there is no charge-up time for the inverter.
Online/Double Conversion UPS
Continuous power: power is always routed through the batteries.