Hybrid cloud
more than one public or private cloud
infrastructure as code
Define servers, networks, and apps as code
FaaS
Function as a Service means applications are separated into individual autonomous functions
Monolithic architecture
is one big application that does everything
API
Application programming interfaces break an application into microservices to extend the use of an app
Physical Isolation
Air gap meaning physically separating infrastructure.
SDN
Software Defined Networking has data, control and management planes
Data plane
An infrastructure layer that forwards traffic. Also, where encryption and Network address translation (NAT) happen.
Control plane
Manages the actions of the data plane. Routing tables, session tables, and NAT tables.
Application Layer
Configure the management to the device, SSH, Browser, API
On premises security
Control of all data makes security better as you have your own.
Decentralized
having data in many locations. Makes it difficult to manage. Some have a centralized console to manage this. Has a single point of failure
Container
Running multiple apps on the OS directly. Can not interact with other apps
SCADA
Supervisory control and data acquisition system hardware for factories. Has no access to the outside
RTOS
A real-time operating system is an OS that focuses on one process at a time. When you hit your brakes really hard
Embedded Systems
hardware designed for a specific function
High availability
Means there is always something available in case of failure. not redundancy
Availability
Have as much uptime as possible
Resilience
How much time it takes for something to recover. MTTR, mean time to repair, is how long it will take to repair something.
Cost
How much does everything cost
Responsiveness
How quickly does the app respond
Scalability
How quickly and easily can we increase or decrease capacity. Also called elasticity
Ease of Deployment
If the infrastructure and software are easily deployable
Risk transference
methods to minimize risk
Ease of recovery
How easily can you recover
Patch Availability
How often can you update an OS or app
Inability to patch
for embedded systems, so add additional security like a firewall if connected to a network
Power
Need power for everything to function. UPS (uninterruptible power supply) as a backup
Compute
What does the processing for the hardware
Device placement
devices are placed specifically in a network, firewalls, honeypots, etc
Security zones
trusted and untrusted zones that allow and disallow IP address ranges
Attack surface
patching all openings in your network
Connectivity
secure cabling, app-level encryption, VPN
IPS
intrusion prevention system prevents harmful info from getting in
IDS
intrusion detection systems stop it before it gets into the network
Fail open
When a system fails, data continues to flow
Fail closed
When a system fails, data does not flow
Active monitoring
Analyzing of traffic. Usually IPS.
Passive monitoring
Normal network, but copies of traffic are sent to IPS. If the company doesn’t want the IPS to filter out everything
Jump Server
A server that restricts and reroutes traffic to specific servers
Proxy server
A server that sends and receives requests for users. If the request was already made, it provides the same response to multiple users
Application proxy
Like HTTP or HTTPS
Port Security
Connecting to a wired or wireless network or switches with a password.
EAP
Extensible Authentication Protocol is a way to authenticate
IEEE 802.1X/NAC
Network Access Control provides access to the network if EAP says the authentication is successful
Supplicant
The client who sends a request to the authenticator, who asks for login credentials (EAP request), then sends an EAP response, asks for anything extra, and logs in.
Authenticator
the device that provides access
authentication server
Validates the client's credentials
Network Based Firewalls
controls through purpose-built client. Older use OSI layer 4 vs newer use OSI layer 7. Can also have VPNs and operate as routers (OSI 3)
UTM
Older firewalls that combine multiple services like URL filtering, malware inspection, spam filtering, router, IDS/IPS, bandwidth, and more. OSI layer 4
NGFW
Next Generation Firewalls operate on OSI layer 7. See everything over a network
WAF
Web Application Firewall is designed to analyze input in web-based applications. Catch SQL injections
VPN
Send encrypted data over a public network
Concentrator
encryption device often integrated with VPN and firewalls
Headers
Add headers to a packet, specifically an IPsec header and trailer, to encrypt it
SSL/TLS VPN
Secure Sockets Layer/Transport Layer Security VPN uses TCP 443, giving easy access through firewalls.
Site to Site VPN
Firewalls that act as VPNs. They are on both sides of the tunnel
SD-WAN
Software-defined Networking is a WAN built for the cloud. Can communicate with the data center or straight to the cloud.
SASE
Secure Access Service Edge is a VPN that allows communication to the cloud.
Regulated data
3rd party controls how your data is protected.
Legal Information
Legal records of data are stored in different systems, usually within the court itself.
Human readable
Data types humans can read
Non-Human readable
Data humans can’t read, barcode, images, encoded
Human and non-human
XML, JSON, CSV are a mix of non-human and human data
Proprietary data
Data that is property of a specific organization
PII
Personally Identifiable Information is data that can be tied to a specific person. Name, date of birth, mother’s maiden name, biometric information.
PHI
Protected Health Information is all health data of an individual
Sensitive data
lowest tier, Intellectual property, PII, PHI
Confidential
2nd tier, must be approved to view
Public/Unclassified data
No restrictions on viewing of data
Private/Classified/Restricted
3rd tier, may require you to sign an NDA
Critical
Data that should always be accessible
Data at rest
Any data on SSD, Flash Drive, Hard Drive. Should be encrypted with permissions
Data in Transit
Any data going over a network. Needs to be encrypted over a network like a firewall and IPS. To encrypt the data themselves, use TLS and IPsec
Data in Use
Data that is being processed by your CPU and by RAM. Almost always non-encrypted and the most vulnerable.
Data Sovereignty
Data laws specific to a country. Where it’s stored and how it’s transported
Geolocation data
802.11, GPS can give info about yourself to apps and companies.
Geographic restrictions
Restrict access to certain data through geography, called geofencing. IP subnet for wired. Geolocation for wireless.
Cyphertext
encrypted data usually with a key. Can be decrypted
SHA256
Hashing Algorithm that outputs 256 bits in 64 hexadecimal characters
Masking
Only shows a part of the data and hides the rest. Full data may be in storage
Segmentation
Separates data into multiple databases in different locations
Permission restrictions
logins and file permissions based on what kind of user you are
High availability
Everything is running, and if one system fails, another system will run. More expensive due to higher quality and more power
Server Clustering
combines servers to make one big server. Can increase or decrease capacity by adding or removing servers. All servers know each other
load balancing
A device distributes data through servers. Other servers don’t know they exist. Also removes a broken server
Hot Site
Exact copy of your data center, but nothing is running.
Cold Site
An empty building that needs hardware
Warm Site
A mix between hot and cold has some infrastructure and info, but more is needed
Geographic dispersion
Have recovery sites spaced apart but not too far from each other.
Platform Diversity
Have different OS for different purposes to limit vulnerabilities.
COOP
Continuity of operations planning is a plan in case something goes wrong to continue operations. Give paper receipts instead of automated receipts
People
Based on how many employees and where they are needed to control capacity
Technology
What technology do we need the most of based on demand? Web services or database services
Infrastructure
How much memory, CPU, storage, etc. do we need
Tabletop Exercise
going through the steps of a disaster recovery plan. Changes and critiques can be made here
Fail Over
See if redundant configurations can work when the main ones shut off
Simulation
test phishing, password requests, and data breaches. Test if automated systems and people work
Parallel Processing
Using multiple CPUs to handle transactions; if one fails, it can bounce onto another
On site Backup
Backup is stored on location and easier to access. Used for short term