Architecture & Design Flashcards

Question

Define HaaS

Answer 1

* Hardware as a Service * Another, less common, name for IaaS

Answer 2

* Anything as a Service * A broad description of all cloud models * Usually describes services delivered over the Internet, not locally hosted or managed * Usually associated with a flexible, pay-what-you-use subscription-based pricing models with no up-front costs * Any IT function can be changed into such a service

Answer 3

* Managed Security Service Provider * A specialized type of MSP that focuses on security * Firewall management, patch management, security audits, emergency response, etc.

Answer 4

* Public - available to everyone on the Internet (though your own data is still private) * Community - several organizations share the same resources * Private - your own virtualized data center * Hybrid - a mix of public and private

Answer 5

* Typically used of IoT devices * The application processes its data on the actual device itself * Nothing is stored or processed in the cloud * E.g. You control a thermostat from an app on your phone, and the app communicates directly with that thermostat. The thermostat stores and processes data on its own device.

Answer 6

* A cloud that is close to your data. * Usually in reference to IoT * A distributed cloud architecture * Immediate and sensitive data can stay local, but some data and long-term analysis can be performed in the cloud

Answer 7

* Desktop as a Service * Usually for thin clients * A form of VDI (Virtual Desktop Infrastructure), but DaaS is specifically a cloud-based service

Answer 8

* A traditional application; large and does everything it needs within itself as a single application * The application contains all decision-making processes * User interface, logic, input and output are all in one application

Answer 9

* A newer architecture for applications where its various services are separated into distinct "microservices" * Each microservice is containerized, independent * The microservices communicate to each other through APIs

Answer 10

* Scalable - can scale only the specific services that are needed * Resilient - outages are contained to the specific microservice that fails * Security and compliance - containment is built-in * Coding - simpler because each microservice is coded and updated independently.

Answer 11

* Applications are separated into individual, autonomous functions * No OS needed, the app communicates directly to specialized processors * The processors are known as "stateless compute containers" - processors designed to respond to API requests * Since they are containerized, they can be scaled and removed as needed with little effort

Answer 12

* Function as a Service * Another name for Serverless Architecture provided as a cloud service

Answer 13

* Connects multiple VPCs to each other, and connects users to VPCs * Essentially, a "cloud router" * Commonly, users connect to their VPCs by using a VPN connection to the Transit Gateway

Answer 14

* Policies for assigning permissions to cloud resources * Ex., restricting data or API resources to a list of users or IP addresses

Answer 15

* Deploying a cloud application to multiple cloud service providers for purposes of high availability * If one provider goes down, your application stays up

Answer 16

* Service Integration and Management * A management console that integrates multiple cloud service provider's platforms into a single interface * Beneficial when multisourcing * Every cloud provider has different processes for managing, deploying, etc., and the SIAM streamlines the process

Answer 17

* Servers, networks, and applications described as code, so they can be deployed instantly without the need for configuration * An important part of cloud computing

Answer 18

* Software Defined Networking * An approach to network management that enables programmatic configuration * Separates control pane from data pane * Changes can be made dynamically, on the fly, no hardware changes or reboots needed. * Centrally managed, open standards, vendor neutral * Makes networking more like cloud computing than traditional network management

Answer 19

* Software Defined Visibility * Provides visibility and real-time metrics to traffic flows in cloud computing * Can include next-generation firewalls, web app firewalls, and a SIEM * Needs to be aware of encapsulated and encrypted data, microservices, etc.

Answer 20

* The tendency for too many separate VMs to be running, since they are so easy to create * Becomes difficult to deprovision when documentation is poor. Which VM is related to which application?

Answer 21

* An event or attack wherein a VM is able to interact with the host operating system or hardware, or other guest VMs * VMs are supposed to be isolated and this should never happen. They rarely happen and are major security problems.

Answer 22

* The stage of application development after QA checks but before Production * The application is deployed to a production-like environment, perhaps working with a copy of production data * Performance, usability, and features are all tested

Answer 23

* Defines an application's security environment: what is required to secure and maintain the security of the app * All application instances must follow this baseline * Firewall settings required for it to work and still be secure; patch levels of the application and OS; etc.

Answer 24

* procedure that confirms that an application and its production environment match the security baseline * Should be performed often, and errors should be immediately corrected

Answer 25

• The ability for application instance(s) to increase the workload in a given infrastructure

Answer 26

• The ability for application instance(s) to increase and decrease available resources and instances as a workload changes

Answer 27

* The automation of provisioning and deprovisioning * For application instances, servers, networks, switches, firewalls, and policies * The automation can follow defined rules such as workload, schedule, etc.

Answer 28

* Removal of an application instance * When deprovisioning, all security policies must be reverted: firewall rules, etc.

Answer 29

* When an application makes a database call, instead of sending the actual call (such as a SQL query), it only sends a "stored procedure." * The stored procedure is pre-configured on the database server, and the server uses it to produce the actual database call / query. * This prevents a client from discovering the exact query, and potentially making any modifications to it. * To really be secure, a stored procedure must be used for every possible database call that an application can perform.

Answer 30

* Code that exists in an application that performs some process but isn't utilized * Often a result of copying / reusing code, and not removing unnecessary parts * All code is an opportunity for a security problem, so dead code should be removed

Answer 31

* A developer deliberately making code difficult for humans to read, even though it performs the same function as a much simpler, readable code * Helps prevent the search for security holes by making it more difficult to figure out what the code is doing.

Answer 32

* modifying the format of input to bring it into a standardized format * ex. adding and/or removing typed characters from a phone number so it gets stored in the following format, regardless of how it was typed in: (800) 555-1234

Answer 33

* Input validation can be performed either client-side, server-side, or both * Using both is ideal * If only using one, server-side is more secure because it prevents changes from being made after a client-side validation completes * Client-side validation may be faster since it doesn't require waiting for a response from the server.

Answer 34

* Software Development Kit * Third-party code to extend the functionality of a programming language or provide pre-programmed functions * Added by developers to their own code to speed up the process * A security risk since the code was written by someone else. Requires extensive testing.

Answer 35

* Systems and software that are functionally the same, but use different binary * Makes them less susceptible to malware. It may infect one, but can't infect all others in the same way. * Accomplished by using varying complier paths when producing the binary

Answer 36

* Continuous Integration * A process where code is constantly being written and worked on, merged into a central repository throughout the day * Requires the use of automated security checks to keep up with the constant changes

Answer 37

Continuous Delivery: * When the process of testing and releasing code / applications is automated. * Automated security checks are performed during testing process, and the application is deployed into production with the click of a button. * "Continuous Deployment," also "CD," is when it doesn't even require human interaction to deploy into production, that is also automatic as long as security checks are passed.

Answer 38

* Providing network access to users based on a third-party's authentication * The third-party must have a trust relationship established * Ex. logging into a third-party site by using your Facebook or Google account

Answer 39

* Method of validating a device's trusted identity. * Ex., to confirm a remote user is on their company-assigned laptop when they try to connect via VPN * Device provides a report to a verification server. Usually signed with the device's TPM, and may include an IMEI or other unique hardware component identifier

Answer 40

* Time-based One-Time Password * Uses a secret key to generate codes based on the current time * usually used for MFA

Answer 41

* HMAC-based One-Time Password algorithm * Single use passcode, usually used for MFA * Similar to TOTP, but each code is only used once and goes to the next code in sequence, rather than being time-based

Answer 42

* A code that never changes (at least not automatically). * Ex., a PIN, such as for an ATM * Traditional passwords are also examples of static codes

Answer 43

* False Acceptance Rate * The likelihood that a biometic system will incorrectly approve an unauthorized user * A high rate means that the sensitivity must be increased

Answer 44

* False Rejection Rate * The likelihood that a biometic system will incorrectly reject an authorized user * A high rate means that the sensitivity must be decreased

Answer 45

* Crossover Error Rate * Defines the overall accuracy of a biometric system * The rate at which FAR and FRR are equal

Answer 46

* Authorization, Authentication, and Accounting * The "Triple-A Framework" * Identification (who are you: usually a username) * Authentication (prove you are who you say you are: password and other authentication factors) * Authorization (based on the last two, what access do you have) * Accounting (logging activity and resources used)

Answer 47

* Something you know (password) * Something you have (phone, TOTP generator) * Something you are (biometric)

Answer 48

* Somewhere you are (IP address, GPS data) * Something you can do (handwriting, signature) * Something you exhibit (gait analysis, typing analysis) * Someone you know (Web of trust, digital signature)

Answer 49

* A form of redundancy in network-based storage systems * Multiple network routes exist to get to the storage * Ex. Multiple Fibre Channel interfaces with multiple switches

Answer 50

* Long-term power backup * Requires fuel * May be enough to power an entire building, or at least particular outlets marked as generator-powered * Takes a few minutes to run once power is lost; use a battery UPS for the interim.

Answer 51

* Power Distribution Unit * Provides multiple power outlets, usually in a rack * Often networked and includes monitoring and control * Remotely manage power capacity and remotely enable/disable individual outlets

Answer 52

* NAS is file-level access, SAN is block-level access * SAN acts similar to a local storage device * NAS requires overwriting an entire file if one part of it changes

Answer 53

* The ability for applications (usually cloud) to be built and torn down continuously * Involves the ability to take snapshots, and revert or rollback to a known state

Answer 54

* The order that must be followed when restoring an application or data * Example, a database may need to be started up before an application can be * Or, in backup, full backups and incremental backups must follow the correct restore order

Answer 55

* The use of different technologies, OSs, vendors, controls, cryptographic ciphers, and CAs * For the purpose of hardening security. Gives you options and makes you less prone to a single type of attack.

Answer 56

* Hardware and software designed together for a specific function * Built with only one task in mind * Often running on a SoC * Ex. traffic light controllers; smart watches; medical devices

Answer 57

* Field Programmable Gate Array * An integrated circuit that can be configured and reconfigured after manufacturing * Common in embedded systems * An array of logic blocks that can be software-controlled, allowing a device to be reprogrammed without needing to replace hardware * Common in infrastructure, such as switches, firewalls, and routers.

Answer 58

* Supervisory Control and Data Acquisition System * System allowing a PC to control industrial equipment * Ex. for power generation systems, manufacturing, industrial devices, etc. * Networked, but only internally. Requires extensive segmentation with no external access.

Answer 59

* Industrial Control System * Essentially, another name for SCADA * System allowing a PC to control industrial equipment * Networked, but only internally. Requires extensive segmentation with no external access.

Answer 60

* IoT devices * SCADA / ICS Systems * Vehicle internal network and controls * HVAC * Drones * Printers, scanners, faxes * Surveillance systems

Answer 61

* Plain Old Telephone Service * A new term for the same old, traditional, analog phone service

Answer 62

* Real-Time Operating System * An OS with a deterministic processing schedule * Typically used in certain types of embedded systems * For systems that cannot wait for other processes, but must react immediately to live sensor data, and cannot be overridden * Ex. anti-lock brake systems, industrial equipment, military environments * Sensitive to security issues, as you must ensure the security does not interfere with or delay the process. * It's also difficult to know what kind of security is in place and running on such a system.

Answer 63

* International Mobile Subscriber Identity * Often contained in a SIM card * Allows a mobile service provider to recognize the SIM card and add it to the cellular network * provides authentication and contact information

Answer 64

* The use of a narrow range of frequencies rather than the full broadband signal * Allows communication over a longer distance, and conserves frequency use * Often used by IoT devices and SCADA equipment, particularly those that must communicate over long distances

Answer 65

* The use of a single frequency to communicate, rather than a narrow or broadband * Usually done over a single cable connection. * Because it is a single frequency, the signal uses all bandwidth. Utilization is always either 0% or 100%. * Therefore it is half-duplex. Communication can be bidirectional, but not at the same time on the same wire.

Answer 66

* It is often over Ethernet, with the following standards: * 100BASE-TX * 1000BASE-TX * 10GBASE-T * The "BASE" in the Ethernet standard indicates baseband.

Answer 67

* An Open Standard for IoT networking * An alternative to Wi-Fi and Bluetooth * Longer range than Bluetooth, less power consumption than Wi-Fi * All devices mesh together, to hop connections through each other to reach network infrastructure

Answer 68

* The IEEE designation for Zigbee | * PAN indicates "Personal Area Network"

Answer 69

* In the USA, it uses the ISM Band (Industrial, Scientific, and Medical) * 900 MHz and 2.4 GHz frequencies

Answer 70

* They usually have very limited resources and features * Compute capability is very limited; therefore cryptographic capabilities * Communication options are limited; networking requirements may be very specific * Power is a common constraint, as they are often in the field and may not have access to a main power source * Upgrade options are usually very limited or impossible

Answer 71

* Adding or changing cryptography functionality may not be possible * Ability to update / patch is usually very limited or not possible * Security features are often an after-thought * Authentication requirements may be non-existent, or very limited * Direct access to the OS and software is often very limited or impossible, thus security cannot be verified

Answer 72

• a post that is put in the middle or at the end of a road to keep vehicles off or out of a particular area

Answer 73

• an alarm that is triggered by a panic button or similar method

Answer 74

• Concealing an secure facility in plain sight, blending it into the local environment and leaving it unmarked.

Answer 75

• Self-explanatory, but yes, they apparently exist, and they are on the exam.

Answer 76

* Method of guarding, where no single person has access to a physical asset * Requires two people to grant access, which minimizes exposure to an attack

Answer 77

Another term for Two-Person Integrity

Answer 78

* An attack on devices that use the same cable for both charging and transferring data (typically USB) * A malicious device appears as a power charging source, but while charging, it is actually communicating with your device * Either to steal data, or install malware

Answer 79

* A USB adapter cable that allows voltage but prevents any data transfer * i.e., your device can charge over this USB cable, but not communicate * Prevents juice-jacking

Answer 80

* Only use your own power adapters | * Use a USB Data Blocker

Answer 81

* No all signal types can be blocked | * If access to mobile networks are restricted, then contingencies must be in place for emergency calls

Answer 82

* Apparently, the new name for a DMZ, though no one has ever heard anyone use this term. * In reality, it's just some bullshit that CompTIA is trying to invent to exert control. * To quote Mean Girls, "Stop trying to make 'fetch' happen. It's NOT going to happen."

Answer 83

* Protected Distribution System * A physically secured cabled network. * Prevents cable taps * Prevents a physical DoS of cutting cables

Answer 84

* A physical separation between networks * Whereas most network environments are shared, and may only have virtualized or software separation, air gaps provide complete physical separation.

Answer 85

* airplanes * nuclear plants * stock market networks * power systems/SCADA

Answer 86

* The process of using a strong electromagnetic field to destroy data magnetically stored on a hard drive, rendering the drive unusable * Also destroys the drive configuration data, so not only is the drive unreadable, it can never be reused

Answer 87

* Placing shredded paper into a large tank to remove ink and break the paper down into pulp. * Creates recycled paper, and ensures information on the original paper is unrecoverable.

Answer 88

* Confidentiality * Authentication / access control * Non-repudiation * Integrity

Answer 89

• The particular algorithm used to encrypt and/or decrypt

Answer 90

* The art of cracking encryption * Not just a job for the bad guys; researchers also work to find weaknesses in ciphers, as a flawed cypher is bad for everyone.

Answer 91

* The secret information that is added to a cipher in order to encrypt plaintext * Though ciphers are publicly known, the keys are secret * The key is then required to decrypt the ciphertext * Using larger keys, and/or multiple keys, increases the security of the cryptography

Answer 92

* The process of making a weak key stronger by performing multiple encryption processes with it * I.e., hashing a password, then hashing the hash of the password, and so on. * Makes brute force attacks more difficult, as the attack would require reversing each stage of the hashes * Adds security without needing a larger key.

Answer 93

• Another term for Key Stretching

Answer 94

* New technology still in the process of development. * Method of cryptography that has lower demands on CPU and power. * Designed with IoT devices in mind.

Answer 95

* Typically, encrypted data must be decrypted, then perform the function, then encryption is re-applied to the answer. * Homomorphic Encryption is the process of using and performing calculations on data while it remains in an encrypted state. * Allows data to remain securely stored in the cloud while still being utilized * Allows users to utilize the data without being able to view it.

Answer 96

* The same key is used to encrypt and decrypt * Faster, less overhead than asymmetric encryption * Does not scale well, and difficult to securely share the key

Answer 97

* A public key is used to encrypt, and a private key is used to decrypt. * The keys are mathematically related, but the private key cannot be derived from the public key * Requires significant work from the CPU

Answer 98

* You can combine your private key with a recipient's public key to create a new, symmetric key * That recipient likewise combines their private key with your public key, and produces that same symmetric key * You now both have the same symmetric key, and can use symmetric encryption, without ever having to share your private keys or any symmetric key. * This process is used by the Diffie-Hellman key exchange

Answer 99

* Elliptic Curve Cryptography * Uses curves instead of numbers to generate asymmetric encryption keys * The keys are smaller than non-ECC encryption * Smaller storage and transmission requirements * Ideal for mobile and IoT devices

Answer 100

* A way to represent data as a short string of text, serving as a digital signature of that data * A one-way trip, the data cannot be derived from the hash * May be used to verify a downloaded file * May be used to store passwords, so that your actual password is never stored in plaintext and can't be derived

Answer 101

* A method of web server encryption that uses a different private key for every TLS session * This way, if the private key is compromised, an attacker cannot decrypt all data for all sessions * Uses Elliptic curve or Diffie-Hellman ephemeral * The browser must support PFS (most modern browsers do)

Answer 102

* Hiding information inside something else * From Greek for "concealed writing" * Not truly secure, but a form of "Security through obscurity" * May be hidden in an image, an audio file, within other network traffic, etc.

Answer 103

• In Steganography, the container image, document, or file for a hidden message.

Answer 104

* Computers based on quantum physics * An emerging technology * Uses qubits instead of bits, which are super-positioned bits of 1s, 0s, and any combination in-between, at the same time * Allows for searching, indexing, and simulating extremely quickly * Theoretically will be able to quickly brute force all traditional cryptography.

Answer 105

* If qubits are examined, they are changed. Therefore, you can be aware if your communication has been intercepted and observed. * Especially useful for distribution of encryption keys. Both sides can verify they key. If it was observed en route, then it will have changed and won't match what was sent.

Answer 106

* Encryption performed one bit or byte at a time. * High-speed, low demands on resources * Randomization is challenging, especially if multiple bytes are identical, so an IV is often added.

Answer 107

* Encrypts a fixed-length block of bytes at a time, often 64- or 128-bits in size * If the final block does not fit, padding is added * Each block is encrypted and decrypted separately * Different methods of encrypting blocks are referred to as "Modes of operation"

Answer 108

* Electronic codebook * Cipher Block Chaining * Counter Mode * Galois/Counter Mode

Answer 109

* A mode of Block Ciphering | * Each block is encrypted with the same key; too simple for most use cases

Answer 110

* A mode of Block Ciphering * Each plaintext block is XORed with the previous cipher block * (the first block uses an IV)

Answer 111

* A mode of Block Ciphering | * Encrypts successive values of a counter, using the plaintext as part of the XOR to create the ciphertext

Answer 112

* A mode of Block Ciphering that also applies authentication * Combines Counter Mode with Galois authentication * Very efficient at encrypting, and authenticates where the data came from * Commonly used in packetized data, wireless communication, IPsec communication, TLS

Answer 113

* Payment processing * Digital identification * Supply chain monitoring * Digital voting

Answer 114

* Open Web Application Security Project * International non-profit organization * Provides free materials to promote and support web application security

Answer 115

* specialized processors designed to respond to API requests * utilized in serverless architectures