Section 2 - Architecture and Design

Question 1

Baseline configuration

Answer 1

Is a group of settings placed on a system before it is approved for production. Using baselines is a technique that evolved from administration checklists to ensure systems were set up correctly for their intended purpose.
In case of workstations, it would be an OS image with pre-installed software.

Question 2

Data sovereignty

Answer 2

Often refers to the understanding that data which are stored outside of an organization’s host country and still subject to the laws in the country where the data are stored

Question 3

Data masking

Answer 3

Is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel.

Question 4

Data tokenization

Answer 4

Is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no intrinsic or exploitable meaning or value. The token is a reference that maps back to the sensitive data through a tokenization system.

Question 5

Hardware security module (HSM)

Answer 5

Is a physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

Question 6

Cloud access security broker (CASB)

Answer 6

Is cloud-hosted software or on-premises software or hardware that act as an intermediary between users and cloud service providers. It combines and interjects enterprise security policies as cloud-based resources are accessed.

Question 7

System resilience

Answer 7

The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.

Question 8

Cold site

Answer 8

A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.

Question 9

Hot site

Answer 9

A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.

Question 10

Warm site

Answer 10

An environmentally conditioned work space that is partially equipped with information systems and telecommunications equipment to support relocated operations in the event of a significant disruption.

Question 11

Infrastructure-as-a-Service (IaaS)

Answer 11

Is a form of cloud computing that delivers fundamental compute, network, and storage resources to consumers on-demand, over the internet, and on a pay-as-you-go basis. IaaS enables end users to scale and shrink resources on an as-needed basis, reducing the need for high, up-front capital expenditures or unnecessary “owned” infrastructure, especially in the case of “spiky” workloads. In contrast to PaaS and SaaS (even newer computing models like containers and serverless), IaaS provides the lowest-level control of resources in the cloud.

Question 12

Software as a Service (SaaS)

Answer 12

SaaS utilizes the internet to deliver applications, which are managed by a third-party vendor, to its users. A majority of SaaS applications run directly through your web browser, which means they do not require any downloads or installations on the client side.

Question 13

Platform as a Service (PaaS)

Answer 13

Provides software developers with on-demand platform—hardware, complete software stack, infrastructure, and even development tools—for running, developing, and managing applications without the cost, complexity, and inflexibility of maintaining that platform on-premises.

With PaaS, the cloud provider hosts everything—servers, networks, storage, operating system software, middleware, databases—at their data center.

Question 14

Everything as a Service (XaaS)

Answer 14

Describes a general category of services related to cloud computing and remote access. It recognizes the vast number of products, tools, and technologies that are now delivered to users as a service over the internet.
Essentially, any IT function can be transformed into a service for enterprise consumption. The service is paid for in a flexible consumption model rather than as an upfront purchase or license.

Question 15

Cloud deployment models

Answer 15

Public cloud is cloud computing that’s delivered via the internet and shared across organizations.
Private cloud is cloud computing that is dedicated solely to your organization.
Hybrid cloud is any environment that uses both public and private clouds.

Question 16

Fog computing

Answer 16

Places a decentralized enterprise computing layer between the source of data and a central cloud platform. Like edge computing, fog computing also brings the processing power closer to where the data is extracted from. While fog computing enhances efficiency, it can also be leveraged for cybersecurity and regulatory compliance.

Question 17

Edge computing

Answer 17

Brings processing and storage systems as close as possible to the application, device, or component that generates and collects data. This helps minimize processing time by removing the need for transferring data to a central processing system and back to the endpoint

Question 18

Containerization

Answer 18

Is a form of virtualization where applications run in isolated user spaces, called containers, while using the same shared operating system (OS).

Question 19

Microservices

Answer 19

Are component parts of an application that are designed to run independently. A microservices-based application is a collection of loosely coupled services that are lightweight and independently deployable and scalable

Question 20

Kubernetes

Answer 20

Is a container orchestration tool—an open-source, extensible platform for deploying, scaling, and managing the complete life cycle of containerized applications across a cluster of machines.

Question 21

Infrastructure as code (IaC)

Answer 21

Is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.

Question 22

Software-Defined Networking (SDN)

Answer 22

Is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network.

Question 23

Software Defined Visibility (SDV)

Answer 23

Is a framework that allows customers, security and network equipment vendors, as well as managed service providers, to control and program Gigamon’s Visibility Fabric via REST-based Application Program Interfaces (APIs). By writing programs that utilize Gigamon’s APIs, critical functions previously requiring manual intervention can be automated to improve responsiveness, enhance analysis and increase protection of key resources and information assets.

Question 24

Serverless architecture

Answer 24

Is a software design pattern where we host our applications on a third-party service.

Question 25

Virtualization sprawl (VM sprawl)

Answer 25

Is a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where administrators can no longer manage them effectively

Question 26

VM escape

Answer 26

Is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system.

Question 27

Provisioning vs Deprovisioning

Answer 27

Provisioning is the process of making information technology (IT) systems available to users. Deprovisioning is the process of removing user access to software and network services.

Question 28

Database normalization

Answer 28

Refers to organizing tables and columns in a database to reduce redundant data and improve overall database performance.

Question 29

Stored procedure

Answer 29

This is the practice of storing business logic, rules, algorithms and data within a database. These procedures can be run at any time by the database, rather than being triggered when a user tries to access the logic.

Question 30

Code Obfuscation/Camouflage

Answer 30

Is the process of making code more difficult to understand. This is typically done by replacing certain words and phrases in the code with numbers. There are several methods for obfuscating code, and most can eventually be reverse engineered, but it does add one more layer of protection.

Question 31

Code Reuse

Answer 31

Reusing code can be risky, though, if the code being used isn't secure and gets spread throughout the application. It can also be a problem if the reused code doesn't work well in the new environment or if the changes aren't as secure as they would have been had the code been written expressly for the purpose at hand.

Question 32

Dead Code

Answer 32

Refers to code that's non-executable at runtime. Sometimes, it means source code that's executed but not used in any other computation, making it obsolete. It's more secure to remove any dead code. If it doesn't exist, it can't be exploited.

Question 33

Memory management

Answer 33

Most common memory vulnerabilities are unchecked buffer-copy input size, incorrectly calculated buffer size, and uncontrolled format strings.

Question 34

Data exposure

Answer 34

Involves unintended exposure of personal and confidential data. This can come from weak or non-existent encryption, coding flaws, or misapplied database uploads.

Question 35

Open Web Application Security Project (OWASP)

Answer 35

Is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation.

Question 36

Elasticity in devops

Answer 36

The purpose of elasticity is to match the resources allocated with the actual amount of resources needed at any given point in time.

Question 37

Scalability in devops

Answer 37

Handles the changing needs of an application within the confines of the infrastructure via statically adding or removing resources to meet applications demands if needed.

Question 38

Time-based one-time password (TOTP)

Answer 38

Is a computer algorithm that generates a one-time password (OTP) that uses the current time as a source of uniqueness. It's an extension of the HMAC-based one-time password algorithm (HOTP).

Question 39

HMAC-based one-time password (HOTP)

Answer 39

Is a one-time password (OTP) algorithm, that provides a method of authentication by symmetric generation of human-readable passwords, or values, each used for only one authentication attempt. The one-time property leads directly from the single use of each counter value. Parties intending to use HOTP must establish some parameters: A cryptographic hash method H (default is SHA-1) A secret key K, which is an arbitrary byte string and must remain private A counter C, which counts the number of iterations A HOTP value length d (6–10, default is 6, and 6–8 is recommended) Both parties compute the HOTP value derived from the secret key K and the counter C.

Question 40

HMAC

Answer 40

HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.

Question 41

Types of biometrics

Answer 41

DNA Ear Eyes - Iris (color patterns) Eyes - Retina (veins) Eyes - Scleral vein Face Finger geometry Fingerprint Gait - way of walking Hand geometry Hertbeat Keystrokes - typing Odour Signatures Vascular - vein picture Voice

Question 42

Crossover Error Rate (CER)

Answer 42

Describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

Question 43

Identification (IAAA)

Answer 43

Your name, username, ID number, employee number, SIN etc.

Question 44

Authentication (IAAA)

Answer 44

Is the (prove who you are) stage to verify the given identification: Something you know, such as a password or pin. Something you have, such as an identification device, smart-card or token. Something you are, such as biometrics e.g. fingerprint or facial recognition. Something you do, such as a mandatory action to complete authentication. Somewhere you are, such as your geolocation.

Question 45

Authorization (IAAA)

Answer 45

Is the process of specifying user access rights and privileges using models such as DAC (Discretionary Access Control) , MAC (Mandatory Access Control) and RBAC (Role-based Access Control).

Question 46

Accountability (IAAA)

Answer 46

Is ensuring the actions performed by a user are traceable to prove responsibility, this is also referred to as non-repudiation.

Question 47

Geographical dispersal

Answer 47

Refers to placing physical distances between duplicate systems so the organization can avoid damages to both the primary and alternate resources from the same disaster.

Question 48

Types of backup

Answer 48

Full backup: The most basic and comprehensive backup method, where all data is sent to another location. Incremental backup: Backs up all files that have changed since the last backup occurred. Differential backup: Backs up only copies of all files that have changed since the last full backup.

Question 49

Backup (archive) bit

Answer 49

The archive bit is a file component that is activated when a file is created or changed. It indicates whether the file has been backed up since it was last modified. A full backup resets the archive bit. A differential backup copies those files that have changed since the full backup. However, it does not reset the archive bit, meaning it will copy them again the next day. An incremental backup copies changed files and resets the archive bit so that it does not copy the file unless it changes again.

Question 50

Non-persistence

Answer 50

Non-persistent information system components and services are activated as required using protected information and terminated periodically or upon the end of sessions.

Question 51

RAID 0

Answer 51

implements block striping, where data is broken into logical blocks and is striped across several drives. - no facility. - the total disk capacity is equivalent to the sum of the capacities of all drives in the array. - highest performance.

Question 52

RAID 1

Answer 52

Implements disk mirroring, where a copy of the same data is recorded onto two drives.

Question 53

RAID 10

Answer 53

Combines RAID 0 (strip) and RAID 1 (mirror) to offer mirroring and disk striping. If four or more disk drives are chosen for a RAID 1 logical drive, RAID 1+0 is performed automatically.

Question 54

RAID 5

Answer 54

Implements multiple-block striping with distributed parity. This RAID level offers redundancy with the parity information distributed across all disks in the array. Data and its parity are never stored on the same disk. In the event that a disk fails, original data can be reconstructed using the parity information and the information on the remaining disks.

Question 55

RAID 3

Answer 55

Implements block striping with dedicated parity. This RAID level breaks data into logical blocks, the size of a disk block, and then stripes these blocks across several drives. One drive is dedicated to parity. In the event that a disk fails, the original data can be reconstructed using the parity information and the information on the remaining disks.

Question 56

RAID 6

Answer 56

similar to RAID 5, but uses two parity bits (extra drive).

Question 57

Information assurance (IA)

Answer 57

Is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.

Question 58

Nonrepudiation (IA)

Answer 58

Ensures that no party can deny that it sent or received a message via encryption and/or digital signatures or approved some information. It also cannot deny the authenticity of its signature on a document.

Question 59

Data integrity (IA)

Answer 59

Is the assurance that digital information is uncorrupted and can only be accessed or modified by those authorized to do so. Data integrity describes data that's kept complete, accurate, consistent and safe throughout its entire lifecycle

Question 60

Data availability (IA)

Answer 60

Is a term used by computer storage manufacturers and storage service providers to describe how data should be available at a required level of performance in situations ranging from normal through disastrous. In general, data availability is achieved through redundancy involving where the data is stored and how it can be reached.

Question 61

Authentication (IA)

Answer 61

Is the process of determining whether someone or something is, in fact, who or what it says it is.

Question 62

Confidentiality (IA)

Answer 62

Is roughly equivalent to privacy. Confidentiality measures are designed to prevent sensitive information from unauthorized access attempts.

Question 63

Symmetric vs Asymmetric encryption

Answer 63

Symmetric: the message is encrypted by using a key and the same key is used to decrypt the message (less secure, requires a safe method to transfer the key). Fast, provides confidentiality. Asymmetric: is based on public and private key encryption techniques. It uses two different key to encrypt and decrypt the message. Slow, provides confidentiality, authenticity, and non-repudiation.

Question 64

Stream vs Block cipher

Answer 64

Block transform 1 block (64/128/256 bits) at a time, while stream ciphers convert plaintext to ciphertext 1 byte at a time. Stream ciphers utilize only the confusion principle, block ciphers use data diffusion and confusion. Stream ciphers use a XOR on the plaintext to create ciphertext. Block ciphers encrypt more bits at a time, making the decryption comparatively complex.

Question 65

Confusion vs diffusion principles of cryptography

Answer 65

Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two. Diffusion means that if we change a single bit of the plaintext, then about half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then about half of the plaintext bits should change.

Question 66

DES

Answer 66

The Data Encryption Standard is a symmetric-key algorithm. Its short key length of 56 bits makes it too insecure for modern applications, it was cracked in 1999.

Question 67

3DES

Answer 67

Triple DES, is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. A CVE released in 2016 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, NIST has deprecated DES and 3DES for new applications in 2017, and for all applications by the end of 2023.

Question 68

IDEA algorithm

Answer 68

International Data Encryption Algorithm is a symmetric-key block cipher, first described in 1991. IDEA was used in Pretty Good Privacy (PGP) v2.0 and was incorporated after the original cipher used in v1.0, BassOmatic, was found to be insecure. IDEA operates on 64-bit blocks using a 128-bit key and consists of a series of 8 identical transformations (a round).

Question 69

Blowfish

Answer 69

Blowfish is a symmetric-key block cipher, designed in 1993. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date. Blowfish has a 64-bit block size and a variable key length from 32 bits up to 448 bits, 16 rounds.

Question 70

Skipjack

Answer 70

This algorithm was initially classified SECRET. The government did state that it used an 80-bit key, that the algorithm was symmetric, and that it was similar to the DES algorithm. Declassified in 1998, no longer certified for gov use since 2016. Used for the "Clipper chip" - a chipset that was developed and promoted by the NSA as an encryption device that secured "voice and data messages" with a built-in backdoor.

Question 71

RC2

Answer 71

Also known as ARC2, is a symmetric-key block cipher designed by Ron Rivest in 1987. RC2 is a 64-bit block cipher with a variable size key.

Question 72

RC4

Answer 72

RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR) is a stream cipher. RC4 became part of some commonly used encryption protocols and standards, such as WEP in 1997 and WPA in 2003/2004 for wireless cards; and SSL in 1995 and its successor TLS in 1999, until it was prohibited for all versions of TLS by RFC 7465 in 2015.

Question 73

RC5

Answer 73

Is a symmetric-key block cipher. RC5 has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255).

Question 74

AES

Answer 74

Is a symmetric type of encryption, Even though the key length of this encryption method varies (128, 192 and 256 bits), its block size - 128-bits - stays fixed. It also uses the SPN (substitution permutation network) algorithm, applying multiple rounds to encrypt data. These encryption rounds are the reason behind the impenetrability of AES, as there are far too many rounds to break through.

Question 75

Twofish

Answer 75

Is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the AES contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.

Question 76

RSA

Answer 76

(Rivest–Shamir–Adleman) is a public-key asymmetric cryptosystem that is widely used for secure data transmission. Publicly described in 1977. Key sizes: 2,048 to 4,096 bit typical

Question 77

Diffie–Hellman key exchange

Answer 77

Key exchange scheme (symmetric key exchange algorithm), each party generates a public/private key pair and distributes the public key. After obtaining an authentic copy of each other's public keys, they can compute a shared secret offline. The shared secret can be used, for instance, as the key for a symmetric cipher.

Question 78

Elliptic-curve cryptography (ECC)

Answer 78

Is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security

Question 79

Digital signature

Answer 79

The result of a cryptographic transformation of data which, when properly implemented, provides the services of: origin authentication, data integrity, and signer non-repudiation.

Question 80

Steganography

Answer 80

Is an additional step that can be used in conjunction with encryption in order to conceal or protect data. Steganography is a means of concealing secret information within (or even on top of) an otherwise mundane, non-secret document or other media to avoid detection. Can be divided into five types: Text, Image, Video, Audio, Network.

Question 81

Key Stretching

Answer 81

Techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key. One way is to apply a cryptographic hash function or a block cipher repeatedly in a loop. Another way is to use cryptographic hash functions that have large memory requirements.

Question 82

Perfect Forward Secrecy (PFS)

Answer 82

Also called forward secrecy (FS), refers to an encryption system that changes the keys used to encrypt and decrypt information frequently and automatically. This ongoing process ensures that even if the most recent key is hacked, a minimal amount of sensitive data is exposed.

Question 83

Homomorphic encryption

Answer 83

Is a form of encryption that permits users to perform computations on its encrypted data without first decrypting it.

Question 84

Ephemeral key

Answer 84

The key that is generated for each execution of a key establishment process. In some cases ephemeral keys are used more than once, within a single session (e.g., in broadcast applications) where the sender generates only one ephemeral key pair per message and the private key is combined separately with each recipient's public key.

Question 85

Block Cipher Mode of Operation

Answer 85

A block cipher mode of operation defines how the different blocks of a multi-block plaintext should be encrypted and decrypted. ECB mode is the simplest, fastest, but keeps the patterns (penguin pic). Its approach to multi-block plaintexts is to treat each block of the plaintext separately. CBC mode eliminates this problem by carrying information from the encryption or decryption of one block to the next. Turns block into stream cipher.

Question 86

Lightweight cryptography

Answer 86

Also known as lightweight encryption, is a form of encryption designed for resource-constrained devices. Lightweight encryption technology uses less memory, fewer computing resources, and a smaller amount of power to provide secure solutions for limited resources in a network.

Question 87

Data at rest vs in transit

Answer 87

Data at rest is safely stored on an internal or external storage device. Data in transit, also known as data in motion, is data that is being transferred between locations over a private network or the Internet.

Question 88

Telemetry

Answer 88

Data collected from a network environment that can be analyzed to monitor the health and performance, availability, and security of the network

Question 89

DNS sinkhole

Answer 89

A mechanism aimed at protecting users by intercepting DNS request attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled IP address.

Question 90

Attestation

Answer 90

To be able to prove that the hardware that they’re connecting with is really the hardware we’re expecting

Question 91

Federation

Answer 91

Instead of maintaining your own database of usernames and passwords, you can use authentication information that’s already contained at a different site

Question 92

Supervisory control and data acquisition (SCADA) / Industrial control system (ICS)

Answer 92

Computer-based system for gathering and analyzing real-time data to monitor and control equipment that deals with critical and time-sensitive materials or events.

Question 93

Real-Time Operating System (RTOS)

Answer 93

OS with two key features: predictability and determinism. Repeated tasks are performed within a tight time boundary. We know how long a task will take, and that it will always produce the same result.

Question 94

Data destruction and media sanitization

Answer 94

● Pulping – Reduces paper to liquid slurry. Can then be safely recycled. ● Pulverizing – Using hydraulic or pneumatic action to reduce the materials to loose fibers and shards. Disadvantage – cost. ● Degaussing – Using a large magnet to remove data from magnetic storage media such as hard drives and magnetic tapes. ● Purging – Removing files and all traces of data. Sanitization ● Wiping – Overwriting data. Data is replaced (often with random 0’s & 1’s) and then removed.