Security Architecture Flashcards
Domain 3, Chapters 10-13
Cloud computing
Cloud computing is a flexible and scalable technology that allows access to and storage of data and applications over the internet.
Third-party vendors: Integrating external services into the cloud environment
Chapter 10
What is a cloud responsibility matrix?
Responsibility matrix: Defining roles and responsibilities in cloud management
When utilizing cloud services, you shift some security responsibilities to your cloud provider. The extent of your direct responsibility and what you delegate can vary based on the type of service you use.
Chapter 10
What is a hybrid-cloud model?
Hybrid considerations: Balancing on-premises and cloud resources
With a hybrid-cloud model, an organization maintains a presence both on premises and in the cloud.
Chapter 10
What are the four considerations regarding utilizing third-party vendors in a hybrid cloud?
Data Breaches: Perhaps the most notorious risk, a vendor’s lax security practices can lead to data breaches, compromising sensitive customer or organizational information. Such breaches can result in financial losses, reputational damage, and regulatory repercussions.
Security Vulnerabilities: Vendors may introduce security vulnerabilities into an organization’s systems through the software or services they provide. These vulnerabilities can become potential entry points for cybercriminals seeking unauthorized access. An example of security vulnerabilities introduced by vendors could be a software update that inadvertently opens a backdoor for hackers.
Compliance Challenges: When vendors fail to adhere to industry-specific regulations or legal requirements, organizations may find themselves unwittingly non-compliant and therefore subject to fines and potentially embroiled in legal disputes.
Operational Disruption: Dependence on a vendor for critical services or products can result in operational disruption if the vendor experiences downtime or operational issues. A single point of failure, such as a failure of the power system, can have far-reaching consequences.
Chapter 10
Infrastructure as code (IaC)
Automating infrastructure provisioning and management
The practice of defining and managing IT infrastructure through machine-readable code or scripts. IaC is typically expressed in declarative formats such as YAML and JSON. Gone are the days of manual, error-prone infrastructure provisioning or configuration. With IaC, infrastructure components (from servers and networks to databases and storage) are defined in code, enabling automation, scalability, and repeatability. Because the definition is code, it can also be reviewed and scanned for security misconfigurations before anything is deployed.
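Because IaC is just code, a security check can run over the template before it is deployed. The following is an added example, not from the original flashcards or from any IaC tool: a constructed, CloudFormation-style JSON template containing two security groups (the resource names are invented), and a small policy check that flags administrative ports (SSH 22, RDP 3389) open to the entire internet.

```python
"""Added example: a minimal IaC policy check over a constructed
CloudFormation-style JSON template. Resource names, the template and the
check itself are assumptions made for illustration."""
import ipaddress
import json

# Constructed sample template: one correctly scoped web tier and one
# bastion host whose SSH rule is open to the world.
TEMPLATE_JSON = """
{
  "Resources": {
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Public web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AdminSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Bastion - misconfigured",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"}
        ]
      }
    }
  }
}
"""

# Administrative ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 address space (/0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def find_open_admin_ports(template: str) -> list[tuple[str, int]]:
    """Return (resource name, port) pairs where an admin port is exposed to 0.0.0.0/0 or ::/0."""
    doc = json.loads(template)
    findings = []
    for name, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr is None or not is_world_open(cidr):
                continue
            lo = int(rule.get("FromPort", 0))
            hi = int(rule.get("ToPort", 65535))
            # A port of -1 means "all ports"; treat it as the full range.
            if lo < 0 or hi < 0:
                lo, hi = 0, 65535
            for port in sorted(ADMIN_PORTS):
                if lo <= port <= hi:
                    findings.append((name, port))
    return findings


if __name__ == "__main__":
    for name, port in find_open_admin_ports(TEMPLATE_JSON):
        print(f"{name}: port {port} open to the world")
```

Run as a pre-deployment gate, a check like this turns "we reviewed the firewall rules" into a repeatable, automated step; the same approach extends to any property the template exposes (public buckets, unencrypted volumes, wildcard IAM actions).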
Chapter 10
What is Serverless computing?
Leveraging serverless computing for scalable applications
In a serverless environment, there’s no need to provision, configure, or manage servers as the cloud provider handles all these aspects of server management, including scaling resources up or down to meet demand.
Chapter 10
What is Microservices architecture?
Building applications as small, independent services
Microservices architecture involves breaking down an application into a collection of smaller, self-contained services that communicate with each other through well-defined APIs. Each microservice is responsible for a specific business capability, such as user authentication, payment processing, or data retrieval. These services operate independently, enabling developers to work on them separately without disrupting the entire application.
Chapter 10
What is physical isolation in network infrastructure?
Designing and securing cloud network architecture
Physical isolation: Separating resources physically for enhanced security
Air-gapped: Isolating systems from external networks for security
Reminder: In an air-gapped network, each computer has no connectivity and data is placed on and taken off the computer using removable devices.
Chapter 10
Describe the two types of Logical Segmentation.
Subnetting: Subnetting is the process of breaking down a network into smaller networks called subnets. This can give you a higher level of security by reducing the broadcast domain, the area where devices can broadcast to each other. Imagine a fast-spreading virus. Using subnets can help contain the virus and prevent it from affecting too many devices.
Virtual Local Area Network (VLAN): A VLAN is established through the software on a network switch. It allows you to group multiple network ports together, effectively creating a distinct and separate network within the larger network. This method of network division aids in controlling traffic flow and segregating communications for distinct functions or device groups. Each individual VLAN has an identification tag, which is readable by switches. On trunk links between switches, each frame carries the VLAN identification tag (an 802.1Q tag) so that when traffic arrives at the switch, the switch knows which VLAN it belongs to and where to direct it.
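Both forms of logical segmentation above come down to a few bits in a header. The following is an added example, not from the original flashcards: it carves a /24 into /26 subnets and checks whether two hosts share a broadcast domain (the containment effect described for subnetting), and it parses the 802.1Q tag out of a constructed Ethernet frame to recover the VLAN ID a switch would use. The addresses and the frame bytes are constructed sample input.

```python
"""Added example: subnet containment and 802.1Q VLAN tag parsing.
Addresses and frame bytes below are constructed for illustration."""
import ipaddress
import struct


def carve_subnets(network: str, new_prefix: int) -> list[str]:
    """Split a network into equal subnets, e.g. a /24 into four /26s."""
    return [str(s) for s in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


def same_broadcast_domain(host_a: str, host_b: str, prefix: int) -> bool:
    """Two hosts share a broadcast domain only if they fall in the same subnet.
    Malware that spreads via broadcast or ARP cannot reach hosts outside it
    without crossing a router, which is where a filter can be applied."""
    net_a = ipaddress.ip_interface(f"{host_a}/{prefix}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{prefix}").network
    return net_a == net_b


ETHERTYPE_8021Q = 0x8100


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype) for an 802.1Q-tagged
    Ethernet frame, or None if the frame carries no tag.
    Layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETHERTYPE_8021Q:
        return None
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13
    vid = tci & 0x0FFF
    return vid, pcp, inner_type


# Constructed sample: tagged frame on VLAN 20, priority 0, carrying IPv4 (0x0800).
SAMPLE_TAGGED_FRAME = (
    bytes.fromhex("ffffffffffff")          # dst: broadcast
    + bytes.fromhex("001122334455")        # src (constructed)
    + struct.pack("!H", ETHERTYPE_8021Q)   # TPID
    + struct.pack("!H", (0 << 13) | 20)    # TCI: PCP 0, DEI 0, VID 20
    + struct.pack("!H", 0x0800)            # inner EtherType: IPv4
    + b"\x45" + b"\x00" * 19               # truncated IPv4 header as payload
)

# Constructed sample: the same frame without a tag (access port traffic).
SAMPLE_UNTAGGED_FRAME = (
    bytes.fromhex("ffffffffffff001122334455")
    + struct.pack("!H", 0x0800)
    + b"\x00" * 20
)

if __name__ == "__main__":
    print(carve_subnets("192.168.10.0/24", 26))
    print(same_broadcast_domain("192.168.10.5", "192.168.10.70", 26))
    print(parse_vlan_tag(SAMPLE_TAGGED_FRAME))
    print(parse_vlan_tag(SAMPLE_UNTAGGED_FRAME))
```

The 12-bit VID field is why a switch supports at most 4094 usable VLANs, and it is also why VLAN tags are a segmentation aid rather than a security boundary on their own: a host that can inject tagged frames onto a trunk can claim any VLAN, so trunk ports should never face untrusted devices.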
Chapter 10
Software-Defined Networking (SDN)
Software-defined networking (SDN):Implementing flexible network management in the cloud
Management Plane: The management plane is where administrators configure and monitor the network. It handles device configuration, policy definition, and the collection of monitoring and telemetry data, and feeds the resulting intent to the control plane.
Control Plane: The control plane, often embodied by an SDN controller, serves as the network’s “brain.” It is a centralized entity that makes high-level decisions about traffic routing, network policies, and resource allocation, based on a set of rules set by administrators. This abstraction provides network administrators with a global, bird’s-eye view of the network and a single point from which to apply changes.
Data Plane: The data plane consists of network devices such as switches, routers, and access points. It is responsible for forwarding data packets based on the instructions received from the control plane. Unlike traditional networking, where control and data planes are tightly integrated, SDN separates them, allowing for programmable and dynamic control over the network’s behavior, including that of both resource allocation and security.
Chapter 10
Industrial Control Systems (ICS) /Supervisory Control and Data Acquisition (SCADA)
IoT: Integrating Internet of Things devices into on-premises systems
Industrial control systems (ICS)/supervisory control and data acquisition (SCADA): Managing critical infrastructure and data acquisition systems
Supervisory Control and Data Acquisition (SCADA) systems are sophisticated automated industrial control systems (ICS) that encompass various stages of production. These systems play a pivotal role in monitoring, managing, and controlling industrial processes, allowing for seamless coordination and oversight across different phases of production, from raw material handling to product assembly and quality control. The supervisory and operator components of a SCADA system typically run on the same commodity operating systems and software as ordinary client computers, so they are exposed to the same threats, yet they are far harder to patch or take offline.
Chapter 10
Real-Time Operating System (RTOS)
Operating systems designed for real-time, mission-critical tasks
RTOS is a specialized OS designed for applications for which timing is of paramount importance, such as flight control or navigation systems, where everything happens in real time. Unlike general-purpose operating systems such as Windows or Linux, which schedule tasks for overall throughput and fairness, an RTOS guarantees that high-priority tasks are executed within a predetermined, deterministic time frame.
Chapter 10
Embedded Systems
Incorporating specialized computing into hardware devices
Embedded systems are specialized computing systems designed for specific tasks within a broader system or product.
Chapter 10
What are 12 Considerations for your infrastructure?
Availability: Ensuring that systems and data remain accessible whenever they are needed
Resilience: Preparing for and recovering from disruptions or failures
Cost: Managing expenses and optimizing cloud spending
Responsiveness: Achieving quick and efficient system responses
Scalability: Adapting resources to accommodate changing demands
Ease of deployment: Simplifying the process of launching new services
Risk transference: Shifting or mitigating risks through cloud services
Ease of recovery: Streamlining recovery processes after failures or incidents
Patch availability: Ensuring timely access to software updates and patches
Inability to patch: Addressing systems that cannot be patched (for example, legacy or embedded devices) with compensating controls such as isolation
Power: Managing power requirements for cloud infrastructure
Compute: Optimizing and balancing computational resources in the cloud
Chapter 10
Infrastructure considerations
Key network design factors
Chapter 11
Device placement: what are the three zones?
Where devices are located
The network is divided into three separate zones, Local Area Network (LAN), screened subnet, and Wide Area Network (WAN), and your devices should be placed in these zones depending on their security requirements.
Chapter 11
Security zones
Network segments with distinct security policies
Each of these zones possesses its own security policies, access controls, and trust levels. These zones compartmentalize a network, dividing it into manageable segments and reducing the extent of access and privileges granted to users, devices, or systems.
Reminder: Ensure that you know your network appliances and where they reside on the network.
Chapter 11
What are 7 Attack surfaces?
Vulnerable points exposed to threats
Endpoints: Devices such as computers, smartphones, and IoT devices that connect to the network are primary targets. Vulnerabilities in endpoint operating systems, software, or configurations can provide a foothold for attackers.
Network services: Services such as web servers, email servers, and VPN gateways are exposed to the internet, becoming potential entry points. Inadequate patching, misconfigurations, or outdated software can lead to exploitation.
Ports and protocols: Open ports and protocols on network devices create opportunities for attackers to probe and exploit weaknesses. Unnecessary open ports or unused services should be closed or disabled.
User accounts and credentials: Weak or compromised passwords pose a significant security risk as attackers may employ brute-force attacks or phishing to obtain legitimate credentials and gain unauthorized access.
Third-party integrations: Integrations with external services or third-party applications can introduce vulnerabilities. Regular security assessments and audits are crucial.
Cloud services: As organizations migrate to the cloud, cloud-based assets become potential targets. Misconfigured cloud resources can expose sensitive data.
Human factor: Employees, whether through ignorance or malicious intent, can inadvertently contribute to the attack surface. Security awareness training is an essential preventative measure.
Chapter 11
Connectivity
Network connections between devices
Connectivity is more than just wires, cables, and data packets. It defines how devices, systems, and people interact within a networked ecosystem. It encompasses wired and wireless connections, cloud integrations, remote access, and the intricate web of pathways through which information flows.
Chapter 11
Failure modes
How devices respond to failures
Fail-open: Device allows traffic on failure
Fail-closed: Device blocks traffic on failure
Remember that fail-open favors availability over security: when the device fails, traffic passes through uninspected, which may result in a security vulnerability. Fail-closed favors security over availability: traffic is blocked until the device recovers, so an outage of the inspection device becomes an outage of the service behind it.
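The trade-off is easiest to see when the inspection engine itself breaks. The following is an added example, not from the original flashcards: a simulated inline inspection point with a constructed "known bad" signature and a constructed engine outage, run under both failure modes so the four outcomes (healthy or failed engine, benign or malicious traffic) can be compared side by side.

```python
"""Added example: an inline inspection point under fail-open and fail-closed.
The packets, the signature and the engine outage are constructed."""
from dataclasses import dataclass
from enum import Enum


class FailureMode(Enum):
    FAIL_OPEN = "fail-open"      # availability over security: pass traffic uninspected
    FAIL_CLOSED = "fail-closed"  # security over availability: block until inspection works


class InspectionError(Exception):
    """The engine could not render a verdict (crash, timeout, corrupt signature file)."""


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


KNOWN_BAD = b"EVIL"  # constructed signature


def inspect(packet: Packet, engine_healthy: bool) -> bool:
    """Return True if policy allows the packet. Simulates an engine outage."""
    if not engine_healthy:
        raise InspectionError("signature engine unavailable")
    return KNOWN_BAD not in packet.payload


def forward(packet: Packet, mode: FailureMode, engine_healthy: bool = True) -> str:
    """Decide ALLOW or BLOCK for one packet under the given failure mode."""
    try:
        return "ALLOW" if inspect(packet, engine_healthy) else "BLOCK"
    except InspectionError:
        # The failure mode only matters on this path: with a healthy engine
        # both modes behave identically.
        return "ALLOW" if mode is FailureMode.FAIL_OPEN else "BLOCK"


def run_scenario(mode: FailureMode) -> dict:
    """Run a benign and a malicious packet through a healthy and a failed engine."""
    benign = Packet("10.0.0.5", "10.0.1.10", b"GET / HTTP/1.1")
    malicious = Packet("203.0.113.7", "10.0.1.10", b"EVIL payload")
    return {
        "healthy_benign": forward(benign, mode, True),
        "healthy_malicious": forward(malicious, mode, True),
        "failed_benign": forward(benign, mode, False),
        "failed_malicious": forward(malicious, mode, False),
    }


if __name__ == "__main__":
    for mode in FailureMode:
        print(mode.value, run_scenario(mode))
```

Only the two "failed" rows differ between the modes. Fail-open lets the malicious packet through during the outage; fail-closed blocks the benign one. Which is right depends on what sits behind the device: a safety-critical control network usually fails open so operations continue, while a device guarding a sensitive enclave should fail closed and alert.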
Chapter 11
Device attribute: Device characteristics
Active vs. passive: Device interaction level
Inline vs. tap/monitor: Traffic handling approach
Active devices: Active devices are a proactive force within your network security arsenal. They actively intervene and act when potential threats are detected. These devices can block or mitigate threats in real time, helping to maintain the integrity and security of your network.
Examples of active devices include firewalls (which actively block unauthorized access attempts) and IPSs, which actively detect and prevent known attack patterns.
Passive devices: Passive devices are observers. They monitor network traffic, analyze patterns, and provide insights into potential threats and vulnerabilities. Unlike active devices, passive devices do not take immediate action to block threats; they are instead focused on visibility and analysis. An example of a passive device is an IDS, which has sensors and collectors that analyze network traffic for suspicious behavior without actively blocking it.
Inline: Inline devices are placed directly in the data path of network traffic. They actively process traffic as it flows through the network, making real-time decisions about whether to allow or block data packets. Examples of inline devices include firewall appliances, which actively control inbound and outbound traffic, load balancers, which distribute network traffic across multiple servers, and IPSs.
Tap/monitor: Tap or monitor devices, as the name suggests, do not interfere with the flow of network traffic. Instead, they “tap” into the traffic and duplicate it for analysis or monitoring purposes. These devices provide visibility without affecting the original data flow. An example of a tap/monitor device is a network packet analyzer (packet sniffer), which captures and analyzes network traffic for troubleshooting or security analysis.
Chapter 11
Network appliances: Devices with specific functions
Jump server: Secure access intermediary
Proxy server: Intermediary for client-server requests
A proxy server is a server that acts as an intermediary between clients and the resources they request on the internet or an external network. It serves as a go-between, making requests on behalf of clients while ensuring that external servers do not have direct knowledge of the requesting host. The proxy server maintains a log file of these requests to allow administrators to track users’ internet usage.
Reverse proxy server: A reverse proxy handles the opposite direction of traffic: incoming requests from the internet destined for servers inside your company network. The reverse proxy is placed in a boundary network called the screened subnet. It performs the authentication and decryption of the secure session (TLS termination), which enables it to filter the incoming traffic before forwarding it to the internal servers.
IPS/IDS: Intrusion prevention and detection
IPS: An IPS protects the network by identifying suspicious activities, and it also takes swift action to actively block or mitigate threats, ensuring that the network remains resilient against potential threats. The IPS is placed very close to the firewall and is known as inline because the data traffic flows through it.
IDS: The IDS is passive as it uses sensors and collectors to detect suspicious or unauthorized activities, sounding the alarm when potential threats are discovered. Both the IPS and IDS can be network-based; in these instances they are known as NIPS and NIDS, and they protect the network but not an individual host. The host-based versions are HIPS and HIDS. As expected, they can only protect the host on which they are installed and not the network.
Load balancer: Distributes network traffic evenly
As its name suggests, a network load balancer is a device that is used to balance the load when there is a high volume of traffic coming into the company’s network or web server. It does this by using information in the data packets to make decisions about where to forward traffic. A Layer 4 load balancer forwards traffic using only the transport-layer information in the packet headers, such as the source and destination IP addresses or port numbers. The more sophisticated Layer 7 load balancer can forward traffic based on content-based routing (for example, the HTTP host header or URL path), making it highly suitable for load balancing web applications, APIs, and services that require application-level awareness.
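The following is an added example, not from the original flashcards or from any load balancer product, contrasting the two decision points above. The Layer 4 function sees only addresses and ports and hashes them to pin a flow to a backend; the Layer 7 function parses a raw HTTP request and routes on host and path. Backend names, the routing rules and the sample request are constructed.

```python
"""Added example: Layer 4 versus Layer 7 forwarding decisions.
Backend names, routing rules and the sample request are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    src_port: int
    dst_port: int
    raw_http: bytes = b""   # only a Layer 7 balancer ever looks at this


def l4_pick_backend(req: Request, backends: list[str]) -> str:
    """Layer 4: hash the transport-layer tuple so one flow stays on one backend.
    The balancer knows nothing about what the client is asking for."""
    key = f"{req.src_ip}:{req.src_port}->{req.dst_port}".encode()
    digest = hashlib.sha256(key).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def parse_request_line(raw_http: bytes) -> tuple[str, str, str]:
    """Return (method, path, host) from a raw HTTP/1.1 request.
    Raises ValueError on a malformed request line, which a real L7 device
    should reject rather than forward."""
    head = raw_http.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return parts[0], parts[1], host


# Constructed rules: (host, path prefix, pool). First match wins.
L7_RULES = [
    ("api.example.test", "/v1/", ["api-1", "api-2"]),
    ("www.example.test", "/static/", ["cdn-1"]),
    ("www.example.test", "/", ["web-1", "web-2"]),
]


def l7_pick_pool(req: Request) -> list[str]:
    """Layer 7: route on application content (host and path)."""
    _method, path, host = parse_request_line(req.raw_http)
    for rule_host, prefix, pool in L7_RULES:
        if host == rule_host and path.startswith(prefix):
            return pool
    return []   # no matching rule: answer 404/503, do not guess a backend


if __name__ == "__main__":
    req = Request("198.51.100.9", 51515, 443,
                  b"GET /v1/users HTTP/1.1\r\nHost: api.example.test\r\n\r\n")
    print("L4 ->", l4_pick_backend(req, ["web-1", "web-2", "api-1", "api-2"]))
    print("L7 ->", l7_pick_pool(req))
```

The security consequence of the difference: a Layer 4 device can only ever see and log the tuple, whereas a Layer 7 device has already decrypted and parsed the request, so it is also the natural place to enforce application-level policy (header sanitization, request size limits, a web application firewall) before traffic reaches the backend.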
Chapter 11
Sensors
Monitor network traffic for anomalies
What are the four ways to protect physical network ports?
Sticky MAC: Sticky MAC addresses simplify the port security process by storing the MAC addresses of authorized devices. When a device connects to a port, its MAC address is recorded and associated with that port. Subsequent connections from the same device are automatically permitted. If a different device attempts to connect to the same port, it is
denied access as its MAC address does not match the recorded “sticky” MAC address.
Disabling ports: In a proactive approach to network security, the administrator regularly reviews port security settings, occasionally disabling ports or removing patch panel cables that lead to unused areas of the building to ensure that potential vulnerabilities remain tightly
controlled.
802.1X authentication: 802.1X offers a more flexible and secure method of network access control and introduces an authentication process (using a RADIUS server) that occurs before a connection is established. This process involves the identity verification of the user or device seeking network access, employing the concepts of “supplicants” (devices seeking access), “authenticators” (network devices such as switches or access points), and an “authentication server” (which verifies supplicant credentials). Authentication is commonly certificate-based, which ensures that only authorized devices can connect to the network. One key advantage of 802.1X is that it doesn’t disable switch ports but rather selectively permits or denies access based on authentication status. This preserves the full functionality of the switch while maintaining robust security.
Extensible Authentication Protocol (EAP): EAP is the authentication framework that 802.1X carries between the supplicant and the authentication server. It standardizes the exchange so that authentication is interoperable across various network devices and platforms, and it allows organizations to choose from various authentication methods, such as EAP-TLS (TLS stands for Transport Layer Security; mutual certificate-based authentication), PEAP (Protected Extensible Authentication Protocol, which tunnels an inner method inside TLS), and EAP-MD5 (a legacy method that provides no mutual authentication or key derivation and should not be used on modern networks).
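Of the four controls above, sticky MAC is the simplest to reason about and the weakest, so it is worth seeing exactly what it does and does not decide. The following is an added example, not from the original flashcards or from any switch vendor: a simulation of one access port with sticky learning, a maximum address count, and a shutdown violation mode. Port names and MAC addresses are constructed.

```python
"""Added example: a simulation of sticky MAC port security on one access port.
Port names, MAC addresses and the violation handling are constructed."""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize to lower-case colon form so '00-11-..' and '00:11:..' compare equal."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return m


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # how many sticky addresses the port may learn
    sticky: set = field(default_factory=set)
    shutdown: bool = False           # violation mode "shutdown": port is err-disabled
    violations: int = 0

    def frame_arrives(self, src_mac: str) -> str:
        """Return LEARN, PERMIT or DENY for a frame with this source MAC."""
        mac = normalize_mac(src_mac)
        if self.shutdown:
            return "DENY"            # stays err-disabled until an administrator clears it
        if mac in self.sticky:
            return "PERMIT"
        if len(self.sticky) < self.maximum:
            self.sticky.add(mac)     # the first device(s) seen become the sticky entries
            return "LEARN"
        self.violations += 1
        self.shutdown = True
        return "DENY"


def demo() -> list[str]:
    """Constructed sequence: legitimate host, same host again, rogue host, legitimate host again."""
    port = SecurePort("Gi0/1")
    events = [
        "00:11:22:33:44:55",   # workstation plugs in -> learned and stored
        "00:11:22:33:44:55",   # same device -> permitted
        "AA-BB-CC-DD-EE-FF",   # different device swapped onto the port -> denied, port shut
        "00:11:22:33:44:55",   # even the original device is blocked until the port is cleared
    ]
    return [port.frame_arrives(m) for m in events]


if __name__ == "__main__":
    print(demo())
```

Note what the control actually keys on: the source MAC address in the frame, which any host can set to an arbitrary value. Sticky MAC stops casual cable-swapping and raises an alert, but an attacker who reads the legitimate device's MAC off a label or a previous capture can impersonate it. That gap is why the page lists 802.1X with EAP as the stronger control: it authenticates the device or user with credentials or certificates rather than trusting a self-reported hardware address.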
Chapter 11