SY0-701: 3.0 (Security Architecture) Flashcards

Question

Trade Secrets (3.3)

Answer 1

Type of confidential business information that provides a company with a competitive edge

Answer 2

Creations of the mind, such as inventions, literary and artistic works, designs, and symbols

Answer 3

Includes and data related to legal proceedings, contracts, or regulatory compliance

Answer 4

Data that is related to an organizations financial transactions, such as sales records, invoices, tax documents, and bank statements

Answer 5

Information that a human can read and information a human cannot read (e.g. encrypted, ciphertext, etc.)

Answer 6

The concept that digital information is subject to the laws of the country in which it is stored, collected, or processed

Answer 7

If data is stored in another county the organization must abide by those laws (e.g. Europe's GDPR has strict laws granting individuals rights over their personal data)

Answer 8

Geographic restrictions Encryption Hashing Masking Tokenization Obfuscation Segmentation Permission restrictions / Access control

Answer 9

Involves setting up virtual boundaries to restrict data access based on geographic location (geofencing)

Answer 10

Fundamental data security method that transforms readable data (plaintext) into unreadable data (ciphertext) using an algorithm and an encryption key

Answer 11

Technique that convert data into a fixed size of numerical or alphanumeric characters, known as a hash value or hash digest

Answer 12

Involves replacing some or all of the data in a field with a placeholder, such as "x" to conceal original content

Answer 13

Replaces sensitive data with non-sensitive substitutes, known as tokens (e.g. payment processing to protect credit card information)

Answer 14

Involves making data unclear or unintelligible, making it difficult for unauthorized users to understand (e.g. encryption, masking, pseudonyms)

Answer 15

Involves dividing a network into separate segments, each with its own security controls

Answer 16

Involves defining who has access to specific data and what they can do with it (e.g. RBAC- Role Based Access Control)

Answer 17

The ability of a service to be continuously available by minimizing the downtime to the lowest amount possible

Answer 18

The number of minutes or hours that the system remains online over a given period, and the uptime is usually expressed as a percentage (9's of availability, e.g. 99.999% = five nines)

Answer 19

The process of distributing workloads across multiple computing resources

Answer 20

The use of multiple computers, multiple storage devices, and redundant network connections that all work together as a single system to provide high levels of availability, reliability, and scalability

Answer 21

The duplication of critical components or functions of a system with the intention of increasing the reliability of the system

Answer 22

Provides data striping across multiple disks to increase performance; used for performance as opposed to data protection

Answer 23

Mirrors data for redundancy across two drives

Answer 24

Stripes data with parity, using at least three storage devices (can lose 1 disk w/o data loss)

Answer 25

Uses data striping across multiple devices with two pieces of parity data (can lose 2 disks w/o data loss)

Answer 26

Combines RAID 1 and RAID 0 featuring mirrored array in a striped setup (can lose 1 disk per mirrored array)

Answer 27

Use of redundant storage to withstand hardware malfunctions (RAID 1 or RAID 10)

Answer 28

Use of RAID 1, 5, 6, and 10 for uninterrupted operation during hardware failures (no downtime)

Answer 29

Protects data from catastrophic events (RAID 1 and RAID 10 due to having full mirrors)

Answer 30

Crucial strategic planning to meet future demands cost-effectively

Answer 31

Involves analyzing current skills and forecasting future needs for hiring or training (e.g. seasonal positions)

Answer 32

Involves assessing current resources, utilization, and anticipating future technological needs

Answer 33

Involves considering physical space and utilities to support organizational operations

Answer 34

Aims to optimize business processes to handle demand fluctuations

Answer 35

A small and unexpected increase in the amount of voltage that is being provided

Answer 36

A short transient voltage that is usually caused by a short circuit, a tripped circuit breaker, a power outage, or a lightning strike

Answer 37

A small and unexpected decrease in the amount of voltage that is being provided

Answer 38

Occurs when the voltage is reduced to lower levels and usually occur for a longer period of time than a sag

Answer 39

Occurs when there is a total loss of power for a given period of time

Answer 40

Used to overcome any minor fluctuations in the power being received by the given system

Answer 41

Uninterruptible Power Supply- A device that provides emergency power to a system when the normal input power source has failed

Answer 42

Power Distribution Center- Acts as a central hub where power is received and then distributed to all systems in the data center

Answer 43

The process of creating duplicate copies of digital information to protect against data loss, corruption, or unavailability

Answer 44

Onsite / Offsite Frequency Encryption Snapshots Recovery Replication Journaling

Answer 45

How much data are you willing to lose? How frequently does the data change?

Answer 46

Data-at-rest encryption as well as data-in-transit encryption

Answer 47

Point-in-time copies of the data that capture a consistent state that is essentially a frozen in time copy of the data

Answer 48

Maintaining a meticulous record of every change made to an organizations data over time

Answer 49

Selection of the backup Initiating the recovery process Data validation Testing and validation Documentation and reporting Notification

Answer 50

Ensures an organizations ability to recover from disruptive events or disasters

Answer 51

Business Continuity Plan- Addresses responses to disruptive events; 2 parts 1. BCP (Deals w/ incidents) 2. DRP (Deals w/ disasters)

Answer 52

Disaster Recovery Plan- Considered as a subset of the BCP, it focuses on how to resume operations swiftly after a disaster

Answer 53

Hot Site- Fully equipped backup facility Warm Site- Partially equipped, operational w/i days Cold Site- No immediate equipment Mobile Site- Can be hot, warm, or cold; independent mobile site; self sufficient Virtual Site- Utilizes cloud-based environments and is highly flexible; hot, warm, and cold Hybrid Model- Critical staff=hot, the rest=warm

Answer 54

A vital aspect in redundant site design that uses different platforms to prevent single points of failure in disaster recovery (e.g. cloud provider platform diversity = spreading resources across multiple cloud providers reducing the risk of a single platform outage)

Answer 55

Evaluates the systems ability to return to regular functioning following a disruptive incident; Tests efficiency to recover from multiple failure points

Answer 56

A simulated discussion to improve crisis readiness without deploying resources

Answer 57

Verifies seamless system transition to a backup for uninterrupted functionality during disasters

Answer 58

Computer-generated representations of real-world scenarios

Answer 59

Assesses the systems capacity to endure and adjust to disruptive occurrences; Tests ability to handle multiple failure scenarios

Answer 60

Replicates data and processes onto a secondary system, running both in parallel

Answer 61

Offering computing services over the Internet, such as.. Servers Storage Databases Networking Software Analytics Intelligence

Answer 62

Outlines the division of responsibilities between the cloud service provider and the customer

Answer 63

Provide specialized services that enhance the functionality, security, and efficiency of cloud solutions

Answer 64

Combine on-premise infrastructure, private cloud services, and public cloud services

Answer 65

Computing infrastructure that's physically located on-site at a business

Answer 66

Can lead to vulnerabilities if one users data is compromised

Answer 67

Technology that allows for the emulation of servers

Answer 68

Lightweight alternative to full machine virtualization; Entails encapsulating an application in a container within its own operating environment (e.g. Docker, Kubernetes, Red Hat OpenShift)

Answer 69

aka bare metal or native hypervisor; runs directly on the host hardware and functions similarly to an operating system (e.g. Hyper-V, XenServer, ESXi, VSphere); Generally faster and more efficient than a type 2 hypervisor

Answer 70

Operates within a standard operating system, such as Windows, Mac, or Linux (e.g. Virtualbox)

Answer 71

Occurs when an attacker is able to break out of a normally isolated virtual machine

Answer 72

Occurs when a user is able to gain the ability to run functions as a higher level user

Answer 73

When a virtual machine needs to move from one physical host to another

Answer 74

Concept in computing where system resources like memory or processing power are reused

Answer 75

Model where the responsibility of managing servers, databases, and some application logic is shifted away from developers (AWS Lambda, Google Cloud Functions)

Answer 76

One of the most significant risks of serverless computing; it is difficult to switch service providers

Answer 77

A software architecture where large applications are broken down into smaller and independent services (e.g. Netflix has microservices which handle recommendations, user signups, video encoding, etc.)

Answer 78

Scalability- Each service can be scaled individually based on demand Flexibility- Each can be run in different programming languages and managed by different teams Resilience- If one service fails it does not affect the entire system Faster deployment/Updates- Each can be deployed and updated independently

Answer 79

Complexity Data Management Network Latency Security

Answer 80

Isolation of a network by removing any direct or indirect connections from other networks

Answer 81

Creates boundaries within a network, restricting access to certain areas (e.g. VLANs); not as secure as air gapping but is more flexible

Answer 82

Software defined network; Enables efficient network configuration to improve performance and monitoring

Answer 83

aka Forwarding Plane; Responsible for handling packets and makes decisions based on protocols (when sending an email the data plane carries that email from one device to the other)

Answer 84

The brain of the network that decides where traffic is sent and is centralized in SDN (dictates traffic flow)

Answer 85

The plane where all network applications interacting with the SDN controller reside

Answer 86

Infrastructure as Code; a method in which IT infrastructures are defined in code files that can be versioned, tested, and audited; uses YAML, JSON, or HashiCorp Configuration Language (HCL)

Answer 87

A configuration that lacks consistency and might introduce risks, so it has to be eliminated

Answer 88

Fundamental to IaC; the ability of an operation to produce the same results as many times as it is executed

Answer 89

Speed and Efficiency Consistency and Standardization Scalability Cost Savings Auditability and Compliance

Answer 90

Learning Curve Complexity Security Risks

Answer 91

All the computing functions are coordinated and managed from a single location or authority

Answer 92

Efficiency and control Consistency Cost Effectiveness

Answer 93

Single point of failure Scalability Issues Security Risks

Answer 94

Computing functions are distributed across multiple systems or locations

Answer 95

Resiliency Scalability Flexibility

Answer 96

Security Risks Management Challenges Data Inconsistency

Answer 97

Internet of Things; Refers to the network of physical items with embedded systems that enables connection and data exchange

Answer 98

The central point connecting all IoT devices and sends commands to them

Answer 99

Everyday objects enhanced with computing capabilities and Internet connectivity

Answer 100

Subset of smart devices designed to be worn on the body

Answer 101

Detect changes in the environment and transform them into analyzable data

Answer 102

Weak Defaults Poorly configured network services

Answer 103

Industrial Control Systems- Control systems used to monitor and control industrial processes ranging from simple systems to complex systems

Answer 104

Supervisory Control and Data Acquisition- A type of ICS used to monitor and control geographically dispersed industrial processes

Answer 105

Distributed Control Systems- Used to control production systems within a single location

Answer 106

Programmable Logic Controllers- Used to control specific processes such as assembly lines

Answer 107

Specialized computing component designed to perform dedicated functions within a larger structure

Answer 108

Real-Time Operating System- Ensures data processing in real-time and is crucial for time-sensitive applications

Answer 109

Network Segmentation Wrappers Firmware Code Control Inability to Patch

Answer 110

Divides a network into multiple segments or subnets, limiting potential damage in case of a breach

Answer 111

Show only the entry and exit points of the data when travelling between networks (IPSec)

Answer 112

This can be achieved through secure coding practices, code reviews, and automated testing

Answer 113

Strategies like over-the-air (OTA) updates, where patches are delivered and installed remotely, can be applied

Answer 114

Safeguards networks by monitoring and controlling traffic based on predefined security rules

Answer 115

aka Dual-Homed Host; Acts as a security barrier between external untrusted networks and internal trusted networks, using a protected host with security measures like a packet-filtering firewall

Answer 116

aka Layer 4 Firewall; Checks packet headers for traffic allowance based on IP addresses and port numbers; most efficient but least secure

Answer 117

Monitors all inbound and outbound network connections and requests

Answer 118

Acts as an intermediary between internal and external connections, making connections on behalf of other endpoints

Answer 119

Operates at the layer 5 of the OSI model (e.g. SOCKS firewall)

Answer 120

aka Layer 7 Firewall; Conducts various proxy functions for each type of application at the layer 7 of the OSI model

Answer 121

aka 5th Generation Firewall; Has minimal impact on network performance while thoroughly inspecting packets across all layers

Answer 122

Next-Generation Firewall; Aims to address the limitations of traditional firewalls by being more aware of applications and their behaviors 1. Conducts deep packet inspection for traffic 2. Operates fast with minimal network performance 3. Offers full-stack traffic visibility 4. Integrates with various security products

Answer 123

Unified Threat Management Firewall; Provides the ability to conduct multiple security functions in a single appliance... 1. Network firewalls 2. Network intrusion prevention systems 3. Gateway antivirus and antispam 4. Virtual private network concentration 5. Content filtering 6. Load Balancing 7. Data loss prevention

Answer 124

1. Single point of failure 2. Lacks the breadth of tools offered by more specialized equipment 3. Sometimes they are less efficient than specialized tools

Answer 125

1. Lower upfront costs, maintenance, and power consumption 2. Simplified installation and configuration 3. Full integration with multiple benefits

Answer 126

Web Application Firewall; Focuses on the inspection of the HTTP traffic 1. Inline Configuration- Device sits between the network firewall and the web servers 2. Out-of-Band Configuration- Device receives a mirrored copy of web server traffic

Answer 127

Intrusion Detection System- Responsible for detecting unauthorized network access or attacks; detects, reports, logs, and/or alerts; Provides passive detection; Types: 1. NIDS- Network Intrusion Detection System 2. HIDS- Host Intrusion Detection System 3. WIDS- Wireless Intrusion Detection System

Answer 128

Intrusion Prevention System- Scans traffic to look for malicious activity and takes action to stop it; installed right behind firewall on edge of network so it can block traffic when needed; provides active protection

Answer 129

Network Intrusion Detection Systems- Monitors the traffic coming in and out of a network; Installed on a mirrored port off backbone switch so it can analyze all traffic

Answer 130

Host-based Intrusion Detection System- Looks at suspicious network traffic going to or from a single server or endpoint

Answer 131

Wireless-based Intrusion Detection System- Detects attempts to cause a denial of service attack on a wireless network

Answer 132

Signature-based Intrusion Detection System- Analyzes traffic based on defined signatures and can only recognize attacks based on previously identified attacks in its database

Answer 133

Looks for a specific pattern of steps; Common in NIDS and WIDS

Answer 134

Compares against a known system baseline; Common in HIDS

Answer 135

Anomaly-Based Intrusion Detection System (aka Behavioral-Based)- Analyzes traffic and compares it to a normal baseline of traffic to determine whether a threat is occurring

Answer 136

Statistical Protocol Traffic Rule / Heuristic Application-Based

Answer 137

Work the same way as HIDS / WIDS but also responds to threat as opposed to just detecting it

Answer 138

Dedicated hardware device with pre-installed software that is designed to provide specific networking services

Answer 139

Crucial component in any high-availability network or system that is designed to distribute network or application traffic across multiple servers

Answer 140

Application Delivery Controller- Special type of load balancer which provides additional services such as: SSL Termination HTTP Compression Content Caching

Answer 141

Intermediary between a client and a server to provide various functions like content caching, request filtering, and login management

Answer 142

Designed to monitor, detect, and analyze traffic and data flow across a network in order to identify any unusual activities, potential security breaches, or performance issues

Answer 143

Dedicated gateway used by system administrators to securely access devices located in different security zones within the network; they restrict direct access to protected devices or servers

Answer 144

Common security feature found on network switches that allows administrators to restrict which devices can connect to a specific port based on the network interface cards MAC address

Answer 145

Content Addressable Memory Table- Used to store information about the MAC addresses that are available on any given port of the switch

Answer 146

aka Sticky MAC- Feature in network port security where the switch automatically learns and associates MAC addresses with specific interfaces

Answer 147

Standardized framework that is used for port-based authentication for both wired and wireless networks; uses RADIUS or TACACS+

Answer 148

Extensible Authentication Protocol (it is a framework)

Answer 149

Variant of EAP that utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication

Answer 150

Form of EAP that uses public key infrastructure with a digital certificate being installed on both the client and the server as the method of authentication

Answer 151

Variant of EAP that requires a digital certificate on the server, but not on the client

Answer 152

FAST = Flexible Authentication via Secure Tunneling; Variant of EAP that uses a protected access credential, instead of a certificate, to establish mutual authentication between devices

Answer 153

Protected EAP- Variant of EAP that supports mutual authentication by using server certificates and the Microsoft Active Directory databases for it to authenticate a password from the client

Answer 154

Variant of EAP that only works on Cisco-based devices

Answer 155

Virtual Private Network- Extends a private network over a public one, enabling users to securely send and receive data

Answer 156

Establishes secure tunnels over the public Internet for interconnecting remote sites; secure but slows transmission speeds since data is detoured through VPN

Answer 157

Connects individual devices directly to the organizations headquarters, enabling remote users to access the network

Answer 158

Maximizes security by encrypting all traffic to the headquarters while integrating clients with the network; more secure than split tunnel but slower speeds

Answer 159

Divides traffic and network requests and then routes them to the appropriate network; Only VPN traffic goes over the VPN; less secure than full tunnel but faster since not all traffic is going over the VPN

Answer 160

Secures remote access through browser-based VPN tunnels without needing client software or hardware configuration

Answer 161

Transport Layer Security- A protocol that provides cryptographic security for secure connections and is used for secure web browsing and data transfer

Answer 162

Transmission Control Protocol- Used by TLS to establish secure connections between a client and a server, but it may slow down the connection

Answer 163

Datagram Transport Layer Security- A UDP-based version of TLS protocol that offers the same security level as TLS while maintaining faster operations

Answer 164

A protocol suite for secure communication through authentication and data encryption in IP networks; most popular for VPNs because it provides: Confidentiality Integrity Authentication Anti-Replay

Answer 165

Internet Key Exchange

Answer 166

1. Request to start Internet Key Exchange -PC1 initiates traffic to PC2, triggering IPSec tunnel creation by router 1 2. IKE Phase 1 -Routers 1 and 2 negotiate security associations for the IPSec IKE Phase 1 tunnel, aka ISAKMP 3. IKE Phase 2 -Establishes a tunnel within the tunnel 4. Data transfer -Data transfer between PCs 1 and 2 takes place securely 5. Tunnel termination -Tunnel termination, including the deletion of IPSec security associations

Answer 167

Employs the original IP header, ideal for client-to-site VPNs, and is advantageous when dealing with MTU constraints

Answer 168

Employed for site-to-site VPNs and adds an extra header that can increase packet size and exceed the MTU

Answer 169

Maximum Transmission Unit- Set only at 1500 bytes and may cause fragmentation an VPN problems

Answer 170

Authentication Header- Offers connectionless data integrity and data origin authentication for IP datagrams using cryptographic hash as identification information

Answer 171

Encapsulating Security Payload- Employed for providing authentication, integrity, replay protection, and data confidentiality by encrypting the packets payload

Answer 172

Virtualized approach to managing and optimizing wide area network connections to efficiently route traffic between remote sites, data centers, and cloud environments

Answer 173

Secure Access Service Edge- Used to consolidate numerous networking and security functions into a single cloud-native service to ensure that secure and access for end-users can be achieved

Answer 174

Distinct segment within a network, often created by logically isolating the segment using a firewall or other security device

Answer 175

Used to be referred to as De-Militarized Zone or DMZ- Hosts public facing services such as web servers, email servers, and DNS servers and safeguards against security breaches by preventing attackers from gaining direct access to the sensitive core internal network

Answer 176

Refers to all the points where an unauthorized user can try to enter data to or extract data from an environment

Answer 177

Refers to hw different components of a network communicate with each other and with other external networks

Answer 178

A protective measure put in place to reduce potential risks and safeguard an organizations assets

Answer 179

Users or systems are granted only the necessary access rights to perform their duties, reducing the attack surface

Answer 180

Emphasizes the use of multiple layers of security to mitigate threats even if one control fails

Answer 181

Prioritizing controls based on potential risks and vulnerabilities specific to the infrastructure to make efficient use of resources

Answer 182

Regularly reviewing, updating, and retiring controls to adapt to evolving threat landscapes

Answer 183

Ensuring transparency and accountability through rigorous testing and scrutiny of infrastructure and controls