65 Cards in this Set
What is layered security? |
An approach to securing systems and their data against attack that incorporates many different avenues of defense. |
|
Defense in depth? |
A layered approach to security: if any one element is breached, the other secure layers can still defend.
-Ex. Think of the prison example. |
|
What is Data Security? |
- |
|
What are some data security vulnerabilities? |
- Increased cloud computing - Lack of restricted access to data systems - Lack of user awareness |
|
What are some common Data Storage Methods? |
- Direct-attach storage (DAS) - Network-attached storage (NAS) - Storage area networks (SANs) - Cloud-based storage |
|
What is direct-attached storage (DAS)? |
Storage that is plugged in directly to a computer. |
|
Storage area networks (SANs) |
- |
|
Network-attached storage (NAS) |
Any storage available to the network. |
|
Cloud-based storage |
An outside party provides the storage. |
|
What are some Data Encryption Methods? |
-Full Disk -Database -File -Removable media -Mobile device -Voice |
|
How does Full Disk encryption work? |
Encrypts an entire disk and all the data stored in it. |
|
Database encryption |
Encrypts sensitive data stored in the database. |
|
File Encryption |
protects individual files that contain private or confidential data. |
|
Removable media encryption |
Encryption on external storage devices. |
|
Mobile device encryption |
protects any data stored on smartphones or other mobile devices. |
|
Voice Encryption |
protects voice communications and data across a network. |
|
Email Encryption |
protects emails and attachments from being read by unauthorized users. |
|
Hardware-Based Encryption Devices |
- Devices that enforce encryption, decryption, and access control using a Hardware Security Module (HSM). - Deny execution of external programs. |
|
What are some benefits of Hardware-based Encryption? |
- Prevents unauthenticated storage mapping. - Prevents copying data without the assigned HSM. - Self-governed; not affected by malicious code or other OS issues. - Proves that all computers are encrypted. |
|
Types of Hardware-Based Encryption Devices |
- Trusted Platform Module (TPM) - Hardware Security Module (HSM) - USB encryption - Hard drive encryption |
|
What does "Data at rest" mean? |
This refers to data in storage, whether in a database, on a disk, or on another storage medium. |
|
What are some Data at rest encryption methods? |
- PGP Whole Disk Encryption - Microsoft Windows BitLocker disk encryption - OS X FileVault - Database encryption for database systems such as MySQL and Oracle - TrueCrypt |
|
Data in transit |
refers to data that is moving across a network, including data for web applications, mobile device apps, and instant messaging. |
|
What are some data in transit encryption methods (transport encryption)? |
- HTTPS/Secure Sockets Layer/Transport Layer Security (SSL/TLS) - Wi-Fi Protected Access 2 (WPA2) - Virtual private networks (VPNs) - Internet Protocol Security (IPSec) - Secure Shell (SSH) |
|
What is an Access Control List (ACL)? |
A list that enables you to restrict access to resources like files and folders. |
|
What is "Big Data"? |
Data collections that are so large and complex that they are difficult for traditional database tools to manage. |
|
Data Policies |
- Normally covered under the AUP and other general corporate security policies.
- Can also be developed as a separate policy to guarantee protection of personal data. |
|
What are some types of Data Policies? |
-Wiping -Disposing -Retention -Storage |
|
What are some Guidelines for Managing Data Security? |
- Consider implementing layered security. - Identify forms of data storage, and select security controls to protect each type. - Consider implementing controls to protect data in transit, in use, and at rest. - Consider developing and enforcing data policies that protect data while allowing the correct level of accessibility. |
|
What is Application Security? |
- |
|
What is Patch Management? |
The practice of monitoring for, obtaining, evaluating, testing, and deploying software patches and updates. |
|
Application Security Methods |
- Configuration baseline - Application hardening - Patch management |
|
Configuration baseline |
A baseline composed of the minimum security requirements needed for an application to be complete. |
|
Application hardening |
The process used to configure a default application to prevent security threats and vulnerabilities.
"Making the application harder to break." |
|
Patch Management |
- |
|
Input validation |
ensuring that the data entered into a field or variable in an application is within acceptable bounds for the object that will receive the data. |
|
Input validation vulnerabilities |
- Can affect any type of software. - Websites and web applications are popular targets. - Requires careful coding to avoid. |
|
Client-Side Validation |
- Input validation and error recovery at the browser. - JavaScript, AJAX, VBScript, and HTML5 attributes. - For enhanced user experience. |
|
Server-side validation |
- Input validation and error recovery at the server. - Perl, PHP, ASP, and other scripting languages. - For enhanced security. |
|
Cross-site scripting (XSS) attack |
- The attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users in two different ways: stored attacks and reflected attacks. |
|
What are some cross-site attack prevention methods? |
- Restrict HTML formatting in form fields. - Use input validation. - Restrict cookie information. - Encrypt data communications. - Advise on the Remember Me option. |
|
Cross-site Request Forgery (XSRF) attack |
When an attacker takes advantage of the trust established between an authorized user of a website and the website itself. |
|
What is fuzzing? |
A testing method used to identify vulnerabilities and weaknesses in applications by sending the application a range of random or unusual input data and noting any failures and crashes that result. |
|
What are some features of Web Browser Security? |
- Pop-up blocker - Parental controls - Automated updating - Encryption - Proxy support - Web content - Advanced security |
|
What are the internet Zones? (Inside of your internet options) |
-Internet -Intranet -Trusted Sites -Restricted Sites |
|
Proxy is on the test |
Find in Internet Explorer. |
|
NoSQL Databases |
- Organize and group data by non-relational means: key-value stores, document stores, graph stores, and column stores. - Used for web applications, agile applications, and big data projects. |
|
What are the guidelines for Managing Application Security? |
- Establish security configuration baseline. - Harden applications, especially web browsers. - Implement patch management for applications. - Implement input validation. - Consider implementing a combination of client-side validation and server-side validation. - Implement error and exception handling for applications developed in-house. - Protect against XSS and XSRF attacks. - Protect databases and associated. |
|
Hardening |
- Reducing the attack surface. |
|
What are some Operating System Security Settings? |
- Manage services - Configure firewall - Configure Internet Security - Manage automatic updates - Enable auditing and logging |
|
What is the difference between Application Blacklisting and Whitelisting? |
Blacklisting: preventing identified programs from running.
Whitelisting: allowing only identified programs to run. |
|
What are the types of anti-malware software? |
- Antivirus - Anti-spam - Anti-spyware - Pop-up blockers - Host-based firewalls |
|
What are some Virtualization Security Techniques? |
- Establish a patch management system. - Apply the least privilege concept. - Establish log requirements. - Establish secure design for virtual components. - Take consistent snapshots of virtual environments. - Ensure that virtual hosts are consistently available and elastic. - Leverage virtual sandboxes for security testing. |
|
Hardware Security Controls |
- Logoff and shutdown procedures - Wireless device approval - Properly secured mobile devices - Cable Locks - Strong password policies |
|
Non-standard Host |
Hosts and devices with static environments |
|
What are some examples of Non-standard Hosts? |
- SCADA - Embedded-software systems - Mainframe Computers - Some Mobile devices |
|
What are some security controls for Non-Standard Hosts? |
- Layered Security: Network segmentation & Application Firewalls - Manual updates: Android & iOS - Firmware version control: SCADA systems & Embedded system - Wrappers - Controlling redundancy and diversity. |
|
What are some examples of Mobile Device Security Controls? |
- Enable screen lock. - Enforce access control. - Track assets and keep inventory. - Require strong passwords. |
|
What are some "Bring Your Own Device (BYOD)" Controls? |
- Corporate and acceptable use policies - On-boarding and off-boarding - Data/support ownership - Patch and antivirus management - Architecture and infrastructure needs - Forensics - Privacy - Control for on-board camera, microphone, and video use |
|
What are some Network Devices? |
- Router - Switch - Proxy Server - Firewall - Load Balancer - All-in-one security appliance |
|
Name some Network Analysis Tools |
- Sniffers - Spam filters - Protocol analyzers |
|
Telephony Components |
- VoIP - Private Branch exchange - CTI |
|
Cloud Computing Deployment Models |
- Private - Public - Community - Hybrid |
|
What are some Cloud Computing Service Types? |
- SaaS - PaaS (Platform As A Service) - IaaS |
|
What are the differences between the 802.11 standards? |
- 802.11 - 802.11a - 802.11b - 802.11g - 802.11n - 802.11ac |