6 TECHNICAL SECURITY Flashcards

Question

port 20/21

Answer 1

Ports 20 and 21: file transfer protocol (FTP), used for transferring files between a client and a server, but is insecure. Secure FTP (SFTP) should be used and run as a subsystem of SSH

Answer 2

secure shell protocol (SSH) is a tunnelling protocol that creates secure network connections.

Answer 3

Port 25: simple mail transfer protocol (SMTP) is used for sending email.

Answer 4

Port 53: domain name system (DNS) matches the domain names (bbc.co.uk or amazon.com) to an IP address – bbc.co.uk, for instance, is 212.58.237.1 (in Windows command prompt, type nslookup bbc.co.uk) – enabling users to load websites and applications without having to remember an IP address. Note that the BBC address can change.

Answer 5

hypertext transfer protocol (HTTP) is the original protocol that made the World Wide Web possible, and has been largely replaced by the secure (HTTPS) protocol, which should be used where possible.

Answer 6

Port 88: Used by Kerberos and Microsoft, the single sign on (SSO) system is used to authenticate clients and servers. A user authenticates and then gets admittance to what they have been given permission to access.

Answer 7

network time protocol (NTP) is used to synchronise clocks within devices on a network.

Answer 8

HTTP secure is the encrypted version of HTTP. It adds transport layer security (TLS) to HTTP to make a secure connection.

Answer 9

remote desktop protocol (RDP) enables users to remotely connect to their desktop computers from another device.

Answer 10

Copper wires/fibre or wireless connecting switches, routers, firewalls and intrusion detection, before reaching endpoint devices, such as servers, computers and printers.

Answer 11

Bandwidth is a crucial element and is the amount, or flow, of traffic the network can carry. A low bandwidth is like a straw: the amount of water you can get through it is limited. A higher bandwidth is like a hosepipe, with a much greater amount of water being able to flow through. In both cases, you can think of download speed as which one would fill a bucket faster.

Answer 12

A switch is a network device that receives traffic from another source, such as a router. It has a series of network ports, commonly on the front, to attach cables to. A switch allows individual devices such as computers or printers to be individually connected so they can send and receive information. The switch helps with network efficiency by only sending traffic to the device for which it is intended. It also prevents devices listening in to traffic intended for another device.

Answer 13

An enterprise router is not like the router you may have at home for your broadband connection. The device you have at home is a unified device with a router, firewall, WLAN, LAN and a switch all built into a single unit. An enterprise router does the single task of routing traffic to various areas of the network, such as from the network backbone to individual segments or organisation units, for example HR or finance.

Answer 14

A firewall is a security component, and its role is to prevent unwanted or malicious traffic entering the network and to provide control between network segments. There are several types of firewalls to secure different parts of the network, and we will discuss them in more detail in the Network Security section

Answer 15

: An IDS is designed to monitor network or system activities for malicious activities or policy violations. It analyses traffic patterns to detect potential threats and alerts administrators to suspicious activity. The IDS can be either network-based (NIDS) or host-based (HIDS), depending on where it is deployed.

Answer 16

An IPS is a more advanced version of an IDS that not only detects but also prevents identified threats. It sits inline with network traffic and can take immediate action, such as blocking malicious traffic, dropping packets or resetting connections, to stop attacks in real-time.

Answer 17

wireless networks connect home hub/routers allow agile working, hot desking Wi-Fi refers to WLANs based on the IEEE 802.11 standard, which allows devices to access the network from anywhere within the range of an access point (AP). secure connection standards

Answer 18

WPA2 (Wi-Fi protected access) was released in 2004. It is still considered strong and widely in use. WPA2 Personal uses a setup password (preshared key – PSK) to protect unauthorised network accesses. In PSK mode, each wireless network device encrypts the password exchange using a 128-bit key, which is derived from a passphrase of 8 to 63 ASCII characters. WPA2 Enterprise uses centralised client authentication using multiple authentication methods, such as token cards, Radius and Kerberos. Users are assigned login credentials by a centralised server, which they must use to access the network.

Answer 19

WPA3, released in 2019, is an advanced implementation of WPA2 providing improved protocols. Adoption is slow due to the extra cost and WPA2 still being considered secure. WPA3 Personal is a PSK based authentication using the simultaneous authentication of equals protocol, also known as Dragonfly Key Exchange, for secure key exchange. WPA3 is resistant to offline dictionary attacks and key recovery attacks. WPA3 Enterprise protects sensitive data using several cryptographic algorithms. It provides authenticated encryption.

Answer 20

security risk from sniffers, unencrypted traffic through Wireshark use VPNs to avoid

Answer 21

where an adversary sets up a fake wireless AP that mimics a legitimate one, often using the same network name to deceive users. This fake AP is designed to lure unsuspecting users into connecting to it instead of the real network. Once connected, the attacker can intercept and capture sensitive information transmitted by the victim, such as login credentials, emails and other personal data. The evil twin attack exploits the trust users place in recognised Wi-Fi network

Answer 22

a security device designed to detect and also prevent attacks. It can be software based and installed on devices such as a server, when it is called a HID, and if placed inline in a network it’s called a NID. More sophisticated detection devices or software can also prevent the intrusion. These are called host intrusion prevention (HIP) and network intrusion prevention (NIP). There is also wireless intrusion prevention, known as WIP.

Answer 23

a security device designed to detect and also prevent attacks. It can be software based and installed on devices such as a server, when it is called a HID, and if placed inline in a network it’s called a NID. More sophisticated detection devices or software can also prevent the intrusion. These are called host intrusion prevention (HIP) and network intrusion prevention (NIP). There is also wireless intrusion prevention, known as WIP.

Answer 24

A proxy firewall is an early type of firewall. It serves as the gateway from one network to another. Proxy firewalls can also provide additional functionality, such as security, by preventing direct connections from outside the network coming in or inside going out.

Answer 25

A stateful inspection firewall blocks or allows traffic based on its state, port and protocol. It monitors all activity from when the connection is opened until it is closed. It can make filtering decisions based on rules as well as context. It uses information from previous connections and packets that belonged to the same connection.

Answer 26

A unified threat management firewall typically **combines** the functions of a stateful inspection firewall with intrusion prevention and anti-virus. It may also include additional services and cloud management.

Answer 27

are a very evolved firewall and used to block modern threats such as advanced malware and application-layer attacks.

Answer 28

intelligence-based access control with stateful inspection; integrated IPS; application awareness and control to see and block risky apps; upgrade paths to include future information feeds; techniques to address evolving security threats; URL filtering based on geolocation and reputation. While these capabilities are increasingly becoming the standard for most companies, NGFWs can do more.

Answer 29

IPsec (internet protocol security) group of protocols for creating a secure connection between devices mainly used as VPN works by encryption of IP packets +authentication of source adds security by encrypting the payload in the packet (transport mode) or both the packet and IP address (tunnel mode)

Answer 30

Internet protocol is the main protocol used on the internet for data flow using IP addresses. IPsec adds security either by encrypting the payload in the packet (transport mode) or both the packet and IP address (tunnel mode).

Answer 31

In networking, a protocol is a set of standard rules to format data so any device on the network can understand the process and interpret the data.

Answer 32

**Authentication header (AH): ** The AH protocol is used to ensure data packets are from a trusted source and that the data has not been tampered with. The headers do not provide encryption and are a tamper-proof seal. **Encapsulating security protocol (ESP):** ESP encrypts the IP header and the payload of each packet unless transport mode is used. If transport mode is used, only the data payload is encrypted. **Security association (SA): **SA is used for negotiating encryption keys and algorithms. Internet key exchange (IKE) is the most commonly used SA protocol.

Answer 33

Transport layer security (TLS) is used for privacy and data security of internet communication, an example being the encryption of traffic between web applications and servers, such as web browsers loading a website. TLS can be used to encrypt other communications, such as voice over IP (VOIP), email and messaging. HTTPS is an implementation of TLS, which added security to the insecure HTTP protocol for data exchange used to fetch websites.

Answer 34

TLS replaced SSL in 1999. SSL was originally developed by Netscape in 1994. SSL is now deprecated and considered insecure, but is still used in books and industry to describe TLS. The change of name to TLS was due to SSL being the intellectual property of Netscape, and they no longer wanted to be involved, so the IETF took over and created TLS

Answer 35

Its latest iteration is TLS 1.3 (released in 2018), a shortened handshake protocol that resists rollback and key compromise attacks. It can enforce a set cryptographic level and remove obsolete cipher suites to prevent downgrade attacks. TLS 1.0 and 1.1 are now deprecated and should not be used.

Answer 36

Data loss prevention set of strategies and tools used to ensure that sensitive or critical information does not go outside the organisation network. The primary goal of DLP = to prevent data breaches and unauthorised access to sensitive data.

Answer 37

The most critical factor is identifying and classifying data. sensitivity and criticality

Answer 38

DLP solutions can identify and categorise sensitive data, such as PII, financial data, intellectual property and other confidential information. Once data is identified, it is classified based on its sensitivity and criticality, which helps in applying appropriate policies and controls

Answer 39

DLP tools help enforce policies monitor data

Answer 40

continuously monitor data in use (endpoints), data in motion (network traffic) and data at rest (stored data) to detect any anomalies or unauthorised access attempts. enforce policies that prevent unauthorised sharing, copying or transferring of sensitive data, which can include encryption, access controls and other protective measures. Instead of waiting to check security after a new feature is developed, tested and released into production, it’s more effective to perform security testing at every phase. This allows for immediate resolution of security issues as they arise

Answer 41

The most critical factor is identifying and classifying data. data monitoring and protection. Incident response and reporting

Answer 42

When a potential data breach or policy violation is detected, the DLP system generates alerts and detailed reports for administrators to review. DLP tools can trigger automated responses, such as blocking the transfer of data, quarantining affected files or notifying security teams for further investigation.

Answer 43

DLP is often integrated with other security solutions for a more comprehensive security posture. This includes anti-virus, firewalls, intrusion IDS/IPS and SIEM solutions.

Answer 44

DLP helps compliance and risk management by ensuring the organisation complies with regulatory requirements such as GDPR, HIPAA, PCI DSS and others by confirming that sensitive data is adequately protected. By preventing data breaches and ensuring data protection, it can reduce the overall risk to the organisation.

Answer 45

Network DLP monitors and protects data in motion across the network. Endpoint DLP monitors and protects data in use on endpoint devices such as laptops, desktops and mobile devices. Storage DLP protects data at rest stored in databases, file servers and other storage systems. Cloud DLP extends DLP capabilities to data stored in and transmitted to/from cloud services

Answer 46

protects intellectual property by preventing the theft or unauthorised sharing of trade secrets and proprietary information. prevents data breaches by detecting and blocking unauthorised data transfers. compliance with data protection regulations, helping organisations avoid hefty fines. enhances data visibility by providing better visibility into data flows and usage within the organisation improves the overall security posture by integrating with other security measures.

Answer 47

complex, resource intensive to implement/manage balance: data protection with user privacy accurate detection to minimise false positives/negatives cruxial improperly configured DLP tools can impact system

Answer 48

A false positive occurs when there is an incorrect indication to the presence of a condition or attribute that is not actually present. For example, an IDS might flag legitimate network traffic as malicious, resulting in an unnecessary alert.

Answer 49

A false negative occurs when there is an incorrect indication to a condition or attribute that is actually present. For example, IDS might fail to detect actual malicious activity, allowing an attack to proceed unnoticed.

Answer 50

subnetwork in a network that contains public-facing resources such as web servers for company websites DMZ isolates public-facing resources from enterprise's private local LAN Additional layer of network security- traffic from internet other locations outside the enterprise domain boundary should be terminated, inspected and authenticated

Answer 51

PERIMETER NETWORK/SCREENED SUBNET

Answer 52

Internet → [Firewall → Web and Mail Server (DMZ) → Firewall] → Internal Network where []=DMZ

Answer 53

CIAN and protect anonymity

Answer 54

Specifically, each party must usually ensure that, with regard to any information that passes between them: It is kept secret, assuming that this is a key requirement of the relationship (confidentiality). It is not changed by third parties while in transit (integrity). The origin of the information (person or system) is assured (authentication). The originator cannot deny having sent the information (non-repudiation). It can, if required, protect the identity of the user (anonymity).

Answer 55

1) secure info stored in a system against unauthorised access (password protection or encryption of files/disk) 2) secure info while in transit between sender/recipient so interceptor unable to understand

Answer 56

In order to provide confidentiality, information or ‘plaintext’ may be encrypted – changed into ‘ciphertext’ so that the original plaintext cannot be read or inferred – and then sent to the recipient, who reverses the process by decrypting the message to recover the original plaintext.

Answer 57

encrypt information during transfer from one computer to another used to encrypt a number of files on computer media may be used to encrypt an entire hard disk drive, including the operating system, applications and configuration information as well as the data.

Answer 58

(STREAM CIPHER)Encrypted effectively one bit (as in binary digit) at a time and each encrypted bit is transmitted to the recipient, who decrypts it in real-time. e.g. mobile phones in which the speech, text or application data are encrypted in the handset and transmitted to the point in the mobile network where decryption takes place. The speech or text is then delivered to the recipient as plain speech, text or data. The same key is used to encrypt and decrypt the data, so it is ‘symmetric’ as it is a single key.

Answer 59

A stream cipher is a type of encryption algorithm that encrypts data one bit or byte at a time, typically used for real-time communications or scenarios where data arrives in a continuous stream.

Answer 60

An example would be WEP (wired equivalent privacy), a deprecated standard for wireless connection which uses the RC4 stream cipher.

Answer 61

information is encrypted in one or more blocks (normally 64 bits) of data and the entire message is sent as these blocks to the recipient. Decryption need not be in real-time, but may take place sometime later, and is carried out on the blocks of encrypted data. Examples of block ciphers are Triple-Data Encryption Standard (Triple-DES), Blowfish and Advanced Encryption Standard (AES).

Answer 62

information is encrypted in one or more blocks (normally 64 bits) of data and the entire message is sent as these blocks to the recipient. Decryption need not be in real-time, but may take place sometime later, and is carried out on the blocks of encrypted data.

Answer 63

This method of encryption is referred to as a block cipher. Examples of block ciphers are Triple-Data Encryption Standard (Triple-DES), Blowfish and Advanced Encryption Standard (AES).

Answer 64

Plain text → encrypted using an encryption key. Result is encrypted text. Encrypted text → decrypted using a decryption key (same as encryption key). Output is the original plain text.

Answer 65

algorithm and key

Answer 66

weeds out weaker algorithm in attacks against to recover plaintext

Answer 67

used in cryptography symmetric Both sender and recipient keep the symmetric encryption key as a shared secret changed at intervals to resist decryption by exhaustive key search

Answer 68

bits greater length, keyspace and stronger BRUTE FORCE attacks always work but timescale differ stolen key > brute force for attacker

Answer 69

minimum time for which the information must remain secret. attacker brute force key in less than the cover time, a stronger key is needed

Answer 70

DES used a 56-bit key, which has 2^56 combinations broken by exhaustive key search< 1 week

Answer 71

Tripling the key length to become Triple-DES using a 168-bit key (2^168 combinations). now superseded by AES

Answer 72

superseded triple DES even stronger and also a block cipher. The usual key AES lengths are 128, 192 and 256. AES is now the most used symmetric cipher and can be found in IPSEC, TLS, WPA2 and 3 and BitLocker, to name a few.

Answer 73

attacker has managed to recover the message key by exhaustive key search. If the sender included the new key with a message encrypted with the old key, the new key would already be compromised, so another method must be found that will permit the new key to be sent securely. BETTER USE PUBLIC KEY CRYPTOGRAPHY: The recipient can be assured that the new key has originated from a trusted source and not from a man-in-the-middle attacker.

Answer 74

mathematics that make public key infrastructure (PKI) possible (RSA Security) SOLVES KEY EXCHANGE PROBLEM public key and private key mathematically linked but not similar confidentiality digital signature of hash = identity

Answer 75

IKE stands for Internet Key Exchange — it's a protocol used to set up a secure, authenticated communication channel between two parties, typically in VPNs (Virtual Private Networks).

Answer 76

in public key cryptography sender and the recipient need to authenticate the owner of the public key they are about to use to make sure it is not a ‘masquerade attack’ where the actual recipient pretends to be somebody else. The recipient also needs to be able to check that any digital signature of the message, signed using the sender’s private key, really does belong to the claimed identity of the sender. This defends against both impersonation and a man-in-the-middle attack.

Answer 77

in Public key cryptography provide proof of message integrity, authentication of identity and non-repudiation of the sending of the message acceptable in legally binding document message digest encrypted with private key can be decrypted with public key and compared

Answer 78

hash used for PKI is known as a message digest messaged passed through algorithm create widely different value

Answer 79

SHA-256 and MD5 (now deprecated due to hash collision). They are two of the most common hashing algorithms currently used for digitally signing documents and messages.

Answer 80

[Plain Text] ─▶ [Hash Function] ─▶ [Hash] │ ▼ [Plain Text] (unchanged)

Answer 81

PKI (Public Key Infrastructure) uses public key and private for messages hashing in digital signatures digital certificates to authenticate identity of owner

Answer 82

used in PKI: authenticating the identity of the owner of a key pair, which is done using a digital certificate participant obtains from CA certifies that the digital certificate signed with the applicant’s private key authenticates the entity’s public key by signing it with a key of their own that can be checked as being genuine

Answer 83

The participants must obtain a digital certificate from a certification authority (CA), of which there are a number of commercial organisations. They must provide the CA with proof of identity, similar to that required to obtain a passport, in order to obtain a digital certificate. In return, the CA certifies that the digital certificate signed with the applicant’s private key authenticates the entity’s public key by signing it with a key of their own that can be checked as being genuine.

Answer 84

anyone can apply for a digital certificate – governments, commercial organisations or private individuals. They simply must provide the appropriate proof of identity. It allows the user’s certificate to be verified as being issued by a genuine CA and confirms that they are who they claim to be. This equates more or less to the situation in which a notary witnesses the written signature of a person on a legal document and by doing so certifies that the person has proved his identity to the notary by using a passport or equivalent identity document.

Answer 85

**the message, encrypted** with a symmetric key, providing confidentiality of the information to be transmitted; **the symmetric key itself**, encrypted with the recipient’s public key, providing confidentiality of the message key; **the message digest**, encrypted with the sender’s private key, providing an integrity check on the encrypted message, an authentication check on the sender and non-repudiation of the information transmitted; optionally, a **digital certificate**, providing **authentication of the sender** and non-repudiation for the message sent.

Answer 86

The certificate chaining process establishes trust in the identity of the holder of the certificate.

Answer 87

Symmetric key cryptography can be processed very quickly, especially if implemented in dedicated hardware. Asymmetric key cryptography, on the other hand, uses complex and repetitive mathematics to encrypt and decrypt information and this takes longer to carry out, especially on computer systems with relatively slow processing capability.

Answer 88

Cryptography is therefore used for encrypting and decrypting shorter items of information such as keys and message digests, as previously discussed, leaving symmetric key cryptography to encrypt and decrypt larger volumes of information.

Answer 89

"PKI can be used to securely distribute the symmetric keys, solving the key distribution problem." PKI uses asymmetric encryption (public/private key pairs) to securely distribute the symmetric key: 1) Sender generates a symmetric key to encrypt the message. 2) Sender encrypts the symmetric key using the recipient’s public key. 3) Only the recipient’s private key can decrypt it. 4) The encrypted message and encrypted key are sent together. This way: The message is encrypted with a fast symmetric algorithm. The key is securely delivered using PKI (asymmetric encryption). No need to pre-share the symmetric key manually.

Answer 90

form of encryption that allows computations to be performed on encrypted data without decrypting it, ensuring data remains confidential even while being processed. computation results should match to plaintext results e.g. we can do stats on encrypted data w/o knowledge and then decrypt result gives us result had we done on plaintext

Answer 91

🔄 Traditional Approach: Data must be decrypted before analysis. Risk: Exposure during processing, violating privacy laws (e.g., GDPR, HIPAA). ✅ Homomorphic Encryption Approach: Patients’ data is encrypted using a homomorphic scheme. The hospital performs statistical analysis directly on encrypted data: Compute averages, correlations, etc. The result (still encrypted) is decrypted only at the end. The decrypted result matches what you’d get if you had used plaintext. 🔐 Benefits: No exposure of raw data during processing. Compliance with privacy regulations. Enables outsourcing computation to cloud providers without revealing data

Answer 92

data privacy, as it ensures that sensitive data can be processed without exposure areas of high confidentiality supports operations on encrypted data, which can include addition, multiplication or both, depending on the type of homomorphism.

Answer 93

supports operations on encrypted data, which can include addition, multiplication or both, depending on the type of homomorphism. Partially homomorphic somewhat homomorphic encryption and fully homomorphic encryption (FHE)

Answer 94

Partially homomorphic encryption supports either addition or multiplication, s

Answer 95

somewhat homomorphic encryption supports limited operations with constraints

Answer 96

fully homomorphic encryption (FHE) supports arbitrary computations, allowing both addition and multiplication to be performed an unlimited number of times.

Answer 97

The security of homomorphic encryption is complex mathematical problems that are difficult to solve, such as lattice-based cryptography, which we will discuss in Chapter 9, making it resistant to conventional cryptographic attacks.

Answer 98

secure data analysis, enabling analysis of sensitive data without exposing the raw data, cloud computing, allowing encrypted data to be processed while maintaining privacy, and encrypted search, facilitating searching over encrypted data without revealing the content or search queries.

Answer 99

computationally intensive and slower compared to traditional encryption methods due to the complex mathematical operations required Developing and implementing homomorphic encryption systems is complex and requires a deep understanding of cryptography and mathematics FHE provides the most flexibility, it is not yet practical for all applications due to its high computational overhead. Ongoing development aims to make it more efficient and practical for broader use, though.

Answer 100

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Answer 101

This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Answer 102

many hosted email, photo sharing, streaming of video and music and social media cloud for storage, third-party service or replication of the entire network Operational expenditure paid for monthly

Answer 103

Access to powerful computing tools that would previously have been out of their financial reach. These include such offerings as Microsoft’s Office 365®, in which, rather than buying multiple copies of the MS Office suite of programs, individual users, small organisations and large organisations can subscribe to the online service, which includes an element of cloud storage and information sharing between teams.

Answer 104

on-demand self service; distributed storage; rapid elasticity; automated management; broad network access; resource pooling; measured service; virtualisation technology.

Answer 105

Cloud consumer: Cloud broker Cloud provider Cloud auditor Cloud carrier privacy:

Answer 106

Cloud consumer: A person or organisation that uses cloud computing services.

Answer 107

Cloud provider: A person or organisation providing services to interested parties.

Answer 108

Cloud carrier privacy: An intermediary for providing connectivity and transport services between cloud consumers and providers.

Answer 109

Cloud auditor: A party for making independent assessments of cloud service controls.

Answer 110

Cloud broker: An entity that manages cloud services in terms of use, performance and delivery, and maintains the relationship between cloud providers and consumers.

Answer 111

IaaS PaaS SaaS

Answer 112

Infrastructure as a service (IaaS) provides virtual machines and other hardware including OS, which may be controlled through a service API. Examples are Amazon EC2, Microsoft Azure.

Answer 113

Platform as a service (PaaS) offers development tools, configuration management and deployment platforms on-demand that can be used by subscribers to develop custom applications such as Google App Engine, Microsoft Azure, Oracle Cloud Platform, AWS Lambda or Salesforce.

Answer 114

Software as a service (SaaS) offers software to subscribers on-demand over the internet, such as web-based office applications Google Docs, Zoom, Adobe Creative Cloud, Shopify.

Answer 115

public community private

Answer 116

Public cloud services are over a network that is open for public use, the cloud infrastructure.

Answer 117

Community cloud is a shared infrastructure between several organisations with common concerns of security and collaborating on a common goal.

Answer 118

Private cloud is where all hardware and software resources are used exclusively and accessible only by a single customer.

Answer 119

Component / On-Premise / IaaS / PaaS / SaaS Application / B / B / B / C Data / B / B / B / C Runtime / B / B / C / C Middleware / B / B / C / C Operating System / B / B / C / C 🔑 Key: B = Organisation manages C = Cloud provider manages

Answer 120

is a distributed decentralised computing model in which data processing is performed close to edge devices. It helps in building automation systems that perform fast processing and it enables efficient, real-time applications. Examples include autonomous vehicles, industrial automation and control, kiosks, military and defence ✅ Example: A smart traffic light uses edge computing to detect vehicles and change signals instantly — no need to send data to a remote server..

Answer 121

is a distributed and independent digital environment in which applications and data storage are positioned between data sources and a cloud service. It acts as an intermediary between the hardware and remote servers. It is used for enhanced data processing, storage and analysis in a quick and efficient manner by processing data closer to where it was created. ✅ Example: A smart city uses fog computing to collect data from thousands of sensors (traffic, pollution, weather), process it locally in fog nodes, and send summaries to the cloud for long-term analysis.

Answer 122

technology, policy, procedures and security controls that are used to address internal and external security. ensure the privacy of data and address security concerns of the organisation around cloud usage, controlling cloud access of users, devices and software.

Answer 123

I heard of an incident where a third party accidentally left customer data in a test environment that was publicly accessible. An organisation that created applications accidentally pushed an application in development into production, and it contained a cloud admin password. After 20 seconds the developer realised and pulled the application down; however, within 15 seconds attackers had gained access to the organisation’s cloud and started to set up a bitcoin mining operation.

Answer 124

**R1 Accountability and data ownership**: Using the public cloud for hosting organisation services can cause severe risk for the recoverability of data. **R2 User identity federation**: Creating multiple user identities for different cloud providers makes it complex to manage multiple user IDs and credentials. **R3 Regulatory compliance**: There is a lack of transparency, and there are different regulatory laws in different countries. **R4 Organisation continuity and resiliency**: There can be organisation risk or monetary loss if the cloud provider handles the organisation continuity improperly. **R5 User privacy and secondary usage of data**: The default share feature in social websites can jeopardise the privacy of users’ personal data. **R6 Service and data integration**: Unsecured data in transit is susceptible to eavesdropping and interception attacks. **R7 Multi-tenancy and physical security**: Poor logical segregation may lead to tenants interfering with the security features of other tenants. **R8 Incidence analysis and forensic support**: Due to the distributed storage of logs across the cloud, law enforcement agencies may face problems in forensics recovery. **R9 Infrastructure security**: Misconfiguration of infrastructure may allow network scanning for vulnerable applications and services. **R10 Non-production environment exposure**: Using non-production environments increases the risk of unauthorised access, information disclosure and information modification.

Answer 125

It is also worth noting that attackers have generally relied upon stolen credentials and access tokens that did not require MFA to gain initial access to cloud and hybrid environments. With the adoption of MFA and increased security awareness, there has been a shift towards social engineering with targeted campaigns to lure users into providing credentials, and some highly innovative methods to circumvent MFA or exploit weaknesses in its implementation.

Answer 126

Attack The attackers gained access to the cloud service by taking advantage of a weak password. They then quickly set up the cloud service to mine for bitcoin. Bitcoin mining uses large amounts of resources and can be costly. Impact In a month, the attackers ran up a £500,000 bill with the cloud provider to undertake their bitcoin mining operation. Response The school was only alerted by a bill from their cloud provider. They quickly got their cloud account locked and ejected the bitcoin miners. Impact The school was unable to get back the £500,000 worth of cloud resources used, as they had failed to properly secure their account. Lessons learnt Ensure that access to a cloud environment is secure with MFA and a strong password with logging and monitoring, and implement PAM for admin accounts. Set a suitable spending limit and have alerts when there is high resource consumption. Always make use of recommended security settings provided by the cloud provider. Ensure admin accounts are kept secure and only those that require access have access.

Answer 127

Containers are lightweight packages of software that run anywhere, from a private data centre to the public cloud, or on a developer’s laptop. A container has the application including all its dependencies, such as OS, library files, configuration files, binaries and other resources, encapsulated. These run independently of other processes in the environment. They can be quickly spun up when required and spun down when not required. This isolation ensures that applications run the same way regardless of where they are deployed, reducing compatibility issues and conflicts between dependencies. can be easily moved and run across different environments, such as on-premises servers, public clouds or hybrid cloud setups. This portability makes it simpler to develop, test and deploy applications consistently

Answer 128

A container is a lightweight, standalone, and executable software package that includes everything needed to run an application: Code Runtime System tools Libraries Settings Think of it like a sealed box that contains an app and all its dependencies, so it can run consistently across different environments—whether on a developer’s laptop, a test server, or a production cloud platform.

Answer 129

Microservices is an architectural style that structures an application as a collection of small, autonomous services, each designed to perform a single function or a set of related functions. CLOSELY RELATED to containers as can be used together: containers encapsulate microservices with dependencies so that it runs consistently across environments

Answer 130

Microservices is an architectural style where a large application is broken down into a collection of small, independent services, each responsible for a specific business function. Each microservice: Is autonomous and self-contained. Communicates with others via APIs (usually HTTP/REST or messaging). Can be developed, deployed, and scaled independently.

Answer 131

containers encapsulating microservices and dependencies: helps to maintain independence of each microservice, preventing conflicts and making deployments more predictable Containers can be easily scaled up or down, facilitating the horizontal scaling of microservices. Each microservice can be scaled independently based on its load, optimising resource utilisation. Containers provide a lightweight, portable environment that can run on any system. This portability aligns with the microservices principle of being able to deploy services independently across different environments.

Answer 132

Microservices / | \ 3 Microservices V V V Virt. Containers. Public Cloud (where V =up and down arrows)

Answer 133

Answer 134

open-source platform that allows developers to build, deploy, run, update and manage containers similar in concept to virtual machines. Instead of running an entirely separate operating system, with its large overhead and resource consumption, Docker runs containers each container spun up/down quickly, only using resources when running creation/testing of containers from a third party should ideally be integrated into the DevSecOps process covered in ch5

Answer 135

Each container can be spun up or down quickly, so only uses resources when running, unlike a virtual machine, which must run constantly. This in turn saves resources and therefore running costs, especially in the cloud.

Answer 136

Impetuous image creation Unreliable third-party resources Unauthorised access Insecure container runtime configurations Data exposure in Docker files Embedded malware Non-updated images Hijacked repository and infected resources Hijacked image registry Exposed services due to open ports Exploited applications Mixing of workload sensitivity levels

Answer 137

Careless creation of images by not considering the security safeguards or control aspects, using unsafe or untested code

Answer 138

Untrusted third-party resources make the resources vulnerable to malicious attacks.

Answer 139

Gaining access to the user accounts leads to privilege escalation attacks.

Answer 140

Improper handling of the configuration option and mounting sensitive directories on the host can cause faulty and insecure runtime configurations.

Answer 141

Docker images exposing sensitive information such as passwords and SSH encryption keys can be exploited to compromise the security of the container.

Answer 142

A container image may be embedded with malware after creation, or hard-coded functions may download malware after image deployment.

Answer 143

Outdated images may contain security loopholes and bugs that compromise the security of images.

Answer 144

Security misconfiguration and bugs may allow attackers to gain unauthorised access to the repository so that they can poison the resources by altering or deleting files.

Answer 145

Mismanaged configurations and vulnerabilities can be exploited to compromise the registry and image hubs.

Answer 146

Misconfiguration of an application may allow open ports that expose sensitive information upon port scanning

Answer 147

Vulnerable applications can be exploited using various techniques such as SQLi, XXS and RFI.

Answer 148

Orchestrators place workloads having different sensitivity levels on the same host. One of the containers hosting a public webserver with vulnerabilities may pose a threat to the container processing sensitive information.

Answer 149

Containers in the cloud are typically managed and orchestrated using container orchestration platforms such as Kubernetes, Docker Swarm or Amazon Elastic Container Service (ECS). These platforms provide tools and services for deploying, scaling and managing containerised applications in a cloud environment

Answer 150

An open-source orchestration platform that automates the deployment, scaling and management of containerised applications. Kubernetes clusters can run on various cloud providers, including Google Cloud, AWS and Azure.

Answer 151

A clustering and orchestration tool for Docker containers, which allows developers to manage a cluster of Docker nodes as a single virtual system.

Answer 152

A fully managed container orchestration service by AWS that supports Docker containers and allows users to run and scale containerised applications on AWS infrastructure.

Answer 153

Think of a container like a shipping container for software. Just as a shipping container holds goods and can be moved easily between ships, trains, and trucks—software containers hold applications and everything they need to run, so they can be moved easily between computers, data centres, or cloud platforms. Why Use Containers? 1. Portability Containers can run anywhere—on a developer’s laptop, in a test environment, or in the cloud—without needing changes. 2. Speed They start up quickly, making it easier to launch new services or recover from failures. 3. Efficiency Containers use fewer resources than traditional virtual machines, so we can run more applications on the same hardware. 4. Scalability We can scale individual parts of an application up or down based on demand, improving performance and cost-efficiency. 5. Consistency They ensure that software behaves the same way in every environment, reducing bugs and deployment issues. What Are the Risks? 1. Security of the Container Image If the container is built from untrusted or outdated sources, it may contain vulnerabilities or malware. 2. Misconfiguration Poor setup (e.g., open ports or exposed secrets) can lead to data leaks or unauthorised access. 3. Shared Infrastructure Risks Containers share the same operating system. If one is compromised, others might be at risk too. 4. Complexity at Scale Managing hundreds of containers requires orchestration tools (like Kubernetes), which add complexity and new security considerations.

Answer 154

Zero trust is a security strategy NOT a product/service approach for designing/implementing a set of security principles sees network= hostile, compromised, not trusted Any device connected to the network should not have access to everything. Each and every request to access data has to be authenticated and authorised in line with the access policy. If the connection does not meet the access policy requirements, the connection is terminated.

Answer 155

A zero trust approach applies to the entire digital estate and should be part of the security end-to-end strategy.

Answer 156

**Verify explicitly** Always authenticate and authorise each connection every time they connect. **Use least privilege access** Limit user access with just-in-time (JIT) and just-enough-access approach, which aligns with data protection and access policy.

Answer 157

[Request to Connect] ↓ "Never trust..." ↓ "...Always verify" ↓ [Authentication] ↓ [Control & Visibility] ↓ [Users] [Devices] [Data] [Cloud]

Answer 158

Define the attack surface Implement controls around network traffic Build the architecture Create a zero trust policy Monitor your network

Answer 159

The attack surface of the network needs to be considered. Having full visibility of all assets is essential in ensuring necessary protection is put in place. Then break up the network to focus on areas where the most protection is required, such as the most valuable assets. This can be done by implementing polices and tools that meet the security requirements of the security strategy.

Answer 160

Traffic flows throughout the network and the dependencies will be a driver for how controls are implemented. An example would be a central database that holds data required by several systems across the organisation.

Answer 161

A zero trust network is designed around the needs of the organisation in support of security. All networks are different, but some common aspects likely include NGFW, which helps to segment the network; MFA is another critical aspect to access control.

Answer 162

Create a zero trust policy: With architecture in place, zero trust policies need to be developed. You can use the ‘Kipling Method’, which involves asking who, what, when, where, why and how for every user, device and network that requires access.

Answer 163

Monitor your network: Network monitoring alerts you to IoC or issues as well as helping to optimise network performance.

Answer 164

Microsoft now has the Rapid Modernisation Plan (RaMP) to support rapid adoption of zero trust. It is essentially a technical zero trust deployment guide for organisations to follow.

Answer 165

**Initiative** Steps **Top priority** Critical security modernisation initiatives **User access and productivity** Explicitly validate trust for all: - access requests; - identities; - endpoints (devices); - apps; - network. **Data, compliance and governance** Ransomware recovery readiness Data protection **Modernise security operations** Streamline response Unify visibility Reduce manual effort **As required** Additional initiatives based on OT or IoT usage, on-premises and cloud adoption and security for in-house app development **OT and Industrial IoT** - Discover - Protect - Monitor **Datacentre and DevOps security** - Security hygiene - Legacy risk reduction - DevOps integration - Micro segmentation

Answer 166

Figure is a large diagram with many connections/nodes **Identities → Zero trust policies **Endpoints** → Zero trust policies Threat protection → Zero trust policies Zero trust policies → Network Network → connects to: *Data* *Apps* *Infrastructure* These three feedback into Policy Optimisation and threat protection (Policy optimisation→ zero trust policies → threat protection )

Answer 167

Privileged access management is a security solution for monitoring, detecting and preventing unauthorised privileged access to critical areas such as admin or service accounts. organisation technology,relies on people, process and technology visibility on who has access and is accessing privileged accounts and what they are doing with those accounts. limits those that have access to admin accounts with additional layers to prevent attackers getting into those accounts.

Answer 168

provides JIT access to critical resources; allows secure remote access with the use of password vaulting and with removal of password use; monitors privileged access; detects any unusual privileged activity; ensures all privileged account events are logged for compliance audits; reports on privileged user access and activity.

Answer 169

JIT (Just-In-Time) A security model or access control approach where permissions are granted only when needed, for a limited time, and only to the resources required. Helps reduce standing privileges and limits exposure to attacks.

Answer 170

PAM enforces security procedures and controls to limit and monitor privileged account access. It is made up of secure authentication, authorisation and auditing. This is to ensure only those that have the correct authorisation can access privileged accounts that contain sensitive data. PAM should also support session monitoring to quickly flag any strange behaviour or use of these accounts.

Answer 171

Stop targeted attacks Manage insider threats Secure virtual environments Secure cloud environments Enable compliance

Answer 172

1 Conduct a thorough assessment 2 Define a clear PAM strategy 3 Implement least privilege principle 4 Use MFA 5Deploy a PAM solution 6Automate and secure password management 7 Monitor and audit privileged access 8 Implement session management 9 Regularly review and update policies 10 Provide training and awareness 11 Implement IR plans

Answer 173

Identify privileged accounts: Start by discovering all privileged accounts, including local admin accounts, domain admin accounts, service accounts and application accounts. Assess risks: Evaluate the risks associated with each privileged account and the potential impact of a breach.

Answer 174

Set objectives: Define clear objectives and goals for your PAM implementation. Understand what you aim to protect and the compliance requirements you need to meet. Create policies: Develop comprehensive PAM policies that outline how privileged access will be managed and monitored.

Answer 175

Minimise access: Ensure users only have the minimum level of access necessary to perform their jobs. Regularly review and adjust access levels as needed. Time-based access: Grant privileged access only for the time needed to complete a task (JIT access).

Answer 176

Add layers of security: Implement MFA for all privileged accounts to add an extra layer of security beyond just passwords.

Answer 177

Choose the right tool: Select a PAM solution that fits organisation needs. Key features should include session recording, credential management and automated workflows. Integrate with existing systems: Ensure the PAM solution integrates well with existing IT infrastructure and security tools.

Answer 178

Use password vaulting: Store privileged credentials in a secure vault and automate password changes to ensure they are regularly updated and strong. Eliminate hard-coded passwords: Replace hard-coded passwords in scripts and applications with dynamic, vault-managed credentials.

Answer 179

Continuous monitoring: Implement continuous monitoring of privileged accounts to detect and respond to suspicious activities. Audit trails: Maintain comprehensive audit trails of all privileged access activities to support forensic investigations and compliance reporting.

Answer 180

Session recording: Record all privileged sessions to provide a detailed account of user actions for auditing purposes. Real-time monitoring: Monitor privileged sessions in real-time to detect and respond to unauthorised activities promptly

Answer 181

Periodic reviews: Conduct regular reviews of PAM policies, user access levels and privileged accounts to ensure they remain effective and aligned with current security threats. Update policies: Update PAM policies as needed to address emerging threats and changes in the IT environment.

Answer 182

Educate users: Train all users, especially those with privileged access, on the importance of PAM and secure practices. Foster a security culture: Promote a culture of security awareness throughout the organisation to ensure everyone understands their role in protecting sensitive information.

Answer 183

Prepare for breaches: Develop and test IR plans specifically for privileged account breaches. Quick remediation: Ensure you have the tools and processes in place to quickly revoke privileged access and mitigate damage in case of a breach.

Answer 184

A user connects via SSH to a central PAM system. **The PAM system includes: Key management Credential vaulting servers Monitoring** It interacts with: UNIX/Linux servers (for access control) SIEM/Syslog systems (for logging and auditing

Answer 185

exchange of data over network protected CIA Cryptography and security protocols can be used to perform this function for data in transit. ensure that all parties protect the data to the same standard. WEAK LINK =easy target and the additional protection at the other locations will count for nothing.

Answer 186

once data arrives, it must be checked for any signs of malware or compromise before being allowed access or given any credence as legitimate traffic. This should be conducted in the DMZ, before passing through into the inner network.

Answer 187

security architects must remember that the users of web services and ecommerce are often members of the public, and so organisations have no control over the configuration and integrity of the PC being used to access the service being provided. websites are normally public-facing and therefore open to attack by anyone with an internet connection.

Answer 188

It is estimated that as many as one in three of all websites have been compromised with malware at some time. Protection must be present to stop attackers from extracting data, entering false data and adding their own code to the site, either for propaganda purposes or to add malware that is downloaded by any visitors.

Answer 189

electronic data interchange (EDI) occurs degree of risk level of trust must be established before EDI organisation-organisation lower risk

Answer 190

TSL or SSL

Answer 191

when a user connects to the website, their browser and the website set up a SSL channel to protect the data from being read by a third party as they travel across the internet, providing the encryption for access to websites, especially ecommerce, to protect financial data such as credit card numbers. **SSL was updated some years ago to become TLS,

Answer 192

which offers a more robust level of security for data being exchanged during transactions. Additionally, the secure hypertext transfer protocol (HTTPS) is increasingly used where websites are secured by an SSL or TLS certificate.

Answer 193

In organisations, the increase in mobile working has caused a steady rise in the need for VPNs, also described earlier in this chapter. This is another way of encrypting (protecting) traffic that travels over a public connection, which could be the internet, fixed or wireless broadband connections. As mentioned earlier, the risk is an untrusted system over which the user’s data must pass. It is possible for a third party to compromise the channel and eavesdrop on traffic in transit.

Answer 194

The system uses VPN client software on the remote system to contact the host server over a public channel. The user has to identify and authenticate themselves in the usual manner. This is all done in plaintext but, once the ID&A is complete, the host and client agree on a secret key and the encryption process starts. From then on, the body of the data is encrypted and protected from eavesdroppers. The concept of the VPN can also be used to separate internal network traffic, as described in the previous section, to ensure it cannot be read by those without a need to know. VPNs are becoming used more often on private computers as an additional means of ensuring privacy of connections over the wider internet.

Answer 195

increase hybrid working, travelling new tech=improved remote access

Answer 196

While still supporting the older services, such as Global System for Mobile Communications (GSM; 2G), General Packet Radio Service (GPRS), Universal Mobile Telecommunications Service (UMTS; 3G), High-Speed Downlink Packet Access (HSDPA) and Enhanced Data Rates for GSM Evolution (EDGE), the mobile phone companies have rolled out 4G and long-term evolution (LTE) services, which deliver considerably greater bandwidth. The next (fifth) generation, or 5G service, is now being deployed, and, while it promises to deliver much greater capacity and functionality, it will also potentially dramatically increase the security issues, not least with the 5G technology itself, which has been the subject of intense debate as to whether some of the manufacturers of the 5G core and radio networks are able to intercept voice and data transfers and pass the traffic to foreign powers.

Answer 197

the connection uses network infrastructure that does not belong to the company, so traffic can be more easily viewed, altered or deleted by an attacker; the users take their IT and communications equipment away from company premises, making it more vulnerable to theft, loss or compromise; ensuring that connections are only used by authorised employees.

Answer 198

defended against with encryption. Creating a VPN tunnel from the user device back to the office can defeat all but the most determined attacker if it is implemented properly (as described in previous sections).

Answer 199

partly safeguarded with encryption to protect data held on devices carried off site. This can either be at file level or, where possible (a much better solution), the whole of the device, usually by encrypting the entire hard disk drive. hardware stolen- attacker cannot login steal + reformat and sell still not access to data ensure awareness training should be about working in unsecured environments: who can see the tablet or laptop screen and paperwork or overhear sensitive conversations?

Answer 200

make sure that any communications ID&A process includes a PIN or token code, and that devices capable of remote communications can have their service disabled quickly. This stops the attacker from being able to access an organisation network and from running up big bills with the service provider.

Answer 201

The ISO/IEC 27000 series of standards has been **enhanced to include ISO/IEC 27010 – Information security management for inter-sector and inter-organisation communications.**

Answer 202

third party regulatory/legal requirements in data exchange must be followed!

Answer 203

**DPA;** **GDPR;** Human Rights Act (HRA); Financial Services Act (FSA); Official Secrets Act (OSA) for government and defence projects; Markets in Financial Instruments Directive (MiFID); Freedom of Information Act (FoIA); CMA; Communications Act.

Answer 204

**DPA;** **GDPR;** define very clearly how personal data are to be protected and used, considering the rights of the data subject as defined in the DPA. Other legislation will relate only to the financial industry (e.g. FSA and MiFID), but is equally important to them.

Answer 205

hose organisations to agree and sign a protocol that specifies all of these matters as part of a legally binding contract where all parties agree to common standards for the processing and protection of data each provides to the other. Each party is then **bound under law to a duty of care**. All parties are then said to have **shown due diligence and have defence in law** (and usually the right of redress) against wrongdoings by the other.

Answer 206

movement away from in-house IT dep-outsourcing third party design, deployment and support of all the services they require e.g. cloud based services CONTRACT must include overall security requirements in project financial team + security team must both team up

Answer 207

effective risk management not always necessary to join-up systems limited functionality to pass between systems through inter-domain connecter data pass only one way through data diode or specially configured router less complex to manage +easier risk assess

Answer 208

functionality to pass between systems through an inter-domain connector (IDC)

Answer 209

security policy, standards and guidelines MUSR be aligned to operational needs Accreditation to ISO/IEC 27001 requires relevant controls followed with audit

Answer 210

The policy defines the overall IA goals of the organisation and must be supported by the board and chief executive to provide authority. The standards define the minimum acceptable criteria for achieving that policy in the key areas (e.g. the control groupings in ISO/IEC 27002). The guidelines advise how to design and implement workable procedures and countermeasures to meet the standards and enable the organisation to manage risk.

Answer 211

no point having such controls if access to the ability to update or change those controls is not also protected attacker will try subvert through granting themselves privileges ensure only1/2 accounts that can grant these with longer passwords

Answer 212

incorrect user input/software coding errors main control is DPA

Answer 213

requirement for personal data to be accurate. LAW

Answer 214

Make sure the design of the software and database is correct, so that values reflect the right information, and relationships have the right meanings. Use proven code review techniques when developing and testing the application before it goes live. Use defensive coding, which checks for values within acceptable ranges and looks for correct relationships with other fields before accepting an update command to change the database. Train the users in how to use the application properly. Make sure they understand the meanings of the fields and their relationships. Audit the system regularly to look for anomalies. Automated tools can help this process. Have a means whereby it is easy for those who have data in the system to report any errors and have them resolved as soon as possible. Try to identify how the errors occurred and then how to stop them happening again.

Answer 215

theft of a laptop or the failure of a hard disk through to the entire building being lost to fire. 10 days+ loss data access= out of business essential that backups exist for all data, and not just current backups.

Answer 216

Used for backups grandfather-father-son; maintaining at least three generations of the backed-up data) to allow recovery of data back to a previous point in time is highly desirable.

Answer 217

roll back the system to a point in time before the malware was present and rebuild the data from paper records. Without a GFS backup approach, this is not possible.

Answer 218

It is also important to consider how the integrity of the restored data can be checked. It is all very well to bring back a database of information, but if there has been some corruption of that data, from whatever cause, deliberate or accidental, there is a lot of work to do to clean the data up before operational use is possible again.

Answer 219

consider a disaster recovery contract or having the ability to relocate the data centre to another company site in times of emergency. Whatever is done, a copy of the backup must be kept in a secure location off site.

Answer 220

to understand the current status (What is complete and what transactions need to be rolled back or re-entered?); to identify what happened and who did it; for compliance with standards and legislation and demonstration of due diligence; as a deterrent against internal attack. (protective monitoring)

Answer 221

collecting and keeping transaction and event logs is often referred to as protective monitoring, because it is a means of doing all of the above tasks. Treat the logs in the same way as all data backups. With the right tools and training, the audit data can provide powerful insights into what is going on.

Answer 222

a. Verify the integrity of the message content and authenticate the sender. A message digest (typically created using a cryptographic hash function) allows the recipient to: Verify integrity: Ensures the message hasn’t been altered. Authenticate sender: When combined with a digital signature, confirms the sender’s identity.

6 TECHNICAL SECURITY Flashcards

(253 cards)