Security

Cards (48)

  • 7 Layers of Security:
    1. Data - access to business and customer data and encryption to protect data
    2. Application - applications are secure and free of security vulnerabilities
    3. Compute - access virtual machines (ports, on-premise, cloud)
    4. Network - limit communication between resources using segmentation and access controls
    5. Perimeter - distributed denial of service (DDoS) protection
    6. Identity and access - controlling access to infrastructure and change control
    7. Physical - limiting access to a datacenter to only authorized personnel
  • Confidentiality, Integrity, Availability (CIA Triad) is a model describing the foundational security principles and the trade-offs between them
  • Confidentiality is a component of privacy that protects our data from unauthorized viewers, e.g. by encrypting it.
  • Integrity is a component for maintaining and assuring the accuracy and completeness of data over its entire lifecycle, e.g. by using tamper-proof Hardware Security Modules.
  • Availability is where information needs to be made available when needed, e.g. by having high availability, mitigating DDoS, and controlling decryption access
  • Vulnerability is a weakness in the application which can be a design flaw that allows attackers to cause harm to stakeholders of application.
  • Cryptography is the practice and study of techniques for secure communication in the presence of third parties called adversaries.
  • Encryption is the process of encoding (scrambling) information using a key and a cipher to store sensitive data in an unintelligible format as a means of protection.
  • Encryption takes in plaintext and produces ciphertext.
  • Cipher is an algorithm that performs encryption or decryption.
  • Cipher is a synonym for the word "code"
  • Ciphertext is the result of encryption performed on plaintext via an algorithm
  • Cryptographic Key is a variable used in conjunction with an encryption algorithm in order to encrypt or decrypt data.
  • Symmetric Encryption uses the same key for both encryption and decryption.
  • Asymmetric Encryption uses two keys, one to encode and the other to decode.
  • Advanced Encryption Standard (AES) is an example of symmetric encryption.
  • RSA is an example of asymmetric encryption, where the sender and receiver have different keys.
  • Hashing is a function that accepts a value of arbitrary size and maps it to a fixed-size value.
  • Salting a Password adds a random string, not known to the attacker, as input to the hash function to mitigate brute-force attacks.
  • Digital Signature is a mathematical scheme for verifying the authenticity of digital messages or documents
  • 3 algorithms to digital signatures:
    1. Key generation - generates public and private keys
    2. Signing - the process of generating a digital signature with a private key and inputted message
    3. Signature verification - verify the authenticity of a message with a public key
  • Encryption In-Transit is data that is secure while moving between locations, e.g. TLS, SSL
  • Encryption At-Rest is data that is secure while residing on storage or within a database, e.g. AES, RSA
  • Transport Layer Security (TLS) is an encryption protocol for data integrity between two or more communicating computer applications
  • Secure Sockets Layer (SSL) is an encryption protocol for data integrity between two or more communicating applications.
  • Compliance Programs are a set of internal policies and procedures of a company to comply with laws.
  • PenTesting (Penetration Testing) is an authorized simulated cyberattack on a computer system performed to evaluate the security of the system.
  • AWS Artifact is a self-serve portal for on-demand access to AWS Compliance reports.
  • Hardening is the act of eliminating as many security risks as possible
  • AWS Inspector uses a security benchmark against specific EC2 instances.
  • DDoS is a malicious attempt to disrupt normal traffic by flooding a website with large amounts of fake traffic
  • AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.
  • AWS Shield protects against Layer 3, 4 and 7
  • AWS Shield Standard is FREE and provides protection against the most common DDoS attacks
  • AWS Shield Advanced provides additional protection against larger and more sophisticated attacks
  • Intrusion Detection System and Intrusion Prevention System (IDS/IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations
  • AWS GuardDuty is a threat detection service that continuously monitors for malicious or suspicious activity and unauthorized behavior. It uses ML to analyze AWS logs.
  • Amazon Macie is a fully managed service that continuously monitors S3 data access activity for abnormalities and generates alerts. It uses ML to analyze CloudTrail Logs
  • Virtual Private Network (VPN) lets you establish a secure and private tunnel from your network or device to the AWS Global Network
  • AWS Site-to-Site VPN is a secure connection from an on-premises network or branch office site to a VPC.