Network - limit communication between resources using segmentation and access controls
Perimeter - distributed denial of service (DDoS) protection
Identity and access - controlling access to infrastructure and change control
Physical - limiting access to a datacenter to only authorized personnel
Confidentiality, Integrity, Availability (CIA Triad) is a model describing the foundation of security principles and the trade-off relationships between them.
Confidentiality is a component of privacy that is implemented to protect our data from unauthorized viewers, e.g. by encrypting our data.
Integrity is a component for maintaining and assuring the accuracy and completeness of data over its entire lifecycle, e.g. by using tamper-proof hardware security modules (HSMs).
Availability means information is accessible when it is needed, e.g. through high availability, DDoS mitigation, and decryption access.
Vulnerability is a weakness in an application, which can be a design flaw, that allows attackers to cause harm to the stakeholders of the application.
Cryptography is the practice and study of techniques for secure communication in the presence of third parties called adversaries.
Encryption is the process of encoding (scrambling) information using a key and a cipher to store sensitive data in an unintelligible format as a means of protection.
Encryption takes in plaintext and produces ciphertext.
Cipher is an algorithm that performs encryption or decryption.
Cipher is a synonym for the word "code"
Ciphertext is the result of encryption performed on plaintext via an algorithm
Cryptographic Key is a variable used in conjunction with an encryption algorithm to encrypt or decrypt data.
Symmetric Encryption uses the same key for both encryption and decryption.
Asymmetric Encryption uses two keys, one to encrypt and the other to decrypt.
Advanced Encryption Standard (AES) is an example of symmetric encryption.
RSA is an example of asymmetric encryption, where the sender and receiver have different keys.
Hashing is a function that accepts an arbitrary-size value and maps it to a fixed-size value.
Salting a Password means adding a random string, not known to the attacker, as extra input to the hash function to mitigate brute-force attacks.
Digital Signature is a mathematical scheme for verifying the authenticity of digital messages or documents
A digital signature scheme consists of 3 algorithms:
Key generation - generates the public and private keys
Signing - the process of generating a digital signature from a private key and an input message
Signature verification - verifies the authenticity of a message with the public key
Encryption In-Transit protects data while it is moving between locations, e.g. TLS, SSL
Encryption At-Rest protects data while it resides on storage or within a database, e.g. AES, RSA
Transport Layer Security (TLS) is an encryption protocol for data integrity between two or more communicating computer applications
Secure Sockets Layer (SSL) is an encryption protocol for data integrity between two or more communicating applications.
Compliance Programs are a set of internal policies and procedures of a company to comply with laws.
PenTesting (Penetration Testing) is an authorized simulated cyberattack on a computer system performed to evaluate the security of the system.
AWS Artifact is a self-serve portal for on-demand access to AWS Compliance reports.
Hardening is the act of eliminating as many security risks as possible
AWS Inspector runs a security benchmark against specific EC2 instances.
DDoS is a malicious attempt to disrupt normal traffic by flooding a website with large amounts of fake traffic
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.
AWS Shield protects against attacks at Layers 3, 4 and 7.
AWS Shield Standard is free and protects against the most common DDoS attacks.
AWS Shield Advanced provides additional protection against larger and more sophisticated attacks.
Intrusion Detection System / Intrusion Prevention System (IDS/IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
AWS GuardDuty is a threat detection service that continuously monitors for malicious or suspicious activity and unauthorized behavior. It uses ML to analyze AWS logs.
Amazon Macie is a fully managed service that continuously monitors S3 data access activity for abnormalities and generates alerts. It uses ML to analyze CloudTrail logs.
Virtual Private Network (VPN) lets you establish a secure and private tunnel from your network or device to the AWS Global Network.
AWS Site-to-Site VPN is a secure connection from an on-premises network or branch office site to a VPC.