Chapter 6 cloud and wireless security coursa
Mitigation strategies
-Anti-malware protection
-VLANs
-Firewalls
-OT, ICS and IoT
-Separation of duties and need to know
-Authentication
-Patch management
-Policies
The five essential characteristics of clouds
-Broad network access
-Rapid elasticity
-Resource pooling
-Measured service
-On-demand self-service
General roles for P&DP
-Data subject
-Controller
-Processor
The customer determines the purpose of processing and decides on outsourcing or the delegation of all or part of the concerned activities to external organizations.
WPA3 (Wi-Fi Protected Access 3)
-Downgrade-attack proof in that it does not provide backward-compatible support to WPA2 or previous versions of security.
-Uses a handshake called simultaneous authentication of equals (SAE).
Tools available to secure wireless networks include:
-Intrusion detection
-Intrusion prevention systems
-Blocking suspicious network traffic
Two forms of convergence
-End-user side of things: opened up by the world of remote collaboration, enabling virtual teams to meet online and cooperatively create digital products.
-Engineering front: a variety of approaches suit the needs and opportunities of different markets.
Configuration and Change Management
-Harden all physical and/or virtual servers before deployment.
-Harden physical and virtual switches.
-Any and all changes require testing and documentation.
-Track VM configurations.
Different types of Virtualized storage
-Host-based
-Storage device-based
-Network-based
-Archival and offline storage
-Sandbox
-Ephemeral storage
-Content delivery network (CDN)
-Raw storage
-Long-term storage
Transmission methods that overcame limitations of DSSS
-Orthogonal Frequency Division Multiplexing (OFDM)
-Multiple Input Multiple Output (MIMO)
WEP is susceptible to the following attacks
-Passive attacks to decrypt traffic based on known-plaintext and chosen-ciphertext attacks
-Passive attacks to decrypt traffic based on statistical analysis of ciphertexts
-Active attacks to inject new traffic from unauthorized mobile stations
-Active attacks to modify data
-Active attacks to decrypt traffic, based on tricking the access point into redirecting wireless traffic to an attacker's machine
Privacy Level Agreement (PLA)
-Provides a clear and effective way to communicate the level of personal data protection provided by a service provider
-Works as a tool to assess the level of a service provider's compliance with data protection legislative requirements and best practices
-Provides a way to offer contractual protection against possible financial damages due to lack of compliance
Essential Requirements in P&DP Laws
-Set out specific privacy and data protection obligations
-Provide safeguards to individuals for the processing of their personal data, with respect to their privacy and will
Common Wireless Security Flaws
-Shared Key authentication
-Service set identifier (SSID)
-Temporal Key Integrity Protocol (TKIP)
Benefits of Convergence
-Usefulness
-Flexibly invites innovation
-Service-based
-More maintainable
-Improved security management
Infrastructure as a Service (IaaS)
-Volume storage: a virtual hard drive that can be attached to a VM instance and used to host data within a file system.
-Object storage: like a file share accessed via APIs or a web interface.
Which of the following is an important privacy and data protection consideration for cloud hosted data?
-What information in the cloud is regulated under data protection laws
-Who holds the responsibility for personal data
-Where the personal data is processed
H.323
-A suite of protocols used to provide audio or video communications over an IP network.
-Addresses bandwidth control, signaling and transport control.
Best practice for classification
-Identify all PII that you store, create, use, modify or share with others.
-Track down all places in your organization that have a role in storing this information.
-Properly classify each PII or personal data asset type.
-Ensure that a data disposal plan is in place.
-Make sure that the organization's acceptable use policy covers all types of PII.
-Ensure appropriate protection of data in use, in motion and at rest.
-Develop, use and monitor the effectiveness of an employee education, training and awareness program focusing on protection of PII.
-Create, validate and use proper procedures for dealing with employees leaving the organization.
-Provide an effective channel by which employees can report incidents involving protection of personally sensitive data or other PII.
third party/outsourcing
-Occurs when organizations make arrangements of any kind to have another organization provide any type of services that are needed.
-The organization must work to protect the data that any third party is involved in handling, storing, moving, processing or disposing of.
Types of Virtualization
-Server virtualization
-Network as a service (NaaS)
-Network virtualization
-Desktop virtualization and desktop as a service (DaaS)
-Application virtualization
-Virtual appliances
Wireless Devices and Security
-Wireless devices present a serious security risk to an organization if they are not properly installed and configured.
-Security administrators today are using WPA3 to provide a broad-spectrum approach to protect against compromise of a network.
What 802 standard is focused on wireless security?
802.11i
Desktop as a Service (DaaS)
A form of virtual desktop infrastructure (VDI) in which the VDI is outsourced and handled by a third party. Also called hosted desktop services, desktop as a service is frequently delivered as a cloud service along with the apps needed for use on the virtual desktop.
Cloud Computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
Which cloud deployment model refers to a proprietary network or data center?
A private cloud is owned and architected for use by a specified entity utilizing cloud technologies to provide services behind a firewall.
Cellular Network
A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.
What type of attack is hyperjacking?
A rootkit (Hyperjacking is an advanced form of attack that creates a malicious virtual machine running inside a legitimate virtual machine, creating covert access channels.)
Cloud Provider, Cloud Services Provider (CSP)
A service provider who offers customers storage or software solutions available via a public network, usually the internet.
Voice over Internet Protocol (VoIP)
A set of technologies that enables voice to be sent over a packet network.
Packet Loss Concealment (PLC)
A technique used in VoIP communications to mask the effect of dropped packets.
Managed by a third party:
A trusted third party provides key escrow services. Key management providers use specifically developed secure infrastructure and integration services for key management. Security professionals must evaluate any third-party key storage services provider that may be contracted by the organization to ensure that the risks of allowing a third party to hold encryption keys are well understood and documented.
Temporal Key Integrity Protocol (TKIP)
Allowed WEP users to create a series of defensive layers:
1. A sequence counter, added to prevent replay attacks
2. A 64-bit message integrity check
3. A key mixing function
4. A re-keying mechanism
Anything as a Service (XaaS)
An imprecise, generic term which refers to the growth in services, tools, technologies and capabilities being offered via the internet to businesses and consumers. XaaS capabilities may or may not be cloud-hosted. Unlike SaaS, PaaS and IaaS, XaaS does not represent or imply any consistent architectural ideas, approaches, concepts or designs.
Virtualization attacks
Attacks against virtualized systems tend to come in three basic forms:
-Host traffic interception
-Denial of service or distributed denial of service (DDoS)
-VM jumping
Identity as a Service (IDaaS)
Cloud-based services that broker identity and access management (IAM) functions to target systems on customers' premises and/or in the cloud.
The team has decided to allow for more time and budget for the migration so they can take advantage of some of the advanced features and better storage options. Which migration option should they select?
Deep migration takes more time but allows for a greater integration of the available advanced features.
Converged Communication
Digital networks handle multiple concurrent streams of data, combine services and bundle landline with cable TV and Internet.
Network Strategies
Disconnect any unused network interface controllers (NICs). Create encrypted tunnels for VM traffic. Enable MAC address filtering. Use the corporate certificate authority (CA) or buy third-party certificates for the CIANA+PS components associated with the network. Use temporal access control. Make sure devices are in promiscuous mode to enable monitoring.
When using VoIP systems, packets can arrive out of sequence. When this happens, what does the system do?
Drops them and uses packet loss concealment to deal with the missing traffic
Wired Equivalent Privacy (WEP) Protocol
Early WLAN implementations (e.g., 802.11b) were based on the Wired Equivalent Privacy (WEP) protocol and operated at nominal speeds of 11MB/s. As the name implies, WEP is intended to provide security comparable to that of a wired network. It was introduced in the 802.11b standard (Wireless Fidelity or Wi-Fi) that uses the Rivest Cipher 4 (RC4) and was designed to provide data encryption. As a result, it is considered insecure and should no longer be used in any network system.
WPA3 comes in two versions
Enterprise and Personal
Himari has asked you to provide potential key performance indicators (KPIs) for the partial migration to the cloud. Which of the following could help to measure the success or challenges of the partial cloud migration?
-Error rates
-Availability
-Page load times
The Logical Disk Manager is an example of what type of virtualized storage?
Host-based
Log management, reporting, authentication, access control and SaaS are all core features of IDaaS.
IDaaS provides organizations with an SSO solution for use in a web-based environment and for the core features.
Also referred to as hardware as a service, ____ is a model where the customer can provision equipment "as a service" to support operations.
IaaS
Externally managed:
In this method, keys are maintained separate from the encryption engine and data. They can be on the same cloud platform, internally within the organization, or on a different cloud. The actual storage can be a separate instance (hardened especially for this specific task) or on a hardware security module (HSM). When implementing external key storage, consider how the key management system is integrated with the encryption engine and how the entire lifecycle of key creation through to retirement is managed.
Internally managed:
In this method, the keys are stored on the virtual machine or application component that is also acting as the encryption engine. This type of key management is usually used in storage-level encryption, internal database encryption, or backup application encryption. This approach can be helpful to mitigate against the risks associated with lost media.
Which of the following is a valid wireless mode?
Infrastructure
Key storage in the cloud is typically implemented using one or more of the following approaches
-Internally managed
-Externally managed
-Managed by a third party
Wireless Network operations modes
-Ad hoc
-Infrastructure
Wi-Fi Protected Access (WPA)
Introduced in the draft 802.11i standard, this improved security protocol was available in 2003. It was only intended to act as a stopgap solution to address the issues in WEP and was expected to be replaced with WPA2 (released in 2004) in the full 802.11i standard. A message integrity checker (like Michael) was added to the security suite, together with the Temporal Key Integrity Protocol (TKIP) for added data encryption and 802.1X authentication for enhanced user authentication. WPA evolved into the WPA2 standard, which uses the Advanced Encryption Standard (AES) algorithm for both encryption and data integrity in a mode known as AES-CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol).
Personal Area Network (PAN)
Involves the use of digital communications devices connected together that serve the needs of one person and are usually carried by that person.
Lack of backups
Lack of automated recovery points (copies). Not all storage providers offer an automated service. A lack of copies can render an organization unable to function.
Big Data
Large volumes of structured and unstructured data. It is differentiated from legacy structured data by five general characteristics:
-Volume of data collected
-Velocity of data streams
-Variety that data arrives in
-Variability of where data is located
-Value of the data to the organization
What is the biggest security issue associated with the use of a Multiprotocol Label Switching (MPLS) network?
MPLS does not provide native encryption; it is a tunneling protocol that manages the route and priority for traffic. This is a security risk if an organization mistakenly believes that the traffic is encrypted.
Whether on-premises but virtualized, or in the cloud, some important security measures to take include:
-Masking allows administrators to "hide" one or more logical unit numbers (LUNs) being made available from the storage array.
-Use Internet Small Computer Systems Interface (iSCSI) and Network File System (NFS) for network storage networks.
-Use IPsec to encrypt iSCSI traffic.
-Deploy physical switches when using iSCSI or NFS.
-Configure NFS servers to restrict access to specific IP addresses.
-Fibre Channel storage networks require zoning.
-Isolate storage from non-storage traffic.
Which network topology do cellular phone systems use?
Mesh
The team has also stressed the need to future proof the migration as much as possible and to allow for adaption or movement if the business needs change. Which cloud option would be the best choice for IMI based on this identified need?
Multi-cloud
WPA3 provides two operational security characteristics worth noting
-Natural password selection: allows users to choose passwords that are easier to remember.
-Forward secrecy: involves automatic and routine changing of session keys throughout a session or conversation.
SIP provides all the following except which one?
Non-repudiation
Deployment model
-Public
-Private
-Community
-Hybrid
-Govcloud
Rogue devices
The use of BYOD and IoT can introduce devices with weakened or no security. They are also unregistered devices having access to corporate data.
Storage Virtualization
Several advantages to the organization:
-Significantly increases storage resource utilization and flexibility
-Simplifies OS patching and driver requirements regardless of storage topology
-Increases application uptime and simplifies day-to-day operations
To help the IMI board understand the options, you also indicate which options carry the lowest up-front costs. The lowest cost options would be:
Shallow migration and single cloud
Shared resources
Multi-tenanted providers offering shared access to devices such as servers. The data of organization A might become visible to organization B. If organization A uploads malware, all users of the shared resource might be infected.
Service models
-Software as a Service (SaaS)
-Platform as a Service (PaaS)
-Infrastructure as a Service (IaaS)
Voice over IP (VoIP)
Takes a voice conversation and converts it into a digital signal to be transmitted as data packets over a digital network.
Data Subject
The natural person who is identified or described by the data.
Cloud Migration
The process of transitioning all or part of a company's data, applications, and services from on-site premises behind the firewall to the cloud, where the information can be provided over the internet on an on-demand basis.
What is network as a service (NaaS)?
The reproduction of a complete network
Cloud Storage
The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.
Which of the following would be the best choice for a home user's Wi-Fi security?
WPA3
When considering jurisdiction, which of the following is not a consideration? 
Who uploaded the data
Data Portability
A data subject has the right to request that data about them held by one data controller be made available in a form that lets the subject transfer that data to another controller for use. Portability must be allowed without hindrance (and sometimes without fees) to the data subject.
Session Initiation Protocol (SIP)
A signaling protocol used for the three key elements of creating a real-time audio, video or messaging session: initiation, maintenance and termination. Text-based SIP incorporates elements of SMTP and HTTP and works with other protocols to transmit session media.
Jitter occurs
because of a variation in packet delays
advantage of VoIP calling:
can be conducted at a fraction of the cost of traditional long-distance phone calls.
SECaaS
can provide a wide variety of services to an organization, including (but not limited to) antivirus, intrusion detection, DLP, vulnerability scanning and web security.
Zoning
Is the process of assigning servers, storage devices and communications systems into logical groups; the servers in a zone can freely mount and access all storage devices in the zone but must request support services to access devices outside of their zone. It is used as part of load balancing strategies.
zero substitution
Is the simplest PLC technique and provides the lowest quality sound when a significant number of packets are discarded.
Data Discovery
Provides the operative foundation for effective application and governance of any of the P&DP fulfillments, from the customer's perspective.
The Hardware plane
The foundation of a cloud.
Waveform substitution
works by substituting the lost frames with artificially generated, substitute sound.
