Chapter 6 Responsibilities in the Cloud
A honeypot should contain _________ data.
A honeypot is meant to draw in attackers but not divulge anything of value.
Honeypot
A tool used to detect, identify, isolate, and analyze attacks by attracting attackers.
Firewall
A tool which can be either hardware of software, or a combination of both, used to limit communications based on some criteria.
To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except: A. Security control administration B. Access to audit logs and performance data C. SIM, SEIM, and SEM logs D. DLP solution results
A. Security control administration While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer. Security controls are the sole province of the provider.
In all Cloud models, security controls are driven by what?
Business requirements Security is always contingent on business drivers and beholden to operational needs.
Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer's trust in the provider? A. Site visit access B. SOC 2 Type 2 C. Audit and performance log data D. Backend administrative access
C. Audit and performance log data The provider may share audit and performance log data with the customer.
firewall can use all of the following techniques for controlling traffic except: A. Behavior analysis B. Rule sets C. Randomization D. Content filtering
C. Randomization Firewalls do use rules, behavior analytics, and/or content filtering in order to determine which traffic is allowable. Firewalls ought not use random criteria, because any such limitations would be just as likely to damage production efforts as enhance them.
The cloud customer's trust in the cloud provider can be enhanced by all of the following except: A. Audits B. SLAs C. Real-time video surveillance D. Shared administration
C. Real-time video surveillance Video surveillance will not provide meaningful information and will not enhance trust.
Vulnerability assessments cannot detect which of the following? A. Malware B. Defined vulnerabilities C. Zero-day exploits D. Programming flaws
C. Zero-day exploits Vulnerability assessments can only detect known vulnerabilities, using definitions.
Virtual Private Network (VPN)
Creates a secure tunnel across untrusted networks that can aid in obviating man-in-the-middle attacks suchs as eavesdropping
In all cloud models, the _______ will retain ultimate liability and responsibility for any data loss or disclosure.
Customer The customer currently always retains legal liability for data loss, even if the provider was negligent or malicious.
User access to the cloud environment can be administered in all of the following ways except: A. Third party provides administration on behalf of the customer B. Provider provides administration on behalf of the customer C. Customer provides administration on behalf of the provider D. Customer directly administers access
Customer provides administration on behalf of the provider
In all cloud models, the customer will be given access and ability to modify what?
Data The customer always owns the data and will therefore always have access to it.
Shared Policy
Helps the customer seek financial restitution for damages caused to them, that occurred because of negligence or malfeasance on the part of the provider
What is the cloud service model in which the customer is responsible for administration of the OS?
IaaS the cloud provider only owns the hardware and supplies the utilities. The customer is responsible for the OS, programs, and data.
What is it called when you create a template for OS hardening?
OS Baseline This can be done with automated tools. We can also use those tools (or similar ones) to continually check the environment to ensure all current images and machines have an OS that meets the baseline configuration. Any OS configuration that differs from the baseline and is detected by the monitoring tool should be addressed accordingly (this might include patching or a reinstallation/rollback of the entire OS configuration).
Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?
Open Source Software Open source software is available to the public, and often draws inspection from numerous, disparate reviewers.
Strong authentication
Reduces the likelihood of unauthorized users gaining access and restricts authorized users to permitted activities.
Hardening the operating system refers to all of the following except A. Closing unused ports B. Removing antimalware agents C. Limiting administrator access D. Removing unnecessary services and libraries
Removing antimalware agents. Hardening the operating system means making it more secure.
What does Operating System Hardening include?
Removing unnecessary services and libraries Closing unused ports Installing antimalware agents Limiting administrator access Ensuring default accounts are removed Ensuring event/incident logging is enabled
Which kind of SSAE audit reviews controls dealing with the organization's controls for assuring the confidentiality, integrity, and availability of data?
SOC 2
Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it?
SOC 2 Type 2 The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.
Which kind of SSAE report comes with a seal of approval from certified auditor?
SOC 3
Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?
SOC 3 The SOC 3 is the least detailed, so the provider is not concerned about revealing it.
As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphi, Congress passed legislation known as:
SOX Sarbanes-Oxley was a direct response to corporate scandals.
Intrusion Prevention System (IPS)
Takes defensive action when suspicious activity is recognized (Such as closing ports and services), in addition to sending alerts.
What is a SOC 3 Report
The SOC 3 is the "seal of approval" mentioned earlier in this lesson. It contains no actual data about the security controls of the audit target and is instead just an assertion that the audit was conducted and that the target organization passed. That's it. This makes it of dubious use for verifying the trustworthiness of an organization. Instead of taking the word of a company that the company is trustworthy, with no evidence offered in support of their word, we are asked to take the word of an auditor hired by that company that the company is trustworthy, with no evidence offered to support the auditor's assertion.
Why is there an element of Adversarial relationship between the Cloud customer and vendor?
The cloud customer wants to maximize their computing capabilities and security of information while minimizing their costs. The cloud vendor wants to maximize their profits while minimizing what they have to provide (which is expressed in terms of computing capabilities and security of information).
Cloud Provider and Customer Responsibilities: Platform as a Service (PaaS)
The cloud provider will still maintain physical security control of the facility and hardware but will now also be responsible for securing and maintaining the OS. The cloud customer will remain obligated to provide all other security.
n addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties?
The contract The contract between the provider and customer enhances the customer's trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures).
Why will cloud providers be unlikely to allow physical access to their datacenters?
They want to enhance security by keeping information about physical layout and controls confidential.
Cloud Provider and Customer Responsibilities: Infrastructure as a Service (IaaS)
cloud provider is only hosting the hardware and utilities, their only sole responsibility will be for physical security of the facility and systems. The customer will have sole responsibility for all other security aspects.
What is Version Control for applications?
includes following vendor recommendations, applying requisite patches and upgrades, ensuring interoperability with the rest of the environment, and documenting all changes and developments.
What is the Physical Plant of a data center?
includes the campus on which the datacenter facility is located, the physical components inside that facility, and the services that support and connect them.
What are SOC reports
part of the SSAE reporting format created by the American Institute of Certified Public Accountants (AICPA). These are uniformly recognized as being acceptable for regulatory purposes in many industries, although they were specifically designed as mechanisms for ensuring compliance with the Sarbanes-Oxley Act
What is a SOC 2 report
specifically intended to report audits of any controls on an organization's security, availability, processing integrity, confidentiality, and privacy. Therefore, a cloud provider intending to prove its trustworthiness would look to an SOC 2 report as the artifact that demonstrated it. SOC 2 reports also come in two subclasses: Type 1 and Type 2. Type 1 only reviews the design of controls, not how they are implemented and maintained, or their function. The SOC 2 Type 2 report, however, does just that. This is why the SOC 2 Type 2 is the sort of report that is extremely useful for getting a true assessment of an organization's security posture. However, cloud vendors will probably never share an SOC 2 Type 2 report with any customer or even release it outside the provider's organization. The SOC 2 Type 2 report is extremely detailed and provides exactly the kind of description and configuration that the cloud provider is trying to restrict from wide dissemination. It's basically a handbook for attacking that cloud provider.
What is a SOC 1 report?
strictly for auditing the financial reporting instruments of a corporation, and therefore have nothing to do with our field and are no interest to us. It's worth knowing that they exist (SOC 1 is mentioned in the CBK, and it's important to know the distinction between them and SOC 2 and SOC 3 reports), and that there are two subclasses of SOC 1 reports: Type 1 and Type 2.
Cloud Provider and Customer Responsibilities: Software as a Service (SaaS)
the cloud provider will have to maintain physical security for the underlying infrastructure and OS as in the previous models, but will have to secure the programs as well. the cloud customer will only be left with very specific aspects of security: access and administration of assign user permissions to the data.
Cloud Provider Audit reports usually come in what form to the Cloud Customer.
this usually takes the form of an SOC 3 audit report.