C838: Managing Cloud Security
1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement
What are the five ITIL stages?
1. Broad network access 2. Rapid elasticity 3. Measured service 4. On-demand self-service 5. Resource pooling
What are the five essential characteristics of cloud computing?
1. Incident management 2. Problem management 3. Event management 4. Request fulfillment 5. Access management
What are the five processes of the ITIL Service Operation stage, where organizations deliver IT services?
1. Initiation: gather requirements for new cryptographic system 2. Acquisition/Development: find appropriate combo of hardware, software, and algorithms that meet objectives 3. Implementation/Assessment: configure and test the system 4. Operations/Maintenance: ensure the continued secure operation of the cryptographic system 5. Disposition (Sunset): phase out system and destroy or archive keying material
What are the five stages in NIST's Cryptographic Lifecycle?
1. Individuals and interactions over processes and tools 2. Working software over comprehensive documentation 3. Customer collaboration over contract negotiation 4. Responding to change over following a plan.
What are the four components of the Agile Manifesto?
1. Vendor Selection 2. Onboarding 3. Monitoring 4. Offboarding
What are the four steps in the Vendor Management Lifecycle?
1. Operational Investigations: look into technology issues with the organization's infrastructure. For example: if a server is responding slowly. Seek to resolve the issue and restore service as quickly as possible with root cause analysis. Low standard of evidence. 2. Criminal Investigations: conducted by gov't agencies to look into possible crimes. Can involve fines and jail time. Use "beyond a reasonable doubt" standard of evidence. 3. Civil Investigations: resolve disputes between parties. Can be initiated by gov't or private citizens. For example: contract disputes, employment law violations, intellectual property infringement. No fines or jail time. Use "preponderance of evidence" standard where jury decides more likely than not one party is correct. 4. Regulatory Investigations: conducted by gov't agencies looking into possible violations of administrative law. Can be civil or criminal, using the corresponding standard of evidence.
What are the four types of investigations which often involve cybersecurity professionals?
- Risk Register - Threat Intelligence
- A document in which the results of risk analysis and risk response planning are recorded. A core tool used by organizations for providing ongoing visibility into risks. Typically contain the following information about risks: a description, category, probability & impact, and risk rating - This is how organizations share knowledge about risks with each other
- Asset Value (AV) - Exposure Factor (EF): for example, if it was determined that a flood would destroy 50% of a data center, the EF for that risk would be 50% - Annualized Rate of Occurrence (ARO)
- A dollar value assigned to an asset based on actual cost and nonmonetary expenses. - The proportion of an asset's value that is likely to be destroyed by a particular risk (expressed as a percentage). - The number of times that a risk is expected to occur in a particular year.
- Broad network access - Metered service
- A feature of cloud computing defined by availability using a wide variety of client devices, such as PCs, laptops, tablets, and smartphones, and only needing an internet connection - A feature of cloud computing where you only pay for resources based on how much you use them
- Extranet - Border Firewall
- A private electronic network that links a company with its suppliers and customers. May be an extension of an intranet. - What device is commonly used to create multiple security zones, such as a DMZ or intranet, while also filtering internet traffic?
- CMMI (Capability Maturity Model Integration) 1. Initial: company is new to software development, disorganized approach, no defined processes 2. Repeatable: some basic processes are started, such as reusing code between projects. Managers can expect repeatable results. Project & configuration management, QA, and supplier management all begin here 3. Defined: they have formal documented procedures. Risk management, process focus & definition, validation & verification begin here 4. Quantitatively Managed: they use measurements to track progress 5. Optimizing: use continuous process improvement. Causal analysis and organizational performance management start here - IDEAL (Initiating, Diagnosing, Establishing, Action, Learning)
- A process improvement technique for evaluating how efficiently a company is able to deliver technology products to its customers - What are its five levels? - What is another type of maturity model?
- Key Stretching 1. Salting: adds a value to the key to make it more complex 2. Hashing: adds time to verification process by requiring more math 1. PBKDF2 (Password-Based Key Derivation Function 2) 2. bcrypt (key stretching with Blowfish)
- A technique used to increase the strength of stored passwords. it adds additional bits (called salts) and can help thwart brute force, dictionary, and rainbow table attacks. - What are two methods this technique uses? - What are two algorithms used to accomplish this?
- Buffer Overflow - Input Validation: do not accept any submissions larger, or with different characters than, what is expected
- An attack where an application receives more input, or different input, than it expects. It exposes system memory that is normally inaccessible. For example, inputting 4,000 digits into a 5-digit zip code field - How is this defended against?
- DKIM (domainKeys identified mail): email servers add DKIM signatures to all outbound email message headers - To filter spam emails and catch spoofed messages
- An authentication method that uses encryption to verify the domain name of an email's sender. Provides email authentication by allowing mail servers to digitally sign legitimate outbound email messages. - What is a way this is commonly used?
- SPOF (Single Point of Failure) 1. HA (High Availability): using operationally redundant systems, sometimes at different sites, to protect against service failure. 2. FT (Fault Tolerance): makes a single system resilient against technical failures. RAID falls under FT since it is NOT a backup strategy - Load Balancing: this spreads the burden of service demands across multiple systems to provide a scalable environment 1. Power Supplies 2. Storage Media
- Any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove these - What are two key technical concepts which improve the availability of systems? - What is a related, but different concept which should not be confused with these? - What are two parts of a computer which commonly fail?
- Direct Identifier - Indirect Identifier
- Data which immediately reveals who a certain individual is, such as a social security number - Data which are characteristics and traits of an individual which can be aggregated to reveal their identity.
- Data Subject - Data Controller - Data Processor
- For PII, this is the person the PII data refers to; a specific human being - This is the entity creating or editing the PII. In the cloud motif, it would be the cloud customer - This is any entity acting at the behest of the second role above, performing manipulation, storage, or transmission of the PII
- An organization writes to the "Son backup set" four days in a row. On the fifth day, they write to the first "Father" set. The next four days, they go back and overwrite the Son sets and on the fifth day, they write to the next Father set. On the last day of the month, regardless of which day of the week it is or where they are in the "Son" backup sets, they write to a "Grandfather" set. - It allows you to choose several different points in time to potentially restore from: any of the past 5 days, any Friday of the past four weeks, or the last day of the past four months. This is more cost effective than storing backup data from every single day over the past 4 months.
- How does the Grandfather-Father-Son backup rotation system work? - What is the benefit of this?
- Entity - Identities - Attributes
- In the concept of Identity and Access Management, this term describes an actual person but can also describe an object or group - This describes the role(s) which each person can have within an organization - These are various things which describe aspects of the role
- XSS (Cross Site Scripting) - Input validation
- In this attack, code is placed on a website that executes in the user's browser. Possible when a website allows reflected input, meaning an attacker can provide text to the site that will be displayed to other users such as on message boards. Input must also be unvalidated and not scrubbed for security issues. - What is a safeguard against this attack?
- Network Security Groups: these serve as IaaS firewall. They operate similar to firewall rules and allow control over traffic from the internet to virtualized systems and between systems in the environment. - The customer's responsibility
- Since CSPs (Cloud Service Providers) cannot allow their customers access to internal firewalls in an IaaS environment, what is a solution? - Whose responsibility is it to maintain these?
- Security Association (SA): systems compare lists of which cipher suites they support and use the strongest one
- The IPSec component that generates the encryption and authentication keys that are used by IPsec. Identifies cryptographic algorithms and allows systems to communicate to each other which cipher suites they support.
- MTTF (Mean Time To Failure) - MTBF (Mean Time Between Failures) - MTTR (Mean Time To Repair)
- The average time a nonrepairable component will last - Average time gap between failures of a comparable component - Average time required to return a repairable component to service
- RTO (Recovery Time Objective) - RPO (Recovery Point Objective) - RSL (Recovery Service Level): for example, you can set the RSL of your website to 50% to show that diminished capacity is acceptable during a disaster.
- The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable. - The maximum time period from which data may be lost after a disaster - Percentage of a service that must be available during a disaster
- Threat - Vulnerabilities - Risk - Likelihood and Impact
- This is an external force which jeopardizes security. Can be naturally occurring, or man-made. You do not have control over these - These are weaknesses in your security controls which may be exploited by the above. You DO have control over these - These occur when you environment contains both of the above - What two ways is the above evaluated?
- IDaaS (Identity as a Service) 1. Directory Integration: synchronize with an organization's existing directory to obtain user information. Can be done with on-premises directory service such as LDAP or cloud-based directory like Google's G-Suite 2. Application Integration: replace authentication services for many SaaS products, simplifying user and admin experience
- These allow organizations to move some or all of their IAM (Identity Access Management) infrastructure to the cloud - What are two ways these integrate in order to function?
- SDK (software development kit) - API (Application Programming Interface)
- These are collections of software libraries combined with documentation, examples, and other resources designed to help programmers. May also contain utilities designed to help programmers design & test code - Instead of designing code the developers run themselves, these make services available that run elsewhere for developers to call. Commonly uses technology known as REST (REpresentational State Transfer), which basically means you access it via web calls and pass arguments as variables using standard notation
- SOC (Service Organizational Control) Reports - SOC 1 Reports: assurance required for customer financial audits. Most common type, but not related to cybersecurity. - SOC 2 Reports: detailed assurance of CIA triad controls & very relevant to cybersecurity. Contain sensitive information and not shared as widely as SOC 1 reports b/c it could provide a roadmap for attackers into the cloud provider's network - SOC 3 Reports: High-level, "seal-of-approval" public reporting of CIA triad controls with little detail. Designed for public consumption 1. SOC 2, Type 1 Reports: describe controls that the service provider has in place and an opinion on suitability of the controls. No testing; a "point in time" report 2. SOC 2, Type 2 Reports: go a step further by including everything in Type 1 reports plus actual testing to see how well the controls work. A "period of time" report. - SSAE 16 applies in the US, while ISAE 3402 applies internationally
- These are issued by cloud data centers since it would not be feasible to allow all of their customers to audit them - What are the different levels of these? - What types are these further divided into? - What two sets of standards govern these?
- Laws; failure to follow can result in fines or imprisonment - Regulations; failure to follow can result in fines or imprisonment - Standards
- These are legal rules created by a body such as Congress or Parliament - These are rules created by departments of government or other entities empowered by gov't - These are created by nongovernmental organizations which provide frameworks and guidelines for organizations to follow
- Safe Harbor - Privacy Shield
- These are privacy rules which outline what American companies must do in order to comply with EU laws. - What update replaced this?
- WAF (Web Application Firewall) 1. SQL Injection 2. XSS 3. Directory Traversal 4. Buffer Overflows 5. Privilege Escalation 6. Cookie-based Attacks
- These inspect HTTP requests made to a server and watch for any signs of a potential attack occurring against the application itself. Potentially malicious activity is blocked before it even reaches the web server. They protect specific web-based applications - What are six common attacks these defend against?
- Self-Signed Certificates - Certificate Chaining
- These types of digital certificates are used by organizations to save money by avoiding paying external CAs for many certificates. They are not trusted by the outside world, but can be used for internal purposes. - This takes the process a step further, where the organization would have its internal CA trusted by an external CA and the use of intermediate CAs is allowed, which enables an organization to create its own certificates which can be trusted by outside users
- Distributed Resource Scheduler (DRS) - VMotion - Dynamic Optimization - Maintenance Mode
- This VMware virtualization technology aggregates computing capacity across a collection of servers into logical resource pools and balances available resources among the VMs - This allows VMware administrators to manually move VMs between physical servers located in the same resource pool - This is when the virtualization platform itself is able to adjust and reallocate resources based on changing needs and activity - Administrators can use this to help reallocate resources when physical hardware components in a virtualization platform need to be worked on
- IPsec 1. ESP (Encapsulating Security Payload): provides confidentiality and integrity protection for packet payloads 2. AH (Authentication Header): provides integrity protection for packet headers and payloads. Ensures no changes are made to the headers or payloads of packets while in transit over a network
- This framework retroactively added security for the TCP/IP communication protocols, which were not originally designed with security in mind. It provides security for the entire payload. - What two protocols does it use?
- PCI DSS - CIP (Critical Infrastructure Program)
- This industry regulation is for protecting credit card data - This industry regulation is from NERC and protects the electric grid
- DAM (Database Activity Monitoring) - Deception Technology - API Gateway
- This is a piece of software or dedicated appliance which helps to protect databases by detecting unusual requests or activity. Can be either agent (host)-based or network based. - This is a newer type of technology which can work with the above as well as WAFs by actively monitoring activity and diverting suspicious activity to a honeypot or honeynet - These protect APIs by doing things like acting as a proxy for the API, limiting API connections, and enabling API logging
- ONF (Organizational Normative Framework) - ANF (Application Normative Framework) - ANF to ONF is one-to-one; each ANF traces back to one ONF. The ONF to ANF can be one-to-many.
- This is an organizational or Company guidelines/matrix/repository on securing applications controls and process. It is the framework of so-called containers for all subcomponents of application security best practices cataloged by an organization - This is a subset of the above that contains the information specific to an application on how to reach the required level of trust. - What is the relationship between these?
- SLE (Single Loss Expectancy) - SLE = Asset Value (AV) * EF (Exposure Factor) - An example is an asset worth $10,000, and we would expect it to lose half its value in a risk event - $10,000 (AV) * 0.5 (50% EF) = $5,000 (SLE)
- This is the cost (in dollars) that can be lost if a risk event happens. - What is the equation for this? - What is an example of how this works?
- WDE (Whole Disk Encryption) - Volume Encryption
- This is the idea of encrypting all of a system's data at rest in one instance. Rather than having special folders, the entire storage medium is encrypted. - This refers to only encrypting a partition on a hard drive as opposed to the entire disc
- ALE (Annualized Loss Expectancy) - ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrance (ARO); remember that AV * EF = Single Loss Expectancy (SLE) - The SLE is $5,000 and we expect two risk events to happen in a year - $5,000 (SLE) x 2 (200% ARO) = $10,000 (ALE)
- This is the total cost (in dollars) for all of the SLEs during the year - What is the equation for this? - What is an example of how this works?
- Code Execution 1. Limit administrative access 2. Patch systems and applications
- This is when an attacker exploits a vulnerability on a system that allows the attacker to run commands. Usually occurs through some resource that the system exposes to the world. - What are two ways to defend against this?
- Directory Traversal Attack 1. Input Validation: prevent usage of "." or ".." 2. Strict User Access Controls for files
- This is when an attacker users directory navigation references to search for unsecured files on a server. In Linux, it would be carried out by using "." or ".." inserted into commands. Can be done by intercepting a file request and inserting the directory navigation characters - What are two ways to defend against this?
- FERPA - GLBA (Gramm-Leach-Bailey Act) - COPPA - SOX - Privacy Act of 1974
- This law covers handling of student educational records, right of inspection, right for correction - This law requires financial institutions to have a written information security program, designated security officer, and limits sharing of financial records - This law protects children under 13, requires websites to have a privacy policy - This law regulates publicly-traded companies and requires them to report accurate financial information - This privacy law only applies to government agencies
- Electronic Communications Privacy Act (ECPA) - The Stored Communications Act (SCA, Title II of the ECPA)
- This law restricts the gov't from putting wiretaps on phones and electronic data - Restricts the government from forcing ISPs to disclose customer data
- Identity Management - Access Management - Identity Repository Directory
- This process associates user rights with a given identity. It includes provisioning, where subjects are issued a unique user ID - This process deals with controlling access to resources once they have been granted. Includes authentication, authorization, federation, etc - This is where these components are stored; it is like an Active Directory on steroids and protection of it is vital to an organization
- CSA STAR 1. CCM (Cloud Controls Matrix): list of security controls & principles appropriate for the cloud environment. 2. CAIQ (Consensus Assessments Initiative Questionnaire): self-assessment performed by cloud providers 1. Level One: Self Assessment. Completion and release of the CAIQ 2. Level Two: CAS STAR Attestation. Release & publication of the results of an assessment done by a third party. 3. Level Three: Continuous Monitoring.
- This program was designed to provide an independent level of program assurance for cloud customers. - What are its two main components? - What are the three levels it provides?
- RTP (Real-time Transport Protocol) - SRTP
- This protocol is frequently used for VoIP and video conferencing. - What is the secure version of this?
- White Box Testing - Black Box Testing - SAST (Static Application Security Testing) - DAST (Dynamic Application Security Testing)
- This refers to testing the source code of an app. it should not be done by the same programmers who wrote the code - This refers to testing the application as it functions, in real-time. Code is not reviewed, but instead examines inputs and results while running the app - In this software testing method, the source code and binaries are tested without running the app. Usually done in early stages of development. Useful for finding XSS, SLQ injection, buffer overflow, unhandled error condition, and backdoor vulnerabilities - Similar to the second thing above, no code is reviewed in this testing method. This looks for problems and vulnerabilities while the program is running.
- TOR (The Onion Router) browser - PFS (Perfect Forward Secrecy) - Hidden Sites
- This software package provides a method for users to anonymously access the internet as well as the Dark Web. It uses encryption and relay nodes. A user talks directly to an entry node, that talks to a relay node, and finally an exit node talks directly to the destination. - What technology enables this by hiding details of a communication from participants in a communication? - This describes when a user doesn't know the location of the website they are browsing, such as a news site having a secure drop location for anonymous submissions
- Preventative Control - Detective Control - Corrective Control
- This stops a security issue from occurring in the first place, such as a network firewall - This identified that a potential security issue has taken place and may require further investigation, such as an IDS alert - This remediates security issues which have already taken place, such as restoring lost files from a backup
- DES - 3DES: essentially you run DES 3 times. Could not be done only twice, because that would leave it vulnerable to a "meet-in-the-middle attack"
- This symmetric block cipher was developed by IBM in the 1970s but is no longer considered secure - What was a workaround used until a new algorithm could be created and tested and what was the logic behind it?
- Provisioning - Deprovisioning
- This term describes the process of onboarding a new employee and granting them authentication credentials and authorization to access resources - This is the opposite, when an employee leaves and their accounts are deactivated
- Public - Private - Community
- This type of cloud deployment model is owned by a specific company and offered to anyone who contracts it services. - This type of cloud is owned by a specific organization but is only available to users authorized by that organization; it is similar to a legacy IT structure or what used to be considered an itranet - This type of cloud features infrastructure and processing owned or controlled by distinct individuals and organizations, but they come together in some fashion to perform joint tasks; an example is the Playstation gaming network
1. Store software source code files 2. Coordinate changes among multiple developers 3. Perform version control 4. Promote code reuse 5. Helps to avoid "dead code" where either nobody is responsible for code maintenance, or nobody knows where the code is stored - GitHub
- What are advantages of using Code Repositories? - What is a very popular, cloud-based code repository?
- Tier 1 Basic Site Infrastructure: simplistic datacenter with little to no redundancy. Minimum requirements for a datacenter. Suitable as a hot/warm backup site. - Tier 2 Redundant Site Infrastructure Capacity Components: rudimentary redundancy. Good for small organizations looking for low overhead - Tier 3 Concurrently Maintainable Site Infrastructure: multiple distribution paths, dual power supplies for all IT systems. Good general purpose facility for most organizations - Tier 4 Fault-Tolerant Site Infrastructure: the best. Fit for government and critical organizational use
- What are the Uptime Institute's four tiers of datacenters? - What amount of fuel should be on hand to power a datacenter, regardless of its Tier?
1. Policies: carefully written over a long period, provide foundation for a security policy, approved at highest levels, require compliance from all employees. Should not contain any information too specific such as "Store all records in room 266". 2. Standards: specific details of security controls, derive authority from policies, less rigorous approval process, require compliance from all employees, can draw upon industry sources 3. Guidelines: provide advice to employees, best practices, optional practices and not mandatory 4. Procedures: step by step process for an activity, may require compliance depending on circumstances - Policies
- What are the four aspects of a security policy framework? - Which one of these defines an organization's risk tolerance and are the foundation of a risk management program?
1. Network traffic 2. Memory contents 3. System and process data 4. Files 5. Logs 6. Archived records - Time Offsets: comparing the file timestamp from the device to a reliable source to ensure it is accurate
- What are the six orders of volatility in forensic investigations? - What can help correlate records from different sources?
- Discovery phase (social engineering, probing, etc) and Attack phase (actually conducting the attack) 1. Gaining Access to a system 2. Escalating Privileges 3. System Browsing 4. Install Additional Tools
- What are the two phases which constantly loop back and forth during a pentest? - What are the four parts of the second phase?
1. Hardware WAF: physical device positioned between the network firewall and web server 2. Software WAF: runs on the web server and screens requests 3. Cloud-based WAF: third party services where you direct your web traffic which can remotely filter requests before they hit your network. This is particularly effective in preventing DDoS attacks - XML Firewall: protects XML-based services such as RESTful APIs
- What are three common deployment models for a WAF (Web Application Firewall)? - What is a specialized type of WAF?
1. Root Certificate: protects CA private keys, usually not connected to a network (offline CA). 2. Wildcard Certificate: covers an entire domain. For example: *.linkedin.com. The asterisk indicates the certificate can be used for any subject name ending in "linkedin.com". It only goes one level deep, however. For example: mail.linkedin.com or www.linkedin.com would be fine, but www.mail.linkedin.com would not work. - Administrators do not have to obtain and install different certificates for every single sub domain.
- What are two different types of digital certificates? - What is an advantage of the second type?
1. ITAR: State Department restrictions on defense-related exports, including cryptography systems 2. EAR: Commerce Department restrictions on dual-use items (those which could be used for commercial and military purposes) 1. Cryptography (various): countries have various laws restricting the import of cryptosystems or encrypted material 2. Wassenaar Agreement: 41 member countries agreed to inform each other of military shipments to non-member countries. Not a treaty or legally binding.
- What are two important export restrictions? - What are two important import restrictions?
1. Underprovisioned Services: the demand exceeds capacity. In this case, you may need to add and pay for additional resources. 2. Overprovisioned Services: capacity exceeds demands. In this case, you should downsize your resources b/c you are paying for things which you don't need to use. - Memory
- What are two things a cloud customer should look out for through monitoring in regards to usage? - What type of monitoring metric will usually require installation of a host-based agent?
1. Software Model Validation: asks the question, are we building the right software? 2. Software Verfication: asks the question, are we building the software right? - UAT (User Acceptance Testing) - Regression Testing
- What are two things which occur during software testing? - This type of testing is usually the final stage of code testing and is often referred to as Beta Testing - This is testing modified code, such as when bugs are fixed or patches have been applied, to ensure no strange behavior occurs
1. Direct Evidence: witness provides evidence based upon their own observations 2. Expert Opinion: expert witness draws conclusions based upon other evidence - Hearsay: cannot testify about something you heard someone else say or something told to you outside of court. Some exceptions apply
- What are two types of Testimonial Evidence? - What is not allowed in Testimonial Evidence?
1. Full Tunnel VPN: all network traffic leaving the connected device is routed through the VPN tunnel, regardless of final destination 2. Split-Tunnel VPN: only traffic destined for the corporate network is sent through the VPN. Other traffic is routed over the internet. - Full Tunnel, because end users don't usually understand the difference and assume all of their traffic is secure. - Always-On VPN: devices are configured to automatically connect to the VPN, taking this control away from the end user.
- What are two types of VPN tunnels? - Which one of these is generally recommended? - What is a third, newer type of VPN?
1. Site-to-Site VPN (Tunnel Mode): admins create IPsec tunnels to connect two different sites together. Connection is transparent to end users. Encrypts traffic so it can safely travel over a public network 2. End User VPN Clients (Transport Mode): provides encrypted remote network access for individual systems - TLS on Port 443 (HTTPS) because it's easier to configure - VPN concentrator
- What are two ways IPsec supports VPNs? - What protocol is being used more often with remote access VPNs for remote users, and which port does it use? - What can be used to increase speed if an organization has a high volume of VPN traffic?
1. Input Validation: application inspects input before executing any commands 2. Paramaterized Queries: SQL statements are stored on a server where input from applications is provided after the statement is already processed. - One single quote or a " ' " character
- What are two ways to defend against a SQL injection attack? - What character is commonly used in these attacks?
- S/MIME - DNSSEC
- What can you use to encrypt email messages and attachments at the application layer instead of the network layer? - What can be used to add digital signatures to DNS?
- RSA - It is slow - Key exchange between users; this is a better use than exchanging long messages since it is slow to use
- What is an asymmetric algorithm created in 1977 which is still considered secure and in use today? - What is a drawback to this algorithm? - What is it primarily used for?
- One-Time Pad (OTP): since the letters used in the pad are totally random, there is no way to break the encryption as long as pad is only used one time. - It is very difficult to distribute one-time pads. Sender & receiver need to be in the same room and physically hand over the OTP, then meet again once they pad has been used.
- What is an unbreakable encryption algorithm? - Why isn't this used more frequently today?
- PGP (Pretty Good Privacy) - A randomly generated key - GnuPG (Privacy Guard)
- What is not an algorithm but a framework for using other algorithms created by Phil Zimmerman in 1991, which uses aspects of both symmetric and asymmetric cryptography? - What key does it use to encrypt a message? - What is an open source package using this?
- GDPR (General Data Protection Regulation), or Data Protection Directive 95/46 E - Fine up to 20 million Euros - PIPEDA (Personal Information Protection and Electronic Documents Act) - CPEA (APEC Cross-border Privacy Enforcement Arrangement) - Australian Privacy Act of 1988
- What is the European privacy law? - What is the penalty for violating this law? - The Canadian privacy law? - The Asian privacy law? - The Australian privacy law?
- Code: a system that substitutes one word or phrase for another. Intended to provide secrecy and/or efficiency. For example, the Ten Code system used by police where "10-4" means "I acknowledge your message" - Cipher: a system that uses a mathematical algorithm to encrypt and decrypt messages. 1. Stream Cipher: operates on one character, or bit, of a message at a time. 2. Block Cipher: works on chunks of a message (or blocks) at a time. 3. Substitution Ciphers: change the characters in a message, for example ROT 13 shifts 13 alphabetical positions 4. Transposition Cipher: rearranges characters in a message instead of changing them. The key is required to unscramble them
- What is the difference between a code and a cipher? - What are four types of ciphers?
- UEFI Secure Boot: validates that the firmware is intact before loading 1. Checksum Verification: computes a checksum of the binary prior to loading and verifies it appears on a list of approved checksums 2. Signature Verification: verifies digital signature on binary and ensures it came from legitimate source - TPM (Trusted Platform Module)
- What is the primary method of securing the BIOS? - In what two ways does it accomplish this? - This is a cryptographic processor sometimes stored on a device
- TLS - ASIC (Application Specific Integration Chips)
- What protocol is commonly used to apply encryption algorithms to encrypt network communications? - What is a special type of chip which can perform this type of encryption without placing the burden on the client and the server?
- WOT (Web Of Trust) - Its decentralized approach makes it hard to manage, there is a high barrier to entry for new participants, and it requires a good deal of technical knowledge from the end user
- What trust model is used by PGP and uses indirect approval such as you might find on LinkedIn where someone you know can vouch for someone you don't know? - What are problems with this model?
- ICMP echo request 1. Destination unreachable messages 2. Redirects 3. Time exceeded 4. Address mask requests and replies
- What type of packet is sent in a ping request? - What are four other uses for this protocol, besides ping requests?
- Doctrine of the Proper Law - Restatement (Second) Conflict of Law
- When a conflict of laws occurs, this determines in which jurisdiction the dispute will be heard. - This is a coalition of developments in law which help courts stay up to date with changes
- Risk Avoidance - Risk Transference or Sharing - Risk Mitigation or Modification - Risk Acceptance or Retention - Risk Profile
- When an organization deals with a risk by changing its business practices - This shifts the impact of a risk to another organization - Takes action to reduce the likelihood or impact of a risk - When a risk is dealt with head-on without taking any further action - This is the full set of risks facing an organization
1. NIST 800-53 2. NIST 800-61 3. NIST 800-37 4. ISO 31000:2009 5. ISO/IEC 28007:2007
1. A guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all U.S. federal government information in information management systems. 2. A guidance document which outlines a framework for incident response plans 3. A guidance document for implementing RMF (Risk Management Framework) 4. This is an international standard that focuses on designing, implementing, and reviewing risk management processes & practices 5. This standard refers to addressing risks in a supply chain
AI (Artificial Intelligence)
A collection of techniques which mimic human thought processes in computers
Forklifting
A term for moving an application to a cloud environment without any significant changes
Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, and does not provide any access control checks to prevent data manipulation.
Cryptographic Erasure
A method of sanitizing encrypted data by erasing the decryption key. This can work if a client has been encrypting data before uploading it to the cloud. Note that ALL copies of the key, including backups, must be destroyed.
Certificate Pinning: when a certificate is received, the user will be told to "pin" the certificate for a certain amount of time, and that no certificate changes will be issued in this time frame
A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks and fraudulent certificate creation. This tells users they should not expect a certificate to change.
TCI (Trusted Cloud Initiative) Reference Architecture
A methodology and a set of tools that enables security professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.
Cloud Orchestration
A way to automate cloud management programmatically using Infrastructure as Code. Can access resources through vendor's API.
EC2 (Elastic Compute Cloud)
Amazon's web service that provides resizable computing capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. Reduces the time required to obtain & boot new server instances.
Session Hijacking
An attack in which an attacker attempts to impersonate the user by using his session token (cookie) without knowing their password
Multitenancy
Architecture providing a single instance of an application or resources to serve multiple clients
No; under current laws, liability and risk for safeguarding PII and meeting regulations reside with the organization, even if they have contracted with a cloud provider.
Can an organization transfer risk and liability for safeguarding PII to a cloud provider?
CDN (Content Delivery Network)
Collection of resource services deployed in numerous data centers across the internet to provide low latency, high performance, high availability. Manage data in caches of copied content close to locations of high demand. For example: a streaming video provider which places most requested media near large cities
Compensating Controls
Control procedures that compensate for the deficiency in other controls, such as posting a guard to ensure no one jumps a turnstile, placing a barricade to block a hole in a fence, or way to mitigate exceptions found during an audit
They reduce the management of the hosts
How do immutable workloads effect security overhead?
Offline CA (Offline Certificate Authority)
In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise. This can protect sensitive root keys. Can be used to sign certificates for intermediate CAs belonging to the same organization.
IaaS
In what type of cloud deployment model would you purchase a server instance to run your own software?
Object Identifier (OID)
Inside of digital certificates, these are strings of numbers which look like IP addresses. They are used to uniquely identify each section of a digital certificate. They can help to trace back the origin of a certificate and its components.
KRIs (Key Risk Indicators)
Metrics that provide an early warning of increasing levels of uncertainty in a particular business area.
FIPS 140-2
Primary goal of this is to accredit and distinguish secure and well-architected cryptographic modules produced by private sector vendors who seek to have their solutions and services certified for use in regulated industries that collect, store, transfer, or share data that is deemed to be "sensitive" but not classified.
Keyspace
The entire range of values that can be used to construct an individual key.
CER (Crossover Error Rate)
The point where the false acceptance rate (FAR) crosses over with the false rejection rate (FRR). The lower this is, the more accurate a biometric system is.
DevOps
The practice of blending the tasks performed by the development and IT operations groups to enable faster and more reliable software releases.
Gap Analysis
These are typically delivered by an audit to provide a roadmap for remediation of issues
Cloud Service Partner
Third party which is engaged in the support of, or auxiliary to, activities of either the cloud service provider or the cloud service customer or both. For example, they might help implement a cloud application, provide operational assistance, or help with security monitoring
Spiral Model
This SDLC model was a alternate to the Waterfall model. It has four stages in an iterative process and encourages constant improvements as each phase is repeated several times as the solution becomes more and more complete
RASP (Runtime Application Self-Protection)
This assists in the prevention of a successful attack by protection itself through reconfiguring itself without human intervention. Typically occurs in response to certain threats. Comes into play by launching itself as a program is executed in memory.
Encryption
This can not only help protect sensitive data, but many regulations have exemptions for things like data breach laws if this was applied to the data
Cryptoshredding (AKA Cryptographic Erasure)
This involves encrypting the data with a strong encryption engine, and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys.
Certificate Stapling
This process provides clients with a timestamped, digitally signed OCSP response. This is from the CA and appended to the digital certificate sent to a user's web browser. The user's browser can verify both that the certificate and the OCSP response are valid instead of directly contacting the CA, which reduces the overall OCSP traffic sent to a CA and reduces burden on their servers.
KVM systems (keyboard, video, mouse)
This technology allows servers in a data center to share a mouse, keyboard, and video, since there is not enough physical space to have one of these devices for every single server in the data center
NetFlow
This tool captures high-level, summary information about all communications on a network. It is often captured at network choke points such as routers or firewalls. Similar to what you'd find on a phone bill, such as what numbers were dialed and the time & duration of the call. It gives IP addresses & ports, timestamp, and amount of data transferred. This is a good alternative to trying to save all data captured through Wireshark, for example, since that would generate massive amount of data requiring storage.
1. Prevent data inconsistency 2. Prevent update anomalies 3. Reduce need for restructuring existing databases 4. Make database schemas more informative
What are advantages of normalizing the data in your database?
1. Perspective: vision & direction of the organization 2. Position: how the organization competes in the marketplace 3. Plans: objectives to move forward 4. Patterns: processes to achieve plans
What are the "Four P's" of the ITIL Service Strategy?
1. Definitions: any terms should be clearly defined. For example, if "outage" is mentioned, what specifically constitutes an "outage"? 2. Clear Performance Metrics: can either be in the contract, or reference a specific SLA 3. Should have remedies for if a vendor fails to live up to its obligations 4. Should clearly state that the customer retains ownership of any data they upload to or create in the cloud service, and terms of data destruction 5. Any compliance obligations 6. Customer must retain the right to audit the vendor's performance 7. Indemnification clauses should be considered, where one party agrees to pay for losses incurred by the other party. The customer should not indemnify the vendor, but would probably want indemnification from the vendor if something goes wrong. 8. Contracts should also envision their own ending and lay out steps for this eventuality. This would include things like litigation, in case it is needed.
What are eight things a vendor contract should include?
1. Read-through: simplest type of test. Each team member reviews their role and provides feedback. 2. Walk-through: aka "tabletop" exercise where team members get together and formally review plan together 3. Simulation: use a practice scenario to test plan 4. Parallel: not theoretic, actually activates the DR plan through use of something like an alternate cloud environment. Operations don't actually switch to this environment, but run in parallel 5. Full Interruption: most effective test, but also most disruptive to operations.
What are five types of BC (Business Continuity) and DR (Disaster Recovery) testing plans?
1. MOU (Memorandum Of Understanding): written document which can even be done between two departments of the same company 2. BPA (Business Partnership Agreement): when two different organizations will be working together 3. ISA (Interconnection Security Agreement): details on the way two different organizations will interconnect their networks, systems, or data. Provides details on connection security parameters such as encryption and transfer protocols to be used. 4. MSA (Master Service Agreement): used when a company will be entering into several different agreements with a vendor. When specific projects will be undertaken, they can then create an SOW 5. SOW (Statement Of Work): specific terms of one engagement or project. Can be governed by terms of umbrella MSA
What are five types of vendor agreements in addition to SLAs?
1. Rudimentary Reference Checks: the content itself can automatically check for ownership. This is like when old video games would ask you to type a word from a certain page in the owner's manual. 2. Online Reference Checks: this is like typing in a PKC to activate software 3. Local Agent Checks: reference tool or client is installed locally, such as with Steam or GOG 4. Presence of Licensed Media: when a disk or other physical media must be present in order for the software to unlock 5. Support-Based Licensing: need of continual support for content such as patches and updates.
What are five ways DRM can be implemented?
1. Validate the supply chain; know where your hardware is coming from and that it hasn't been tampered with 2. Verify driver integrity; know who manufactured your drivers 3. Inspect security controls 4. Apply firmware & driver updates
What are four hardware integrity controls?
1. Baseline Security Review: provide initial review of system's security status. Compares current configuration to expected baseline. Can be automated with tools. 2. Attack Surface Review: enumerates all possible attack paths. Makes heavy use of port, vulnerability, and application scanners; adopts the mindset of an attacker 3. Code Review: assessment of software security. Includes peer code review for an extra set of eyes to detect security issues. Should be mandatory part of promotion and release process for new code. 4. Architecture Review: dissects how all IT components fit together. Analyzes the interaction of various systems.
What are four threat assessment techniques?
1. Frequency Analysis: detects patterns in the ciphertext 2. Known Plaintext Attack: an attacker has access to an unencrypted message and the encrypted version 3. Chosen Plaintext Attack: attacker can create an encrypted message of their choice. They can study how the algorithm works in greater detail 4. Birthday Attack: searches for collisions to find two inputs with the same hash value
What are four types of knowledge-based attacks?
1. Must be authenticated before it can be admitted. Someone must testify to its legitimacy 2. Best Evidence Rule: original documents are superior to copies. Copies can only be submitted into evidence when the original is no longer available 3. Parol Evidence Rule: written contracts are assumed to be the entire agreement. Cannot be modified verbally. Any modification to a written agreement requires another written agreement.
What are rules for documentary evidence?
1. DER (Distinguished Encoding Rules): binary format, appears like gibberish to human eyes. Stored in .der, .crt, .pfx, and .cer files 2. PEM (Privacy Enhance Mail): ASCII text equivalent of DER format. Older, secure email standard that's no longer used, but we still use the certificate format from that standard. Can easily convert between this and DER format with openSSL. Stored in .pem and .crt files
What are some common digital certificate formats?
1. Management: have policies, procedures, and governance structures in place to protect privacy 2. Notice: data subject should receive notice that their information is being collected and used. 3. Choice and Consent: inform data subjects of their options regarding the data and get consent 4. Collection: only collect information for the purposes disclosed in their privacy notices 5. Use, Retention, and Disposal: only collect and use personal information for disclosed purposes and securely dispose of it when no longer needed 6. Access: provide data subjects with ability to review and update their personal information 7. Disclosure to third parties: only disclose information with third parties if the subject consents and if the disclosure is in line with their policies 8. Security: must secure private information against unauthorized access 9 Quality: information maintained is accurate, complete, & relevant 10. Monitoring & Enforcement: ensure compliance & dispute resolution mechanism
What are the principles of GAPP (Generally Accepted Privacy Principles)
1. Only continuous process improvement. This is the only stage which is also its own process
What are the processes of the ITIL Continuous Process Improvement stage?
1. Design coordination 2. Service catalog management 3. Availability management 4. Information Security Management 5. Supplier management 6. Capacity management 7. IT service continuity management
What are the seven processes of the ITIL Service Design stage, where organizations design IT services?
1. Transition planning and support 2. Asset and configuration management 3. Change management 4. Release and deployment management 5. Knowledge management 6. Service validation and testing 7. Change evaluation
What are the seven processes of the ITIL Service Transition stage, where organizations create, change, and retire services?
1. Spoofing: any impersonation attack 2. Tampering: with data input, output, or stored data 3. Repudiation: when nonrepudiation is compromised 4. Information Disclosure: data leakage or an outright breach 5. Denial of Service: self explanatory 6. Escalation of Privilege: same
What are the six parts of the STRIDE threat modeling technique, which helps by describing different threats you should test against your app?
1. Defining: identify the business needs of the application 2. Designing: develop user stories and decide if development of APIs will be needed, identify programming language and architecture (SOAP, REST, etc) 3. Development: where the code is written 4. Testing: pentesting and vulnerability scanning 5. Secure Operations: application is deemed secure and used in production environment 6. Disposal
What are the six stages of the Cloud Secure SDLC (Software Development Lifecycle)?
1. "Categorize" the information system: inputs are the architectural description and operational inputs 2. "Select" security controls. Typically starts with baseline controls 3. "Implement" security controls. 4. "Assess" how the controls are working 5. "Authorize" operation of the system 6. "Monitor" to ensure ongoing effectiveness and respond to any security concerns
What are the six steps of risk management outlined in NIST 800-37 Risk Management Framework?
1. Developer obtains digital certificate 2. Digital signature is created and inserted into code using the private key associated with the certificate 3. User downloads the software 4. OS uses the certificate's public key to validate the signature 5. OS verifies that the signature's hash matches what's in the code 6. OS verifies that the developer is trusted
What are the steps in code signing & verification?
- Full backup: everything - Differential backup: all data modified since the last full backup; you only need the last full backup and most recent differential backup in order to restore - Incremental backup: All data modified since the last full or incremental backup; these are smaller than differential backups, but you need all of the incremental backups plus the last full backup in order to restore.
What are the three different types of backups?
1. Service portfolio management 2. Financial management 3. Business relationship management
What are the three processes of the ITIL Service Strategy stage?
1. SYN 2. SYN/ACK 3. ACK
What are the three steps in the TCP handshake?
1. REST (Representational State Transfer): this is lightweight, uses simple URLs, not reliant on XML, scalable, outputs in many formats (JSON, etc), efficient due to small message size. Works well when bandwidth is limited, stateless operations are in use, or caching is needed 2. SOAP (Simple Object Access Protcol): this is standards-based, reliant on XML, intolerant of errors, slower, built-in error handling. Works well with asynchronous processing, format contracts, stateful operations
What are the two most common types of APIs for cloud-based apps and how do they differ?
1. Domain Validation (DV): lowest level of trust. CA simply checks the ownership record for a domain and communicates with the registered owner of the domain to make sure they approve the issuance of the digital certificate 2. Organizational Validation (OV): go a step further. CA also verifies that the business name of requester matches business records such as state business registrations or business databases 3. Extended Validation (EV): highest level of trust. After receiving documentation from a certificate's subject, the CA performs an extended investigation to verify physical existence and legitimacy of the organization
What are three different types of identity verification used by a CA?
1. Request Control: customer make the initial change request. These are reviewed by management who prioritizes them for DEV 2. Change Control: grants permission for some changes to be made to the code 3. Release Control: after QA approval, new code is released into production
What are three key elements of change management?
1. Real Evidence: tangible objects that can be brought into a courtroom 2. Documentary Evidence: written information such as a contract under dispute or computer logs 3. Testimonial Evidence: consists of witness statements
What are three main types of evidence in an investigation?
1. Serves as UEFI root of trust 2. Protects keys for full disk encryption 3. Verifies hypervisor integrity
What are three security functions of the TPM (Trusted Platform Module)?
1. Asset Focus: use the asset inventory as a basis and go one-by-one down the list evaluating threats for each asset 2. Threat Focus: identify how specific threats can affect each information system 3. Service Focus: identify impact of various threats on a specific service. This is most commonly done by cloud service providers. For example, they would think of an API which provides a service, then go through all the ways possible threats could affect it
What are three structured approaches for identifying threats?
1. Original Cost: what you paid for the asset 2. Depreciated Cost: devalues the asset with age over time 3. Replacement Cost: how much it would cost the organization if they had to replace the asset (frequently used)
What are three types of asset valuation techniques?
1. Data Owner: business leader with overall responsibility for data. They set policies and guidelines for their data sets. 2. Data Steward: typically have day-to-day data governance activities delegated to them from the Data Owner. 3. Data Custodians: store and process information and are often IT staff members
What are three types of data security roles?
1. WS-Federation: uses the term "Realms" 2. OAuth: often used with mobile apps; gives third party apps limited access to HTTP services 3. Open ID Connect: interoperable authentication protocol based on OAuth2. Allows developers to authenticate users across websites and apps without having to manage passwords
What are three types of federation standards other than SAML?
1. Port Scanner: simply scans for open ports on a system, like rattling on a system's doors. Nmap is a popular example 2. Vulnerability Scanner: checks ports for known vulnerabilities. Provides steps for remediation, but can also serve as a roadmap for an attacker. Nessus is a popular example. 3. Application Scanner: probes deep into web applications to detect flaws
What are three types of security scanners and what do they do?
1. Virtualized KVM 2. RDP on port 3389 (Windows) 3. SSH on port 22 (command line for Linux)
What are three ways an administrator can connect to a server in a data center?
1. Qualitative Risk Assessment: uses subjective ratings such as Low, Medium, and High 2. Quantitative Risk Assessment: uses objective numeric ratings
What are two techniques for evaluating risk likelihood and impact?
1. In-band (inline) deployment: the IPS sits in the path of network communications. Can block suspicious traffic, but is also a single point of failure 2. Out-of-band (passive) deployment: Sits outside of network traffic, connected to a SPAN switch. Device can react after suspicious traffic is detected.
What are two types of IPS deployment modes?
1. Tightly Coupled: all storage devices directly connected to physical backplane. Each component is aware of the others and subscribes to the same policies and rule sets. More restrictive, but performance is enhanced as it scales since everything is connected. 2. Loosely Coupled: more flexible. Each node in the cluster is independent of the others. Only logically connected, not physically. Performance does not scale.
What are two types of clustered storage architectures?
1. PII (Personally Identifiable Information): any information that can be traced back to an individual 2. PHI (Protected Health Information): individually identifiable health records governed under HIPAA. Can also be referred to as "ePHI"
What are two types of private information?
1. Built-in backup verification: bare bones verification system often included with backup software. You are relying on the software which performed the backup to tell you it performed properly. Organizations should ensure both that this feature is turned on, and that they have configured alerts to notify admin when a backup fails 2. Test backups by restoring a single file from a single point in time 3. Restore a server or entire service from a backup
What are types of backup validation tests you should perform?
1. Input validation (correct format & length) 2. OS admin (supported versions & current patches) 3. Least privilege 4. Any special technologies such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) designed specifically to prevent privilege escalation
What are ways to defend against privilege escalation attacks?
VPC (Virtual Private Cloud)
What cloud networking feature is similar to a VLAN and used to segment virtual networks?
- Try...Catch. The code will say "Try *followed by an operation in brackets*" and below that, "Catch *followed by another operation in brackets in case the 'Try' command fails*"
What is a Java clause that is critical for error handling?
Delivering computing resources to a remote customer over a network
What is a simple definition of Cloud Computing?
- RC4
What is a symmetric stream cipher created in 1987 by Ron Rivest which is no longer considered secure?
Amazon EBS (Elastic Block Storage)
What is an Amazon service that offers block storage volumes?
ECC (Elliptic Curve Cryptography)
What is an asymmetric algorithm which is still secure, does not rely on prime factorization, and is commonly used for encryption with mobile devices such as smart phones? It would also be most susceptible to a quantum computing attack, should that technology ever be developed.
The Usefulness of the asset
What is something that cannot be determined about assets by gathering business requirements?
Dedicated hosting
Which cloud security control eliminates the risk of virtualization guest escape from another tenant?
Asymmetric cryptography
Which type of cryptography allows for nonrepudiation?
1. It is difficult or impossible for users to update the embedded OS 2. They connect to our home or wireless networks, so if a device is compromised it can be the gateway for an attack 3. IoT devices often connect back to cloud services for command & control, creating a path for attackers which bypasses firewalls
What are three security challenges involving IoT devices?
- Key Escrow - The Clipper Chip - Recovery Agent
- A control procedure whereby a trusted party is given a copy of a key used to encrypt database data. Law enforcement would like to do this so they can access encrypted communications under certain conditions - What was a controversial and failed way that the NSA tried to do this? - This is a user who has been granted the authority to get a key from escrow and decrypt files, usually because another user has forgotten their password or left the organization and their encrypted files need to be accessed
- Virtual Desktop Infrastructure (VDI), or Desktop Virtualization - Application Virtualization
- A desktop operating system running within a virtual machine (VM) running on a server. For example, using Amazon WorkSpaces installed on a Mac to access a VM in the cloud running Windows. The resources it uses are cloud-based, not on the local computer - This streams applications to a user's desktop
- Hardware Security Module (HSM) 1. Security Level 1: allows for the use of standard operating systems and does not have any physical security requirements. Appropriate for low-level security applications 2. Security Level 2: adds requirements for physical security, including tamper-evident seals and requires that software and firmware used be certified under the Common Criteria EAL2 3. Security Level 3: adds even more requirements such as zeroing out the contents of the HSM when someone tries to tamper with it, and authenticating the identity of the operator before granting access to encryption keys. Also requires Common Criteria EAL3 4. Security Level 4: highest level. Requires Common Criteria EAL4 and has strict physical security requirements
- A device that can safely store and manage encryption keys and perform cryptographic operations. They can be used in servers, data transmission, protecting log files, etc. - What are the three security levels for these devices as defined in FIPS 140-2?
- ICS (Industrial Control System) 1. Attacks have dramatic implications. Could disable a nation's power grid, or damage parts of a city's infrastructure. 2. ICS devices are often not well secured. 3. Systems are less likely to be current on patches because of requirements for high stability and availability. Some manufacturers even advise customers not to update the devices, ever.
- A network or system used to support municipal services (sewage, electricity, gas, etc), industrial processes, and transportation systems, often full of IoT devices with embedded operating systems. - What are three reasons a threat actor might want to attack these types of devices?
- Quantum computing - Quantum computers have the potential to render all modern cryptography completely ineffective - Quantum cryptography could theoretically provide better cryptography than any currently known methods
- A still theoretical technology that applies the principles of quantum physics and quantum mechanics to computers to direct atoms or nuclei to work together as quantum bits (qubits), which function simultaneously as the computer's processor and memory. Currently confined to theoretical research as no one has yet designed a practical application of a useful one of these types of computers. - What is a security concern should these types of computers become developed and widespread? - How could this also theoretically provide a benefit?
- Federated Identity Management (FIM) - Shibboleth 1. Transitive Trust: if domain 1 trust domain 2, and domain 3 trusts domain 1, that trust will transfer between domains 2 and 3 without an administrator having to create the trust 2. Nontransitive Trust: No transfer of trust occurs 3. One-Way Trust: Domain 1 trusts Domain 2, but Domain 2 does not trust Domain 1 4. Two-Way Trust: Domains 1 and 2 both trust each other
- A technology that uses a single authenticated ID to be shared across multiple networks owned by different organizations for SSO purposes. For example, using your Google ID to log into Udemy - This is one such solution that several universities came up with so they could share resources with users without requiring multiple authentications - What are four types of trusts in this environment?
- Write Once Read Many (WORM) - NTP (Network Time Protocol) - NTPsec
- A technology to write data onto a storage medium which does not permit changes. Frequently used with SIEM systems so logs cannot be altered - What protocol is used to synchronize device clocks to ensure timestamps on logs are in the proper order? - What is a secure version of this?
- SAML (Security Assertion Markup Language) 1. Principal: end user making the request on web browser 2. Identity Provider: organization providing the proof of identity (employer, school, etc) 3. Service Provider: web based service end user wishes to access - Principal requests resource from the Service Provider, but end user has to authenticate SSO first with Identity Provider, which provides XHTML. Principal then provides Request Assertion to Service Provider which contains proof of identity. End user only has to share password with Identity Provider and if they are already logged in w/SSO, the Service Provider will automatically grant them access.
- An XML-based data format used to exchange authentication information between a client and a service. Commonly used for SSO in web browsers. - What are the three actors in this type of request? - How does this process work?
- VM Escape attack - VM Sprawl
- An attack that allows an attacker to access the host system from within a virtual machine. The primary protection is to keep hosts and guests up to date with current patches. - A vulnerability that occurs when an organization has created too many VMs and some aren't properly managed. Unmanaged VMs are not kept up to date with current patches.
- Data Obfuscation 1. Hashing sensitive fields, although this is vulnerable to a rainbow table attack 2. Tokenization: sensitive fields are replaced with a unique identifier which can be found through a lookup table. The table must be kept secure in this method. Requires two databases. 3. Masking: redacts sensitive information from a file by replacing it with blanks.
- Data transformation that makes it difficult for a human to recognize the original data. Can be an alternative to data anonmyzation when safeguarding PII - What are three tools which assist with this?
- They use a "hot aisle, cold aisle" approach. Server racks are designed to take cold air in through the front and expel hot air out through the back. Data centers are designed where one aisle will have fronts of data racks facing each other, taking in cold air. Likewise, the next aisle will have backs of racks facing each other, expelling hot air. HVAC systems can take advantage of this by pumping cold air into cold aisles and pulling hot air out of the hot aisles for re-circulation. - Building a Faraday Cage around the data center; this is usually used to protect government facilities or sensitive scientific equipment
- How are data centers designed specifically with ventilation concerns in mind? - What is an effective, but expensive way to control EMI emanating from data centers?
- SaaS; the vendor owns the hardware, software, and admin duties for both. The customer only supplies the data. The customer is essentially the same as a basic user in legacy IT environments: they have little to no admin rights or privileged accounts and few permissions and responsibilities.
- In which Cloud Model does the customer have the least amount of control over the environment?
- IaaS: the customer is responsible for everything from OS on down including choosing, installing, and administering software and supplying and managing data. Vendor provides buildings and hardware for the datacenter. The customer can still collect and review logs from the software.
- In which Cloud Model does the customer have the most responsibility and authority?
- PaaS
- In which Cloud Model is the vendor responsible for installing and administering the OS but not other software?
- Out-of-band key exchange - In-band key exchange - Diffie-Helman: it is a way to do in-band key exchange securely - ECDH (Elliptical Curve Diffie Helman)
- Involves the use of a separate, independent channel, such as snail mail, USB stick, or even a different network connection, to send an encryption key to the authorized users. - Involves using the same communications channel you are using to send the message to send the encryption key. - What is a very popular way to use this second method? - What is a variant of this popular method commonly used with mobile devices?
- No, it is only a protocol which uses different encryption algorithms - SSL - HTTP for secure web browsing via HTTPS 1. Client sends the TLS request listing which cipher suites they support 2. The server analyzes info from the client and tells the client which cipher suite they will use and sends the server's digital certificate with the server's public key. 3. The client checks which CA issued the certificate and uses the CA's public key to verify the digital signature on the certificate 4. Once verified, the client creates a symmetric session key, or ephemeral key, since it will only be used once. It encrypts this key with the server's public key and sends it back. 5. Once the session has ended, the session key is destroyed
- Is TLS an encryption algorithm? - What was the predecessor to TLS which is no longer considered secure and should not be used? - What protocol is TLS commonly used to secure? - What steps are involved between client and server when a TLS session is established?
- File Integrity Monitoring (FIM) - Tripwire
- Technique or technology under which certain files or logs are monitored through cryptographic hash functions to detect unexpected modification. When critical files or logs are modified, alerts should be sent to appropriate security personnel. - What is the name of a Linux program which does this?
- Elasticity - Scalability
- The ability to acquire resources as you need them and release resources when you no longer need them - This is similar, but usually relates more to environments with more predictable workloads. Usually done in advance to give resources room to grow. For example, purchasing additional room to allow a database to grow larger in the coming months due to projected business growth.
- Anomaly or Heuristic Analysis - Trend Analysis - Behavioral Analysis - Availability Analysis
- The process of defining an expected outcome or pattern to events, and then identifying any events that do not follow these patterns by looking for outlier data points. For example: finding huge spikes in bandwidth usage - This looks for historical changes over time - This detects unusual user activity such as logins at strange times - This provides system performance and uptime information
- Infrastructure as code 1. Increases scalability of environments 2. Reduces user error 3. Facilitates testing of new code
- The process of managing and provisioning computer data centers through machine-readable definition files rather than manually configuring physical hardware. For example, using a baseline script to spin up a new Linux server instead of manually logging into a system and configuring it step by step. - What are three advantages of this?
- Data anonymization - HIPAA 1. Expert determination: a third party of statisticians analyze your data and confirm that it's statistically impossible to determine someone's identity 2. Safe Harbor: requires eliminating 18 elements from your data set which might be combined with each other to determine someone's identity - De-identification: removes obvious identifiers in a data set. Often not enough by itself to safeguard information. For example, zip codes, dates of birth, and gender are not removed in de-identification, but they can be correlated to find out someone's identity.
- The process of protecting people's private or sensitive data by eliminating identifying information - What federal regulation requires this and what are two ways it allows to achieve this? - What is something similar which is not enough when done by itself?
- Viruses - Worms - Trojans - Spyware
- These are malicious code objects which spread from system to system after some type of human action - These are similar, but spread under their own power without human interaction. They can scan networks seeking out vulnerable systems - These disguise themselves as legitimate pieces of software but have a hidden, malicious payload - This gathers information without the user's knowledge or consent
- Containers - Similar security concerns to VMs, especially strictly enforcing an isolation policy to ensure containers cannot access the data or resources allocated for other containers. 1. VMs can be heavy. For example, if you have 10 VMs, you essentially have 10 different computers to maintain, 10 different copies of Windows to keep up to date & manage, etc. Containers package up application code and dependencies only, in a standardized format, so it can be easily moved between systems. 2. Instead of running on a hypervisor, system-supporting containers run on a containerization platform. The platform provides a standard interface to the OS which allows the containers to function regardless of the OS and hardware. 3. They do not have their own OS, and instead use the host's OS
- These are the next evolution in virtualization. They are a lightweight way to package up an entire application and make it portable so it can easily move between hardware platforms. - What sort of security considerations do these have? - What are three ways this an improvement on traditional virtualization?
- IRM (Information Rights Management) 1. Enforcing data rights to keep information out of unauthorized hands 2. Provisioning access to authorized users 3. Implementing access control models - DRM (Digital Rights Management) software
- These programs are designed to enforce an organization's intellectual property policy. - What are three ways they do this? - What is one of the most widespread types of these programs?
- Copyrights - Trade Marks - Patents - Trade Secrets
- These protect creative works like books and written content against theft. Automatically granted upon creation and provided for 70 years after author's death. Moves into public domain upon expiration - These protect words and symbols such as brand names, logos, and slogans. These must be registered. They are indefinite, but must be re-registered every 10 years. If they are not used for 5 years, they are considered abandoned. - These protect inventions, provided they meet three criteria: novelty (new idea no one else has thought of), usefulness (invention can actually be used), and non-obvious (some creative work was involved). Lasts for 20 years past the filing date. - What is an alternative to the last item which does not require public disclosure of details of an invention, and lasts in perpetuity as long as it continues to be used?
- DLP (Data Loss Prevention) 1. Host-Based DLP: software agents installed on a single system. These can even block users from copying files to a USB drive 2. Network-based DLP: monitors network traffic, scanning for transmissions which contain sensitive information 1. Pattern matching: recognizes known patterns such as SSNs and credit card numbers 2. Watermarking: systems or administrators apply electronic tags to sensitive documents and the DLP system watches for those in transmissions
- These tools search systems and networks for stores of sensitive information which might be unsecured, and monitor network traffic for potential attempts to remove sensitive information - What are two types of environments these tools operate in? - What are two mechanisms of action for these tools?
- MSSP (Managed Security Service Provider), but can also be referred to as SECass (Security as a service) - CASB (Cloud Access Security Brokers)
- Third-party provision of security configuration and monitoring as an outsourced service. They can be contracted for anything from managing an entire security infrastructure to merely monitoring system logs. - These are similar, but add a third party security layer to interactions that users have with cloud services
- SaaS - PaaS; it is everything included in IaaS which the addition of operating systems - IaaS - Physical access to the devices on which their data resides
- This cloud service model includes applications, CRM, hosted HR, and email - This model includes operating systems and is popular with DevOps for creating and testing software - This model includes hardware, blades, connectivity, and utilities; it is similar to a "warm site" - What does a customer give up in all three of these models?
- ISO 17789 - Customer activities: use cloud services, perform service trials, monitor services, administer security, provide billing reports, handle problems, administer tenancies, perform business administration, select services, request audit reports - Provider activities: prepare systems and services, monitor services, manage assets, provide audit data, manage customer relationships, perform peering with other cloud providers, ensure compliance with laws & regulations, provide network connectivity - Partner activities vary depending on what services they provide, but can include any of the following: design, create, and maintain services, test services, perform audits, set up legal agreements, acquire and assess customers, assess the marketplace
- This document is a cloud reference architecture. It lays out a common terminology framework for providers, partners, and clients to communicate about roles & responsibilities. It defines different activities which are the responsibilities of different entities - What customer activities are defined in this document? - What cloud service provider activities are defined in this document? - What cloud service partner activities are defined in this document?
- All communication is passed unencrypted, including usernames & passwords - SSH (although it is no longer considered secure) - Either through FTPS (using TLS) or SFTP (using SSH) - The SCP (Secure CoPy) command line tool - TFTP (Trivial File Transfer Protocol)
- Why is telnet insecure? - What was created to do the same function, but with encryption? - What are two ways that FTP can be secured? - What is a secure alternative to using FTP? - What is an insecure version of FTP that is not frequently used?
- Blockchain - Originally created for cryptocurrency, but can also address important business needs where immutable ledgers would be useful, such as property ownership, tracking supply chains (ensuring items came from reputable sources and allowing regulators to track items easily), and tracking vital records such as passports, birth certificates, etc.
- This is a distributed, immutable ledger. It can store records in a way that distributes those records among many different systems around the world and do so in a manner which prevents anyone from tampering with the records. It creates a data store that nobody can tamper with or destroy. - What was this originally created for, and what are three larger business applications for this technology?
- Sandboxing - Application Control 1. Whitelisting: administrators create a full list of programs allowed to run. Anything not on the list cannot run. Can be difficult to administer. 2. Blacklisting: this lists prohibited applications. Anything not on the list is allowed to run. Easier for users, but reduces the effectiveness of application control. - App Locker
- This is an advanced malware detection technique that executes suspicious code in a test environment where it is monitored for signs of malicious activity - This is the process of ensuring that only authorized software programs are allowed to run - What are two methods of enforcing this? - What is a Windows tool which can help accomplish this?
- Data Mapping - Data Classification - Data Discovery
- This is designed to find all of the locations in an organization where sensitive information is stored and to develop an inventory of that information. - This assigns the information to categories which determine storage, handling, and access requirements - This helps to comb through your organization's data stores and find information which has not been appropriately labeled per above. For example, if a user created a new file which contains sensitive information and stored it on their computer
- Horizontal Scaling - Vertical Scaling
- This is employing multiple computers to share the workload, such as adding servers to a pool to meet increased demand - This would be increasing the capacity of your existing servers. For example: adding more memory or CPU cores
- Reversibility or rollback plan - Portability - Interoperability
- This is rolling back away from cloud operations to the previous operational configuration if something goes wrong - The ability to move workloads between vendors and avoid vendor lock-in - This consideration involves cloud solutions from different providers working together. For example: ensuring your expense reporting system can interact with your financial system
- Resiliency - Performance - Availability
- This is the ability of the cloud infrastructure to withstand disruptive events - This is how well the cloud service can stand up to demands of the customer - This is what percentage of the time the cloud service is up and running and meeting customer needs
- Preset Locks - Cipher Locks - Biometric Locks - Card reader locks
- This is the name for your regular, key-based lock on a door - This is the name for a keypad lock requiring a number combination to be entered - This lock requires something like a thumbprint - These locks require a magnetic stripe or proximity card to unlock
- Expanded Environmental Envelope 1. High Humidity: if condensation forms inside electronic equipment, it can cause shorts and failures. 2. Low Humidity: this can cause static electricity buildup - Humidity is measured by Dew Point. An acceptable range is between 41.9 - 50 degrees F
- This is the term for allowing data centers to be maintained at a temperature between 64.4 - 80.6 degrees F. Previously, data centers were kept at frigid temperatures which consumed massive amounts of electricity, but hardware has become more tolerant of higher temperatures. - What are two other environmental considerations which must be avoided? - How is this second issue measured?
- Continuous Security Monitoring 1. Define: states your policy and strategy 2. Establish: define metrics and assessment frequencies 3. Implement: collect metrics perform assessments, and build reports (should be automated as much as possible) 4. Analyze and Report: examine & respond to findings 5. Respond: do this as necessary after previous set 6. Review/Update: also done as needed
- This is usually done in addition to reviewing log files and is a more real-time and proactive method of security - What are the six steps in this process?
- Vendor Lock-in - Vendor Lock-out
- This is when a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints. - This is when a customer is unable to access their data because a cloud vendor has gone out of business or otherwise left the marketplace.
- Multivendor Connectivity - Tenant Partitioning
- This is when you have multiple physical network connections available from different ISPs in order to ensure greater availability in case one connection is disrupted. It reduces the likelihood that a single disruption will cause your cloud services to go down. - When running a cloud data center, this is the process of logically separating your clients' resources & data from each other
1. Configure security policies 2. Manage updates & patches 3. Harden configurations 4. Lock down firewalls 5. Disable default accounts - "apt-get update" preceded by "sudo" will retrieve a list of update packages, while "apt-get upgrade" will download & install them - "yum"
- What are five things you should do for OS security? - What command would you run on most Linux systems to update or patch the OS? - What is another update command sometimes used in Linux systems?
- Class A: common combustibles such as wood, cloth, and trash - Class B: flammable liquids like gasoline and oil - Class C: electrical fires (useful for data centers) - Class D: heavy metal fires (industrial applications) - Class K: kitchen fires (fats and oils) 1. Wet Pipe System: water is constantly kept in the pipes. This is not favorable for a data center since a ruptured pipe can cause severe damage to electronic equipment. 2. Dry Pipe System: pipes do not contain water until a valve opens during a fire alarm
- What are the five types of fire extinguishers? Keep in mind that some types of extinguishers can meet multiple types, and this will be mentioned on its label. - What are two methods of facility fire suppression systems?
1. Create: where the data owner is identified; new data is generated, either directly in the cloud or in an on-premises system that will move to the cloud. Also includes modifications to existing data. 2. Store: data is placed into one or more storage systems (e.g. block or object cloud storage) 3. Use: where active use of the data takes place. Users view and process the data. 4. Share: data is made available to other people through one or more sharing mechanisms, such as providing a link to a file or modifying access controls 5. Archive: when data is no longer being actively used. It is retained in long term storage and not immediately accessible but can be restored if necessary 6. Destroy: data is destroyed when no longer needed. Should take place using a secure method. - Not all of these steps are followed in order, and not every piece of data will use all of these steps
- What are the six stages of the Cloud Data Lifecycle? - What is something to keep in mind in terms of use with the Cloud Data Lifecycle?
1. Block Storage: allocates a large chunk of storage for access as a disk volume managed by the OS 2. File Storage: data stored and displayed as a file structure like in the legacy environment with hierarchical and naming functions - Object Storage: stores files as individual objects managed by the Cloud Service Provider. The client uploads files, and the provider has to figure out how to store them. Allows for significant level of description (marking, labels, classification, etc) - Both volume and object - Object storage is much less expensive b/c you are only paying for the storage you are using rather than paying for the equivalent of an entire disk drive
- What are the two types of volume storage in the cloud? - What is the alternative to volume storage, usually associated with IaaS? - Which type of storage do Enterprise environments commonly need? - Which type of storage is less expensive?
1. Accountability or Identity Attribution: who caused the event? 2. Traceability: uncover all other related events. 3. Auditability: provide clear documentation of the events - SIEM (Security Information and Event Management) - The SIEM has access to all logs from across the entire organization so no information is siloed by different departments 1. Act as a central, secure collection point for logs. Programs and systems send their logs directly to the SIEM, which stores the logs securely 2. Apply AI to correlate the log entries and detect patterns other systems might miss
- What are three important objectives of logging? - What is something which utilizes AI to assist with analyzing log files? - What is a major advantage of these? - What two major functions do these serve in enterprise networks?
1. Structured Data: data stores that use a rigid design structure, such as relational databases and highly structured file servers 2. Unstructured Data: doesn't have a rigid organization. Requires more thoughtful attention during data discovery 1. Automated Tools: search for data containing recognizable patterns, keywords, or metadata flags 2. Manual Review: typically done in high-risk repositories.
- What are two types of data that can be stored in an organization? - What are two ways to accomplish data mapping?
- HMAC (Hash-Based Message Authentication Code) - With the user's PRIVATE key, then decrypted with the recipient's public key - A digital signature; it is simply a message digest encrypted with the sender's private key
- What combines symmetric cryptography with hashes to provide authentication and integrity for message? - How are these hashes encrypted? - What is this output called?
- Message Digest - MD5 - SHA-3 - RIPEMD
- What is another term for Hash? - Which 128-bit hashing algorithm was created by Ron Rivest in 1991, but is now insecure? - Which (still secure) algorithm was created by NIST and uses the Keccak algorithm? - Which algorithm of Belgian origin was created as an alternative to the above, for those who are leery of using an algorithm created by the US gov't, and supports Bitcoin transactions?
- X.509 1. Create a CSR (Certificate Signing Request) which contains the requestor's public key 2. Send the CSR to a CA (Certificate Authority) 3. The CA verifies identity of the requestor 4. Once verified, the CA creates the X.509 certificate and digitally signs it using the CA's private key, then sends the certificate back to the requestor
- What standard is used for creating digital signatures? - What are the four steps in obtaining a digital certificate?
- Oversubscription - Resource pooling; different customers usually have different usage peaks and valleys, and do not need the full capacity all the time. If multiple clients do end up requiring resources all at the same time, however, degraded performance can occur
- When capacity of a cloud environment sold to clients exceeds the actual capacity - What makes this possible while still providing availability to clients?
- Type 1 or bare-metal - Type 2
- Which type of hypervisor runs directly on top of the hardware and hosts guest OSs on top of that? This is the most common type of virtualization found in cloud data centers and in the cloud - With this type of hypervisor, the physical machine runs an OS of its own and the hypervisor runs as a program on top of the OS. This is commonly used on PCs
- The customer. The vendor provides all hardware, but not logical resources such as software - The vendor
- Who is responsible for all logical resources, such as software, in an IaaS service model? - Who is responsible for administering, patching, and updating the OS in a PaaS service model?
- Cloud Service Providers - Cloud Service Partners
- Who provides cloud computing services for sale to third parties? - Who provides add-on services to cloud computing?
1. ISO 27017 2. ISO 27018:2014 3. ISO/IEC 27034-1 4. ISO/IEC 27043:2015 5. ISO/IEC 27050-1 - ENISA - Cloud Computing: Benefits, Risks, and Recommendations. It outlines the top 8 security risks of cloud computing based on likelihood and impact.
1. This is the international standard for providing guidance for cloud security 2. This standard addresses privacy aspects of cloud computing for consumers 3. This is one of the most widely accepted set of standards and guidelines for secure software development 4. This standard provides procedures for incident investigation principles and processes 5. This standard addresses acquisition of forensic artifacts - This agency is the European counterpart to NIST, but its publication are not as widely accepted - What cloud-related document did this agency create and what is it known for?
Data Dispersion
A core principal of business continuity which states that important data should always be stored in more than one location to ensure that a copy of the data exists even if a copy is destroyed
CASB (Cloud Access Security Broker)
A software tool or service that enforces cloud-based security requirements such as IAM (Identity and Access Management). It is placed between the organization's resources and the cloud, monitors all network traffic, and can enforce security policies.
Serverless Computing
This is a cloud-hosted execution environment that runs your code or app but abstracts the underlying hosting environment. You create an instance of the service and you add your code. No infrastructure configuration or maintenance is required, or even allowed. Your code or app runs only when triggered by an event such as a REST endpoint, a periodic timer, or even a message received from another service.
Management Plane
This is a separate network, created by administrators, specifically for management of underlying hardware required for cloud services. It is highly restricted and dedicated for admin use. Allows an administrator to remotely manage a fleet of servers
Machine Learning (ML)
This is a subset of artificial intelligence. It is data analysis that automates data model building. It uses algorithms that learn iteratively from data and can find insights without explicit programming. It's a technical discipline designed to apply the principles of computer science and statistics to uncover knowledge that's hidden in data we accumulate every day. It helps to uncover trends and categorize data.
Homomorphic Encryption
This technology is still theoretic. It would enable processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
1. Descriptive analytics: merely seeks to describe data. For example, doing this on your customer records you would ask questions such as how many customer are female and what % are repeat customers? 2. Predictive analytics: seeks to predict future events by analyzing data. 3. Prescriptive analytics: seek to optimize our behavior by simulating many different scenarios. For example, figuring out how best to use marketing funds by running simulations of consumer response and then using algorithms to prescribe behavior.
What are several types of analytics in Machine Learning (ML)?
1. Block storage can use either magnetic drives (cheaper but slower) or solid state drives (faster but more expensive) 2. Object storage can be optimized for high availability (files are always immediately available but more expensive) or archival (may take hours to spin your files up for use but this is cheaper)
What are some cloud storage classes for both block and object storage?
- Ubiquitous: the resources are everywhere and can be accessed by a client with an internet connection - Convenient: easy for the client to use - On-demand: available whenever the client needs to use it and can be upgraded easily; for example, adding a new virtual with a few mouse clicks - Minimal management effort by client and minimal interaction with the cloud service provider; when you need to add that virtual server, you can do it easily yourself and do not need to send a request to AWS or speak to an AWS representative
What are some features of cloud computing as defined by NIST?
1. Build databases on virtualized servers. Most similar to on-premises operations. Requires customer management of servers and databases. 2. Managed database service. Customer requests database from cloud provider using platform of choice (Access, MySQL, etc). Cloud provider has to obtain licenses and administer database. More expensive than first option. 3. Use a cloud-native database. Designed specifically for cloud environment. Could be a relational DB, key-value store, Graph DB, etc. Offers high degree of cloud customization. Places management burden on cloud provider. May require retooling existing applications to work with the database.
What are the types of Cloud Database options?
1. Common Criteria technology certification. This is actually an ISO standard 15-408, which describes a certification program for technology, products, and services. Mostly applies to hardware and software products instead of services. 2. The FedRAMP program (Risk and Authorization Management) is a centralized approach to certifying cloud service providers. It is run by the US General Services Administration and certifies the security of cloud services. Vendors can go to this single source for a certification which applies across the US government. 3. FIPS 140-2: Describes the process used to approve cryptographic implementations for use in government applications. Any cryptographic algorithms used must in compliance.
What are three federal government programs which are of interest to cloud security professionals?
1. Preservation: preventing any records from being deleted or altered. This includes stopping any automated processes which may affect or delete the data. 2. Collection: gathering the data & files 3. Production: presenting the data & files to the other side
What are three major steps in the Electronic Discovery or eDiscovery process?
1. The CRL (Certificate Revocation List): the CA places the serial number of the certificate to be revoked on the list. This often has time delays and can be slow if everyone is constantly downloading the latest CRL from each CA 2. The OCSP (Online Certificate Status Protocol): CAs provide a real-time service that allows users to verify that a certificate is not revoked. Most modern web browsers use this method, except Google Chrome which uses its own proprietary method
What are two methods of revoking a digital certificate?
1. Raw disk storage: permanently allocated storage space that exists independently of a server instance 2. Ephemeral storage: temporary storage associated with a specific instance that is destroyed when the instance is stopped. This is faster, but temporary storage only
What are two types of block storage?
1. Network-based CASB: broker intercepts traffic between the user and cloud service, monitoring for security issues. Broker can block requests. 2. API-based CASB: broker does not sit in line of communication between user and cloud. Broker queries cloud service via API. May not be able to block requests, depending on API capabilities.
What are two ways CASBs (Cloud Access Security Brokers) work?
Cost-Benefit Analysis
What should a client perform to determine if they should move to a cloud environment and which model they should select?
APIs
What technology do cloud orchestration services use to interact with cloud service providers? These are coding components which allow applications to speak to each other, generally through a web interface
1. Data Retention: specify the minimum and maximum amount of time various data elements will be kept 2. Archiving: procedures and mechanism for long-term storage of inactive data 3. Deletion: techniques for destroying data that is no longer needed
What three issues should a Data Lifecycle Policy address?
1. Governance: ensures effective oversight of cloud use in an organization. This is how vendors are vetted and relationships are managed 2. Auditability: a contract should state that a customer has the right to audit their cloud service provider 3. Regulatory Oversight: any customer subject to regulations such as HIPAA, PCI, etc, needs to ensure their cloud service provider is also in compliance with them
What three security and privacy conerns are introduced with a cloud environment in addition to the standard CIA triad?
Cloud Bursting
When a company uses its own computing infrastructure for normal usage and accesses the cloud when it needs to scale for high/peak load requirements, ensuring a sudden spike in usage does not result in poor performance or system crashes.