2.1 Configuration management Flashcards

1
Q

Why is configuration management important?

A

Because OS and application updates, network modifications, new application instances, etc. may have an impact on security.

2
Q

Why is documentation important in configuration management?

A

It is important to identify and document hardware & software settings so that those systems can be rebuilt if a disaster occurs.

3
Q

What type of documentation is needed & important in network configuration management?

A
  • Network diagram: documents the physical wires and devices, to know what is connected to what
  • Physical data center layout (inc. physical rack location)
  • Device diagrams: give detail on where things are connected, to identify & track the path a wire takes from beginning to end
4
Q

What type of documentation is needed & important in application configuration management?

A

It is important to document the way the application is designed. Documents such as firewall settings, patch levels and OS file versions are important and may require constant updates.

5
Q

Why is it important to adopt a standard naming convention when documenting?

A

Creating a standard within an organization, such as asset tag names & numbers, computer names (+ location), serial numbers, labels on switches and routers, and domain configuration (usernames, email), makes things easier for everyone to understand during maintenance or disasters.

6
Q

What is an IP schema?

A

An IP address plan or model that helps avoid duplicate IP addressing, with information like the number of subnets, hosts per subnet, IP ranges, and reserved addresses (printers, routers, users).

7
Q

Where can data be located within an organization?

A

Everywhere: on a storage drive, on the network, or in the CPU of a system.

8
Q

What are the different ways to protect data?

A
  • Encryption
  • Security policies
  • Data permissions (not everyone has the same access)
9
Q

What is data sovereignty?

A

Data that resides in a country is subject to the laws of that country.
Laws may restrict where data is stored (compliance laws may prohibit moving data out of the country) and what type of data can be kept (GDPR).

10
Q

What is data masking as a way to protect data?

A

Hiding some of the original data (e.g. ***5428 for a credit card number).

11
Q

What is data encryption as a way to protect data?

A

Encoding information into unreadable data (from plaintext to ciphertext).
If one character of the plaintext input is changed, many characters of the ciphertext output change.

12
Q

What is data at-rest and how to protect it?

A

It refers to data on a storage device (hard drive, SSD, flash drive, etc.). To protect this data, we may need to:
- Encrypt the data (disk encryption, DB encryption, file/folder level encryption)
- Apply permissions (access control list)

13
Q

What is data in-transit and how to protect it?

A

It refers to data transmitted over the network. To protect this data, we may need to:
- Set up a network-based protection (firewall, IPS)
- Provide transport encryption (TLS/SSL, IPsec)

14
Q

What is data in-use and how to protect it?

A

It refers to data actively being processed in memory (system memory, CPU registers and cache); this data is almost always decrypted (otherwise we couldn’t do anything with it).
Attackers can pick decrypted information out of RAM.

15
Q

What is tokenization when you want to protect data?

A

When sensitive data is replaced with non-sensitive data. It is commonly used with credit card processing (a temporary token is used during payment, so an attacker capturing the card number can’t use it later).
This is not encryption or hashing.

16
Q

What is Information Rights Management (IRM) in data protection?

A

Restricting data access for unauthorized persons, for example by:
- preventing copy/paste
- controlling screenshots
- managing printing
- restricting editing.

The goal of IRM is to limit the scope of what people can do with a document, so that an attacker will only be able to manipulate the document within that user’s permissions.

17
Q

What is Data Loss Prevention (DLP)?

A

DLP systems make sure that users do not send sensitive or critical information outside the corporate network. It can be set up on:
- the computer: USB blocking
- the network (to analyze packets)
- the server (data at-rest)
- cloud-based DLP: located between the users and the internet (watches every byte of network traffic): blocks viruses & malware, manages access to URLs
- email: looks at inbound and outbound traffic (blocks keywords, identifies impostors, employee information, etc.)

18
Q

Managing security: why are geographical considerations important?

A
  • Legal implications: regulations between states (data, etc.)
  • Offsite backup: whether the organization owns the site or uses a 3rd-party site, and how to access it
  • Offsite recovery
19
Q

Managing security: what are response and recovery controls?

A

They focus on returning things to normal following a security incident and limiting the impact of an attacker.

An incident response plan should be established, and the incident investigation (root cause, containing the attack, etc.) must be documented.

20
Q

Managing security: what is SSL/TLS inspection?

A

It is commonly used to examine outgoing SSL/TLS traffic (e.g. from your computer to your bank). With a special type of configuration, the admin can intercept all traffic, decrypt it (with an SSL decryption device) and scan it.

21
Q

Managing security: what is hashing?

A

It represents data as a short string of text. It’s a one-way trip.

22
Q

Managing security: how to secure an API?

A
  • Authentication: limit API access to legitimate users, use secure protocols
  • Authorization: the API should not allow extended access; each user has a limited role
  • WAF: apply rules to API communication
23
Q

Site resiliency: what is it?

A

Site resilience means that if the solution fails in the first datacenter, there is still a second datacenter that can take over and continue servicing users. Therefore, with site resilience the solution will fail only when both datacenters fail.

24
Q

Site resiliency: what is a hot site?

A

An exact replica of our data center (inc. hardware) with applications and software constantly updated (automated replication).

25
Q

Site resiliency: what is a cold site?

A

An empty site with no hardware, data or applications (an empty room).

26
Q

Site resiliency: what is a warm site?

A

Somewhere in the middle between a cold and a hot site, e.g. a room with rack space where hardware is ready and waiting.

27
Q

Honeypots & Deception: what is a honeypot?

A

A honeypot is a security mechanism that creates a virtual trap to lure attackers. An intentionally compromised computer system allows attackers to exploit vulnerabilities so you can study them to improve your security policies.

28
Q

Honeypots & Deception: what are honeyfiles and honeynets?

A
  • Honeynets: multiple honeypots on a network, to have more than one source of information
  • Honeyfiles: a file that might be interesting to an attacker (e.g. password.txt); an alert is sent if the file is accessed
29
Q

Honeypots & Deception: what is fake telemetry?

A

It refers to making malware look benign in order to bypass the machine learning process. Once the training is over, attackers can then send their malicious software through, and the machine will not be able to identify it.

30
Q

Honeypots & Deception: what is a DNS sinkhole?

A

DNS sinkholing is a mechanism aimed at protecting users by intercepting DNS requests attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled, IP address.