3.1 Flashcards
Cloud infrastructures, network infrastructure concepts, other infrastructure concepts, infrastructure considerations
When using a cloud responsibility matrix, how do you know who is responsible for security?
Each CSP has their own policies
Contractual agreements
5 security considerations when using a hybrid cloud (more than one CSP for additional clouds)
Authentication across platforms
Firewall configurations
Server settings
The three items above need to match between clouds
Log monitoring - each CSP might have different types of logs using different terminology
Data leakage - data is constantly transferred from one cloud to another across the public internet
Enables the management and maintenance of security for third-party technologies/applications implemented in your organization’s private cloud
Vendor risk management policy
True/False
You must perform a third-party impact assessment for incident response
True
True/False
You can trust third parties to have robust security practices, so you don’t need to constantly monitor them for unusual activity or changes in availability
False
You cannot trust that third parties have not been compromised, so you always need to be monitoring them.
A method of defining cloud infrastructure (servers, networks, application instances, databases) as code, rather than as hardware.
This allows the administrator to quickly build, modify, and create versions of the infrastructure
Infrastructure as code
True/False
IaC allows an administrator to build out code and then copy/paste this layout to other CSPs. This way, the administrator can create their perfect layout and use it again and again.
True
FaaS stands for
Function as a Service
A cloud computing service where an application instance is serverless.
Instead of accessing the application, you are accessing only the individual, autonomous functions of the application (the microservices).
This method removes the emphasis on the OS. These microservices can run on any OS needed.
FaaS
How does serverless FaaS work?
Developers separate applications into individual, autonomous functions that are stored in the cloud server
Once the function is no longer needed, it is removed from the cloud
Why is it called serverless?
Because the developers do not need to worry about server infrastructure or server space.
Backend computing is provided on an as-used basis.
Difference between IaaS, PaaS, and serverless
IaaS is paid for as pre-purchased units of capacity. The client can set up a data collection system, etc.
PaaS charges the client for the resources used. However, the client must request more resources from the provider. The client does not have to set up the OS or anything about the underlying infrastructure. It is used for building apps.
Serverless is paid for on an as-used basis. Resources are automatically scaled. There is no backend/resource management at all. Serverless microservices are much more lightweight than PaaS applications, so it is faster.
True/False
In serverless architecture, ALL security concerns are the responsibility of the third party
True
True/False
In serverless architecture, microservices can be triggered and ephemeral
True
An application that is built as a single unified unit. It does everything, and all code needs to be present for the application to execute correctly. Takes care of user interface, business logic, I/O, etc.
It is self-contained and independent of other applications. It is made from ONE code base.
Monolithic application
What enables the use of microservices in cloud architecture? It acts as the “glue” between microservices.
It allows you to programmatically control the way that an application works
APIs
True/False
In comparison to a monolithic architecture, microservice architecture is more secure, more resilient, and more scalable.
True
A physical or digital separation that prevents a system from being reached by anyone or anything.
This means that this device also cannot connect to other computers or networks either wirelessly or physically.
Air gap
Why would an organization utilize air gapping?
Separate database servers and web servers
A managed service provider might use it to put one customer on one switch, and a different customer on another, physically isolated switch
It prevents attackers from gaining access
Describe physical segmentation
Each segment has its own separate physical devices and infrastructure. Not easily scalable, since more segments means more hardware is needed.
Describe logical segmentation
VLANs are used. You can configure one switch to have a group of interfaces belong to VLAN A, and the other group of interfaces to belong to VLAN B. This saves on hardware costs and is more scalable than physical segmentation.
True/False
Because logical segments are connected by the same physical switch, the VLANs have an inherent ability to communicate with each other.
False
The segmented VLANs need a Layer 3 device/router to communicate.
SDN stands for
Software-Defined Networking
The 3 functional planes involved in SDN
Data plane
Control plane
Management plane
The functional plane that:
Processes network frames and packets
Forwards packets
Enables trunking, encryption, and NAT
Data plane
The functional plane that:
Manages routing tables, session tables, NAT tables
Executes dynamic routing protocol updates
Tells the data plane how to get data from point A to point B
Control plane
The functional plane that:
Enables configuration changes for the device through SSH, a browser, or an API
Management plane
True/False
Logically separating networking devices into multiple control planes allows you to extend the functionality and management of a single device, as well as use the device for the cloud.
True
A network architecture created by separating network devices into logical functional planes.
SDN
True/False
It is easier to secure a decentralized network than a centralized network
False
It’s difficult to manage diverse systems, especially when they’re in separate physical locations
True/False
Using a centralized management console to control the security of decentralized/diverse devices can introduce a single point of failure and potential performance issues due to lack of scalability.
True
What is the main challenge with virtualization/VMs?
Each VM needs to have its own OS, even if every VM is identical.
This adds overhead and complexity, and causes virtualization to be expensive.
VMs can sometimes be inefficient, especially when the organization runs multiple identical VMs. What solves this problem?
Using containers instead of VMs
How do containers solve the VM inefficiency problem?
Multiple applications can run simultaneously on one OS/hardware.
Each container has only the application, no OS. It uses the OS on the host machine.
True/False
Containers are self-contained and cannot interact with each other, even if they are operating on the same machine. Just like VMs.
True
SCADA stands for
Supervisory Control and Data Acquisition System
SCADA is AKA
ICS
ICS stands for
Industrial Control System
How do you secure SCADA/ICS?
Extensive segmentation
NO access should come from outside! Compromise can affect the system severely.
RTOS stands for
Real-Time Operating System
An OS where no one process can take complete control over the device’s resources
Non-deterministic OS
Does industrial/manufacturing/automobile/military equipment commonly use deterministic or non-deterministic OSs?
Deterministic
An OS that may allow one process to take complete control over the device’s resources.
Deterministic OS
Why can deterministic OSs be helpful in some situations?
Some processes MUST take priority for safety. For example, when you press your brake while driving your car, that will take priority over everything else.
True/False
Security is critical in RTOSs because the operations they perform are essential
True
A small device that’s part of a larger device, machine, or system, and is designed to control a specific function within it. They are less complex than computers and only exist inside other systems.
They normally have only a limited number of tasks they can perform, but advanced ones can control entire OSs.
Embedded system
True/False
Embedded systems are often created/built for ONE sole purpose, and to do that thing very well and efficiently.
True
Examples of embedded systems
Traffic light controllers
Digital watches
Medical imaging systems
HA means that something is ____ available.
ALWAYS
MTTR stands for
Mean Time to Repair
The average time it takes to fix a system/piece of equipment after it has failed
Mean Time to Repair
A metric that measures how quickly a system delivers responses after having been given a request
Responsiveness
A metric measuring the ease with which you can increase or decrease capacity for use.
Scalability
The ability to automatically acquire and release resources as needed to meet changing demands
Elasticity
Difference between scalability and elasticity
Scalability deals with long-term changes
Elasticity deals with short-term, daily changes
True/False
When scaling your network infrastructure according to demand, it is important to also extend the security functions of your network
True
The act of transferring risk to a third party
Risk transference
Cybersecurity insurance is a method of
Risk transference
True/False
An organization that rarely patches is a significant security concern.
True
What types of systems often do not have patches released for them?
Embedded systems
e.g. HVAC controls, time clocks
True/False
Because embedded systems almost never have patches available, it is recommended to implement additional security measures around them, e.g. firewalls
True
UPS stands for
Uninterruptible Power Supply
The component that provides the heavy lifting in processing
Compute component
True/False
The compute component is AKA a CPU
False
The compute component is more than just a single CPU.
In a cloud architecture, the component that does the actual thinking and processing of the data.
It may be a single processor in a datacenter, or it may be multiple CPUs across multiple clouds.
Using this in a multi-cloud architecture (as referenced above) enhances scalability with the cost of some additional complexity.
Compute engine