CCSK - V4 and ENISA (Quizlet)

Question 1

What is the standard cloud computing model used here?

Answer 1

NIST (National Institute of Standards and Technology, a US federal agency); the ISO definition is similar.

Question 2

What are the five essential characteristics that NIST uses to define cloud computing?

Answer 2

1) broad network access 2) rapid elasticity 3) measured service 4) on-demand self service 5) resource pooling

Question 3

What are the four cloud deployment models defined by NIST?

Answer 3

1) Public 2) Private 3) Hybrid 4) Community

Question 4

What is a cloud broker?

Answer 4

Entity that manages the use, performance, and delivery of cloud services (and negotiates relationship with customer)

Question 5

What is the Jericho Cloud Cube Model?

Answer 5

Four dimensions to differentiate cloud (or IT) formations:

1) External/Internal (physical location)
2) Proprietary/Open (technology)
3) Perimiterized/De-perimiterized (within firewall)
4) Outsourced/Insourced

Question 6

What is the CSA Cloud Reference Model?

Answer 6

The service models fit in an architectural framework (where APIs are an important access mechanism)

Question 7

What is Multi-tenancy (in the ISO definition)

Answer 7

The characteristic of multiple independent consumers sharing resources, which implies a need for certain controls.

Question 8

What are SLAs for?

Answer 8

Important control to allocate responsibility between consumer and provider. Shared responsibility model.

Question 9

How do characteristics introduce risk?

Answer 9

Broad network access introduces the client device and the network as new sources of risk. Rapid Elasticity brings availability risks. Measured service can bring licensing risk. Resource pooling brings isolation related risks. On-demand self service introduces risks around who can control what.

Question 10

What are Security concerns for hypervisor architecture?

Answer 10

VM hosts and guests need to be hardened; Hypervisor software and provenance is highest risk area.

Question 11

What do you need to know about AV?

Answer 11

Don’t run AV scan inside VM; use hypervisor aware products.

Question 12

What are blind spots?

Answer 12

Inter VM communication may not be visible in the physical network (i.e. through virtual switch or side channel) leading to blind spots.

Question 12

What are blind spots?

Answer 12

Inter VM communication may not be visible in the physical network (i.e. through virtual switch or side channel) leading to blind spots.

Question 13

What are VM isolation (compartmentalization) techniques?

Answer 13

LANs, IDS/IPS, Firewalls, zoning (combinations may be required for complian

Question 14

How can VM persistent storage leak risk (safe destruction) be countered?

Answer 14

Storage level encryption

Question 15

What is VM image risk?

Answer 15

Too many different images (sprawl) and images that are not up to date (staleness)

Question 16

What is Commingling?

Answer 16

Sensitive data may be in non compliant zones.

Question 17

Why is asset management more complicated?

Answer 17

Asset management for audit/monitoring is complicated by the extra need need to track hosts as well as guests and images.

Question 18

What is OVF?

Answer 18

Open Virtualization Format (helps ensure interoperability)

Question 19

What is a instant-on gap?

Answer 19

Securely configured VM when off but vulnerable by the time it is started.

Question 20

How does In-Motion VM characteristics create complexity for audits?

Answer 20

The unique ability to move virtual machines from one physical server to another creates a complexity for audits and security monitoring. In many cases, virtual machines can be relocated to another physical server (regardless of geographic location) without creating an alert or track-able audit trail.

Question 21

What are four D’s of perimeter security?

Answer 21

Deter, Detect, Delay and Deny

Question 22

How are service levels established?

Answer 22

Documentation should make clear how service levels are maintained in the face of technical, natural, and malicious threats.

Question 23

How is risk associated with a real person and a real machine doing the work on a real location in the cloud managed?

Answer 23

BCM (Business Continuity Management) aims to reduce risk in this area.

Question 24

Is automation of logging and reporting required (especially over multi-site datacenters)?

Answer 24

Yes

Question 25

What are the six phases of the Data Security Lifecycle and their key elements?

Answer 25

The six phases of the data lifecycle with their top controls are create (classify), store (encryption), use (logical controls), share (DLP, encryption), archive (asset management), destroy (crypto shredding).

Question 26

What are data at rest security options?

Answer 26

1) Data dispersion/fragmentation (spread over multiple disks) 2) Replication (multiple copies) 3) Encryption

Question 27

Which locations can data in motion encryption be applied?

Answer 27

1) Application (server and/or client side encryption) 2) Link (for example: HTTPS, VPN) 3) Proxy based encryption (related to DLP

Question 28

What are all data in motion security options?

Answer 28

Data can be protected by access controls, encryption, database and file monitoring, URL or content based filtering (Data Loss or Leakage Prevention)

Question 29

Why are data abstraction levels important?

Answer 29

Distinguish raw storage, volume storage, object storage, database, CDN (each of these abstractions has its own Features, Risks, Threats, and Control opportunity)

Question 30

What is Portability?

Answer 30

The ease with which applications and data can be moved to a different provider (or into the cloud in the first place)

Question 31

What is Interoperability?

Answer 31

Elements of the cloud ecosystem working together

Question 32

What is an example of how open standards can ease interoperability (and portability)?

Answer 32

SAML

Question 33

How can lock-in risk be mitigated?

Answer 33

Portability

Question 34

What is WS-Security for?

Answer 34

WS-Security is for securing web services.

Question 35

What is SAML for?

Answer 35

SAML is for making identities portable and inter-operable.

Question 36

What is Portability solution for IaaS?

Answer 36

OVF (open virtualization format) - open standard virtual machine images

Question 37

What is Portability solution for PaaS?

Answer 37

Open API

Question 38

What should be included in every service offering?

Answer 38

IR functionality should be engineered into any service offering. Up to date contact lists. Responsibilities shift across service models. Virtualization can make IR and forensics easier, including offline analysis. IR readiness is something to check on an (internal) audit.

Question 39

What is the main data source for analysis of an incident?

Answer 39

Logging.

Question 40

How can incidents and/or their impact be reduced?

Answer 40

Customer specific application logs

Question 41

What is the IR (Incident Response) lifecycle?

Answer 41

Preparation, detection & analysis, containment, eradication & recovery

Question 42

How often should IR testing be performed?

Answer 42

At least annually

Question 43

What is ENISA?

Answer 43

European Network and Information Security Agency

Question 44

What are the top 8 risks according to ENISA?

Answer 44

``` LOSS OF GOVERNANCE (cloud provider does not commit to necessary task) LOCK-IN (vendor lock-in) ISOLATION FAILURE (one tenant influences another) COMPLIANCE RISKS (audit impossible, or no evidence) MANAGEMENT INTERFACE COMPROMISE DATA PROTECTION (protection cannot be demonstrated) INSECURE OR INCOMPLETE DATA DELETION MALICIOUS INSIDER (cloud provider or auditor) ```

Question 45

What are the key legal issues common across all scenarios?

Answer 45

Data protection, confidentiality, intellectual property, professional negligence, outsourcing services and changes in control

Question 46

What is the underlying vulnerability in Loss of Governance?

Answer 46

Provider does not commit to controls only they can do

Question 47

What is user provisioning vulnerability?

Answer 47

Loss of control over user rights

Question 48

What is the risk of a cloud provider being acquired?

Answer 48

New owner may not want to serve existing customers.

Question 49

In Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring?

Answer 49

Consumer

Question 50

What is isolation failure?

Answer 50

This is where multi-tenancy and resource sharing are defining characteristics of the cloud. Thus it is entirely likely for competing companies to be using the same cloud services, in effect, running their workloads shoulder-to-shoulder. Keeping memory, storage, and network access isolated is essential.

Question 51

What is a data controller?

Answer 51

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

Question 52

What is a data processor?

Answer 52

A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Question 53

What is Economic Denial of Service?

Answer 53

An attacker uses a public channel to use up the customer's metered resources - for example, where the customer pays per HTTP request, a DDoS attack can have this effect.

Question 54

What are the main reasons for encryption?

Answer 54

1) Compliance 2) Threats (including system admins) 3) Provable deletion

Question 55

Who should be in control of encryption key management?

Answer 55

The consumer (different entities/users should have different keys).

Question 56

What are alternatives to encryption?

Answer 56

1) Tokenization (token instead of sensitive info) 2) Masking/anonymization (concealment of sensitive info) 3) Cloud based access/database controls Proprietary encryption techniques should be avoided.

Question 57

What is the first step in cloud security?

Answer 57

A good threat and risk modeling process

Question 58

What are examples of cloud specific threats/risks?

Answer 58

1) External providers (e.g. auditors that need to look at log files) 2) Broad network accessibility (e.g. malicious actors or DDOS) 3) IaaS available (e.g. size breaks hardware) 4) API and other supply chain dependencies

Question 59

What is IdEA?

Answer 59

Identity, entitlement, and access management

Question 60

What threats does IdEA (identity, entitlement, and access management) protect against?

Answer 60

spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE)

Question 61

Does cloud security require require attention across the entire software development life cycle (SDLC) from design to operation?

Answer 61

Yes

Question 62

What helps with with multiple attributes as input for access decisions?

Answer 62

Entitlement matrix

Question 63

What is an example of a threat model?

Answer 63

STRIDE

Question 64

Does remote vulnerability testing (i.e. penetration testing) ever need to be coordinated with the provider?

Answer 64

Yes

Question 65

What is Federated Identify Management for?

Answer 65

Federated identity management is about splitting the role of the identity provider from that of the relying parties to allow control over user access

Question 66

How does Federated Identify Management help?

Answer 66

1) Supports consumer compliance 2) Reduces provider cost *SSO (Single Sign on) is a use case

Question 67

What are common Federated Identify Management technologies?

Answer 67

1) OpenID 2) Oauth-AD sync 3) ADFS-SAML

Question 68

What is a big security issue related to Federated Identify Management?

Answer 68

Directories of identity providers are likely to contain PII (Personally Identifiable Information) or SPI (Sensitive Personal Information)

Question 69

Who is Authorization provided by with respect to Federated Identify Management?

Answer 69

The relying party

Question 70

Identities have attributes that can be part of authentication and authorization decisions: name, age, location, device, etc - where do these come from?

Answer 70

All these may be provisioned from different sources.

Question 71

What is PEP?

Answer 71

Policy Enforcement Point - Point which intercepts user's access request to a resource, makes a decision request to the PDP (Policy Decision Point) to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision. PEP is likely to be application specific or on a network device.

Question 72

Who is the authoritative for identity with respect to Federated Identify Management?

Answer 72

Identity provider is authoritative for identity.

Question 73

What are relevant Federated Identify Management standards?

Answer 73

SAML and WS-Federation, XACML, OpenID, Oauth

Question 74

What is security as a service (SECaaS)?

Answer 74

SECaaS includes monitoring and control servers for security functions, such as intrusion detection, externally placed web and spam filtering, authentication, and more. Same pros and cons as cloud computing in general.

Question 75

When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?

Answer 75

Quality of reports and/or reporting

Question 76

What do you protect with encryption?

Answer 76

Data

Question 77

What do you protect against with encryption?

Answer 77

Threats. With encryption you typically do not handle availability risks, you handle confidentiality and some integrity risks.

Question 78

What is the residual risk after encryption?

Answer 78

Protection of the encryption key and availability of the key management.

Question 79

What are Information risks classified into?

Answer 79

Confidentiality risks, integrity risks and availability risks.

Question 80

What are associated risks to IT but not specific to it?

Answer 80

Legal risks, third-party risks, compliance risks

Question 81

What are risk mitigation approaches?

Answer 81

Avoid, transfer, mitigate, accept. Risk management includes making sure all relevant risks are identified and treated.

Question 82

What is the risk management process about?

Answer 82

Identifying risks (e.g. through a threat model), qualifying and prioritizing them, and recording the evidence of their mitigation, if any.

Question 83

What is an ISMS?

Answer 83

Information security management system

Question 84

Why is continuous attention to transparency on supply chain essential?

Answer 84

Every organization is part of a cloud supply chain which introduces third party risk

Question 85

What are traditional methods of risk management and audit?

Answer 85

Scanning, penetration testing, and machine level logs. A cloud provider may restrict that, so new ways to do risk management must be found.

Question 86

What do industry standard risk management practices include?

Answer 86

ISO 27000 series, NIST and the CSA cloud controls matrix.

Question 87

What are the three dimensions of legal issues?

Answer 87

1) Functional - what does the service do for the consumer 2) Jurisdictional - location implies jurisdiction, implies rules on data handling 3) Contractual - contractual relates to termination clauses, escalation, etc.

Question 88

What is Discovery?

Answer 88

Discovery is the process of finding information that has to be surrendered in a legal proceeding (litigation "hold").

Question 89

What are the five key legal issues according to ENISA?

Answer 89

1) Data protection 2) Confidentiality 3) Intellectual property 4) Professional negligence 5) Outsourcing services & changes in control

Question 90

What is the European Data Protection Directive (DPD)?

Answer 90

) Identifiable person 2) Controller 3) Processor *Directive is implemented differently across states

Question 91

What is a Data Processor?

Answer 91

Anyone who processes personal information on behalf of a data controller - the word 'processes' is very broadly defined, e.g. includes just storing

Question 92

What is a Data Controller?

Answer 92

A cloud consumer who holds their customers' personal data.

Question 93

What is the most important tool to control providers?

Answer 93

Contracts are the most important tool to control providers

Question 94

What is an essential part of any service?

Answer 94

The ability to access meta-data and log-files is an essential part of any service.

Question 95

How should compliance requirements be treated?

Answer 95

As first class system requirements, on equal footing with any business requirement, and where necessary translated to obligations on subcontractors.

Question 96

When was the ENISA document written?

Answer 96

2009

Question 97

What is segregation of duties primarily for?

Answer 97

Contain personnel risks

Question 98

Why do blind spots occur in a virtual environment?

Answer 98

Communication over hardware backplane instead of network

Question 99

What is best practice for a datacenter audit?

Answer 99

The datacenter operator provides independent audit results

Question 100

What is a characteristic of object data storage?

Answer 100

Can be accessed by API or web

Question 101

What risk does open and published web API prevent?

Answer 101

Data exchange between providers being interrupted.

Question 102

What is recommended to improve application security in the cloud?

Answer 102

Use threat modeling adapted to the cloud

Question 103

What is recommended to improve SDLC for application security in the cloud?

Answer 103

Include cloud specific threats into an adapted threat model

Question 104

What is SAML?

Answer 104

Security Assertion Markup Language - an identity federation protocol which enables enterprise to use their preferred identity provider with cloud services

Question 105

PEP is likely to be in which layer?

Answer 105

Access management layer

Question 106

What are the principles of Corporate Governance?

Answer 106

Auditing supply chains Board and management structure and process Corporate responsibility and compliance Financial transparency and information disclosure Ownership structure and exercise of control rights

Question 107

What are valid risk responses?

Answer 107

Avoidance—exiting the activities giving rise to risk Reduction—taking action to reduce the likelihood or impact related to the risk Share or insure—transferring or sharing a portion of the risk to finance it Accept—no action is taken due to a cost/benefit decision

Question 108

Company that stores customer's data at a cloud provider is the Data Controller?

Answer 108

Yes

Question 109

Who is responsible for data when it has been transferred to a third party?

Answer 109

The data custodian

Question 110

What is the best description for Corporate Governance?

Answer 110

Balance control between important stakeholders within the organization

Question 111

According to ENISA, the cloud consumer is most often a Data Controller?

Answer 111

Yes

Question 112

According to ENISA, the inability of a customer to apply required security controls is a "loss of governance"?

Answer 112

Yes

Question 113

What is volume storage?

Answer 113

This includes volumes attached to IaaS instances, typically as a virtual hard drive. Volumes often use data dispersion to support resiliency and security.