CCSK - V4 and ENISA (Quizlet) Flashcards

1
Q

What is the standard cloud computing model used here?

A

NIST (National Institute of Standards and Technology, a US federal agency); the ISO definition is similar.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the five essential characteristics that NIST uses to define cloud computing?

A

1) broad network access 2) rapid elasticity 3) measured service 4) on-demand self service 5) resource pooling

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the four cloud deployment models defined by NIST?

A

1) Public 2) Private 3) Hybrid 4) Community

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is a cloud broker?

A

Entity that manages the use, performance, and delivery of cloud services (and negotiates relationship with customer)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is the Jericho Cloud Cube Model?

A

Four dimensions to differentiate cloud (or IT) formations:

1) External/Internal (physical location)
2) Proprietary/Open (technology)
3) Perimiterized/De-perimiterized (within firewall)
4) Outsourced/Insourced

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is the CSA Cloud Reference Model?

A

The service models fit in an architectural framework (where APIs are an important access mechanism)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is Multi-tenancy (in the ISO definition)

A

The characteristic of multiple independent consumers sharing resources, which implies a need for certain controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are SLAs for?

A

Important control to allocate responsibility between consumer and provider. Shared responsibility model.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

How do characteristics introduce risk?

A

Broad network access introduces the client device and the network as new sources of risk. Rapid Elasticity brings availability risks. Measured service can bring licensing risk. Resource pooling brings isolation related risks. On-demand self service introduces risks around who can control what.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are Security concerns for hypervisor architecture?

A

VM hosts and guests need to be hardened; Hypervisor software and provenance is highest risk area.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What do you need to know about AV?

A

Don’t run AV scan inside VM; use hypervisor aware products.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are blind spots?

A

Inter VM communication may not be visible in the physical network (i.e. through virtual switch or side channel) leading to blind spots.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are VM isolation (compartmentalization) techniques?

A

LANs, IDS/IPS, Firewalls, zoning (combinations may be required for complian

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

How can VM persistent storage leak risk (safe destruction) be countered?

A

Storage level encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is VM image risk?

A

Too many different images (sprawl) and images that are not up to date (staleness)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is Commingling?

A

Sensitive data may be in non compliant zones.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Why is asset management more complicated?

A

Asset management for audit/monitoring is complicated by the extra need need to track hosts as well as guests and images.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is OVF?

A

Open Virtualization Format (helps ensure interoperability)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is a instant-on gap?

A

Securely configured VM when off but vulnerable by the time it is started.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

How does In-Motion VM characteristics create complexity for audits?

A

The unique ability to move virtual machines from one physical server to another creates a complexity for audits and security monitoring. In many cases, virtual machines can be relocated to another physical server (regardless of geographic location) without creating an alert or track-able audit trail.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What are four D’s of perimeter security?

A

Deter, Detect, Delay and Deny

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

How are service levels established?

A

Documentation should make clear how service levels are maintained in the face of technical, natural, and malicious threats.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

How is risk associated with a real person and a real machine doing the work on a real location in the cloud managed?

A

BCM (Business Continuity Management) aims to reduce risk in this area.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Is automation of logging and reporting required (especially over multi-site datacenters)?

A

Yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What are the six phases of the Data Security Lifecycle and their key elements?

A

The six phases of the data lifecycle with their top controls are create (classify), store (encryption), use (logical controls), share (DLP, encryption), archive (asset management), destroy (crypto shredding).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What are data at rest security options?

A

1) Data dispersion/fragmentation (spread over multiple disks)
2) Replication (multiple copies)
3) Encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Which locations can data in motion encryption be applied?

A

1) Application (server and/or client side encryption) 2) Link (for example: HTTPS, VPN) 3) Proxy based encryption (related to DLP

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

What are all data in motion security options?

A

Data can be protected by access controls, encryption, database and file monitoring, URL or content based filtering (Data Loss or Leakage Prevention)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Why are data abstraction levels important?

A

Distinguish raw storage, volume storage, object storage, database, CDN (each of these abstractions has its own Features, Risks, Threats, and Control opportunity)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

What is Portability?

A

The ease with which applications and data can be moved to a different provider (or into the cloud in the first place)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

What is Interoperability?

A

Elements of the cloud ecosystem working together

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

What is an example of how open standards can ease interoperability (and portability)?

A

SAML

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

How can lock-in risk be mitigated?

A

Portability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

What is WS-Security for?

A

WS-Security is for securing web services.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

What is SAML for?

A

SAML is for making identities portable and inter-operable.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

What is Portability solution for IaaS?

A

OVF (open virtualization format) - open standard virtual machine images

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

What is Portability solution for PaaS?

A

Open API

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

What should be included in every service offering?

A

IR functionality should be engineered into any service offering. Up to date contact lists. Responsibilities shift across service models. Virtualization can make IR and forensics easier, including offline analysis. IR readiness is something to check on an (internal) audit.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

What is the main data source for analysis of an incident?

A

Logging.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

How can incidents and/or their impact be reduced?

A

Customer specific application logs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

What is the IR (Incident Response) lifecycle?

A

Preparation, detection & analysis, containment, eradication & recovery

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

How often should IR testing be performed?

A

At least annually

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

What is ENISA?

A

European Network and Information Security Agency

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

What are the top 8 risks according to ENISA?

A
LOSS OF GOVERNANCE (cloud provider does not commit to necessary task)
LOCK-IN (vendor lock-in)
ISOLATION FAILURE (one tenant influences another)
COMPLIANCE RISKS (audit impossible, or no evidence)
MANAGEMENT INTERFACE COMPROMISE
DATA PROTECTION (protection cannot be demonstrated)
INSECURE OR INCOMPLETE DATA DELETION
MALICIOUS INSIDER (cloud provider or auditor)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

What are the key legal issues common across all scenarios?

A

Data protection, confidentiality, intellectual property, professional negligence, outsourcing services and changes in control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

What is the underlying vulnerability in Loss of Governance?

A

Provider does not commit to controls only they can do

47
Q

What is user provisioning vulnerability?

A

Loss of control over user rights

48
Q

What is the risk of a cloud provider being acquired?

A

New owner may not want to serve existing customers.

49
Q

In Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring?

A

Consumer

50
Q

What is isolation failure?

A

This is where multi-tenancy and resource sharing are defining characteristics of the cloud. Thus it is entirely likely for competing companies to be using the same cloud services, in effect, running their workloads shoulder-to-shoulder. Keeping memory, storage, and network access isolated is essential.

51
Q

What is a data controller?

A

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

52
Q

What is a data processor?

A

A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

53
Q

What is Economic Denial of Service?

A

An attacker uses a public channel to use up the customer’s metered resources - for example, where the customer pays per HTTP request, a DDoS attack can have this effect.

54
Q

What are the main reasons for encryption?

A

1) Compliance
2) Threats (including system admins)
3) Provable deletion

55
Q

Who should be in control of encryption key management?

A

The consumer (different entities/users should have different keys).

56
Q

What are alternatives to encryption?

A

1) Tokenization (token instead of sensitive info)
2) Masking/anonymization (concealment of sensitive info)
3) Cloud based access/database controls

Proprietary encryption techniques should be avoided.

57
Q

What is the first step in cloud security?

A

A good threat and risk modeling process

58
Q

What are examples of cloud specific threats/risks?

A

1) External providers (e.g. auditors that need to look at log files)
2) Broad network accessibility (e.g. malicious actors or DDOS)
3) IaaS available (e.g. size breaks hardware)
4) API and other supply chain dependencies

59
Q

What is IdEA?

A

Identity, entitlement, and access management

60
Q

What threats does IdEA (identity, entitlement, and access management) protect against?

A

spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE)

61
Q

Does cloud security require require attention across the entire software development life cycle (SDLC) from design to operation?

A

Yes

62
Q

What helps with with multiple attributes as input for access decisions?

A

Entitlement matrix

63
Q

What is an example of a threat model?

A

STRIDE

64
Q

Does remote vulnerability testing (i.e. penetration testing) ever need to be coordinated with the provider?

A

Yes

65
Q

What is Federated Identify Management for?

A

Federated identity management is about splitting the role of the identity provider from that of the relying parties to allow control over user access

66
Q

How does Federated Identify Management help?

A

1) Supports consumer compliance
2) Reduces provider cost

*SSO (Single Sign on) is a use case

67
Q

What are common Federated Identify Management technologies?

A

1) OpenID
2) Oauth-AD sync
3) ADFS-SAML

68
Q

What is a big security issue related to Federated Identify Management?

A

Directories of identity providers are likely to contain PII (Personally Identifiable Information) or SPI (Sensitive Personal Information)

69
Q

Who is Authorization provided by with respect to Federated Identify Management?

A

The relying party

70
Q

Identities have attributes that can be part of authentication and authorization decisions: name, age, location, device, etc - where do these come from?

A

All these may be provisioned from different sources.

71
Q

What is PEP?

A

Policy Enforcement Point - Point which intercepts user’s access request to a resource, makes a decision request to the PDP (Policy Decision Point) to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision. PEP is likely to be application specific or on a network device.

72
Q

Who is the authoritative for identity with respect to Federated Identify Management?

A

Identity provider is authoritative for identity.

73
Q

What are relevant Federated Identify Management standards?

A

SAML and WS-Federation, XACML, OpenID, Oauth

74
Q

What is security as a service (SECaaS)?

A

SECaaS includes monitoring and control servers for security functions, such as intrusion detection, externally placed web and spam filtering, authentication, and more. Same pros and cons as cloud computing in general.

75
Q

When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?

A

Quality of reports and/or reporting

76
Q

What do you protect with encryption?

A

Data

77
Q

What do you protect against with encryption?

A

Threats. With encryption you typically do not handle availability risks, you handle confidentiality and some integrity risks.

78
Q

What is the residual risk after encryption?

A

Protection of the encryption key and availability of the key management.

79
Q

What are Information risks classified into?

A

Confidentiality risks, integrity risks and availability risks.

80
Q

What are associated risks to IT but not specific to it?

A

Legal risks, third-party risks, compliance risks

81
Q

What are risk mitigation approaches?

A

Avoid, transfer, mitigate, accept. Risk management includes making sure all relevant risks are identified and treated.

82
Q

What is the risk management process about?

A

Identifying risks (e.g. through a threat model), qualifying and prioritizing them, and recording the evidence of their mitigation, if any.

83
Q

What is an ISMS?

A

Information security management system

84
Q

Why is continuous attention to transparency on supply chain essential?

A

Every organization is part of a cloud supply chain which introduces third party risk

85
Q

What are traditional methods of risk management and audit?

A

Scanning, penetration testing, and machine level logs. A cloud provider may restrict that, so new ways to do risk management must be found.

86
Q

What do industry standard risk management practices include?

A

ISO 27000 series, NIST and the CSA cloud controls matrix.

87
Q

What are the three dimensions of legal issues?

A

1) Functional - what does the service do for the consumer
2) Jurisdictional - location implies jurisdiction, implies rules on data handling
3) Contractual - contractual relates to termination clauses, escalation, etc.

88
Q

What is Discovery?

A

Discovery is the process of finding information that has to be surrendered in a legal proceeding (litigation “hold”).

89
Q

What are the five key legal issues according to ENISA?

A

1) Data protection
2) Confidentiality
3) Intellectual property
4) Professional negligence
5) Outsourcing services & changes in control

90
Q

What is the European Data Protection Directive (DPD)?

A

) Identifiable person

2) Controller
3) Processor

*Directive is implemented differently across states

91
Q

What is a Data Processor?

A

Anyone who processes personal information on behalf of a data controller - the word ‘processes’ is very broadly defined, e.g. includes just storing

92
Q

What is a Data Controller?

A

A cloud consumer who holds their customers’ personal data.

93
Q

What is the most important tool to control providers?

A

Contracts are the most important tool to control providers

94
Q

What is an essential part of any service?

A

The ability to access meta-data and log-files is an essential part of any service.

95
Q

How should compliance requirements be treated?

A

As first class system requirements, on equal footing with any business requirement, and where necessary translated to obligations on subcontractors.

96
Q

When was the ENISA document written?

A

2009

97
Q

What is segregation of duties primarily for?

A

Contain personnel risks

98
Q

Why do blind spots occur in a virtual environment?

A

Communication over hardware backplane instead of network

99
Q

What is best practice for a datacenter audit?

A

The datacenter operator provides independent audit results

100
Q

What is a characteristic of object data storage?

A

Can be accessed by API or web

101
Q

What risk does open and published web API prevent?

A

Data exchange between providers being interrupted.

102
Q

What is recommended to improve application security in the cloud?

A

Use threat modeling adapted to the cloud

103
Q

What is recommended to improve SDLC for application security in the cloud?

A

Include cloud specific threats into an adapted threat model

104
Q

What is SAML?

A

Security Assertion Markup Language - an identity federation protocol which enables enterprise to use their preferred identity provider with cloud services

105
Q

PEP is likely to be in which layer?

A

Access management layer

106
Q

What are the principles of Corporate Governance?

A

Auditing supply chains
Board and management structure and process
Corporate responsibility and compliance
Financial transparency and information disclosure
Ownership structure and exercise of control rights

107
Q

What are valid risk responses?

A

Avoidance—exiting the activities giving rise to risk
Reduction—taking action to reduce the likelihood or impact related to the risk
Share or insure—transferring or sharing a portion of the risk to finance it
Accept—no action is taken due to a cost/benefit decision

108
Q

Company that stores customer’s data at a cloud provider is the Data Controller?

A

Yes

109
Q

Who is responsible for data when it has been transferred to a third party?

A

The data custodian

110
Q

What is the best description for Corporate Governance?

A

Balance control between important stakeholders within the organization

111
Q

According to ENISA, the cloud consumer is most often a Data Controller?

A

Yes

112
Q

According to ENISA, the inability of a customer to apply required security controls is a “loss of governance”?

A

Yes

113
Q

What is volume storage?

A

This includes volumes attached to IaaS instances, typically as a virtual hard drive. Volumes often use data dispersion to support resiliency and security.

114
Q

What are blind spots?

A

Inter VM communication may not be visible in the physical network (i.e. through virtual switch or side channel) leading to blind spots.