CCSP Domain 5: Cloud Security Operations Flashcards

1
Q

BICSI

A

The Building Industry Consulting Service International issues certifications in complex cabling for data systems and develops standards for it.

This standard focuses on cabling design and setups and also includes specifications on power, energy efficiency, and hot/cold aisle setups.

2
Q

IDCA

A

The International Data Center Authority has established the Infinity Paradigm, which is intended to be a comprehensive data center design and operations framework – i.e. it covers all aspects of data center design.

3
Q

NFPA

A

The National Fire Protection Association publishes a large collection of standards regarding fire protection for almost any type of facility – from data centers to offices, vehicles, etc.

4
Q

Uptime Institute

A

The Uptime Institute publishes the most commonly used and widely known standard on data center tiers and topologies. It is based on a series of four tiers, each representing a progressive increase in standards for reliability, redundancy, connectivity, fault tolerance, and cooling.

5
Q

Optimal temperature range in a data center

A

Temperature: 64.4 to 80.6 °F (18 to 27 °C)

6
Q

Optimal humidity range in a data center

A

Humidity: 40-60 percent relative humidity

7
Q

Storage communication

A

Storage traffic should be segregated and isolated on its own LAN. (Ergo, it is treated as LAN traffic rather than WAN traffic because of its importance and heavy network utilization.)

iSCSI is the most prevalent communications protocol for network-based storage; the iSCSI protocol allows SCSI commands and features to be used over TCP (Transmission Control Protocol).

8
Q

VLAN

A

VLANs (virtual local area networks) are used to segregate customers or application zones within the cloud service.

Confidentiality of cloud customer data within an architecture that relies on resource pooling and multitenancy is dependent upon network isolation and segregation.

9
Q

TLS

A

Transport Layer Security has replaced SSL as the default acceptable method for encryption of data in transit across a network; it uses X.509 certificates to provide authentication and to encrypt communications between parties.

10
Q

TLS handshake protocol

A

The ‘handshake’ protocol negotiates and establishes the TLS connection between the parties.

At a high level, the handshake consists of three phases:

1) Server parameters: The server responds with parameters that set the constraints for a secure transport layer.
2) Key exchange: The client initiates an exchange of shared key material and parameters based on the server parameters.
3) Authentication: The server is authenticated (and, optionally, the client) and provides key confirmation and handshake integrity.

The handshake in greater detail (steps 1 to 3 are the underlying TCP three-way handshake; the arrows show the direction of each message between client and server):

  1. client > syn > server
  2. client < syn-ack < server
  3. client > ack > server
  4. client < serverHello, certificate, serverHelloDone < server
  5. client > clientKeyExchange, changeCipherSpec, finished > server
  6. client < changeCipherSpec, finished < server
  7. client > application data > server
  8. client < application data < server

11
Q

TLS Record Protocol

A

The TLS record protocol is the actual secure communications method for transmitting data; the record protocol is responsible for the encryption and authentication of packets throughout their transmission between the parties, and, in some cases, it performs compression of the packets.

12
Q

DHCP

A

Dynamic Host Configuration Protocol is essential for automation and orchestration within a cloud environment.

Within a cloud environment, DHCP is used to centralize the issuance of IP addresses and maintain them in a static manner, where the IP, MAC address, hostname, and node names are set and not changed, and they are always assigned to the same virtual machine.

13
Q

DNSSEC

A

DNSSEC (Domain Name System Security Extensions) is a set of security extensions to the regular DNS protocol and services that allows the integrity of DNS lookups to be validated.

It allows a DNS client to perform DNS lookups and validate both their origin and authority via the cryptographic signature that accompanies the DNS response.

14
Q

VPN

A

A Virtual Private Network extends a private network over public networks and enables a device to operate as if it were directly on the private network.

A VPN works by establishing a point-to-point connection from a device to a private network, typically through software applications, but it can also be done via hardware accelerators.

15
Q

IPsec

A

IPsec is a protocol for encrypting and authenticating packets during transmission between two parties, which can be a pair of servers, a pair of network devices, or network devices and servers.

16
Q

DRS

A

Distributed Resource Scheduling is used within all clustering systems as the method for clusters to provide high availability, scaling, management, workload distribution, and the balancing of jobs and processes.

From a physical infrastructure perspective, DRS is used to balance compute loads between physical hosts in a cloud to maintain the desired thresholds and limits on the physical hosts.

17
Q

DO

A

Dynamic Optimization is the process through which the cloud environment is constantly maintained to ensure that resources are available when and where needed and that physical nodes do not become overloaded or near capacity while others are underutilized.

18
Q

What are the four key areas of a physical cloud environment?

A

CPU
memory (ephemeral storage)
disk (persistent storage)
network

19
Q

Secure Keyboard Video Mouse (KVM)

A

Secure keyboard video mouse (KVM) switches combine physical and logical protections that assist organizations in protecting against unauthorized and malicious surveillance conducted through electronic emanations.

Video cables can emit significant emanations that, if duplicated, can provide a view of all activity to an unauthorized recipient that resides outside of the system’s otherwise physically protected area.

20
Q

Secure Shell (SSH)

A

SSH is an administrative protocol used to manage remote hosts over the internet in an encrypted fashion. The client user can execute shell commands remotely and securely in the same manner that would be done locally.

21
Q

Remote Desktop Protocol (RDP)

A

RDP services include encryption, smart card authentication, bandwidth reduction, resource sharing, the ability to use multiple displays, and the ability to disconnect temporarily without logging off. RDP also allows for the redirection of functions such as audio and printing.

22
Q

Customer Management Console-based Access

A

Console-based access mechanisms are proprietary to each CSP vendor and allow consumers to access, configure, and manage virtual machines. At a minimum, access to the platforms should be controlled administratively through need-to-know management and technically through least-privilege controls. In addition, role-based dual-factor authentication should be required to access a cloud console.

23
Q

Virtual Extensible LAN (VXLAN)

A

VXLAN allows placement of VMs into a single LAN segment even when they are on separate networks.

Encapsulates layer 2 frames within layer 4 UDP packets, using some techniques similar to VLAN but supporting up to 16 million logical networks.

24
Q

Firewall

ACL
Dynamic filters
Next-generation

A

A firewall is a software- or hardware-based network security system that controls the incoming and outgoing network traffic based on an applied rule set.

There are three generic families of firewalls:

Stateless network access control list (ACL) filters that manage ingress and egress flows of network traffic based upon IP address and service or port number. Cloud service customers will typically leverage ACLs by means of a security group.

Dynamic filters that use engines defined by signatures, anomalies, behavior, heuristics, and artificial intelligence.

Next-generation firewalls (in hardware, software, and hypervisor) combine intrusion detection/prevention at the host and network and traffic management through micro-segmentation policies.

25
Q

NIST SP 800-125B

A

NIST SP 800-125B provides guidance on implementation of firewalls with VMs and workloads by focusing on use cases that illuminate the lack of granularity of traffic security in traditional firewall management solutions.

26
Q

Security Content Automation Protocol (SCAP)

A

SCAP is a suite of specifications that standardize the format and nomenclature by which software flaws and security configuration information are communicated, both to machines and to humans.

SCAP is a multipurpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

27
Q

Five categories of

Security Content Automation Protocol (SCAP)

A

1) Languages: The SCAP languages provide standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results – e.g. Open Vulnerability and Assessment Language (OVAL), etc.
2) Reporting formats: The SCAP reporting formats provide the necessary constructs to express collected information in standardized formats. The SCAP reporting format specifications are Asset Reporting Format (ARF) and asset identification.
3) Enumerations: Each SCAP enumeration defines a standard nomenclature (naming format) and an official dictionary or list of items expressed using that nomenclature – e.g. Common Vulnerabilities and Exposures (CVE), etc.
4) Measurement and scoring systems: In SCAP, this refers to evaluating specific characteristics of a security weakness (for example, software vulnerabilities and security configuration issues) and, based on those characteristics, generating a score that reflects their relative severity – e.g. Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS).
5) Integrity: The integrity specification helps to preserve the integrity of SCAP content and results – i.e. Trust Model for Security Automation Data (TMSAD).

28
Q

Security Technical Implementation Guides (STIGs)

A

Security Technical Implementation Guides (STIGs) are the configuration standards for the Department of Defense (DoD) information assurance (IA) and IA-enabled devices/systems.

29
Q

Security Requirements Guides (SRGs)

A

SRGs drive STIGs – there is a parent-child relationship.

SRGs are collections of security requirements applicable to a given technology family, product category, or an organization in general. SRGs provide non-product-specific requirements to mitigate sources of security vulnerabilities commonly encountered across IT systems and applications.

Conversely, Security Technical Implementation Guides (STIGs) are the detailed guidelines for specific products; STIGs are derived from SRGs.

30
Q

Live migration

A

Live migration is the transferring of the operation of one virtual machine to another in such a way that it is completely transparent to the user.

31
Q

Maintenance mode

A

Maintenance mode is utilized when updating or configuring different components of the cloud environment including virtual machines.

While in maintenance mode:

Customer access is blocked
Alerts are disabled
Logging remains enabled

32
Q

VM snapshot / VM image

A

When a snapshot of a VM is taken, the image is kept in object storage.

At a high level, cloud service provider platforms save the following in a snapshot:

The state of all the virtual machine’s disks
The contents of the virtual machine’s memory
The virtual machine settings

33
Q

ISO / IEC 20000-1 : 2018

A

ISO/IEC 20000-1:2018, Service Management System, informs consumers and providers how to establish requirements for implementing, maintaining, and continually improving a service management system (SMS). 

34
Q

Information Technology Infrastructure Library (ITIL) v4

A

The ITIL v4 framework addresses service value streams (SVSs) in five dimensions: governance, guiding principles, practices, service value chain, and continual improvement.

SVSs represent components and activities within an organization working in coordination to create value through IT-enabled services.

35
Q

ISO / IEC 20000-1 : 2018

A

ISO / IEC 20000-1 : 2018 sets out requirements for continual improvement of the service management system (SMS); customers input service demand to the SMS and the SMS outputs services.

To continually improve these services the SMS considers:

Context of the organization (mission, objective, vision, …)

Leadership (what does the chain of command want?)

Planning (prior planning prevents piss poor performance)

Support of the SMS (BAU / keep the lights on ops.)

Operation of the SMS (implementation and execution)

Performance evaluation (KPI, performance metrics, …)

Improvement (optimization, CARs, PARs, etc.)

36
Q

(ITIL) v4, Service Value Streams (SVS) ontology

A

The Information Technology Infrastructure Library (ITIL) v4 framework addresses service value streams (SVSs), which represent components and activities within an organization working in coordination to create value through IT-enabled services.

The core components of the ITIL are:

Governance
Guiding principles
Practices
Service value chain
Continual improvement

37
Q

(ITIL) v4, Change Management ontology

Standard
Normal
Emergency

A

Three types of changes:

1) Standard changes: These are low-risk and pre-authorized changes that have complete documentation and can be implemented without additional authorization. (e.g. changes via an approved process flow such as patching or v 1.x upgrades, etc.)
2) Normal changes: These need to be scheduled, tested, assessed, and authorized, typically through the auspices of a change management board. (e.g. changes with ‘large’ potential downside impact such as v x.1 upgrades, go-live or deprecation of a system, etc.)
3) Emergency changes: Implementation of these changes is normally part of the resolution to an incident or high-impact security concern. (e.g. system outage, incident response, etc.)

38
Q

ISO / IEC 20000-1 : 2018, change management

Policy
Initiation
Activities

A

ISO/IEC 20000-1:2018, Service Management System, stipulates that change management shall comprise policy, initiation, and activities.

1) Policy: The policy for change management should be established and documented to define the service components under the control of change management.
2) Initiation: The initiation of change management is guided by service design and transition and is implemented according to policy. Major activities include adding, removing, and transferring services.
3) Activities: The change management activities mandate that the organization and interested parties shall make decisions based upon risks, business benefits, feasibility, and financial impact.

39
Q

Event, Incident handling and response

A

Events are changes in a system state that have significance for the management of a service or other configuration item.

40
Q

Incident, Incident handling and response

A

An incident is an unplanned interruption or degradation in the quality of a service.

41
Q

Breach, Incident handling and response

A

A breach is proof that a system has been accessed without authorization.

42
Q

Disclosure, Incident handling and response

A

A disclosure is proof that confidential information has been shared outside of owner-defined clearance levels.

43
Q

Incident management, ISO / IEC 20000-1 : 2018

A

ISO/IEC 20000-1:2018 simply orders incident management as:

Prioritize based on impact
Record / classify
Escalate if needed
Resolve
Close

44
Q

Incident management, (ITIL) v4

A

ITIL v4 defines the primary purpose of incident management as the practice of minimizing the negative impact of incidents by restoring normal service operation as quickly as possible.

Best practices of incident management include:

All incidents should be logged, managed, and resolved in a time frame that meets customer agreements and expectations.

Prioritization of incidents happens based on classifications of service impact levels agreed to by provider and consumer.

45
Q

Release management

A

Release management makes new and changed services and features available for use by customers.

A release is a version of a service or configuration item (CI) that is made available for use.

46
Q

Deployment management

A

Deployment management moves new hardware, software, documentation, processes, or other components to live environments.

47
Q

Patch management

A

Patch management updates a system to fix functionality, features, or security.

48
Q

Deployment management:

phased deployment
continuous delivery
big bang deployment
pull deployments

A

Phased deployment: Incrementally changed components are deployed for specific parts of the production environment until complete

Continuous delivery: Frequent deployment with tight integration and testing that conforms to amplified customer feedback loops

Big bang deployment: Updates are deployed to all production targets simultaneously

Pull deployment: Updates are held in a repository and can be triggered at the discretion/schedule of the user

49
Q

Patch management, scope of activities

A

A patch management process should address the following items:

Vulnerability detection and evaluation by the vendor

Subscription mechanism to vendor patch notifications

Severity assessment of the patch by the receiving enterprise using that software

Applicability assessment of the patch on target systems

Opening of tracking records in case of the lack of patch applicability

Customer notification of applicable patches, if required

Change management

Successful patch application verification

Issue and risk management in case of unexpected troubles or conflicting actions

Closure of tracking records with all auditable artifacts

50
Q

Configuration management

A

The primary purpose of configuration management is to ensure that accurate and reliable information is maintained about the configuration of services and systems known as configuration items.

The basic goals are to:

Verify accuracy of collected data
Audit applications and infrastructure to expose undocumented items
Update changes to the environment
Identify new configuration items

51
Q

Capacity management, (ITIL) v4

A

Capacity and performance management are combined in ITIL v4. The following activities drive capacity and performance management:

Research and monitoring of services
Performance and capacity modeling
Capacity requirement analysis
Demand forecasting
Performance improvement plan

52
Q

ISO / IEC 18788-2015

A

Management systems for private security operations (i.e. security operations center [SOC]).

The document provides a business and risk management framework for the effective conduct of security operations. ISO / IEC 18788-2015 uses Plan-Do-Check-Act as an implementation approach and requires organizations conducting or contracting security operations to demonstrate:

Adequate business and risk management capacity that is suitable for stakeholders and clients

Ability to assess and manage impact on local communities

Accountability to law and respect for human rights

Consistency with applying the organization’s own commitments and beliefs

53
Q

Simple Network Management Protocol (SNMP)

A

SNMP collects and organizes information about managed devices on IP networks. It can be used to determine the “health” of networking devices including routers, switches, servers, workstations, printers, and modem racks.

54
Q

NIST SP 800-92

A

Guide to Computer Security Log Management, NIST SP 800-92, notes that organizations should establish policies and procedures for log management.

Per NIST SP 800-92, to establish and maintain successful log management activities, an organization should:

Develop policies that clearly define mandatory requirements and suggested recommendations for log management activities, including log generation, transmission, storage, analysis, and disposal

Ensure that related policies and procedures incorporate and support the log management requirements and recommendations

Define logging requirements and goals as part of the planning process

Develop a standard process for performing log management

55
Q

Security Information and Event Management (SIEM)

A

A SIEM provides centralized collection and monitoring of security and event logs from different systems.

SIEMs allow for the correlation of different events and early detection of attacks. At the most basic level, a SIEM system can be rules based or employ a statistical correlation engine to establish relationships between event log entries, or a combination of the two.