CH13 Cloud Security Flashcards

1
Q

What is Hyperconvergence?

A

Hyperconvergence allows providers to fully integrate the storage, network, and servers

2
Q

What is VDI?

A

VDI = Virtual Desktop Infrastructure

VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server

3
Q

What are Secure Enclaves?

A

Secure Enclaves is a technique that utilizes two distinct areas where the data may be stored and accessed. Each enclave can be accessed by the proper processor.

4
Q

What are Secure Volumes?

A

A method of keeping data at rest secure from prying eyes. When data on the volume is needed, the secure volume is mounted and properly decrypted to allow that access. Once the volume is no longer needed, it’s encrypted again and unmounted from the virtual server.

5
Q

What are 4 types of Cloud?

A

Public,
Private,
Hybrid,
Community

6
Q

What is a public cloud?

A

A service provider makes resources available to the end users over the internet.

7
Q

What is a private cloud?

A

A company creates its own cloud environment that only it can utilize as an internal enterprise resource.

Private cloud should be chosen when security is more important than cost.

8
Q

What is a Hybrid cloud?

A

Some resources are developed and operated by the organization itself, as a private cloud would be, but the organization can also utilize publicly available resources or outsource services to another service provider, as a public cloud does.

9
Q

What is Community Cloud?

A

Resources and costs are shared among several different organizations who have common service needs. Similar to taking several private clouds and connecting them together.

10
Q

What are 4 types of cloud services?

A

Infrastructure as a Service (IaaS),
Platform as a Service (PaaS),
Software as a Service (SaaS),
and Security as a Service (SECaaS).

11
Q

What is IaaS?

A

IaaS = Infrastructure as a Service

Provides all the hardware, operating system, and backend software needed in order to develop your own software or service

12
Q

What is PaaS?

A

PaaS = Platform as a Service

Provides your organization with the hardware and software needed for a specific service to operate

13
Q

What is SaaS?

A

SaaS = Software as a Service

Provides all the hardware, operating system, software, and applications needed for a complete service to be delivered

14
Q

What is SECaaS?

A

SECaaS = Security as a Service

Provides your organization with various types of security services without the need to maintain a cybersecurity staff

15
Q

What is Sandboxing in terms of Cloud computing?

A

Utilizes separate virtual networks to allow security professionals to test suspicious or malicious files.

16
Q

What are some of the Cloud Security vulnerabilities?

A
  1. If a physical server crashes due to something one organization does, it can affect all of the organizations hosted on that same physical server.
  2. Collocated data can become a security risk. You need to configure, manage, and audit user access to virtualized servers.
  3. Utilizing the cloud securely requires good security policies.
  4. Data remnants may be left behind after deprovisioning. Data should always be encrypted when placed in the cloud server.
17
Q

How would you defend file servers?

A

Use proper data encryption, have monitoring and logging on it, and have a good host-based intrusion detection system. You may want data loss prevention applications to ensure the data isn’t stolen.

18
Q

How would you defend Email Servers?

A

Use hardening techniques. Have spam filtering and antivirus installed, and scan and quarantine all the attachments being sent or received by the users.

19
Q

How would you defend Web servers?

A

Should be placed in a DMZ. Firewalled, monitored, logged, audited, and patched.

20
Q

How would you defend an FTP server?

A

Always enforce an encrypted connection using Transport Layer Security (TLS).

21
Q

How would you defend a Domain Controller (Active Directory or LDAP)?

A

This server acts as the central repository of all of your user accounts, your computer accounts, and their associated passwords for the network.

Make sure that the Active Directory controller is up to date on its patches, its configurations are hardened, and that it’s secure and in place in your network.

22
Q

What is a Golden Ticket attack?

A

Uses a program known as Mimikatz to exploit a vulnerability in the Kerberos ticket-granting system to generate a ticket that acts as a skeleton key for all of the devices in the domain.

23
Q

What is VPC?

A

VPC = Virtual Private Cloud

A private network segment made available to a single cloud consumer within a public cloud

VPC is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites

24
Q

What is CASB?

A

CASB = Cloud Access Security Broker

Enterprise management software designed to mediate access to cloud services by users across all types of devices. It is a middleman that helps you with your authentication and ensures that people are using the services they’re supposed to use.

CASBs provide visibility into how clients and other network nodes use cloud services.

25
Q

What are the benefits of using a CASB?

A

CASB = Cloud Access Security Broker

They can enable single sign-on authentication and enforce access controls and authorizations across your entire enterprise network.

Malware and rogue device detection.
Monitor and audit user activity.
Mitigate data exfiltration.

26
Q

What are the 3 ways that you can set up a CASB?

A

CASB = Cloud Access Security Broker

Forward proxy,
a reverse proxy, or
using API access

27
Q

What is Forward Proxy in terms of CASB?

A

CASB = Cloud Access Security Broker

A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy.
Warning: Users may be able to evade the proxy and connect directly.

28
Q

What is Reverse Proxy in terms of CASB?

A

CASB = Cloud Access Security Broker

An appliance positioned at the cloud network edge that directs traffic to cloud services if the contents of that traffic comply with policy.
Warning: This approach can only be used if the cloud application has proxy support.

29
Q

What is Application Programming Interface (API) in terms of CASB?

A

CASB = Cloud Access Security Broker

A method that uses the broker’s connections between the cloud service and the cloud consumer.
Warning: Dependent on the API supporting the functions that your policies demand.

30
Q

What is curl?

A

A tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, FILE).

31
Q

What is FaaS?

A

FaaS = Function as a Service

A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language.

32
Q

What is Serverless?

A

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances. Everything in serverless is developed as a function or microservice.

33
Q

What are some Cloud Threats?

A
  1. Insecure API – an API must only be used over an encrypted channel (HTTPS).
    Data received by an API must pass server-side validation routines.
    Think about error handling and error messages. When you give somebody an error message, make sure it’s been sanitized. Make sure it’s as simple as possible and just tells what the error is, without giving them too much detail.
    Make sure that your APIs are not subject to denial of service attack.
    Implement throttling / rate-limiting mechanisms to protect from a DoS.
  2. Improper key management – API should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data.
    Warning: Do not hardcode or embed a key into the source code.
    Delete unnecessary keys and regenerate keys when moving into a production environment.
    Make sure that you have hardening policies in place for any of your client hosts and any of your servers and the development workstations.
  3. Insufficient logging and monitoring – Software as a service may not supply access to log files or monitoring tools.
  4. Unprotected storage – Cloud storage containers are referred to as buckets or blobs.

Warning: Access control to storage is administered through container policies, IAM authorizations, and object ACLs.
Incorrect permissions may occur due to default read/write permissions left over from creation.

Incorrect origin settings may occur when using content delivery networks.
Cross-Origin Resource Sharing (CORS) policy – a content delivery network policy that instructs the browser to treat requests from nominated domains as safe.
Warning: Weak CORS policies expose the site to vulnerabilities like XSS.