CIS test 4 Flashcards
IDS type that: 1) Analyzes activity logs, including system calls, application logs, etc. 2) Has a better view of the monitored system but high vulnerability to an attack on the IDS itself.
Server based IDS
3 types of Intrusion Detection Systems (IDSs)
1) Server-based IDS 2) Network-based IDS 3) Integrated IDS
Process of detecting events and/or entities that could possibly compromise the security of the system.
Intrusion Detection
Key method for providing confidentiality and integrity services
Encryption of data in flight
Protocol which allows client / server applications to enforce encryption service.
Transport Layer Security (TLS)
Benefit of network level encryption
Network level encryption is independent of the underlying guest OS.
Two general encryption methods
1) Application Level (where data is generated) 2) Network Level (IPSec to encrypt IP packets)
Key measure against “sniffing” attacks
Encryption of data in flight
True or False: A virtualized DMZ can fully support and enforce multiple trust zones.
TRUE
Physical or logical (sub)network that limits the exposure of the nodes in the internal network from external networks.
Demilitarized Zone (DMZ)
Why can sandboxing be used as a security measure against side-channel-attacks?
Because sandboxing prevents malicious software from monitoring system components.
Where guest OS sandboxing is achieved
On the hypervisor level or at the OS kernel level.
Where sandboxing should be applied
On a vulnerable or suspected guest OS or application.
Guest OS Hardening Measures
Deleting unused files and applying latest patches. Applying hardening checklists available for specific OSs. Installing the guest OS in TCB mode if the VM is to be used for critical applications.
VM Hardening Considerations
Use VM templates to provision new VMs. Limit the resources that VM can consume to prevent DoS attacks. Disable unused functions and devices on VM. Use a directory service for authentication. Perform vulnerability scanning and penetration testing of the guest OS.
Ways to protect hypervisor management systems
1) Configuring strong security on the firewall between the management system and the network. 2) Providing direct access to the management server only to administrators. 3) Disabling access to the management console to prevent unauthorized access.
Process of changing the default configuration in order to achieve greater security.
Hardening
Hypervisor Security Measures
1) Install hypervisor updates. 2) Harden VMs to prevent attacks.
Protection measures for physical server security
1) Authentication and authorization mechanisms. 2) Disabling unused hardware such as NICs, USB ports, or drives. 3) Physical premises security.
Server security considerations
1) Deciding whether the server will be used for specific applications or for general purpose. 2) Identifying the network services to be provided on the server. 3) Identifying users and/or user groups who will be given access rights on the server, including specific access privileges.
Included in securing a compute system
Securing physical server. Securing hypervisor. Securing VMs (VM isolation, VM hardening). Security at guest OS level (guest OS hardening). Security at application level (application hardening).
VM protective measure against DOS attacks
Resource consumption of a VM needs to be restricted.
Attempt to prevent legitimate users from accessing a resource or service.
Denial of Service (DOS)
Could reveal information of a client to another malicious client that runs its VMs on the same server.
Cross-VM Side Channel Attack (SCA)
Extracts information by monitoring indirect activities (e.g., cache data).
Side Channel Attack (SCA)
A malicious program which is installed before a hypervisor or VMM is fully booted on a physical server, thereby running with privileged access and remaining invisible to network administrators.
Rootkit
True or False: Regular security measures are effective against hyperjacking.
FALSE
A rootkit level vulnerability that enables an attacker to install a rogue hypervisor or VMM that can take complete control of the underlying physical server.
Hyperjacking
Measures against hyperjacking
1) Hardware-assisted secure launching of the hypervisor. 2) Scanning hardware-level details to assess the integrity of the hypervisor and locating the presence of the rogue hypervisor.
Enables an attacker to install a rogue hypervisor or VMM that can take control of the underlying server resources.
HyperJacking
Copy and move restrictions should be limited to what?
Critical / sensitive VMs only
Bind a VM to a specific physical machine
Copy and move restrictions
Essential to safeguard against VM theft
Copy and Move restrictions
Vulnerability that enables an attacker to copy or move a VM in an unauthorized manner.
VM Theft
True or False: VMs are vulnerable to attack when they are running and when they are powered-off.
TRUE
How are VM image files protected?
Encryption of VM image files is required as a protection measure when it is powered-off or during its migration.
How are VM templates protected?
VM templates must be kept encrypted. Access to VM templates should be restricted to privileged users (administrators).
Private data may include
Individual identity of a cloud user. Details of the services requested by a client. Proprietary data of the client.
Information assurance concerns for cloud users
Confidentiality, Integrity, and Availability (CIA); Authorized Use
Counter to challenge of VOA
Defense-in-Depth
Effects of a high velocity of attack (VOA)
Potential loss due to an attack is comparatively higher. It is comparatively difficult to mitigate the spread of the attack.
Velocity of Attack
Security threats amplify and spread quickly in a cloud
Refers to various access points / interfaces that an attacker can use to launch an attack
Attack Surface
Key measure against multitenancy-related security concerns
Mutual Client Isolation: isolation of VMs, isolation of data, isolation of network communication
Why is multitenancy a key security concern for cloud service providers?
Enforcing uniform security controls and measures is difficult.
Why is multitenancy a key security concern for cloud clients?
Co-location of multiple VMs in a single server and sharing the same resources increases the attack surface.
Could occur when a malicious VM is installed on the same server and consumes all the server resources, thus preventing other VMs from functioning properly.
Denial of Service (DOS) Attack
Unauthorized loss or manipulation of data
Data Leakage
Attacker installs a rogue hypervisor or VMM that can take complete control of the underlying server.
HyperJacking
Guest OS or an application running on it breaks out and starts interacting directly with the hypervisor.
VM Escape
Involves unauthorized copying or movement of a VM.
VM Theft