Cloud Operations Flashcards
How do you secure a KVM?
Combine Physical and Logical controls to protect against unauthorized electronic emanation surveillance
Features of a Secure KVM
- Push button control - physical access needed to control KVM
- Firmware that has authenticated protection
- Isolated data channels
- Restricted USB functionality
- Does not allow buffering
Secure Shell (SSH)
A protocol used to administer remote devices over a network using TCP port 22
Uses symmetric and asymmetric cryptography
If using asymmetric cryptography, the ssh-keygen command is used to generate the public/private key pair
Remote Desktop Protocol (RDP)
List features
Allows a remote connection to a workstation or server via port 3389
Features include:
- Encryption of the data in transit
- Authentication via use of smart cards
- Bandwidth reduction, which optimizes the data transfer rate if a low-speed connection is used
- Resource sharing
- Can disconnect the RDP connection temporarily without logging off the remote connection
Customer Management Console-based Access
What securing features should it include?
A proprietary API that the CSP creates to allow the cloud customer to access, configure, and manage virtual machines
Securing Features should include:
- NTK admin controls
- Least privilege technical controls
- Role-based access with MFA controls
- Isolated and protected communication channels via TLS and VPN
- Any command line interface (CLI) should be protected by using SSH
DNSSEC
Provides integrity for DNS resolver requests, responses, and zone transfers
List DNSSEC resource records
DNSKEY - holds the public key that resolvers can use to verify DNSSEC signatures in RRSIG records
RRSIG - a record that holds the DNSSEC digital signature for a record set
To prevent DNS hijacking and unauthorized manipulation of resolver requests, what should you ensure of your email domain?
Ideally, ensure your email domain has a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy with SPF (Sender Policy Framework) and/or DKIM (DomainKeys Identified Mail), and that you enforce such policies provided by other domains on your email system
List DNS Attacks
DNS cache poisoning
Hijack DNS servers
MiTM can send a fake DNS response
DNS Shadowing - attacker compromises a registry account and registers subdomains to host fake sites
How can MiTM DNS attacks be addressed?
DNS Security (DNSSEC) - designed to prevent DNS cache poisoning; uses digital signatures to verify that DNS data is coming from an authenticated source
Virtual LAN (VLAN)
A method of separating layer 3 networks using a layer 2 switch
You still need a router and ACLs to properly forward and control traffic
Used to create isolation beyond traffic segmentation
The maximum number of networks allowed in a VLAN is 4096
VXLAN
VXLAN (X is for extensible) is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network
VXLAN is the most commonly used protocol to create overlay networks that encapsulate layer 2 over layer 3 (L2oL3), enabling the use of virtual networks, and allows for 16.7 million separate networks or VXLANs
How does VXLAN enable cloud?
It supports virtualization of the data center network while addressing the needs of multi-tenant data centers by providing the necessary segmentation on a large scale.
VXLAN allows for scalability and allows cloud providers to effectively separate and isolate tenants from each other.
VXLAN Tunnel End Point (VTEP)
A hypervisor-based function that allows VMs to communicate via source and destination IP addresses
Virtual Private Network (VPN)
Allows two private networks to communicate with each other over a public network (Internet)
OpenVPN
An open-source VPN solution that provides up to 256-bit encryption.
It is very customizable, can bypass firewalls, and can support several types of encryption algorithms.
Point to Point Tunneling (PPTP)
AKA
Uses 128-bit encryption called Microsoft Point-to-Point Encryption (MPPE), which is weak and has been compromised.
Secure Socket Tunneling Protocol
Developed by Microsoft to replace PPTP; it is proprietary and offers 256-bit encryption.
SoftEther
An open-source VPN protocol that uses 256-bit encryption.
Used on workstations and mobile devices.
Layer 2 Tunneling Protocol (L2TP)
A VPN protocol developed jointly by Cisco and Microsoft. Typically secured by using IPSEC.
256-bit encryption.
Used everywhere.
Supports multithreading, but is slower.
Internet Key Exchange v2 (IKE)
An IPSEC protocol based on the ISAKMP framework and the Oakley key negotiation protocol
IKE is used for building and managing Security Associations (SAs); it encrypts the AH or ESP
Two ways to exchange keys: Diffie-Hellman (DH) style negotiation (routers) or public keys (users)
IP Security (IPSEC)
A layer 3 protocol used to secure IP traffic for VPNs
IPSEC Transport Mode
Only the payload portion of each packet is protected (end-to-end encryption, e.g. between client and server)
IPSEC Tunnel Mode
The entire original packet is protected, including the IP header (link encryption, e.g. firewall to firewall)
IPSEC Authentication Header
Authenticates the sender (source IP) and performs an integrity check
AH Transport mode protects integrity of payload only
AH Tunnel mode protects integrity of header and payload
IPSEC Encapsulating Security Payload
Same as Authentication Header, plus encrypts for confidentiality
ESP Transport mode encrypts the payload only; the original IP header is left unencrypted
ESP Tunnel mode encrypts headers and payload
IPSEC Security Association (SAs)
A one-way connection using either AH or ESP services
Each SA is uniquely identified in a packet using 3 identifiers:
- Security Parameter Index (a session ID number used for tracking)
- Destination IP Address
- An AH or ESP identifier to indicate which is being used
Internet Security Association and Key Management Protocol (ISAKMP)
A framework for choosing encryption algorithms and key exchange methods
Oakley
A key negotiation protocol using the Diffie Hellman approach
Transport Layer Security 1.3 (TLS)
Originally SSL v1, 2, and 3 were used, but SSL has been deprecated
TLS v1.1 and 1.2 should not be used as they are vulnerable to attacks. Use TLS v1.3.
Commonly used for end-to-end encryption.
TLS Negotiation
- Client Hello contains:
  - Protocol Version - TLS 1.3
  - Asymmetric Algorithm for session key - RSA
  - Symmetric Algorithm for encrypting data in transit - Salsa
  - Hashing Algorithm - SHA256
- Server chooses TLS 1.3, RSA, Salsa, SHA256, answers these conditions and sends the server certificate to the client
- Optional: if the client has a certificate, the client sends it to the server (mutual authentication)
- Session key negotiated between client and server
- All traffic encrypted
Firewalls
Firewalls are a software- or hardware-based form of protecting a host or network. Every firewall comes with an implicit deny-all rule.
Ingress filtering - analyzing traffic coming into the firewall
Egress filtering - analyzing traffic leaving the firewall
Stateless Firewall
A firewall that filters egress and ingress traffic based on IP address and port number regardless of session
Dynamic firewall
Does the same as a stateless firewall but adds engines defined by signatures, behavior, anomalies, heuristics, and artificial intelligence
Next-Generation (Next-Gen) Firewall
A standard firewall that adds intrusion detection/prevention technology and traffic management through segmentation policies
List Firewall Categories
Software Firewall
Hardware Firewall
Application Firewall
Database Firewall
Software Firewall
A firewall that is installed on the host or is built into the operating system of the host
Hardware Firewall
An actual piece of HW that serves as a firewall
Application Firewall
Works at Layer 7 of the OSI model; for example, a WAF is used to protect a web application and its backend DB, and performs input validation
Database Firewall
A layer 7 firewall used to protect a DB, e.g. a DB Activity Monitor
- Network-based IDS/IPS?
- Host-based IDS/IPS?
- Why would you employ both on your network?
- A system that scans network traffic looking for attacks or intrusions
- Systems that only scan the single host they are installed on, sometimes called HBSS (Host-Based Security System)
- To apply defense in depth: host-based can better detect internal threats; network-based can't read encrypted traffic, and devices can be taken offline
IDS/IPS scanning technologies?
Signature-based - pattern matching or knowledge-based; scans based on attack signatures and is used to find known threats
Behavior-based - anomaly-based or profile-based
- the system must learn and build normal profiles (a baseline), and later it scans for deviations from the profiles (the network must be secure while the IDPS learns)
- used to find new or unknown threats
IDS/IPS alert veracity measures?
True Positive - the system correctly identifies an intrusion
True Negative - correctly determines that no intrusion is present
False Positive - the system mistakenly identifies legitimate traffic as an intrusion
False Negative - the system mistakenly allows a threat to enter the network
Honeypot/Honeynet
A fake target on the network designed to lure in attackers
- protects the real network from attacks
- allows security personnel to observe attacker’s actions
- acts as a type of early warning system
- a honeynet is multiple honeypots networked together
Padded Cell
Designed to work with the IDS; the attacker is sent to a sandboxed honeypot where they can do no harm
Application Baseline
A baseline is the minimum settings, permissions, or requirements to meet the objective
IT Asset Management (ITAM)
A database of all assets, firmware, and version numbers, their locations, and who is in possession of them
Configuration Management Database (CMDB)
Works with ITAM. It is a single repository containing all settings, configurations, and other information about assets.
It is a good practice to automate the creation, application, management, updating, tracking, and compliance checking for baselines
Security Content Automation Protocol (SCAP)
A method for using specific standards (baselines) to enable automated vulnerability scanning and policy compliance evaluation of systems in an organization
This allows you to scan systems to see if they are compliant
You download a SCAP content module (standard), load it into a SCAP scanner, then scan your devices to see if they conform to the standard
Security Technical Implementation Guides (STIGs)
The configuration standards for DoD information-assurance-enabled devices and systems
Cloud Computing Security Requirements Guide (CC SRG)
A collection of security requirements applicable to a given technology family, product category, or the organization in general
The CC SRG provides non-specific requirements to implement the STIG control guidance in a cloud environment
Center for Internet Security (CIS)
A community-driven non-profit that publishes globally recognized best practices for securing IT systems and data
CIS Critical Security Controls
A group of best practices used to mitigate attacks against systems and networks
CIS Benchmarks
Guidelines for hardening specific operating systems, middleware, software applications, and network devices
Stand Alone Hosts
A dedicated hosting solution for individual processes and resources. To create an isolated, secured, dedicated hosting environment, use a stand-alone host. Note this does not meet the 5 essential characteristics of cloud.
Shared Host
A configuration that offers multi-tenant, secured hosting capabilities
Clustered Host
Logically and physically connected to other hosts within a management framework. This framework allows central management of resources for the collection of hosts, the applications, and the VMs running on any member of the cluster. Clustered hosts allow for failover or movement between host members.
Storage Cluster
Using two or more storage servers working in unison for better performance, capacity, and reliability.
Cluster Storage Architectures
- Tightly Coupled Cluster - uses a proprietary physical backplane that the controller nodes connect to
- Loosely Coupled Cluster - uses building blocks that can start small and grow with demand, which in turn is more cost-effective
Maintenance Mode
Utilized when updating or configuring different components of the cloud environment, including VMs
When in maintenance mode, ensure the following:
- Customer access should be blocked; New logins are prevented
- Alerts should be disabled
- Logging remains enabled and continues
- All active production instances are removed
Live Migration
The transfer of the operation of one VM to another in such a way that it is completely transparent to the user
Information Technology Infrastructure Library (ITIL) v4
A standard for achieving quality IT services and addresses service value streams (SVS).
SVSs are used to create value through IT-enabled services.
Core Components of ITIL
- Service Value Chain
- Practices
- Guiding Principles
- Governance
- Continual Improvement
ITIL Change Management
The practice of ensuring changes in an organization are smoothly and successfully implemented and the lasting benefits are achieved by managing the human aspects of the changes.
What are the 3 types of changes in ITIL? Descriptions?
- Standard change - low-risk, pre-authorized, routine changes. Well understood and fully documented. Implemented without needing additional authorization.
- Normal change - uses the standard process to schedule, assess, and authorize the change. Triggered by creating a change request.
- Emergency change - must be implemented as soon as possible. Not typically included in a change schedule. Assessment and authorization are expedited.
Continuity Management
The practice of ensuring that service AVAILABILITY and PERFORMANCE are maintained at a sufficient level in the event of a disaster
Information Security Management
The practice of protecting an organization by understanding and managing risk to the CIA of information.
Continual Service Improvement Management
The practice of aligning an organization's practices and services with changing business needs through the ongoing identification and improvement of all elements involved in the effective management of products and services
Release Management
The practice of making new and changed services and features available for use
Patch Management
The process of applying updates to fix functionality, features, or security
Incident Management
The practice of minimizing the negative impact of incidents by restoring normal service operations as quickly as possible
Incident Management - Event
Changes in a system state that have significance for the management of a service or other configuration item
Incident Management - Incident
An unplanned interruption or degradation in the quality of a service
Incident Management - Breach
Proof that a system had unauthorized access
Incident Management - Disclosure
Proof that confidential information has been shared outside of owner-defined clearance levels
How are incidents in Incident Management prioritized?
As high, medium, or low, based on:
- Impact - how the incident is going to affect the organization
- Urgency - how fast the incident needs to be resolved
- Priority = Impact × Urgency
List the Incident Response phases in order
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Problem Management
The practice of reducing the likelihood and impact of incidents by identifying actual and potential causes of incidents, and managing workarounds or known errors
Problem Management - Problem
The unknown cause of an incident, often identified as a result of several incidents
Problem Management - Known Error
The known root cause of a problem
Problem Management - Workaround
A temporary fix
Deployment Management
The practice of moving new and changed hardware, software, documentation, processes, or any other service components to live environments
Approaches to Deployment Management
- Phased - deployments conducted in phases
- Continuous delivery - frequent deployments
- Big Bang deployment - updates deployed all at once
- Pull deployments - updates are self selected by the user
Configuration Management
The practice of ensuring that accurate and reliable information about the configuration of services, and the configuration items that support them, is available when needed
Service Level Management
The practice of setting clear, business-based targets for service performance so that the delivery of services can be properly assessed, monitored, and managed against these targets
The objective is end-to-end visibility
Availability Management
The practice of ensuring that services deliver agreed levels of availability to meet the needs of the customer and users
Capacity and Performance Management
The practice of ensuring that services achieve agreed and expected performance levels, satisfying current and future demand in a cost-effective way
What questions should be asked when managing communications to relevant parties?
- Who is the target of communication?
- What goal are we trying to achieve and what risk is involved?
- When is the best time to communicate?
- Where is the communication pathway managed from?
- Why is communication needed?
- How is communication being transmitted?
When supporting the communication paths that vendors or partners need with the organization, what needs to be in place?
Onboarding
Management
Offboarding
Hardware Monitoring: why is it essential, what are the common areas to monitor, and what may be an early warning of failure?
It is essential for the secure and reliable operation of a cloud environment
Data performance (I/O) of underlying components may provide early indicators of HW failure
Common areas:
- Network
- CPU
- Disk
- RAM/Memory
SOMS Flow Diagram
- Establish the framework
- Policy
- Planning
- Implementation and Operation
- Performance Evaluation
- Management Review
What is SOMS? Which ISO standard defines it?
Security Operations Management System for security operations
Used to establish a Security Operations Center
ISO 18788
A successful SOMS has the following:
- Leadership and commitment
- Statement of conformance
- Policy
- Organizational roles, responsibilities, and authorities
- Planning
- Legal and other requirements
- Internal/external requirements, risk communication and consultation (whistleblower or grievance procedures)
- Competence, training, and awareness
- Use of force (use of less-lethal, lethal, and law enforcement engagement)
- Background screening
- Occupational health and safety
- Security operations and risk treatment objectives
Mnemonic: CLUB PISS POOL
Application Performance Monitoring goal?
CAMP?
Cloud application performance management (CAMP) is the process of monitoring the resources that support application program performance in private and hybrid cloud environments
The goal of application monitoring is to give admins the ability to identify a poor user experience quickly so that cloud issues can be resolved
Real User Monitoring (RUM)
Monitoring users live as they use a system by capturing and analyzing every transaction of every user
Synthetic Performance Monitoring
The use of scripts and agents to run preprogrammed scenarios to determine predictable outputs
An automated test of a cloud service
What should an organization do to establish and maintain successful log management activities?
- Establish policies and procedures for log management
- Develop standard processes for performing log management
- Define its logging requirements and goals as a part of the planning process
- Develop policies that clearly define mandatory requirements and suggested recommendations for log management
- Ensure that related policies and procedures incorporate and support log management requirements
Security Information and Event Management (SIEM)
Technology that provides real-time reporting and analysis of security events and generates alerts
Information is sourced from network hardware and applications
Available as software, appliances, or managed services; also used to log security data and generate reports for compliance purposes
Collects logs and information from many disparate sources to aggregate and correlate the data
List Goals of Security Information and Event Management (SIEM)
Centralize collection of log data
Enhance analysis capabilities
Dashboarding
Automated Response