Cloud Operations Flashcards

1
Q

How do you secure a KVM?

A

Combine Physical and Logical controls to protect against unauthorized electronic emanation surveillance

2
Q

Features of a Secure KVM

A
  1. Push button control - physical access needed to control KVM
  2. Firmware that has authenticated protection
  3. Isolated data channels
  4. Restricted USB functionality
  5. Does not allow buffering
3
Q

Secure Shell (SSH)

A

A protocol used to administer remote devices over a network using TCP port 22

Uses symmetric and asymmetric cryptography

If using asymmetric keys, the ssh-keygen command is used to generate the public/private key pair

4
Q

Remote Desktop Protocol (RDP)

List features

A

Allows a remote connection to a workstation or server via port 3389

Features include:

  1. Encryption of the data in transit
  2. Authentication via use of smart cards
  3. Bandwidth reduction, which optimizes the data transfer rate when a low-speed connection is used
  4. Resource sharing
  5. Can disconnect the RDP connection temporarily without logging off the remote connection
5
Q

Customer Management Console-based Access

What securing features should it include?

A

A proprietary API that the CSP creates to allow the cloud customer to access, configure, and manage virtual machines

Securing Features should include:

  1. Need-to-know (NTK) admin controls
  2. Least privilege technical controls
  3. Role-based access with MFA controls
  4. Isolated and protected communication channels via TLS and VPN
  5. Any command line interface (CLI) should be protected by using SSH
6
Q

DNSSEC

A

Provides integrity for DNS resolver requests, responses and zone transfers

7
Q

List DNSSEC resource records?

A

DNSKEY - holds the public key that resolvers can use to verify DNSSEC signatures in RRSIG records

RRSIG - a record that holds the DNSSEC digital signature for a set of records

8
Q

To prevent DNS hijacking and unauthorized manipulation of resolver requests, what should you ensure for your email domain?

A

Ideally, ensure your email domain has a DMARC (Domain Based Message Authentication Reporting and Compliance) policy with SPF (Sender Policy Framework) and/or DKIM (Domain Keys Identified Mail), and that you enforce such policies provided by other domains on your email system

9
Q

List DNS Attacks

A

DNS cache poisoning

Hijacking of DNS servers

MiTM - an attacker in the path sends a fake DNS response

DNS shadowing - attacker compromises a registry account and registers subdomains to host fake sites

10
Q

How can MiTM DNS attacks be addressed?

A

DNS Security (DNSSEC) - designed to prevent DNS cache poisoning; uses digital signatures to verify that DNS data is coming from an authenticated source

11
Q

Virtual LAN (VLAN)

A

A method of separating layer 3 networks using a layer 2 switch

You still need a router and ACLs to properly forward and control traffic

Used to create isolation beyond traffic segmentation

The maximum number of VLANs allowed is 4096

12
Q

VXLAN

A

VXLAN (the X is for extensible) is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network

VXLAN is the most commonly used protocol to create overlay networks that encapsulate layer 2 over layer 3 (L2oL3), enabling the use of virtual networks, and allows for 16.7 million separate networks or VXLANs

13
Q

How does VXLAN enable cloud?

A

It supports virtualization of the data center network while addressing the needs of multi-tenant data centers by providing the necessary segmentation on a large scale.

VXLAN allows for scalability and allows cloud providers to effectively separate and isolate tenants from each other.

14
Q

VXLAN Tunnel End Point (VTEP)

A

A hypervisor-based function that allows VMs to communicate via source and destination IP addresses

15
Q

Virtual Private Network (VPN)

A

Allows two private networks to communicate with each other over a public network (Internet)

16
Q

OpenVPN

A

An open-source VPN solution that provides up to 256-bit encryption.

It is very customizable, can bypass firewalls and can support several types of encryption algorithms.

17
Q

Point to Point Tunneling (PPTP)

AKA

A

Uses 128-bit encryption called Microsoft Point-to-Point Encryption (MPPE), which is weak and has been compromised.

18
Q

Secure Socket Tunneling Protocol

A

Developed by Microsoft to replace PPTP; it is proprietary and offers 256-bit encryption.

19
Q

SoftEther

A

An open source VPN protocol that uses 256-bit encryption.

Used on workstations and mobile devices.

20
Q

Layer 2 Tunneling Protocol (L2TP)

A

A VPN protocol developed jointly by Cisco and Microsoft. Typically secured by using IPSEC.

256-bit encryption.
Used everywhere.
Supports multi-threading, but is slower.

21
Q

Internet Key Exchange v2 (IKE)

A

An IPSEC protocol based on the ISAKMP framework and the Oakley key negotiation protocol

IKE is used for building and managing Security Associations (SAs); it encrypts the AH or ESP

Two ways to exchange keys: Diffie-Hellman (DH) style negotiation (routers) or public keys (users)

22
Q

IP Security (IPSEC)

A

A layer 3 protocol used to secure IP traffic for VPNs

23
Q

IP SEC Transport Mode

A

Only the payload portion of each packet is protected (end-to-end encryption, e.g. between client and server)

24
Q

IP SEC Tunnel Mode

A

The entire original packet is protected, including the IP header (link encryption, e.g. firewall to firewall)

25
Q

IPSEC Authentication Header

A

Authenticates the sender (source IP) and performs an integrity check

AH Transport mode protects integrity of payload only

AH Tunnel mode protects integrity of header and payload

26
Q

IPSEC Encapsulating Security Payload

A

Same as Authentication Header plus encrypts for confidentiality

ESP Transport mode encrypts the payload only; the original IP header is left unencrypted

ESP Tunnel mode encrypts headers and payload

27
Q

IPSEC Security Associations (SAs)

A

A one-way connection using either AH or ESP services

Each SA is uniquely identified in a packet using three indicators

  1. Security Parameter Index (SPI) - session ID# used for tracking
  2. Destination IP address
  3. An AH or ESP identifier to indicate which is being used
28
Q

Internet Security Association and Key Management Protocol (ISAKMP)

A

A framework for choosing encryption algorithms and key exchange methods

29
Q

Oakley

A

A key negotiation protocol using the Diffie-Hellman approach

30
Q

Transport Layer Security 1.3 (TLS)

A

Originally SSL v1, v2 and v3 were used, but SSL has been deprecated

TLS v1.1 and 1.2 should not be used as they are vulnerable to attacks. Use TLS v1.3.

Commonly used for end-to-end encryption.

31
Q

TLS Negotiation

A
  1. Client Hello contains:
    - Protocol Version - TLS 1.3
    - Asymmetric Algorithm for session Key - RSA
    - Symmetric Algorithm for encrypting data in transit - Salsa
    - Hashing Algorithm - SHA256
  2. Server chooses TLS 1.3, RSA, Salsa, SHA256
    - Answers these conditions and sends server certificate to client
    - Optional: If client has a certificate, client sends to server (mutual authentication)
  3. Session Key negotiated between client and server.
  4. All traffic encrypted
32
Q

Firewalls

A

Firewalls can be software- or hardware-based and protect a host or a network. Every firewall comes with an implicit deny-all rule.

Ingress filtering - analyzing traffic coming into the firewall
Egress filtering - analyzing traffic leaving the firewall

33
Q

Stateless Firewall

A

A firewall that filters egress and ingress based on IP and port number regardless of session

34
Q

Dynamic firewall

A

Does the same as a stateless firewall but adds detection engines driven by signatures, behavior, anomalies, heuristics and artificial intelligence

35
Q

Next-Generation (Next-Gen) Firewall

A

A standard firewall but adds intrusion detection/prevention technology and traffic management through segmentation policies

36
Q

List Firewall Categories

A

Software Firewall
Hardware Firewall
Application Firewall
Database Firewall

37
Q

Software Firewall

A

A firewall that is installed on the host or is built into the operating system of the host

38
Q

Hardware Firewall

A

A dedicated piece of hardware that serves as a firewall

39
Q

Application Firewall

A

Works at Layer 7 of the OSI model; for example, a WAF is used to protect a web application and its backend DB, and performs input validation

40
Q

Database Firewall

A

A layer 7 firewall used to protect databases, e.g. a Database Activity Monitor

41
Q
  1. Network-based IDS/IPS?
  2. Host-based IDS/IPS?
  3. Why would you employ both on your network?
A
  1. A system that scans network traffic looking for attacks or intrusions
  2. Systems that only scan the single host they are installed on, sometimes called HBSS (Host-Based Security System)
  3. To apply defense in depth: host-based systems can better detect internal threats; network-based systems can't read encrypted traffic; devices can be taken offline
42
Q

IDS/IPS scanning technologies?

A

Signature-based - pattern matching or knowledge-based; scans based on attack signatures and is used to find known threats

Behavior-based - anomaly-based or profile-based

  • the system must learn and build normal profiles (a baseline), and later it scans for deviations from the profiles (the network must be secure while the IDPS learns)
  • used to find new or unknown threats
43
Q

IDS/IPS alert veracity measures?

A

True Positive - the system correctly identifies an intrusion

True Negative - correctly determines that no intrusion is present

False Positive - the system mistakenly identifies legitimate traffic as an intrusion

False Negative - the system mistakenly allows a threat to enter the network

44
Q

Honeypot/Honeynet

A

A fake target on the network designed to lure in attackers

  • protects the real network from attacks
  • allows security personnel to observe attacker’s actions
  • acts as a type of early warning system
  • a honeynet is multiple honeypots networked together
45
Q

Padded Cell

A

Designed to work with the IDS, the attacker is sent to a sandboxed honeypot where they can do no harm

46
Q

Application Baseline

A

A baseline is the minimum settings, permissions, or requirements to meet the objective

47
Q

IT Asset Management (ITAM)

A

A database of all assets, firmware and version numbers, their locations, and who is in possession of them

48
Q

Configuration Management Database (CMDB)

A

Works with ITAM. It is a single repository containing all settings, configurations, and other information about assets.

It is a good practice to automate the creation, application, management, updating, tracking, and compliance checking for baselines

49
Q

Security Content Automation Protocol (SCAP)

A

Method for using specific standards (baselines) to enable automated vulnerability scanning and policy compliance evaluation of systems in an organization

This allows you to scan systems to see if they’re compliant

You download a SCAP content module (standard), load it into a SCAP scanner, then scan your devices to see if they conform to the standard

50
Q

Security Technical Implementation Guides (STIGs)

A

The configuration standards for DoD information assurance enabled devices and systems

51
Q

Cloud Computing Security Requirements Guide (CC SRG)

A

A collection of security requirements applicable to a given technology family, product category, or the organization in general

The CC SRG provides non-specific requirements to implement the STIG control guidance in a cloud environment

52
Q

Center for Internet Security (CIS)

A

A community-driven non-profit that publishes globally recognized best practices for securing IT systems and data

53
Q

CIS Critical Security Controls

A

A group of best practices used to mitigate attacks against systems and networks

54
Q

CIS Benchmarks

A

Guidelines for hardening specific operating systems, middleware, software applications, and network devices

55
Q

Stand Alone Hosts

A

A dedicated hosting solution for individual processes and resources. To create an isolated, secured, dedicated hosting environment, use a stand-alone host. Note this doesn’t meet the 5 essential characteristics of cloud.

56
Q

Shared Host

A

A configuration that offers multi-tenant, secured hosting capabilities

57
Q

Clustered Host

A

Logically and physically connected to other hosts within a management framework. This framework allows central management of resources for the collection of hosts, the applications, and the VMs running on any member of the cluster. Clustered hosts allow for failover or movement between host members.

58
Q

Storage Cluster

A

Using two or more storage servers working in unison for better performance, capacity, and reliability.

59
Q

Cluster Storage Architectures

A
  1. Tightly Coupled Cluster - uses a proprietary physical backplane to which the controller nodes connect
  2. Loosely Coupled Cluster - uses building blocks that can start small and grow with demand, which in turn is more cost effective
60
Q

Maintenance Mode

A

Utilized when updating or configuring different components of a cloud environment, including VMs

61
Q

When in maintenance mode ensure the following?

A
  1. Customer access should be blocked; New logins are prevented
  2. Alerts should be disabled
  3. Logging remains enabled and continues
  4. All active production instances are removed
62
Q

Live Migration

A

The transfer of the operation of one VM to another in such a way that it is completely transparent to the user

63
Q

Information Technology Infrastructure Library (ITIL) v4

A

A standard for achieving quality IT services and addresses service value streams (SVS).

SVSs are used to create value through IT-enabled services.

64
Q

Core Components of ITIL

A
  1. Service Value Chain
  2. Practices
  3. Guiding Principles
  4. Governance
  5. Continual Improvement
65
Q

ITIL Change Management

A

The practice of ensuring changes in an organization are smoothly and successfully implemented and the lasting benefits are achieved by managing the human aspects of the changes.

66
Q

What are the 3 types of changes in ITIL? Descriptions?

A
  1. Standard change - low risk, pre-authorized, routine changes. Well understood and fully documented. Implemented without needing additional authorization
  2. Normal changes - use standard process to schedule, assess, and authorize change. Is triggered by creating a change request.
  3. Emergency changes - must be implemented as soon as possible. Not typically included in a change schedule. Assessment and authorization is expedited.
67
Q

Continuity Management

A

The practice of ensuring that service AVAILABILITY and PERFORMANCE are maintained at a sufficient level in the event of a disaster

68
Q

Information Security Management

A

The practice of protecting an organization by understanding and managing risk to the CIA of information.

69
Q

Continual Service Improvement Management

A

The practice of aligning an organization's practices and services with changing business needs through the ongoing identification and improvement of all elements involved in the effective management of products and services

70
Q

Release Management

A

The practice of making new and changed services and features available for use

71
Q

Patch Management

A

The process of applying updates to fix functionality, features, or security

72
Q

Incident Management

A

The practice of minimizing the negative impact of incidents by restoring normal service operations as quickly as possible

73
Q

Incident Management - Event

A

Changes in a system state that have significance for the management of a service or other configuration item

74
Q

Incident Management - Incident

A

An unplanned interruption or degradation in the quality of a service

75
Q

Incident Management - Breach

A

Proof that a system has been accessed without authorization

76
Q

Incident Management - Disclosure

A

Proof that confidential information has been shared outside of owner-defined clearance levels

77
Q

How are incidents in Incident Management prioritized?

A

By high, medium, low based on:

  1. Impact - how is the incident going to affect the organization
  2. Urgency - how fast the incident needs to be resolved
  3. Priority = Impact X Urgency
78
Q

List Incident Response Phases in Order

A
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
79
Q

Problem Management

A

The practice of reducing the likelihood and impact of incidents by identifying actual and potential causes of incidents, and managing workarounds or known errors

80
Q

Problem Management - Problem

A

The unknown cause of an incident, often identified as a result of several incidents

81
Q

Problem Management - Known Error

A

The known root cause of a problem

82
Q

Problem Management - Workaround

A

A temporary fix

83
Q

Deployment Management

A

The practice of moving new and changed hardware, software, documentation, processes, or any other service components to live environments

84
Q

Approaches to Deployment Management

A
  1. Phased - deployments conducted in phases
  2. Continuous delivery - frequent deployments
  3. Big Bang deployment - updates deployed all at once
  4. Pull deployments - updates are self selected by the user
85
Q

Configuration Management

A

The practice of ensuring that accurate and reliable information about the configuration of services, and the configuration items that support them, is available when needed

86
Q

Service Level Management

A

The practice of setting clear business based targets for service performance so that the delivery of service can be properly assessed, monitored, and managed against these targets

Objective is end to end visibility

87
Q

Availability Management

A

The practice of ensuring that services deliver agreed levels of availability to meet the needs of the customer and users

88
Q

Capacity and Performance Management

A

The practice of ensuring that services achieve agreed and expected performance levels, satisfying current and future demand in a cost effective way

89
Q

What questions should be asked when managing communications to relevant parties?

A
  1. Who is the target of communication?
  2. What goal are we trying to achieve and what risk is involved?
  3. When is the best time to communicate?
  4. Where is the communication pathway managed from?
  5. Why is communication needed?
  6. How is communication being transmitted?
90
Q

When considering supporting vendor or partner needed communication paths with the organization what needs to be in place?

A

Onboarding
Management
Offboarding

91
Q

Hardware Monitoring: why is it essential, what are the common areas to monitor, and what may be an early warning of failure?

A

It is essential for the secure and reliable operation of a cloud environment

Data performance (I/O) of underlying components may provide early indicators of HW failure

Common areas:

  1. Network
  2. CPU
  3. Disk
  4. RAM/Memory
92
Q

SOMS Flow Diagram

A
  1. Establish the framework
  2. Policy
  3. Planning
  4. Implementation and Operation
  5. Performance Evaluation
  6. Management Review
93
Q

What is SOMS?

Which ISO standard covers it?

A

A Security Operations Management System for security operations

Used to establish a Security Operations Center

ISO 18788

94
Q

A successful SOMS has the following

A
  1. Leadership and commitment
  2. Statement of conformance
  3. Policy
  4. Organizational roles, responsibilities, and authorities
  5. Planning
  6. Legal and other requirements
  7. Internal/external requirements, risk communication and consultation (whistle-blower or grievance procedures)
  8. Competence training and awareness
  9. Use of force (use of less-lethal, lethal, and law enforcement engagement)
  10. Background screening
  11. Occupational health and safety
  12. Security operations and risk treatment objectives

CLUB PISS POOL

95
Q

Application Performance Monitoring goal?

CAMP?

A

Cloud application performance management (CAMP) is the process of monitoring resources that support application program performance in private and hybrid cloud environments

The goal of application monitoring is to provide admins with the ability to identify a poor user experience quickly so cloud issues can be resolved

96
Q

Real User Monitoring (RUM)

A

Monitoring users live as they utilize a system by capturing and analyzing every transaction of every user

97
Q

Synthetic Performance Monitoring

A

The use of scripts and agents to run preprogrammed scenarios to determine predictable outputs

An automated test of a cloud service

98
Q

What should an organization do to establish and maintain successful log management activities?

A
  1. Establish policies and procedures for log management
  2. Develop standard process for performing log management
  3. Define its logging requirements and goals as a part of the planning process
  4. Develop policies that clearly define mandatory requirements and suggested recommendations for log management
  5. Ensure that related policies and procedures incorporate and support log management requirements
99
Q

Security Information and Event Management (SIEM)

A

A technology that provides real-time reporting and analysis of security events that generate alerts

Information is sourced from network hardware and applications

Available as software, appliances, or managed services; also used to log security data and generate reports for compliance purposes

Collects logs and information from many disparate sources to aggregate and correlate the data

100
Q

List Goals of Security Information and Event Management (SIEM)

A

Centralize collection of log data
Enhance analysis capabilities
Dashboarding
Automated Response