Course 03 security configurations Flashcards

1
Q

Why use the SAML protocol?

A

Security Assertion Markup Language (SAML)

With increased collaboration and the move towards cloud-based environments, many applications have moved beyond the boundaries of a company’s domain. So authentication to a large number of applications is required from users.
If a user needs to access multiple applications where each one requires a different set of credentials, it becomes a problem for the end user. Federated Authentication is the solution to this problem.
Federated Identity started with the need to support application access that spans beyond a company or organization boundary.

ref:
https://developer.okta.com/docs/concepts/saml/#saml-2-0

2
Q

What is the SAML protocol?

A

Security Assertion Markup Language is an open standard that, through a set of authentication and authorization functions, makes it possible to secure the communication of identities from one company to another. It is mainly used to establish single sign-on (SSO) between an identity provider (IdP) and a service provider (SP). When an IdP (an employer, for example) and a service provider (a SaaS company, for example) implement the SAML protocol, they can easily authenticate users accredited with the IdP so that those users can use the services.

3
Q

What is the operating principle of SAML?

A

Security Assertion Markup Language
First, the user tries to access the service provider via a URL or a link to a portal. The IdP's identity federation software then activates and confirms the user's identity. The IdP passes the information to the same software used at the service provider. The tokenized message contains all the information about the user, including their permissions and the groups they belong to. The service provider's identity federation software then verifies that the message comes from a trusted IdP, and creates a user session in the application.

4
Q

Name different authentication protocols

A

SAML, OpenID, LDAP, Kerberos

5
Q

Difference between SAML and LDAP

A

SAML handles federated identities. Interoperable XML format. Allows online transfer. LDAP is rather on-prem (directory-based). Handles authentication/authorization to a machine's directories. (Used on Windows servers.)

6
Q

Difference between LDAP and Kerberos

A

Kerberos and LDAP are both network protocols used for authentication and authorization.

Intended usage: Kerberos was designed for authentication, while LDAP is a directory management protocol that can also facilitate authentication.

Authentication process: Kerberos uses symmetric key cryptology to facilitate mutual authentication between a client and a resource; LDAP queries a database to compare a user’s input credentials with those stored in the directory.

Because Kerberos and LDAP differ in these key areas, they actually work fairly well together. For example, a system might use Kerberos to authenticate users to resources and use LDAP to store users’ data, which would inform their permission levels within their resources.

7
Q

Application load balancing vs network load balancing?

A

A load balancer balances network traffic or application tasks.
Network -> done at the network level

App -> the app can be replicated several times, and traffic is directed/distributed among the replicated apps. Within an instance there are several containers, and app traffic is directed to the different containers.

8
Q

What does consistent hashing hash in a network vs application context?

A

It hashes the IP address in a network load balancing context.

In an application load balancing context, consistent hashing hashes the process ID.

9
Q

Why use consistent hashing?

A

Distributed hashing takes more space. With a lot of data, a hash map has a limit.

The circular aspect of consistent hashing is good for larger infrastructure (lots of data).

10
Q

Which VPN connections provide network-to-VPC connectivity? (on AWS)

A

AWS Direct Connect service.
Lets clients connect directly to VPCs through an IPsec tunnel.

AWS Direct Connect can work in peer-to-peer mode or in gateway mode.
Gateway: clients go through a gateway before connecting with the VPN. The gateway orchestrates the connections to the VPCs. It can put connections on hold.

Peer-to-peer:
worse, less management of access to the VPCs. No client is put on hold.

11
Q

What is AWS Certificate Manager?

A

Certificate Manager lets you manage requests.
CA (central authority)
A certificate must be present on a site for it to be HTTPS.

12
Q

Advantage of traffic mirroring

A

Traffic analysis.
Enables passive analysis and intrusion detection.

13
Q

What is used for encryption (protection) in transit?
Which service manages the certificates for protection in transit?

A

IPsec2 VPN.
The fundamental protection: SSL/TLS
SSL manager**

14
Q

What must be defined when creating an IAM policy?

A

An IAM policy specifies the effect (allow, deny), the actions (e.g. ec2CreateVPC) and the resources (arn:aws:ec2*).

OPTIONAL: Condition (e.g. filter only on production VPCs)

Principal: the user or resource to which the policy applies

15
Q

Which protocol do routers use?

A

BGP protocol
Path vector algorithm

16
Q

What is VPC peering?

A

Directly connecting two VPCs with their private addresses, for redundancy: “no single point of failure, no network bandwidth bottleneck”.

17
Q

What is a tier?

A

Replication of a container (several replicated containers) in case a container fails. Databases can be replicated.
Not necessarily in the same subnet,
not necessarily in the same instance,
the tiers must be connected*

18
Q

What are the SOC and HIPAA standards?

A

Audit standards

The Need for HIPAA Compliance
HHS points out that as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data.
The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

SOC (a bit like ISO 9001):
a standard,
a set of well-documented processes and procedures,
ensures that the organization is well structured

19
Q

Which AWS service discovers vulnerabilities?

A

AWS Inspector

20
Q

What is SIEM? What are its main functions?

A

Security Information and Event Management

At its core, SIEM is a data aggregator, search, and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates and makes that data human accessible. With the data categorized and laid out at your fingertips, you can research data security breaches with as much detail as needed.

SIEM provides two primary capabilities to an Incident Response team:

Reporting and forensics about security incidents
Alerts based on analytics that match a certain rule set, indicating a security issue

Collection: alerts raised by IDS and IPS, logs.
Normalization: a readable format enabling multi-criteria searches
Aggregation: grouping events and reducing their number
Correlation: applying logical and statistical rules
Reporting: creating and managing dashboards
Archiving: the need to guarantee the integrity of the traces (legal and regulatory value)
Event replay: conducting post-incident investigations

21
Q

What is the role of Audit Manager?

A

Assess the risks tied to the complete infrastructure. Documents all abnormal behaviour according to the standards (e.g. ISO 27001 and others). For example: encryption not enabled in the database. Also provides architecture blueprints (templates) to make the architecture compliant with the standard.

22
Q

What is vulnerability management and what are its components?

A

It allows
- identifying risks and vulnerabilities, and reports the vulnerabilities related to the provider (if other tools are integrated, other vulnerabilities can be detected).
- classifying risks by priority level

23
Q

What is a flow log and at which level is the information located?

A

At layer 4: session. Rejected or accepted traffic can be captured.

Only the source IP, destination IP, port and protocol are to be kept.

24
Q

What is the difference between AWS KMS and Certification Manager ?

A

Certification Manager manages and deploys Secure Sockets Layer/Transport Layer Security certificates, while KMS manages the encryption keys used to encrypt your data.

25
Q

What is Threat Intelligence and what are its components?

A

E.g. Elasticsearch: takes the information from the agents and displays it; and GuardDuty on AWS

Ingestion: a set of agents collects information

Security monitoring:
analysis of the information received from the different agents

Collection of attack signatures

SOAR (Security Orchestration, Automation, and Response). E.g. automatically shutting down an instance that has had ransomware to prevent lateral movement.

Incident response management: allows identifying the phases, with action plans for incident handling. Incident governance system.

ref crowdstrike : “Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.

Threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets. – Gartner”

26
Q

Stages of ransomware

A

- Initial access
- Encryption
- Lateral movement (infecting several machines on the network)

27
Q

How to protect a VPC

A

Firewall

Isolation: create different networks for the domains (e.g. marketing) and for internal and external users. Use subnets to isolate the networks. Advantage: if there is a vulnerability, it stays within one subnet.

28
Q

Difference between DoS and distributed DoS (DDoS)

A

Distributed: several sources, possibly from different regions, send the requests.

29
Q

What is AWS WAF?

A

First line of defense of the VPC, but not specialized enough to handle DDoS. It is normally used as the first line of defense before Shield, to avoid costs.

30
Q

What is AWS CloudFront?

A

A CDN in several regions. Based on the consistent hashing algorithm. Useful for videos.

31
Q

Which attack is mitigated by the CDN?

A

A CDN helps fight DDoS because when it receives content (videos), it caches that content. There will be a system to verify the content using a data center close to the resource.

32
Q

What is AWS Security Hub?

A

Lets you check for malicious activity and display it by risk level (high, low). The alerts must then be investigated.

33
Q

What is the difference between AWS GuardDuty and Inspector ?

A

Inspector monitors software vulnerabilities (against the selected standard), while GuardDuty monitors threat activity on AWS resources.

34
Q

What is SOAR?

A

SOAR (Security Orchestration, Automation, and Response) refers to a collection of software solutions and tools that allow organizations to streamline security

35
Q

What is the Threat Intelligence Lifecycle?

A
1. Requirements
   The requirements stage is crucial to the threat intelligence lifecycle because it sets the roadmap for a specific threat intelligence operation. During this planning stage, the team will agree on the goals and methodology of their intelligence program based on the needs of the stakeholders involved. The team may set out to discover:
   - who the attackers are and their motivations
   - what the attack surface is
   - what specific actions should be taken to strengthen their defenses against a future attack
2. Collection
   Once the requirements are defined, the team then sets out to collect the information required to satisfy those objectives. Depending on the goals, the team will usually seek out traffic logs, publicly available data sources, relevant forums, social media, and industry or subject matter experts.
3. Processing
   After the raw data has been collected, it will have to be processed into a format suitable for analysis. Most of the time, this entails organizing data points into spreadsheets, decrypting files, translating information from foreign sources, and evaluating the data for relevance and reliability.
4. Analysis
   Once the dataset has been processed, the team must then conduct a thorough analysis to find answers to the questions posed in the requirements phase. During the analysis phase, the team also works to decipher the dataset into action items and valuable recommendations for the stakeholders.
5. Dissemination
   The dissemination phase requires the threat intelligence team to translate their analysis into a digestible format and present the results to the stakeholders. How the analysis is presented depends on the audience. In most cases the recommendations should be presented concisely, without confusing technical jargon, either in a one-page report or a short slide deck.
6. Feedback
   The final stage of the threat intelligence lifecycle involves getting feedback on the provided report to determine whether adjustments need to be made for future threat intelligence operations. Stakeholders may have changes to their priorities, the cadence at which they wish to receive intelligence reports, or how data should be disseminated or presented.

36
Q

What is the LDAP protocol?

A

Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly.

Someone within your office wants to do two things: Send an email to a recent hire and print a copy of that conversation on a new printer. LDAP (lightweight directory access protocol) makes both of those steps possible.

Set it up properly, and that employee doesn’t need to talk with IT to complete the tasks.

What Is LDAP?
Companies store usernames, passwords, email addresses, printer connections, and other static data within directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data. LDAP can also tackle authentication, so users can sign on just once and access many different files on the server.

LDAP is a protocol, so it doesn’t specify how directory programs work. Instead, it’s a form of language that allows users to find the information they need very quickly.

37
Q

What is Kerberos?

A

Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users’ identities.

Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena in the late ’80s, Kerberos is now the default authorization technology used by Microsoft Windows. Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.