Domain 1 and Some 2 Flashcards
Many different customers accessing cloud resources hosted on shared hardware.
Multitenancy
Only Matthew’s company has access to any resources hosted on the same physical hardware.
Private cloud
Matthew’s organization is combining resources of public and private cloud computing.
Hybrid cloud
Resource use is limited to members of a particular group.
Community cloud
A strong sanitization technique that involves encrypting data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the resulting keys of the second round of encryption.
Cryptographic erasure
Cryptographic erasure is effective on:
Magnetic and solid-state drives.
T/F: Degaussing and overwriting are not effective on SSDs
True
T/F: Containers provide easy portability.
False, because they are dependent on the host operating system.
Hypervisors are used to:
Host virtual machines on a device.
A platform as a service model that allows cloud customers to run their own code on the provider’s platform without provisioning servers.
Serverless computing
Virtual machines are self-contained and have their own internal operating system, which can be moved between:
different host operating systems.
Responsibilities of the customer
Use cloud services
perform service trials
monitor services
administer service security
provide billing and usage reports
handle problem reports
administer tenancies
perform business administration
select and purchase service
request audit reports.
The ability of a system to dynamically grow and shrink based on the current level of demand.
Elasticity
The ability of a system to grow as demand increases but does not require the ability to shrink.
Scalability
Zero trust decisions are not based on network location, such as IP address. Instead, it’s based on:
User’s identity, the nature of the requested access, and the user’s geographic (not network!) location.
Bare-metal (Type 1) hypervisor is preferable to the hypervisor that runs off the OS (Type 2) because:
It will offer less attack surface.
Network security groups provide functionality equivalent to:
Network firewalls for cloud-hosted server instances.
_____ restrict traffic that might reach a server instance.
Network Security Groups
T/F Only cloud provider can modify network firewalls
True
Restrict the geographic locations from which users may access the servers.
Geofencing
_____ may be used to examine the traffic reaching the instance.
Traffic inspection
Susceptible to disk failures and user error that may unintentionally destroy or modify data.
Vulnerable to ransomware attacks that infect systems with access to the object store and then encrypt data stored on the service.
Object storage flaws
Geofencing may be used to trigger actions, such as an alert, when:
a user or device leaves a defined geographic area.
Geotagging annotates log records or other data with:
the geographic location of the user performing an action.
The Cloud Security Alliance (CSA) provides an enterprise architecture reference guide that offers vendor-neutral _____.
design patterns for cloud security
The use of an API is an example of accessing data programmatically during the _____ phase of the lifecycle
Use
Storage that is available as disk volumes.
Block storage
Object storage maintains files in:
Buckets
T/F Virtualized servers are storage capabilities.
F, Compute capabilities
Network capacity is used to connect _____ to each other
Servers
The sudo command allows a normal user account to execute administrative commands and is an example of
Privileged access
Service access is the access to resources by:
system services, rather than individual people
What protects against the risk of a lost device?
Confidentiality
________ is when the recipient of a message can prove the originator’s identity to a third party.
Nonrepudiation
________ is a means of proving one’s identity.
Authentication
_____ demonstrates that information has not been modified since transmission.
Integrity
_____ are often used in business impact assessment to capture the impact on intangible factors
Qualitative tools
Quantitative tools, such as the computation of annualized loss expectancies and single loss expectancies, are only appropriate for:
easily quantifiable risks.
EAL2 assurance applies when the system has been
structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.
These tools manage workloads and seamlessly shift them between cloud service providers.
Orchestration
Virtualization platforms allow a cloud provider to host:
virtual server instances.
Databases are a cloud service offering that allows for
the organized storage of relational data.
Cloud access service brokers (CASBs) allow for the consistent enforcement of _____ across cloud providers.
security policies
Governs the storage, processing, and transmission of credit card information.
The Payment Card Industry Data Security Standard (PCI DSS)
Regulates the financial reporting of publicly traded corporations.
The Sarbanes–Oxley (SOX) Act
Protects personal financial information.
The Gramm–Leach–Bliley Act (GLBA)
Bring all of an organization’s cloud activities under more centralized control.
They serve as a screening body helping to ensure that cloud services used by the organization meet technical, functional, and security requirements.
They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment.
Cloud governance programs
use a pair of keys for each user.
Asymmetric cryptosystems
Hybrid cloud strategies combine public and private cloud resources,
not resources from multiple public cloud providers.
Email is an application-level service that is offered by cloud providers as a software as a
service (SaaS) capability.
Block storage and network capacity are infrastructure as a service
(IaaS) offerings and are infrastructure capabilities.
Serverless computing is a _____ offering.
PaaS
Occurs when a customer (not a service provider) purchases more capacity than they need.
Overprovisioning
A mix of public cloud and private cloud services is an example of a
hybrid cloud environment.
In an infrastructure as a service environment, security duties are a _____.
shared responsibility
When Lucca reviews the RTO, he needs to ensure that the organization can recover from an outage in less than two hours based on _____.
the maximum tolerable downtime (MTD) of two hours.
How does the recipient of a message that was encrypted using asymmetric cryptography decrypt a message?
Using their own private key
The sender using asymmetric cryptography would have previously encrypted
using the recipient’s public key.
organization that helps cloud service customers use the services offered by cloud service providers.
cloud service partner
cloud service providers who offer a managed identity and access management service to cloud customers that integrates security requirements across cloud services.
Cloud service brokers
applies specifically to the use of controlled unclassified information (CUI).
NIST 800-171
provide a certification process for hardware and software products.
Common Criteria (CC)
the Security Requirements for Cryptographic Modules. This guidance is specific to cryptographic requirements.
FIPS 140-2
Services should be able to integrate and work together
Interoperability
What is the highest level of assurance under the Common Criteria?
EAL7
What does EAL7 ensure?
A system has been formally verified, designed, and tested
Technology that uses cryptography to create a distributed immutable ledger.
Blockchain
Blockchain is the technical foundation behind ________.
Cryptocurrency
An emerging technology that uses principles of particle physics to perform computing.
Quantum computing
Moves compute power to IoT devices located at the edge of the network.
Edge computing
What’s the difference b/w verification and certification?
Verification can involve a 3P testing service and compile results that may be trusted by many different organizations
An area of research into methods for protecting data in use through the protection provided by a trusted execution environment (TEE)
Confidential computing
The act of management formally accepting (not evaluating) an evaluated system
Accreditation
Verification and certification process both
validate security controls
What is one of the core capabilities of IaaS?
providing servers on a vendor-managed virtualization platform.
Web-based payroll and email systems are examples of
SaaS
Does the CP’s brand influence the cost-benefit analysis?
No
An application platform managed by
T/F: The provider absorbs the cost when the customer requests a modification of the SLA.
False. The customer pays for all costs associated w/ modifications to the SLA. These are chargeable expenses.
Creating computer resources to solve a particular problem and then getting rid of them when you no longer need them.
Ephemeral computing
Guaranteeing that the service will be available 99% of the time
availability commitment
Ability of a system to withstand failures
resiliency
Why do users have the most control over the environments hosted on IaaS?
because they are able to manually adjust the resources assigned to an application
What standard provides the security controls that should be implemented by cloud service providers
ISO 27017
What standard provides the security controls that should be implemented for a cybersecurity program
ISO 27001
What standard provides the security controls that should be implemented to provide control guidance for privacy programs?
ISO 27701
What standard provides a cloud reference architecture and does not offer specific security guidance?
ISO 17789
Who oversees the PCI DSS
Payment Card Industry Security Standards Council (PCI SSC)
Cloud computing where the customer only provides application code for execution on a vendor-supplied computing platform are examples of
PaaS
Providing fully functional application to customers as a cloud service
SaaS
CaaS is a subcategory of ____
IaaS
In risk acceptance strategy:
the org does nothing but document the risk
Purchasing insurance is what type of risk strategy
Risk transference
Relocating a data center would be what kind of risk strategy
risk avoidance
Reengineering a facility would be what kind of risk strategy
risk mitigation
Using existing data to predict future events
Predictive analytics
A style of analytics that describes data
Descriptive analytics
A style of analytics that optimizes our behavior by simulating scenarios
Prescriptive analytics
What allows CPs to meet various demands from customers while remaining financially viable?
Resource pooling
The model that allows customers to scale their compute and/or storage needs w/ little or no intervention from the provider
On-demand self service
Documents, in formal terms, expectations for availability, performance, or other parameters.
SLAs
An internal agreement b/w service organizations
OLA
The ability to back out of a change.
Reversibility
Capability to move workloads easily between environments
Portability
T/F: The customer has no access to or ability to maintain the operating system in the PaaS environment.
True
What is block storage used for?
To provide disk volumes.
What is object storage used for?
To store individual files. But they cannot be mounted as a disk.
When should archival storage be used?
Only in cases where data does not need to be frequently accessed.
What is the least disruptive type of disaster recovery test?
Checklist review.
Each team member reviews the content of their disaster recovery checklist and suggests necessary changes.
Checklist review
Team members come together and walk through a scenario without making any changes to information systems.
tabletop exercise
The team activates the disaster recovery site for testing while primary site remains operational.
parallel test
Team takes down primary site and confirms the disaster recovery site is capable of handling regular operations. Most thorough test but also most disruptive.
full interruption test
In SaaS solution, the vendor manages:
the physical infrastructure and complete application stack so customer accesses a fully managed application.
PaaS offerings provide customers with an environment where customers can:
execute their own code.
CaaS is a subcategory of IaaS for:
computing resources provided as a service.
Security baselines provide a:
starting point to scope and tailor security controls to your orgs needs.
T/F: Security baselines ensure systems are always secure and prevent liability.
False
Integrating software development, operations, and quality assurance.
DevOps
What is ITIL?
A collection of best practices for managing IT orgs.
T/F: Customers should have access to underlying infrastructure in a PaaS environment.
False, but IaaS does offer it.
What is RPO?
The amount of data loss that’s acceptable due to an incident.
The amount of downtime that the business can safely withstand.
MTO - maximum tolerable outage
What is OpenID Connect?
An authentication layer that works w/ OAuth 2.0 as its underlying authorization framework. Used widely by CSPs.
SAML, RADIUS, and Kerberos are:
authentication technologies but don’t have the same seamless integration w/ OAuth.
A vendor offering a fully functional application as a web-based service is an example of:
SaaS
The customer provides their own software in:
IaaS, Compute as a Service (CaaS), and PaaS
Where does edge computing service model place computing power?
At the sensor, minimizing the data that is sent back to the cloud over limited connectivity network links.
What is the best choice for providing authentication and authorization information?
SAML
What is used to exchange user information for SSO?
SPML
What is XACML used for?
access control policy markup
T/F: In IaaS, the customer is not responsible for server security operations
False
T/F: In SaaS, a fully developed and hosted application is provided to the customer.
True
Managing security settings, host firewalls, and configuring server access controls are examples of what?
Server security operations
T/F: In PaaS, the customer provides application code for execution on a vendor-supplied computing platform.
True
T/F: IaaS provides complex infrastructure building blocks to customers?
False, it’s basic building blocks
Function as a Service is a subcategory of _____ for ______
PaaS for serverless computing applications
What are more traditional methods of software development that aren’t commonly used with DevOps and DevSecOps
waterfall, modified waterfall, spiral models
What’s the purpose of a CASB?
to enforce security policies consistently across cloud services
Are DLP and DRM solutions effective at consistently enforcing security policies across cloud platforms?
No
IPS are designed to:
detect and block malicious activity
What is the vendor responsible for in IaaS?
hardware and network related responsibilities
Configuring network firewalls, maintaining the hypervisor, and managing physical equipment are the responsibility of:
Vendor
In IaaS, who’s responsible for patching OS on VMs?
Customer
What is it called when a single platform is shared among many different customers?
Multitenancy
T/F: IaaS allows you to set up infrastructure as quickly as you can deploy and pay for it?
True
T/F: Security groups are different from firewall rules for IaaS?
False
T/F: You cannot configure IaaS networking.
False, it’s done through the use of network security groups and bandwidth provisioning.
Who has responsibility for configuring OS securely in serverless computing?
Vendor
What is the framework created by government to assess security of systems?
NIST 800-37
What is the list of security controls created by government?
NIST 800-53
What is the payment card industry’s framework of compliance for all entities accepting credit cards?
PCI DSS
What is portability?
The capability to move workloads easily b/w environments
T/F: Services that are scalable are always elastic?
False: services that are elastic are scalable, but scalable services are not always elastic, b/c scalability doesn’t require the ability to shrink.
In IaaS, the customer has to maintain the
OS
T/F: Additional security means measurably less operational capability
True, there’s always a tradeoff b/w security and productivity
The minimal amount of effort required to perform your duty to others. This is care a cloud customer is required to demonstrate to protect the data it owns.
Due care
T/F: Due diligence and due care are the same thing.
False, due diligence is activity taken in support of furthering due care.
Confidential computing protects data in use by
using a TEE - Trusted Execution Environment. Can also use TPMs, HSMs, and PKIs, but they don’t protect data in use.
What provides a general certification process for computing hardware?
The common criteria
What provides a certification process for hardware that is specific to cryptographic modules and is not used for generalized hardware?
FIPS 140-2
What provides a certification process for cloud computing services?
FedRAMP
What is the nomenclature for all entries in an LDAP environment?
The distinguished name (DN)
Databases are used to store collected info into
related tables
Are networking and virtualization technologies used to store data?
No.
What is confidential computing designed to support?
The protection of data actively stored in memory
T/F: The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy.
True
What service model allows an org to retain the most control of their IT assets in the cloud?
IaaS
In IaaS, what is the customer responsible for?
OS, apps, and data
What model allows org to retain greatest degree of governance?
Private
Placing IoT devices on a dedicated subnet or network prevents what?
Other users from accessing the devices directly.
Does public cloud use vendor datacenters?
Yes
Hypervisors enforce isolation b/w:
VMs and are susceptible to escape attacks
HSMs and Trusted Platform Modules:
store and manage cryptographic keys
Are databases vulnerable to escape attacks?
No.
What allows examination of contents of encrypted HTTPS traffic and detect sensitive info?
Traffic inspection
Can port blocking detect a security violation?
No.
T/F: Cloud minimizes DR costs?
True, you can configure but not activate resources until needed
Verifying a user is who they claim to be:
Authentication
Granting access based on user identity:
Authorization
Not allowing a participant in a transaction to deny they participated:
Non-repudiation
T/F: In symmetric encryption, all data is encrypted and decrypted with the same key.
True
How do you validate the authenticity of a digital certificate?
By using the CA’s public key
Using computing assets on a temporary basis:
Ephemeral computing
Confidential computing uses ____ to protect data in ____
TEE, use
Parallel computing uses ______ ________ to perform _________.
multiple processors, different parts of a calculation simultaneously
Business continuity ensures
business can function during disruptive event
Support the return to normal operations
Disaster recovery
T/F: BC and DR use RTO and RPO as metrics to determine success.
True
What is paramount in all security efforts?
Health and human safety.
What is MTD in disaster recovery?
Maximum tolerable downtime.
Identifying the key, user, and how it is used would support what?
Accountability for usage
What is the issue with overwriting SSDs and volumes?
Remnant data
Tokenization relies on:
two databases, one with tokenized data and one with actual data
T/F: Tokenization requires id practices, encryption, and specifies FIPS 140 requirements.
False, it does not
What is FIPS 140?
The 140 series of Federal Information Processing Standards are U.S. government computer security standards that specify requirements for cryptographic modules.
T/F: You can tokenize data by hashing
True
What is tokenizing data?
The process of substituting a sensitive data element with a non-sensitive equivalent.
What helps you see how data is created, moves, and is used throughout the org?
Dataflow diagrams
Classification, creation, and date/time are all captured in:
Data labeling
Data types, fields/names, services, systems, ports, protocols, and security detail are all included in:
Dataflow diagrams
Includes retention periods, reg/comp requirements, data classification impacts on retention, how/when data should be deleted, archiving/retrieval processes.
Retention policies
An IRM should maintain a:
certificate revocation list
What is an IRM system?
IT security technology used to protect documents containing sensitive information from unauthorized access.
How does an IRM system perform provisioning?
Provides rights based on roles and responsibilities.
What does a business impact analysis determine?
What data is needed to continue the operations of the business. An assessment of data criticality.
Data mapping matches:
fields in databases.
BIAs assess:
the importance of data to an organization’s work
Data classification describes:
Data based on things like sensitivity, jurisdiction, and criticality
Installing a local agent for an IRM system ensures data is properly handled on _____.
Endpoint systems
What is a local agent?
A program that collects information or performs a task in the background at a particular schedule.
Examples of unstructured data
images, audio, video, word processing files
T/F: Ingress and egress fees are cheap
False
T/F: Working with the original drive is a best practice.
False, not a forensic best practice
T/F: IRM cannot prevent copying, printing, and making copies
False, this is what it does.
T/F: Discovery can be conducted using local tools in each region.
True
It is common to archive data to a _____ storage tier
lower cost and lower performance
The ____ phase often includes modification of data.
Use
What is the encryption protocol of choice for web app traffic?
TLS - Transport layer security (replaced SSL)
MD5 and SHA-1 are _______ algorithms.
Hashing
Uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit
TLS
Used to establish a secure session between a client and a server. Public key cryptography.
asymmetric encryption
What is symmetric encryption?
Used to exchange data within a secured session created by asymmetric encryption. You use the same key to encrypt and decrypt.
How does asymmetric encryption work?
Uses a mathematically related pair of keys for encryption and decryption: a public key and a private key. If the public key is used for encryption, then the related private key is used for decryption. If the private key is used for encryption, then the related public key is used for decryption.
What is a public key?
A key made available to anyone to encrypt data.
What is a piece of information used for scrambling data so that it appears random; often represented by a large number, or string of numbers and letters?
Key
What’s another word for unencrypted data?
Plaintext
What is a private key?
The key used to put encrypted information back into plaintext.
Plaintext + key =
Ciphertext
Where can you find a public key?
In a website’s SSL/TLS certificate
Where is the private key installed?
On the origin server
What uses public key cryptography to authenticate the identity of the origin server and exchange data that is used for generating the session keys.
TLS handshake
How are bad actors prevented from decrypting communications, even if they identify or steal one of the session keys from a previous session?
Clients and servers agree upon new session keys for each communication session
What is spreading data across different storage areas and potentially different cloud providers spread across geographic boundaries?
Data dispersion
What is the technique of splitting up and storing encrypted information across different cloud storage services?
Bit splitting. Used by criminals to hide data across the cloud and makes it extremely difficult for forensics to find and obtain.
Ephemeral storage is wiped and reclaimed for reallocation only when:
An instance is terminated, not just shut down. For shut downs, it’s retained until the system is reactivated.
Ephemeral data is kept for ______ periods of time?
Short (like 45 days)
What does it take to complete the destruction process for crypto-shredding?
Securely erasing all copies of the encryption key. Just erasing the key deletes all data associated with it.
Deleting replicated data (especially in a relational database, where a deletion could unintentionally remove a lot of other data), deleting data in a backup, and deleting the right data are all problems solved by _____.
crypto-shredding
What is cloud security?
How cloud affects confidentiality, integrity, and availability
What does an IRM system rely on to identify systems?
Certificates
What can be issued centrally, managed, and used for digital signatures and encryption?
Certificates
What is a unique, digitally signed document which authoritatively identifies the identity of an individual or organization.
Certificate
________ uses a one-way cryptographic function to replace data with values that can be referenced without exposing the actual data.
Hashing
What is long-term storage often used for?
Logs and data storage
What storage is allocated as a virtual drive/device w/in cloud?
Volume-based storage
What is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.
DevOps
What is a code used to identify and authenticate an application or user?
An API key
What are processes used to restore the service if the system becomes unavailable for reasons other than regular maintenance?
Break-glass process
- Automated backups in place and executed regularly based on # of secrets and their lifecycle
- Frequently test the restore procedures
- Encrypt backups and place on secure, monitored storage
OWASP’s requirements for break-glass secrets backup
What is the amount of time before data can be accessed?
Retrieval time
What compares two strings to determine if they’re the same?
String comparison
What allows IRM to apply rules appropriately?
Tagging and labeling
What’s one of the most important things to understand before selecting archival storage?
Data access patterns
What influences cost of storage?
Volume of data and amount of time it needs to be stored
How are data owners defined?
By data classification policies
What do data custodians do?
Be responsible for the data, ensure access control, proper storage, and other operational controls
Who processes data as part of a business process?
Data processors
Are tokens encrypted?
No
T/F: Versioning takes up very little space.
False
T/F: Daily backups, recurring snapshots, and archiving processes are able to be quickly restored.
False
T/F: You can use least privilege for secrets.
True
What type of discovery searches for specific terms in unstructured data?
Content-based
What type of discovery relies on data labels?
Label-based
What type of discovery uses metadata information?
Metadata-based
What can help DLP manage data without relying on pattern matching?
Tagging
T/F: Tags are unique allowing events to be tracked to an instance.
True
Which sanitization technique is best for solid-state drives (SSDs)?
Cryptographic erasure
T/F: Cryptographic erasure is good for SSD and magnetic drives?
True
With zero trust architecture, trust decisions are not based on _________.
Network location, like IP address.
What is geolocation?
The geographic location of a user or computing device.
What security control is best to restrict ports on a server?
Network security groups - they’re like firewalls for cloud server instances.
Can a customer modify network firewall rules?
No
What restricts locations from which users can access servers?
Geofencing
Does geofencing trigger alerts?
Yes
What EAL assurance level indicates the system has been structurally tested?
EAL2
They offer a managed IAM service to customers that integrate security requirements across cloud services.
cloud brokers
What’s the highest level of assurance under Common Criteria?
EAL7 - verified, designed, and tested
Functionally tested
EAL1
Structurally tested
EAL2
Methodically tested and checked
EAL3
Methodically designed, tested, and reviewed
EAL4
Semi-formally designed and tested
EAL5
Semi-formally verified, designed, and tested
EAL6
Formally verified, designed, and tested
EAL7
What optimizes our behavior by simulating many scenarios?
Prescriptive analytics
______ storage is used to provide disk volumes, which are storage areas with a single file system.
Block
Storage that will be used as a disk attached to a server instance?
Block storage
What is used to store individual files but can’t be mounted as a disk?
Object storage
OpenID Connect works with ________.
OAuth 2.0
A _____ is a condition that must be present for an event to occur.
Necessary condition
A _______ is a condition or set of conditions that will produce the event.
Sufficient condition
In IaaS, the provider is responsible for hardware and _____ related responsibilities.
Network - this includes configuring firewalls, maintaining hypervisor, and managing physical equipment
FedRAMP provides a certification process for ____________.
Cloud computing services
Common Criteria provides what?
General certification process for computing hardware that might be used in government applications
In an LDAP environment, each entry in a directory server is identified by a ______.
Distinguished name (DN)
What does confidential computing protect?
Data actively stored in memory
What’s the most cost effective DR approach?
Using a cloud site without activating resources until needed.
What are the 3 categories of infrastructure?
- compute - where processors are
- storage - object, block, file
- network - how everything talks
GPU
graphics processor for ML/AI
Compute
general purpose computing needs, web/app server
HPC
high performance computing - things that require lots of power in small footprint
Object storage
lower performance but inexpensive, general purpose storage - pictures, documents, data/graphics on web server, etc.
Block storage
network storage; attaches via iSCSI
File storage
attaches with NFS