Domain 3 Flashcards

1
Q

What is the primary requirement for cloud functionality?

A

ISP connectivity

2
Q

What provides immediate, battery-driven power for a short period of time?

A

UPS - uninterruptible power supplies

3
Q

What’s the best option for providing backup power for a sustained period of time?

A

Generators

4
Q

Redundant arrays of inexpensive disks (RAID) and redundant servers are examples of what kind of controls?

A

high-availability

5
Q

What identifies sensitive information stored on endpoint systems or in transit over a network?

A

DLP systems

6
Q

What is a duplicate of your system – including lines of communication and network devices – that can act as your business’s main operating system if your primary server goes down for any reason?

A

Redundant server

7
Q

What creates a single usable data disk, where several physical disks are combined into an array for better speed and fault tolerance?

A

Redundant arrays of inexpensive disks (RAID)

8
Q

The following are key concepts of what technology:
* Mirroring: copying data to more than one disk
* Striping: splitting data across more than one disk
* Error correction (fault tolerance): redundant data is stored to allow problems to be detected and possibly fixed

A

RAID

9
Q

Is RAID a backup solution?

A

No

10
Q

What is a network encryption protocol used to protect sensitive information?

A

TLS

11
Q

Can TLS identify sensitive information?

A

No

12
Q

T/F: The management plane of a cloud service provider’s datacenter should be reserved for use by the provider’s own engineers.

A

True

13
Q

What does traffic on the management plane control?

A

Operation of the infrastructure

14
Q

What’s a cost-effective way to track items in a facility?

A

RFID - Radio frequency identification technology

15
Q

What type of site includes the basic capabilities required for datacenter operations, like space, power, HVAC, and communications?

A

Cold site, but it lacks hardware required to restore operations

16
Q

What is the most simplistic type of disaster recovery site, consisting of elements providing power, networking capability, and cooling?

A

Cold site

17
Q

What type of DR site has storage hardware such as tape or disk drives, servers, and switches but has to have data transported for use in recovery?

A

Warm site

18
Q

What type of DR site is ideal but challenging to attain: a fully functional backup site that already has important data mirrored to it?

A

Hot site

19
Q

What is the maximum acceptable delay between the interruption of service and restoration of service? This determines an acceptable length of time for service downtime.

A

RTO - recovery time objective

20
Q

What is the maximum acceptable amount of time since the last data recovery point? This determines what is considered an acceptable loss of data.

A

RPO - recovery point objective

21
Q

Every region consists of multiple __________.

A

Availability zones

22
Q

In what DR strategy is the data live, the services idle, and some resources provisioned and scaled after an event?

A

Pilot light

23
Q

What DR strategy is always running, is for business-critical services, and scales AWS resources after an event?

A

Warm standby

24
Q

What DR strategy has real-time RPO and RTO, zero downtime, near-zero data loss, and is for mission-critical services?

A

Multi-site, active/active

25
What provides the best redundancy and resiliency for backup?
Having your backup at another cloud provider
26
What is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers?
Docker
27
What packages software into standardized units called containers that have everything the software needs to run, including libraries, system tools, code, and runtime?
Docker
28
What is the highest priority in security?
Human safety
29
What allows every resource on the server to be placed in a partition, and can be used to achieve multitenancy, logical separation of data, scalability, and geographic sharding?
Tenant partitioning
30
What partitions virtual machines belonging to different tenants on a virtualization platform?
Hypervisor
31
Where should datacenters be located?
In the core of a building
32
What principle states an individual should react in a situation using the same level of care expected from any reasonable person?
Due care principle
33
What states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner?
Due care
34
In what service model is the vendor responsible for hardware related and network related responsibilities?
IaaS
35
* configuring network firewalls
* maintaining the hypervisor
* managing physical equipment
These are three _____ responsibilities in _____.
vendor / IaaS
36
What is the customer responsible for in IaaS?
Patching OS on VM and managing ingress/egress via NSGs.
37
What data is included in incremental backup?
Only the data modified since the most recent incremental backup
38
What data is included in differential backup?
All data modified since last full backup
39
What data is included in the full backup?
All data on the server
40
What are transaction log backups designed to support?
Database servers, not effective on file server
41
A computer responsible for the storage and management of data files so that other computers on the same network can access the files.
What is a file server
42
What is a machine running database software dedicated to providing database services?
Database servers
43
What do SIEMs do?
Correlate info from multiple sources and perform analysis on data
44
What does SOAR stand for?
Security orchestration, automation, and response
45
What do SOAR platforms provide?
automated playbook responses
46
What do intrusion prevention platforms do?
Block traffic based on analysis performed by the IPS itself.
47
Do log repositories perform analysis?
No, they just collect log info
48
Do SIEM solutions create an audit trail?
Yes
49
What does an audit trail show you?
Sequential record of all the activity on a specific system
50
What analyzes and blocks suspicious network traffic?
IPS
51
What monitors endpoints for malware and responds to malware infections?
Endpoint detection and response platforms
52
The process of protecting devices like desktops, laptops, mobile phones, and tablets from malicious threats and cyberattacks.
Endpoint security
53
What are physical devices that connect to a network system, such as mobile devices, desktop computers, virtual machines, embedded devices, and servers?
Endpoints
54
Who enforces an org's security policies across cloud providers?
CASB - Cloud access security broker
55
What can handle large-scale DDoS attacks?
Content delivery network
56
What is a network of servers that distributes content from an origin server by caching content close to where each end user is accessing the internet via a web-enabled device?
CDN - content delivery network. It speeds up webpage loading for data-heavy applications.
57
What is designed to overwhelm a system until it can no longer process legitimate requests?
DoS attack
58
What principle does DDoS affect?
Availability
59
Is an IPS an example of risk mitigation?
Yes
60
What determines the critical path of assets, resources, and data w/in an org?
BIA - business impact plan - useful in shaping BC/DR plan
61
What should be redundant in a well-designed datacenter?
power, cooling, and network connectivity
62
What allows for the programmatic interaction w/ services and platforms?
APIs
63
What is a file that generally contains a short, self-contained set of instructions, i.e., lines of code, that perform a specific task?
Python script
64
What do the following do:
* Use HTTPS
* Activate authentication & authorization
* Validate user input
* Limit access to sensitive data
* Monitor and log API activity
* Keep software and libraries up to date
* Perform regular security audits
Secure the backend
65
What are the elements of hardware and software that ensure that a system can only be controlled by those w/ proper permissions?
TCB - Trusted Computing Base
66
What coordinates access to physical hardware and enforces isolation b/w different virtual machines running on the same physical platform?
Hypervisor
67
What's the most cost-effective way to provide network segmentation that's used to create logical separation b/w systems in a datacenter?
Virtual local area networks (VLANs)
68
What's used to connect remote users and sites over an insecure network?
VPN - virtual private network
69
What's an option to route traffic b/w network sites?
BGPs - border gateway protocol
70
What tier is expected to achieve 99.741% availability?
Tier 2
71
What tier is expected to achieve 99.671% availability?
Tier 1
72
What tier is expected to achieve 99.982% availability?
Tier 3
73
What tier is expected to achieve 99.995% availability?
Tier 4
74
Does running unnecessary services on a server increase the attack vector?
Yes
75
How are compute nodes measured?
In terms of how many CPUs/how much RAM is available in the center
76
Do compute nodes include virtual and hardware machines?
Yes
77
T/F: Block storage provides disk volumes for use by servers.
True
78
What is a named logical area of the physical disk?
Volume
79
B/c entire machines could be stolen in highly portable, easily copied formats, _____ must be protected.
VM file stores
80
What is a common attack vector that uses malicious SQL code for backend database manipulation to access PI?
SQL Injection
81
What is a programming language for storing and processing information in a relational database?
SQL
82
What attack executes code on a remote user's system?
Cross-site scripting
83
What attack exploits trust relationships by tricking systems into authorizing unauthorized activity?
Cross-site request forgery and server-side request forgery
84
What is a measure of data that can be lost in an outage w/out damaging the organization?
RPO
85
What strategy most affects RPO?
Data replication
86
What's a measure of how long an org can endure an outage w/out irreparable harm?
RPO
87
This is how long an org can suffer an outage before ceasing to be an org
MAD - maximum allowable downtime
88
What technology performs the following:
* Encryption: hides the data being transferred from third parties
* Authentication: ensures that the parties exchanging information are who they claim to be
* Integrity: verifies that the data has not been forged or tampered with
TLS
89
What's the primary protocol used to implement HTTPS for secure communication?
TLS
90
What is separating and storing data in separate logical partitions or storage areas, even if those partitions or storage areas are on the same physical device?
Logical separation
91
What is separating and storing data on different physical systems or networks?
Physical separation
92
What is a protocol used to implement VPNs?
IPsec
93
What is a group of protocols for securing connections between devices that helps keep data sent over public networks secure, and is often used to set up VPNs?
IPsec
94
What works by encrypting IP packets, along with authenticating the source the packets come from, to secure connections b/w devices?
IPsec
95
What is it called when you assign users only the permissions they need to perform their job responsibilities?
Least privilege
96
What is the unintentional accumulation of privileges over time?
Aggregation or privilege creep
97
What is it called when two people must work together to perform a sensitive action?
Two-person control
98
What is the reliance upon secrecy of security mechanisms to provide security for a system or process?
Security through obscurity
99
What hypervisor type provides a greater degree of security b/c it runs directly on top of the hardware, decreasing the attack surface?
Type 1 (bare-metal)
100
What's the major driver to lease space in a colocation facility?
A reduction in cost achieved by sharing cost among multiple clients.
101
At a minimum, the Uptime Institute requires _____ to offer a UPS; a designated space for IT systems; dedicated cooling equipment that runs outside of office hours; and an engine generator.
Tier 1 datacenters
102
What is a voltage regulator that protects sensitive electronics, such as computers, lab equipment, and home theaters, from voltage fluctuations and power surges?
Line conditioners
103
Dual-power supplies are a requirement for what datacenter tier?
Tier 3
104
What handles traffic b/w SDN controllers and SDN applications?
NBI - northbound interface
105
What is used to access the SDN controller and allows a network administrator to access the SDN to configure it or to retrieve information from it?
NBI - northbound interface
106
In what do applications often need to communicate with network controllers to query or modify the current state of the network?
SDN - Software defined networking
107
What is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network?
SDN - Software defined networking
108
What is basically SSO across multiple organizations?
Federation
109
What is a method of linking a user’s identity across multiple separate identity management systems, allowing users to quickly move between systems while maintaining security?
Federated identity
110
What are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates?
Hardware security modules
111
What technology provides for the management of physical keys?
KMBs - Key management boxes
112
What is a component of the Kerberos authentication process?
TGT - ticket granting tickets
113
What is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet, using secret-key cryptography and a trusted third party to authenticate client-server applications and verify users' identities?
Kerberos
114
What provides a secure operating environment inside a computer system?
TCB - trusted computing base
115
Technological capabilities of virtualization create the ease of use that can cause ______.
Sprawl
116
Sprawl should be addressed from a _________ perspective.
Managerial
117
T/F: It's helpful to have a moderator to guide participants thru tabletop exercises.
True
118
The ________ contains the suite of security controls applied uniformly thru an environment.
Baseline
119
Forensic analysis is an important part of ______.
Incident response
120
What is the term used to describe the ability of customers to access their systems remotely?
Ping
121
What is the term used to describe the network connectivity that supports servers' connections to the internet?
Pipe
122
What is the software layer between the hardware and the guest operating systems that acts as a resource manager to enable the sharing of processing power and memory?
Hypervisor
123
What reroutes traffic based on current customer demand, creates logical subnets w/out having to change any physical connections, and filters access to resources based on specific rules or settings?
SDNs
124
What splits a large network into a grouping of smaller, interconnected networks to help minimize traffic and increase network speed?
Subnet
125
What delivers streaming media content efficiently by placing it closer to the end user?
CDN
126
What is a group of servers with mostly shared storage between them that can be used to facilitate high availability for your applications and services, and can also be used to create the benefits of reliability, performance, and lower TCO?
Failover clusters
127
What is a group of independent computers that work together to increase the availability and scalability of clustered roles?
Failover cluster
128
What's another word for clustered servers?
Nodes
129
How can you ensure your data is not held hostage or lost if a provider becomes unusable?
Having a backup with a different provider.
130
What are two things that provide compute capability?
Virtual server instances and containers
131
____ is the most significant reason cloud datacenters use VMs
Cost
132
What shuts down the primary operating facility and shifts operations to the backup facility?
Full tests or full interruption tests
133
What test for backup and restore capabilities restores a system that hasn't actually broken down to an alternate location?
Parallel test - activates the facility but doesn't move production responsibility to it.
134
What kind of attack is when the attacker is able to leave the confines of its own VM and access resources belonging to another customer?
Escape attack
135
What type of vulnerability occurs when there is more data in a buffer than it can handle, causing data to overflow into adjacent storage, which can cause a system crash or, worse, create an entry point for a cyberattack?
Overflow vulnerability
136
What kind of vuln exists in the following example: a search form where visitors send their search query to the server, and attackers typically send victims custom links that direct unsuspecting users toward the vulnerable page?
Scripting vulnerability
137
What vulnerability causes escape attacks to occur?
A vuln in the hypervisor, b/c it's supposed to be the separation that prevents customers from accessing each other's resources.
138
Disk volumes are stored on _____ storage, except when snapshotting is used to create a backup; then they're stored on less expensive ______ storage.
Block - Object
139
Hot and warm sites are not needed when your data is backed up __________.
In the cloud
140
T/F: A specified configuration built to defined standards and with a controlled process can be used to show that all VMs w/in an environment include certain controls.
True
141
What records provide the "telephone bill" level of communication detail but not the content?
Netflow records
142
What is a commonly used standard for monitoring network flow data that allows you to monitor IP network traffic information as data packets enter or exit an interface?
NetFlow
143
What standard provides the most accurate reconstruction of user activity but is costly to implement due to data storage requirements?
Packet capture
144
What is a networking term for intercepting a data packet that is crossing a specific point in a data network, which, once captured in real time, is stored for a period of time so that it can be analyzed and then either downloaded, archived, or discarded?
Packet capture
145
What type of backup provides the best redundancy and resiliency?
Having your backup at another cloud provider
146
Every plan/policy should include mention of:
The governance documents, by reference, that drive the formation of the plan/policy
147
What is SAML?
Security Assertion Markup Language - based on XML
148
What is an open federation standard that allows an identity provider (IdP) to authenticate users and then pass an authentication token to another application known as a service provider (SP)?
SAML
149
HTTP is used for web traffic on port ___.
80
150
What is used to load web pages using hypertext links?
HTTP - hypertext transfer protocol
151
What is used to present web pages?
HTML
152
What is the universal alphanumeric character set?
ASCII
153
Moving information into another jurisdiction may affect your:
Regulatory compliance
154
What are the 4 major risk management strategies?
Risk acceptance; risk transference; risk avoidance; risk reduction
155
What most affects RPO?
Data replication strategies, which determine how much recent data is available for recovery purposes
156
T/F: Data replication affects RPO more than RTO.
True
157
What is the process of granting users and other security principals access to resources in an environment?
Authorization
158
When using two different cloud providers, a customer runs the risk of:
Data/software formats being different and not readily adapted, causing delays during a failover
159
In what model does the customer have most configuration control?
IaaS
160
In what model does the customer have least configuration control?
SaaS
161
Public cloud makes a ______ _______ more likely.
Guest escape
162
What is used to create an encrypted communication tunnel over an untrusted medium?
VPN
163
What are used for central repositories for identification, authentication, and authorization purposes?
ACLs
164
What is an access control model used to assign permissions based on job functions w/in an org?
RBAC
165
What is the address at which an item (memory cell, storage element, network host) appears to reside from the perspective of an executing application program?
Logical address
166
What is the least disruptive type of disaster recovery test?
Checklist review
167
Accessing source code is necessary for ______
Static analysis
168
Which dev model is most frequently associated with cloud services?
Agile
169
What is the best solution to prevent third parties (3Ps) from intercepting and accessing data sent via API calls?
TLS
170
What provides protection against inadvertent data exposure when multiple tenants share the same underlying infrastructure?
Encryption at rest
171
T/F: Multiple paths are ideal for CI/CD pipeline.
False
172
Automation, use of metrics, and version control are all recommended best practices for ________.
CI/CD pipelines
173
IdPs integrate with _______ or ______.
OpenID Connect or SAML
174
In what phase of the SDLC is user input most necessary?
Define
175
Customer is responsible for apps, data, runtime, middleware, and OS. CSP is responsible for virtualization, servers, storage, and networking.
IaaS
176
Customer is responsible for apps and data. CSP is responsible for runtime, middleware, OS, virtualization, servers, storage, and networking.
PaaS
177
Shared responsibility for apps and data. CSP is also responsible for runtime, middleware, OS, virtualization, servers, storage, and networking.
SaaS
178
Standard measures such as locks, security personnel, lights, fences, and visitor check-in procedures.
CSP data center physical security measures
179
_____ controls: identity and access management (IAM), single sign-on (SSO) provider, multifactor authentication (MFA), and logging.
Logical access
180
Customer is responsible for configuring the VMs, virtual network, and guest OS security as if the systems were on premises. CSP is responsible for the physical host, physical storage, and physical network. CSP provides the tooling to secure the VMs, but the customer must configure it.
IaaS
181
CSP is responsible for the physical components, the internal network, and the tools provided. Cheaper for the customer, but less control. Customer is responsible for configuration of application and data access security.
PaaS
182
The customer remains responsible for configuring access to the cloud service for their users, as well as sharing responsibility for data recovery. CSP owns the physical infrastructure, as well as network and communication. CSP may provide the tools for data recovery, but the customer may need to perform recovery in some cases.
SaaS
183
Maximum utilization of a compute resource by a customer (e.g., a VM), which is allowed to change dynamically based on current conditions and consumption.
limits
184
A weighting given to a particular VM, used to calculate percentage-based access to pooled resources when there is contention. In cases of shortage, host scoring determines who gets capacity.
shares
185
A minimum resource that is guaranteed to a customer.
reservation
186
The infrastructure components that deliver compute resources, such as the VMs, disk, processor, memory, and network resources.
compute
187
The _____ remains responsible for the maintenance and security of the physical components of compute.
csp
188
The security of the hypervisor is always the responsibility of the _____.
csp
189
* Flawed hypervisor can facilitate inter-VM attacks
* Network traffic between VMs is not necessarily visible
* Resource availability for VMs can be impacted
* VMs and their disk images are simply files, and can be portable and movable
risks associated with virtualization
190
Install all updates to the hypervisor as they are released by the vendor. Restrict administrative access to the management interfaces of the hypervisor. Provide capabilities to monitor the security of activity occurring between guest operating systems (VMs).
hypervisor security recommendations
191
Install all updates to the guest OS promptly. Back up the virtual drives used by the guest OS on a regular basis.
Security recommendations for the guest OS
192
* preventing physical access to the servers
* limiting both local and remote access to the hypervisor
csp's hypervisor security
193
T/F: The virtual network between the hypervisor and the VM is also a potential attack surface.
True - Responsibility for security in this layer is often shared between the CSP and the customer. These components include virtual network, virtual switches, virtual firewalls, virtual IP addresses, etc.
194
A malicious user breaks the isolation between VMs running on a hypervisor by gaining access outside their own VM.
VM escape
195
Ensure patches on the hypervisor and VMs are always up to date. Ensure guest privileges are low, and provide server-level redundancy and HIPS/HIDS protection.
Protection from VM escape
196
Whose responsibility:
* physical protection of data centers and the storage infrastructure they contain
* security patches and maintenance of underlying data storage technologies and other data services they provide
csp
197
Whose responsibility:
* properly configuring and using the storage tools
* logical security and privacy of data they store in the CSP’s environment
customer
198
* Assessing the adequacy of these controls and properly configuring and using the controls available
* Ensuring adequate protection for the data at rest and in motion based on the capabilities offered by the CSP
* Configuring secure access, whether private or public
customer storage responsibilities
199
Inability to securely wipe physical storage, and the possibility of another tenant being allocated the same previously allocated storage space.
customer storage challenge
200
* only storing data in an encrypted format
* retaining control of the keys needed to decrypt the data
compensating controls for lack of physical storage control
201
Provides the tools (web interface and APIs) necessary to configure, monitor, and control your cloud environment. Provides virtual management options equivalent to the physical administration options a legacy data center would provide.
management plane
202
You interact with the _____ through tools including the CSP’s cloud portal, PowerShell or another command line, or client SDKs.
management plane
203
_____ is what you are calling when you create top-level cloud resources with ARM & Bicep (Azure), CloudFormation (AWS), or Terraform (IaC).
Control plane
204
Performs operations on resources created through the control plane.
data plane
205
The main web interface for the CSP platform.
cloud portal
206
* create tenant partitioning or isolation
* limit and secure remote access
* monitor the cloud infrastructure
* allow for the patching and updating of systems
things logical data center design should provide
207
Who's responsible for implementing and enforcing controls that address the unique multitenant risks of the public cloud?
CSP and tenant
208
Single login for on-premises and cloud.
hybrid identity
209
* federate a customer’s existing IAM system with their CSP tenant
* identity as a service (IDaaS)
methods to facilitate IAM between cloud and on-premises
210
The native remote access protocol for Windows operating systems.
RDP
211
The native remote access protocol for Linux operating systems, and common for remote management of network devices.
SSH
212
A bastion host at the boundary of lower and higher security zones.
jumpbox
213
Software tools that allow remote connection to a VM for use as if it were your local machine.
virtual clients
214
* Requires significant investment
* Offers the most control over datacenter design
* Requires knowledge and skill to match the quality of the other option
build
215
* Generally, lower cost of entry (especially in shared)
* Less flexibility in service design (limited to what the provider offers)
* Shared datacenters come with additional security challenges
buy
216
* A strong fence line of sufficient height and construction
* Lighting of facility perimeter and entrances
* Video monitoring and alerting
* Electronic monitoring for tampering
* Visitor access procedures with controlled entry points
* Interior access controls (badges, key codes, secured doors)
* Fire detection and prevention systems
* Protection of sensitive assets, systems, wiring closets, etc.
physical security mechanisms
217
Simply measures the amount of time a system is running.
uptime
218
Encompasses availability of the infrastructure, applications, and services.
availability
219
* Involves no redundancy and the most downtime in the event of unplanned maintenance or an interruption
* Must have an uninterruptible power supply that can handle brief power outages, as well as sags and spikes
* Must also have dedicated cooling equipment that can run 24/7, and a generator to handle extended power outages
* Expected to provide 99.671% availability
Tier 1 - basic site infrastructure
220
* Provides partial redundancy, meaning an unplanned interruption will not necessarily cause an outage
* Adds redundant components for important cooling and power systems
* Facilities must also have the ability to store additional fuel to support the generator
* Expected to provide 99.741% availability
Tier 2 - redundant site infrastructure
221
* Adds even more redundant components
* Has a major advantage in that it never needs to be shut down for maintenance
* Enough redundant components that any component can be taken offline for maintenance and the data center continues to run
* Expected to provide 99.982% availability
Tier 3 - concurrently maintainable site infrastructure
222
* Can withstand either planned or unplanned activity without affecting availability
* This is achieved by eliminating all single points of failure
* Requires fully redundant infrastructure, including dual commercial power feeds and dual backup generators
* Expected to provide 99.995% availability
Tier 4 - fault-tolerant site infrastructure
223
_____ is an audit standard to enhance the quality and usefulness of System and Organization Control (SOC) reports.
SSAE 18
224
Connectivity to data center locations from more than one internet service provider (ISP) is _____.
multi vendor pathway connectivity
225
Best practice for CSPs or data centers is _____ for high availability.
dual entry, dual provider
226
- HA firewalls, active-passive or active-active
- Multi-vendor pathway connectivity
- Web server farm (behind redundant load balancers)
- Database cluster (Windows / Linux cluster feature)
resilient design
227
Two risk management frameworks
- ISO/IEC 31000:2018 Risk Management Guidelines
- NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
228
Assigns a dollar value to evaluate the effectiveness of countermeasures. Objective: ensure controls are cost-effective.
quantitative risk assessment
229
What will the impact be if that goes wrong?
Single loss expectancy (SLE) $
230
How likely is it to happen?
Annualized Rate of Occurrence (ARO) - decimal
231
ARO = Incidents/Year
- An incident that happens twice a year has an ARO of 2.0
- An incident that happens once every two years has an ARO of 0.5
- An incident that happens once every five years has an ARO of 0.2
232
The possible yearly cost of all instances of a specific realized threat against a specific asset.
annualized loss expectancy (ALE)
233
SLE x ARO
ALE
234
- Business units
- Vendor management
- Privacy
- Information security
risk areas
235
- Authentication risk
- Data security
- Supply Chain Risk Management (SCRM)
- Geographic dispersion of the CSP data centers
- Downtime
- Compliance
- General technology risk
common cloud risks
236
Different threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors. Their capabilities depend on tools, experience, and funding. Also includes other external environmental threats, such as fire and floods, and man-made threats, such as the accidental deletion of data or users.
external threats
237
A malicious insider: a threat actor who may be a dissatisfied employee (for example, someone overlooked for a promotion). Another internal threat is human error, such as data being accidentally deleted.
internal threats
238
1. Data breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and APIs
8. Weak control plane
9. "Metastructure" and "applistructure" failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services
The CSA Egregious 11
239
What's the most common account hijacking approach?
phishing
240
What mitigates insider threat?
Job rotation, privileged access management, auditing, security training
241
MFA, RBAC, and key-based API access are controls for _____.
insecure interfaces and APIs
242
The protocols and mechanisms that provide the interface between the cloud layers, enabling management and configuration.
metastructure
243
Applications deployed in the cloud and the underlying application services used to build them.
applistructure
244
- Selecting a qualified CSP
- Designing and architecting with security in mind: consider security at every step, starting with design
- Encryption: data should be encrypted at rest and in transit (storage and database encryption at rest, TLS and VPN in transit)
- Ongoing monitoring and management to maintain posture
risk mitigation strategies
245
– ability to restrict physical access at multiple points
– ensuring a clean and stable power supply
– adequate utilities like water and sewer
– the availability of an adequate workforce
physical and environmental protection
246
Visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters.
site selection criteria
247
- Automation of configuration
- Responsibilities for protecting cloud systems and services
- Monitoring and maintenance
security practices for people and processes
248
- Policy and procedures
- Separation of system and user functionality
- Security function isolation
- Denial of service protection
- Boundary protection
- Cryptographic key establishment and management
system, storage, and communication protection
249
- Preventing malicious traffic from entering the network
- Preventing malicious traffic from leaving your network
- Protecting against data loss (exfiltration)
- Configuring rules/policies in routers, gateways, or firewalls
boundary protection
250
What is typically enforced with adequate logging and monitoring of system activity?
accountability
251
– SaaS apps used as users travel make identifying anomalous / malicious behavior more difficult
– Bad password practices (reuse across services)
– Use of personal devices in BYOD scenarios
Cloud challenges in enforcing accountability
252
_____ are the weakest form of authentication
passwords
253
OATH tokens create _____
one-time passwords (OTP)
254
This is a software-based authenticator that implements two-step verification using the Time-based One-time Password (TOTP) algorithm and the HMAC-based One-time Password (HOTP) algorithm, for authenticating users of software applications.
authentication applications
255
This is where the server pushes the authentication information down to your mobile device. It uses a mobile device app to receive the pushed message and display the authentication information.
push notifications
256
This is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. Often includes a number of organizations that have established trust for shared access to a set of resources.
Federation
257
Refers to the ability to discover relationships between two or more events across logs.
correlation
258
Packet capture tools are also called _____
protocol analyzers
259
An open-source protocol analyzer, with CLI and GUI versions, available for Windows and Linux.
Wireshark - packet capture
260
_____ focuses on the whole business, while _____ focuses more on the technical aspects of recovery
BCP / DRP
261
The plan to move from the disaster recovery site back to your business environment or back to normal operations.
BRP (Business Resumption Plan)
262
A time determination for how long a piece of IT infrastructure will continue to work before it fails.
MTBF (Mean Time Between Failures)
263
A time determination for how long it will take to get a piece of hardware/software repaired and back online.
MTTR (Mean Time to Repair)
264
The amount of time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate our disaster recovery plan.
MTD (Max tolerable downtime)
265
The overall organizational plan for "how to" continue business after an event has occurred. A proactive risk mitigation strategy that contains likely scenarios that could affect the organization and guidance on how the organization should respond.
Disaster Recovery Plan
266
The plan for recovering from an IT disaster and having the IT infrastructure back in operation.
DRP (Disaster Recovery Plan) - tech focused
267
This is used to determine which processes are critical and which are not.
BIA
268
A BIA typically contains a _____
cost benefit analysis (CBA) and a calculation of the return on investment (ROI)
269
The ____ is responsible for determining how to recover in the case of a disaster in the cloud.
customer
270
CSPs can further protect customers in disaster by not allowing _____ within a single physical datacenter within a cloud region.
two availability zones
271
The plan that details how relevant stakeholders will be informed in the event of an incident. It would include a plan to maintain confidentiality, such as encryption, to ensure that the event does not become public knowledge. A contact list should be maintained that includes stakeholders from the government, police, customers, suppliers, and internal staff.
communication plan
272
This is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down.
RPO
273
This is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
RTO
274
This measures the compute resources needed to keep production environments running during a disaster. It is a percentage measure (0-100%) of how much computing power you will need during a disaster, based upon the percentage of computing used by production environments versus others, such as development, test, and QA.
Recovery Service Level (RSL)
275
1. Design (based on BIA priorities)
2. Implement the plan
3. Test the plan
4. Report and revise
BCDR plan process
276
A BCP and DRP should be tested at least _____
annually
277
Members of the disaster recovery team gather in a large conference room and role play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members refer to the document and discuss the appropriate responses to that particular type of disaster.
tabletop testing
278
In this test, some of the response measures are tested (on non-critical functions).
dry run
279
Involves actually shutting down operations at the primary site and shifting them to the recovery site. The entire organization takes part in an unscheduled, unannounced practice scenario of full BC/DR activities.
full test
280
✓ multiple availability zones
✓ automatic failover to backup region(s)
✓ direct connection to a CSP
high availability features for disaster recovery