Domain 3 Flashcards by Natasha WrightPope

What is the primary requirement for cloud functionality?

ISP connectivity

How well did you know this?

Not at all

Perfectly

What provides immediate, battery-driven power for a short period of time?

UPS - uninterruptible power supplies

How well did you know this?

Not at all

Perfectly

What’s the best option for providing backup power for a sustained period of time?

Generators

How well did you know this?

Not at all

Perfectly

Redundant arrays of inexpensive disks (RAID) and redundant servers are examples of what kind of controls?

high-availability

How well did you know this?

Not at all

Perfectly

What identifies sensitive information stored on endpoint systems or in transit over a network?

DLP systems

How well did you know this?

Not at all

Perfectly

What is a duplicate of your system – including lines of communication and network devices – that can act as your business’s main operating system if your primary server goes down for any reason?

Redundant server

How well did you know this?

Not at all

Perfectly

What creates a single usable data disk, where several physical disks are combined into an array for better speed and fault tolerance.

Redundant arrays of inexpensive disks (RAID)

How well did you know this?

Not at all

Perfectly

What are the following key concepts for:
* Mirroring: copying data to more than one disk
* Striping: splitting data across more than one disk
* Error correction (fault tolerance): redundant data is stored to allow problems to be detected and possibly fixed

RAID

How well did you know this?

Not at all

Perfectly

Is RAID a backup solution?

How well did you know this?

Not at all

Perfectly

What is a network encryption protocol used to protect sensitive information?

TLS

How well did you know this?

Not at all

Perfectly

Can TLS identify sensitive information?

How well did you know this?

Not at all

Perfectly

T/F: The management plane of a cloud service provider’s datacenter should be reserved for use by the provider’s own engineers.

True

How well did you know this?

Not at all

Perfectly

What does traffic on the management plane control?

Operation of the infrastructure

How well did you know this?

Not at all

Perfectly

What’s a cost-effective way to track items in a facility?

RFID - Radio frequency identification technology

How well did you know this?

Not at all

Perfectly

What type of site includes the basic capabilities required for datacenter operations, like space, power, HVAC, and communications?

Cold site, but it lacks hardware required to restore operations

How well did you know this?

Not at all

Perfectly

What is the most simplistic type of disaster recovery site consisting of elements providing power, networking capability, and cooling

Cold site

How well did you know this?

Not at all

Perfectly

What type of DR site has storage hardware such as tape or disk drives, servers, and switches but has to have data transported for use in recovery?

Warm site

How well did you know this?

Not at all

Perfectly

What type of DR site is ideal but challenging to attain that is a fully functional backup site that already has important data mirrored to it?

Hot site

How well did you know this?

Not at all

Perfectly

What is the maximum acceptable delay between the interruption of service and restoration of service. This determines an acceptable length of time for service downtime.

RTO - recovery time objective

How well did you know this?

Not at all

Perfectly

What is the maximum acceptable amount of time since the last data recovery point. This determines what is considered an acceptable loss of data.

RPO - recovery point objective

How well did you know this?

Not at all

Perfectly

Every region consists of multiple __________.

Availability zones

How well did you know this?

Not at all

Perfectly

What DR strategy is when data is live, services are idle, and some resources are provisioned and scaled after event?

Pilot light

How well did you know this?

Not at all

Perfectly

What DR strategy is always running, business critical, and scales AWS resources after event?

Warm standby

How well did you know this?

Not at all

Perfectly

What DR strategy has real-time RPO and RTO, zero downtime, near zero data loss, and is for mission critical services?

Multi-site, active/active

How well did you know this?

Not at all

Perfectly

What provides the best redundancy and resiliency for backup?

Having your backup at another cloud provider

What is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers.

Docker

What packages software into standardized units called containers that have everything the software needs to run including libraries, system tools, code, and runtime.

Docker

What is the highest priority in security?

Human safety

What allows every resource on the server to be placed in a partition and can be used to achieve multitenancy, logical separation of data, scalability, and geographic sharding?

Tenant partitioning

What partitions virtual machines belonging to different tenants on a virtualization platform?

Hypervisor

Where should datacenters be located?

In the core of a building

What principle states an individual should react in a situation using the same level of care expected from any reasonable person?

Due care principle

What states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner?

Due care

In what service model is the vendor responsible for hardware related and network related responsibilities?

IaaS

*configuring network firewalls *maintaining hypervisor *managing physical equipment Are three _____ responsibilities in _____.

vendor / IaaS

What is customer responsible for in IaaS?

Patching OS on VM and managing ingress/egress via NSGs.

What data is included in incremental backup?

Only the data modified since the most recent incremental backup

What data is included in differential backup?

All data modified since last full backup

What data is included in the full backup?

All data on the server

What are transaction log backups designed to support?

Database servers, not effective on file server

A computer responsible for the storage and management of data files so that other computers on the same network can access the file.

What is a file server

What is a machine running database software dedicated to providing database services.

Database servers

What do SIEMs do?

Correlate info from multiple sources and perform analysis on data

What does SOAR stand for?

Security orchestration, automation, and response

What do SOAR platforms provide?

automated playbook responses

What do intrusion prevention platforms do?

Block traffic based on analysis performed by the IPS itself.

Do log repositories perform analysis?

No, they just collect log info

Do SIEM solutions create an audit trail?

Yes

What does an audit trail show you?

Sequential record of all the activity on a specific system

What analyzes and blocks suspicious network traffic?

IPS

What monitors endpoints for malware and responds to malware infections?

Endpoint detection and response platforms

The process of protecting devices like desktops, laptops, mobile phones, and tablets from malicious threats and cyberattack

Endpoint security

What are physical devices that connect to a network system such as mobile devices, desktop computers, virtual machines, embedded devices, and servers.

Endpoints

Who enforces an org's security policies across cloud providers?

CASB - Cloud access security broker

What can handle large-scale DDoS attacks?

Content delivery network

What is a network of servers that distributes content from an origin server by caching content close to where each end user is accessing the internet via a web-enabled device.

CDN - content delivery network. It speeds up webpage loading for data-heavy applications.

What is designed to overwhelm a system until it can no longer process legitimate requests?

DoS attack

What principle does DDoS affect?

Availability

Is an IPS an example of risk mitigation?

Yes

What determines the critical path of assets, resources, and data w/in an org?

BIA - business impact plan - useful in shaping BC/DR plan

What should be redundant in a well-designed datacenter?

power, cooling, and network connectivity

What allows for the programmatic interaction w/ services and platforms?

APIs

What is a file that generally contains a short self-contained set of instructions, i.e., lines of code, that perform a specific task.

Python script

What do the following do: Use HTTPS Activate Authentication & Authorization Validate User Input Limit Access to Sensitive Data Monitor and Log API Activity Keep Software and Libraries Up-to-date Perform Regular Security Audits

Secure the backend

What are the elements of hardware and software that ensure that a system can only be controlled by those w/ proper permissions

TCB - Trusted Computing Base

What coordinates access to physical hardware and enforces isolation b/w different virtual machines running on the same physical platform?

Hypervisor

What's the most cost-effective way to provide network segmentation that's used to create logical separation b/w systems in a datacenter?

Virtual local area networks (VLANs)

What's used to connect remote users and sites over an insecure network?

VPN - virtual private network

What's an option to route traffic b/w network sites?

BGPs - border gateway protocol

What tier is expected to achieve 99.741% availability?

Tier 2

What tier is expected to achieve 99.671% availability?

Tier 1

What tier is expected to achieve 99.982% availability?

Tier 3

What tier is expected to achieve 99.995% availability?

Tier 4

Does running unnecessary services on a server increase the attack vector?

Yes

How are compute nodes measured?

In terms of how many CPUs/how much RAM is available in the center

Do compute nodes include virtual and hardware machines?

Yes

T/F: Block storage provides disk volumes for use by servers.

True

What is a named logical area of the physical disk?

Volume

B/c entire machines could be stolen in highly-portable, easily copied formats, _____ must be protected?

VM file stores

What is a common attack vector that uses malicious SQL code for backend database manipulation to access PI?

SQL Injection

What is a programming language for storing and processing information in a relational database?

SQL

What attack executes code on a remote user's system?

Cross-site scripting

What attack exploits trust relationships by tricking systems into authorizing unauthorized activity?

Cross-site request forgery and server-side request forgery

What is a measure of data that can be lost in an outage w/out damaging the organization?

RPO

What strategy most affects RPO?

Data replication

What's a measure of how long an org can endure an outage w/out irreparable harm?

RPO

This is how long an org can suffer an outage before ceasing to be an org

MAD - maximum allowable downtime

What technology performs the following: Encryption: hides the data being transferred from third parties Authentication: ensures that the parties exchanging information are who they claim to be Integrity: verifies that the data has not been forged or tampered with

TLS

What's the primary protocol used to implement HTTPS for secure communication?

TLS

What is separating and storing data in separate logical partitions or storage areas, even if those partitions or storage are on the same physical device.

Logical separation

What is separating and storing data on different physical systems or networks.

Physical separation

What is a protocol used to implement VPNs?

IPsec

What is a group of protocols for securing connections between devices that helps keep data sent over public networks secure. It is often used to set up VPNs?

IPsec

What works by encrypting IP packets, along with authenticating the source where the packets come from to secure connections b/w devices?

IPsec

What is it called when you assign users only the permissions they need to perform their job responsibilities?

Least privilege

What is the unintentional accumulation of privileges over time?

Aggregation or privilege creep

What is it called when two people must work together to perform a sensitive action?

Two-person control

What is the reliance upon secrecy of security mechanisms to provide security for a system or process?

Security through obscurity

What hypervisor provides a greater degree of security b/c they run directly on top of hardware, decreasing the attack surface?

Type 1 (bare-metal)

What's the major driver to lease space in a colocation facility?

A reduction in cost achieved by sharing cost among multiple clients.

At a minimum, the Uptime Institute requires it to offer a UPS; a designated space for IT systems; dedicated cooling equipment that runs outside of office hours; and an engine generator.

Tier 1 datacenters

What is a voltage regulator that protects sensitive electronics, such as computers, lab equipment, home theaters from voltage fluctuations and power surges?

Line conditioners

Dual-power supplies are a requirement for what datacenter tier?

Tier 3

What handles traffic b/w SDN controllers and SDN applications?

NBI - northbound interface

What is used to access the SDN controller and allows a network administrator to access the SDN to configure it or to retrieve information from it?

NBI - northbound interface

In what do applications often need to communicate with network controllers to query or modify the current state of the network?

SDN - Software defined networking

What is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network?

SDN - Software defined networking

What is basically SSO across multiple organizations?

Federation

What is a method of linking a user’s identity across multiple separate identity management systems allowing users to quickly move between systems while maintaining security.

Federated identity

What are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.

Hardware security modules

What technology provides for the management of physical keys?

KMBs - Key management boxes

Components of Kerberos authentication process.

TGT - ticket granting tickets

What is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third-party for authenticating client-server applications and verifying users' identities.

Kerberos

What provides a secure operating environment inside a computer system?

TCB - trusted computing base

Technological capabilities of virtualization create the ease of use that can cause ______.

Sprawl

Sprawl should be addressed from a _________ perspective.

Managerial

T/F: It's helpful to have a moderator to guide participants thru tabletop exercises.

True

The ________ contains the suite of security controls applied uniformly thru an environment.

Baseline

Forensic analysis is an important part of ______.

Incident response

What is the term used to describe the ability of customers to access their systems remotely?

Ping

What is the term used to describe the network connectivity that supports servers' connections to the internet?

Pipe

What is the software layer between the hardware and the guest operating systems that acts as a resource manager to enable the sharing of processing power and memory.

Hypervisor

What reroutes traffic based on current customer demand, creates logical subnets w/out having to change any physical connections, and filters access to resources based on specific rules or settings?

SDNs

What splits a large network into a grouping of smaller, interconnected networks to help minimize traffic and increases network speed?

Subnet

What delivers streaming media content efficiently by placing it closer to the end user?

CDN

What is a group of servers with mostly shared storage between them that can be used to facilitate high availability for your applications and services and can also be used to create the benefits of reliability, performance, and lower TCO?

Failover clusters

What is a group of independent computers that work together to increase the availability and scalability of clustered roles

Failover cluster

What's another word for clustered servers?

Nodes

How can you ensure your data is not held hostage or lost if a provider becomes unusable?

Having a backup with a different provider.

What are two things that provide compute capability?

Virtual server instances and containers

____ is the most significant reason cloud datacenters use VMs

Cost

What shuts down the primary operating facility and shifts operations to the backup facility?

Full tests or full interruption tests

What test for backup and restore capabilities restores a system that hasn't actually broken down to an alternate location?

Parallel test - activates the facility but doesn't move production responsibility to it.

What kind of attack is when the attacker is able to leave the confines of its own VM and access resources belonging to another customer?

Escape attack

What type of vulnerability occurs when there is more data in a buffer than it can handle and causes data to overflow into adjacent storage, which can cause a system crash or, worse, create an entry point for a cyberattack.

Overflow vulnerability

What kind of vuln exists in the following example: A search form where visitors send their search query to the server, and attackers typically send victims custom links that direct unsuspecting users toward a vulnerable page.

Scripting vulnerability

What vulnerability causes escape attacks to occur?

A vuln in the hypervisor, b/c it's supposed to be the separation that prevents customers from accessing each other's resources.

Disk volumes are stored on _____ storage, except when snapshotting is used to create a backup, then they're stored on less expensive ______ storage.

Block - Object

Hot and warm sites are not needed when your data is backed up __________.

In the cloud

T/F: A specified configuration built to defined standards and with a controlled process can be used to show that all VMs w/in an environment include certain controls.

True

What records provide the "telephone bill" level of communication detail but not the content?

Netflow records

What is a commonly used standard for monitoring network flow data that allows you to monitor IP network traffic information as data packets enter or exit an interface.

NetFlow

What standard provides the most accurate reconstruction of user activity but is costly to implement due to data storage requirements?

Packet capture

What is a networking term for intercepting a data packet that is crossing a specific point in a data network, and once captured in real-time, is stored for a period of time so that it can be analyzed, and then either be downloaded, archived or discarded.

Packet capture

What type of backup provides the best redundancy and resiliency?

Having your backup at another cloud provider

Every plan/policy should include mention of:

The governance documents, by reference, that drive the formation of the plan/policy

What is SAML?

Security Assertion Markup Language - based on XML

What is an open federation standard that allows an identity provider (IdP) to authenticate users and then pass an authentication token to another application known as a service provider (SP).

SAML

HTTP is used for port ___ web traffic

What is used to load web pages using hypertext links?

HTTP - hypertext transfer protocol

What is used to present web pages?

HTML

What is the universal alphanumeric character set?

ASCII

Moving information into another jurisdiction may affect your:

Regulatory compliance

What are the 4 major risk management strategies?

Risk acceptance Risk transference Risk avoidance Risk reduction

What most affects RPO?

Data replication strategies, which determine how much recent data is available for recovery purposes

T/F: Data replication affects RPO more than RTO.

True

What is the process of granting users and other security principles access to resources in an environment?

Authorization

When using two different cloud providers, a customer runs the risk of:

Data/software formats being different and not readily adapted, causing delays during a failover

In what model does the customer have most configuration control?

IaaS

In what model does the customer have least configuration control?

SaaS

Public cloud makes a ______ _______ more likely.

Guest escape

What is used to create an encrypted communication tunnel over an untrusted medium?

VPN

What are used for central repositories for identification, authentication, and authorization purposes?

ACLs

What is an access control model used to assign permissions based on job functions w/in an org?

RBAC

What is the address at which an item (memory cell, storage element, network host) appears to reside from the perspective of an executing application program.

Logical address

What is the least disruptive type of disaster recovery test?

Checklist review

Accessing source code is necessary for ______

Static analysis

Which dev model is most frequently associated with cloud services?

Agile

What is the best solution to prevent 3Ps from intercepting and accessing data sent via API calls?

TLS

What provides protection against inadvertent data exposure when multiple tenants share the same underlying infrastructure?

Encryption at rest

T/F: Multiple paths are ideal for CI/CD pipeline.

False

Automation, use of metrics, and version control are all recommended best practices for ________.

CI/CD pipelines

IdPs integrate with _______ or ______.

OpenID Connect or SAML

In what phase of the SDLC is user input most necessary?

Define

Customer responsible for apps, data, runtime, middleware, and OS. CSP responsible for virtualization, servers, storage, and networking.

IaaS

Customer responsible for apps and data. CSP responsible for runtime, middleware, OS, virtualization, servers, storage, and networking.

PaaS

Shared responsibility for apps and data. CSP also responsible for runtime, middleware, OS, virtualization, servers, storage, and networking

SaaS

Standard measures such as locks, security personnel, lights, fences, visitor check in procedures.

CSP data center physical security measures

_____ controls Identity and access management (IAM), single sign on (SSO) provider, multifactor authentication (MFA) and logging.

Logical access

Customer is responsible for configuring the VMs, virtual network, and guest OS security as if the systems were on premises. CSP responsible for physical host, physical storage, and physical network. CSP provides the tooling to secure the VM but customer must configure them.

IaaS

CSP is responsible for the physical components, the internal network, and the tools provided. Cheaper for customer, but less control. Customer is responsible for configuration of application and data access security. CSP is responsible internal network, and the tools provided.

PaaS

The customer remains responsible for configuring access to the cloud service for their users, as well as shared responsibility for data recovery. CSP owns physical infrastructure, as well as network and communication. CSP may provide the tools for data recovery, but customer may need to perform recovery in some cases.

SaaS

Maximum utilization of compute resource by a customer (e.g. VM) which are allowed to change dynamically based on current conditions and consumption

limits

A weighting given to a particular VM used to calculate percentage based access to pooled resources when there is contention. In cases of shortage, host scoring determines who gets capacity.

A minimum resource that is guaranteed to a customer.

reservation

The infrastructure components that deliver compute resources, such as the VMs, disk, processor, memory and network resources.

compute

The _____ remains responsible for the maintenance and security of the physical components of compute.

csp

The security of the hypervisor is always the responsibility of the _____.

csp

– Flawed hypervisor can facilitate inter VM attacks – Network traffic between VMs is not necessarily visible – Resource availability for VMs can be impacted – VMs and their disk images are simply files, can be portable and movable

risks associated with virtualization

Install all updates to the hypervisor as they are released by the vendor. Restrict administrative access to the management interfaces of the hypervisor. Capabilities to monitor the security of activity occurring between guest operating systems (VMs).

hypervisor security recommedations

Install all updates to the guest OS promptly. Back up the virtual drives used by the guest OS on a regular basis

Security recommendations for the guest OS

- preventing physical access to the servers. - limiting both local and remote access to the hypervisor.

csp's hypervisor security

T/F: The virtual network between the hypervisor and the VM is also a potential attack surface.

True - Responsibility for security in this layer is often shared between the CSP and the customer. These components include virtual network, virtual switches, virtual firewalls, virtual IP addresses, etc.

A malicious user breaks the isolation between VMs running on a hypervisor by gaining access outside their VM.

VM escape

Ensure patches on hypervisor and VMs are always up to date. Ensure guest privileges are low, server level redundancy and HIPS/HIDS protection.

Protection from VM escape

Whose responsibility: - physical protection of data centers and the storage infrastructure they contain. - security patches and maintenance of underlying data storage technologies and other data services they provide

csp

Whose responsibility: - properly configuring and using the storage tools. - logical security and privacy of data they store in the CSP’s environment.

customer

- Assessing the adequacy of these controls and properly configuring and using the controls available. - Ensuring adequate protection for the data at rest and in motion based on the capabilities offered by the CSP. - Configuring secure access, whether private or public.

customer storage responsibilities

Inability to securely wipe physical storage and possibility of another tenant being allocated the same previously allocated storage space

customer storage challenge

- only storing data in an encrypted format – retaining control of the keys needed to decrypt the data

compensating controls for lack of physical storage

Provides the tools (web interface and APIs) necessary to configure, monitor, and control your cloud environment. Provides virtual management options equivalent to the physical administration options a legacy data center would provide.

management plane

You interact with the _____ through tools including the CSP’s cloud portal, PowerShell or other command line, or client SDKs

management plane

_____ is what you are calling when you create top level cloud resources with ARM & Bicep (Azure), CloudFormation (AWS) or Terraform (IaC)

Control plane

Performs operations on resources created through the control plane

data plane

The main web interface for the CSP platform.

cloud portal

- create tenant partitioning or isolation - limit and secure remote access - monitor the cloud infrastructure - allow for the patching and updating of systems

things logical data center design should provide

Who's responsible for implementing and enforcing controls that address the unique multitenant risks of the public cloud?

CSP and tenant

Single login for on premises and cloud

hybrid identity

– federate a customer’s existing IAM system with their CSP tenant – identity as a service ( IDaaS

methods to facilitate IAM between cloud and on premises

the native remote access protocol for Windows operating systems.

RDP

the native remote access protocol for Linux operating systems, and common for remote management of network devices.

SSH

a bastion host at the boundary of lower and higher security zones .

jumpbox

software tools that allow remote connection to a VM for use as if it is your local machine

virtual clients

Requires significant investment Offers the most control over datacenter design Requires knowledge and skill to match quality of other option

build

Generally, lower cost of entry (especially in shared) Less flexibility in service design (limited to what provider) Shared datacenters come with additional security challenges

buy

A strong fence line of sufficient height and construction Lighting of facility perimeter and entrances Video monitoring and alerting Electronic monitoring for tampering Visitor access procedures with controlled entry points Interior access controls (badges, key codes, secured doors) Fire detection and prevention systems Protection of sensitive assets, systems, wiring closets, etc.

physical security mechanisms

simply measures the amount of time a system is running

uptime

encompasses availability of the infrastructure, applications, and services

availability

- Involves no redundancy and the most amount of downtime in the event of unplanned maintenance or an interruption. - Must have an uninterruptible power supply that can handle brief power outages, as well as sags and spikes - Must also have dedicated cooling equipment that can run on 24/7, and a generator to handle extended power outages expected to provide 99.671% availability

Tier 1 - basic site infrastructure

- Provides partial redundancy, meaning an unplanned interruption will not necessarily cause an outage - Adds redundant components for important cooling and power systems - Facilities must also have the ability to store additional fuel to support the generator expected to provide 99.741% availability

Tier 2 - redundant site infrastructure

- Adds even more redundant components - Has a major advantage in that it never needs to be shut down for maintenance - Enough redundant components that any component can be taken offline for maintenance and data center continues to run - Expected to provide 99.982% availability

Tier 3 - concurrently maintainable site infrastructure

- Can withstand either planned or unplanned activity without affecting availability - This is achieved by eliminating all single points of failure - Requires fully redundant infrastructure, including dual commercial power feeds, dual backup generators - Expected to provide 99.995% availability

Tier 4 - fault-tolerant site infrastructure

_____ is an audit standard to enhance the quality and usefulness of System and Organization Control (SOC) reports.

SSAE 18

Connectivity to data center locations from more than one internet service provider (ISP) is _____.

multi vendor pathway connectivity

Best practice for CSPs or data centers is _____ for high availability.

dual entry, dual provider

HA firewalls, active passive or active active Multi vendor pathway connectivity Web server farm (behind redundant load balancers) Database cluster (Windows / Linux cluster feature)

resilient design

Two risk management frameworks

- ISO/IEC 31000:2018 Risk Management Guidelines - NIST SP 800 37, Guide for Applying the Risk Management Framework to Federal Information Systems

Assigns a dollar value to evaluate effectiveness of countermeasures. Objective, ensure controls are cost effective.

quantitative risk assessment

What will the impact be if that goes wrong?

Single loss expectancy (SLE) $

How likely is it to happen?

Annualized Rate of Occurrence (ARO) - decimal

ARO = An incident that happens twice a year has an ARO of An incident that happens once every two years has an ARO of An incident that happens once every five years has an ARO of

Incidents/Year 2.0 0.5 0.2

The possible yearly cost of all instances of a specific realized threat against a specific asset.

annualized loss expectancy (ale)

SLE x ARO

ALE

- Business units - Vendor management - Privacy - Information security

risk areas

Authentication Risk Data Security Supply Chain Risk Management (SCRM) Geographic dispersion of the CSP data centers Downtime Compliance General technology risk

common cloud risks

Different threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors. Capabilities depend on tools, experience, and funding. Other external environmental threats, such as fire and floods, and manmade threats, such as the accidental deletion of data or users.

external threats

A malicious insider, a threat actor who may be a dissatisfied employee (someone overlooked for a promotion). Another internal threat is human error, which is when data is accidentally deleted.

internal threats

1. Data Breaches 2. Misconfiguration and inadequate change control 3. Lack of cloud security architecture and strategy 4. Insufficient identity, credential access and key management 5. Account hijacking 6. Insider threat 7. Insecure interfaces and APIs 8. Weak control plane 9. “Metastructure ” and "applistructure ” failures 10. Limited cloud usage visibility 11. Abuse and nefarious use of cloud services

The CSA Egregious 11

What's the most common account hijacking approach?

phishing

What mitigates insider threat?

Job rotation, privileged access management, auditing , security training

MFA, RBAC, and key based API access are controls for _____.

insecure interfaces and APIs

The protocols and mechanisms that provide the interface between the cloud layers, enabling management and configuration.

metastructure

Applications deployed in the cloud and the underlying application services used to build them.

applistructure

Selecting a qualified CSP Designing and architecting with security in mind Consider security at every step, starting with design Encryption, and data should be encrypted at rest and in transit. Storage and database encryption at rest, TLS and VPN in transit Ongoing monitoring and management to maintain posture.

risk mitigation strategies

– ability to restrict physical access at multiple points – ensuring a clean and stable power supply – adequate utilities like water and sewer – the availability of an adequate workforce

physical and environmental protection

Visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters.

site selection criteria

Automation of configuration Responsibilities for protecting cloud systems and services Monitoring and maintenance

security practices for people and processes

Policy and Procedures Separation of System and User Functionality Security Function Isolation Denial of Service Protection Boundary Protection Cryptographic Key Establishment and Management

system, storage, and communication protection

Preventing malicious traffic from entering the network Preventing malicious traffic from leaving your network Protecting against data loss (exfiltration) Configuring rules/policies in routers, gateways, or firewalls

boundary protection

What is typically enforced with adequate logging and monitoring of system activity?

accountability

– SaaS apps used as users travel make identifying anomalous / malicious behavior more difficult – Bad password practices (reuse across services) – Use of personal devices in BYOD scenarios

Cloud challenges in enforcing accountability

_____ are the weakest form of authentication

passwords

Oath tokens create _____

one time passwords (OTP)

This is a software based authenticator that implements two step verification services using the Time based One time Password Algorithm and HMAC based One time Password algorithm, for authenticating users of software applications.

authentication applications

This is where the server is pushing down the authentication information to your mobile device. Uses the mobile device app to be able to receive the pushed message and display the authentication information.

push notifications

This is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. Often includes a number of organizations that have established trust for shared access to a set of resources.

Federation

Refers to the ability to discover relationships between two or more events across logs.

correlation

Packet capture tools are also called _____

protocol analyzers

An open source protocol analyzer, with CLI and GUI versions, available for Windows and Linux.

Wireshark - packet capture

_____focuses on the whole business, while _____ focuses more on the technical aspects of recovery

BCP / DRP

The plan to move from the disaster recovery site back to your business environment or back to normal operations.

BRP (Business Resumption Plan)

A time determination for how long a piece of IT infrastructure will continue to work before it fails.

MTBF (Mean Time Between Failures)

A time determination for how long it will take to get a piece of hardware/software repaired and back on line.

MTTR (Mean Time to Repair)

The amount of time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate our disaster recovery plan.

MTD (Max tolerable downtime)

The overall organizational plan for “how to” continue business after an event has occurred. A proactive risk mitigation strategy that contains likely scenarios that could affect the organization and guidance on how the organization should respond

Disaster Recovery Plan

The plan for recovering from an IT disaster and having the IT infrastructure back in operation.

DRP (Disaster Recovery Plan) - tech focused

This is used to determine which processes are critical and which are not.

BIA

A BIA typically contains a _____

cost benefit analysis (CBA) and a calculation of the return on investment (ROI)

The ____ is responsible for determining how to recover in the case of a disaster in the cloud.

customer

CSPs can further protect customers in disaster by not allowing _____ within a single physical datacenter within a cloud region.

two availability zones

The plan that details how relevant stakeholders will be informed in event of an incident. Would include plan to maintain confidentiality, such as encryption to ensure that the event does not become public knowledge. Contact list should be maintained that includes stakeholders from the government, police, customers, suppliers, and internal staff.

communication plan

This is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down

rpo

This is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

rto

This measures the compute resources needed to keep production environments running during a disaster. It is a percentage measure (0-100%) of how much computing power you will need during a disaster based upon a percentage of computing used by production environments versus others, such as development, test, and QA

recovery service level - rsl

design - based on bia priorities implement the plan test the plan report and revise

BCDR plan process

A BCP and DRP should be tested at least _____

annually

Members of the disaster recovery team gather in a large conference room and role play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members refer to the document and discuss the appropriate responses to that particular type of disaster.

tabletop testing

In this test, some of the response measures are tested (on non critical functions).

dry run

Involves actually shutting down operations at the primary site and shifting them to the recovery site. When the entire organization takes part in an unscheduled, unannounced practice scenario, of full BC/DR activities.

full test

✓ multiple availability zones ✓ automatic failover to backup region(s) ✓ direct connection to a CSP.

high availability features for disaster recovery