Domain 5 Flashcards by Natasha WrightPope

What defines service-level targets and responsibilities for IT service provider?

SLAs

How well did you know this?

Not at all

Perfectly

What’s an internal agreement b/w the IT service provider and another part of the same org and supports the service provider’s delivery of the service.

OLAs - operational level agreement

How well did you know this?

Not at all

Perfectly

What’s used to determine whether a service meets its quality and functionality goals?

SAC - service acceptance criteria

How well did you know this?

Not at all

Perfectly

What defines the requirements of a service from the customer’s perspective?

SLR - service level requirement

How well did you know this?

Not at all

Perfectly

Reactive communications are used for:

data breach notification, regulatory compliance, and problem management

How well did you know this?

Not at all

Perfectly

T/F: Major cloud vendors provide their own customized versions of Linux that include additional agents and tools that help them work better w/ the provider’s infrastructure?

True

How well did you know this?

Not at all

Perfectly

When managing systems at scale in the cloud, is it best to use the cloud IaaS vendor’s tools?

Yes

How well did you know this?

Not at all

Perfectly

Why is it best to use the cloud IaaS vendor’s tools when managing systems at scale in the cloud?

B/c they’re designed to handle OS that may have special features to work in the vendor’s environment and applications.

How well did you know this?

Not at all

Perfectly

Do CSPs allow direct or 3P audits of their systems?

No - but they will provide audit results

How well did you know this?

Not at all

Perfectly

What is used to create, store, and manage secrets?

HSM - hardware security module

How well did you know this?

Not at all

Perfectly

What uses code and config files or variables to allow rapid deployment using scripts and automated tools?

Infrastructure as code design

How well did you know this?

Not at all

Perfectly

What’s used to access data from services?

APIs

How well did you know this?

Not at all

Perfectly

What are two practices to improve service continuity?

Understanding the number of business practices that have continuity planning in place.
Assessing which gaps in coverage are critical.

How well did you know this?

Not at all

Perfectly

Are Agile and DevOps well-suited to rapid release cycles w/ CI/CD delivery processes?

Yes

How well did you know this?

Not at all

Perfectly

T/F: Agile and DevOps are better with CI/CD than Waterfall and Spiral

True

How well did you know this?

Not at all

Perfectly

What is the first step in ITIL 4 continual service improvement process?

Identify strategy for improvement

How well did you know this?

Not at all

Perfectly

What comes after you identify strategy for improvement in ITIL 4 continual service improvement process?

Define what to measure

How well did you know this?

Not at all

Perfectly

What happens after you define what to measure in ITIL 4 continual service improvement process?

Gather data

How well did you know this?

Not at all

Perfectly

What happens after you gather data in ITIL 4 continual service improvement process?

Process the data

How well did you know this?

Not at all

Perfectly

What happens after you process the data in ITIL 4 continual service improvement process?

Analyze the information and data

How well did you know this?

Not at all

Perfectly

What happens after you analyze the information and data in ITIL 4 continual service improvement process?

Present and use the information

How well did you know this?

Not at all

Perfectly

What’s the last step in ITIL 4 continual service improvement process?

Implement improvement

How well did you know this?

Not at all

Perfectly

What mode migrates VMs to other hosts or waits until they are powered down to allow for hardware or other maintenance.

Maintenance

How well did you know this?

Not at all

Perfectly

What does centralized log collection, analysis, and detection?

SIEM tools

How well did you know this?

Not at all

Perfectly

What is used to detect and stop attacks?

IPS - intrusion prevention system

What is a government funded research organization w/ a heavy focus on security work?

MITRE

What is an encryption protocol used to secure data in transit?

TLS

What's used to logically separate network segments?

VLANs

What's intended to provide security to domain name system requests?

DNSSEC

What provides IP addresses and other network config info to systems automatically?

DHCP

Will the default SSH port stop attackers and 3Ps from accessing SSH as long as it hasn't been changed to a port outside of port 22?

Yes

What stores config management and info about relationships b/w configuration items?

Configuration Management Database

Who patches PaaS environments?

The vendor

What are designing services for availability, availability testing, and availability monitoring and reporting?

ITIL subprocesses for availability management

Do customers need to tell their vendors about breaches?

Do vendors need to tell their customers about breaches?

Yes

What's necessary to establish a configuration management database?

Having an inventory to create a baseline.

What can you do once a baseline is ceated?

Establish CMB, deploy new assets configured to meet baseline, and document deviations.

What adds functionality like use of GPUs (graphics processing unit), shared clipboards, and drag and drop b/w guest OS, shared folders, and similar features that require additional integration b/w guest OS and underlying hypervisor?

Guest OS virtualization tools

What focuses on whether security practices and procedures align to risk tolerance for the org and includes verification and testing like SOC2 Type 2 audit does.

Security review objective

What topics does the security review objective cover?

Design, testing, and incident management

Is manual static code review a good fit for CI/CD?

No b/c of speed requirements

Do WAFs and IPSs test code and make application more secure?

Who is responsible for network-based risks in IaaS?

Customer and provider

What does configuration management start with?

Baselining

What is the critical factor when transaction volume is key?

Network latency

Azure's best practices suggest creating disk snapshots for VM's OS and data disks and then ______.

Safely storing the snapshots and then comparing hashes b/w images and originals

Will comparing hashes of a snapshot validate it against the original?

Can VMs be exported as hashes?

Do businesses manage customer capacity?

No, they assess their own capacity, known as business capacity mgmt

What do data breach regulations typically focus on?

Customer notification

What is the process for preserving data for legal action?

Legal hold

What is a critical part of instance scheduling?

Tagging

What allows schedules to be easily applied to all instances w/ the proper tags?

Tagging

Is adding new hardware to increase performance an element of hardening?

What is the process of provisioning a specific element against an attack?

Hardening

Do audits protect against attacks?

No, they detect and direct responses to attacks

Are humans in the loop for patching?

Yes, and they can be installed in non-production environments to be validated before further installation

What speeds patching and patch accuracy via automation?

Automated patching systems

What controls the entirety of the virtual environment?

Management systems, and they should be isolated physically and virtually.

Does ITIL 4 categorize deployment management as part of release management?

Yes

Who is responsible for the fit for purpose for continual service improvement?

Process owner

Who improves ITSM processes and services?

CSI (continual service improvement) managers

Who ensures processes work together and support each other effectively?

Process architects

What performs firewall-like rules-based filtering?

Network security groups

What captures and observes attacker behaviors?

Honeypots

What detects and prevents attacks based on behaviors and signatures, respectivly?

IDSs and IPSs

Hardware redundancy, local sharing and balancing, and failure mode design are all:

common practices when designing redundancy into cloud datacenters

Will vendors allow customers to conduct PCI assessments of their underlying infrastructure?

Will IaaS vendors allow customers to scan their own internal systems?

Yes, but they may recommend that instances w/ lower resources are not scanned to avoid disruption

Are scanning tools required to be used in an IaaS environment?

Is external scanning prohibited?

Yes, b/c it can affect other customers

Is scheduling a time or date required for advanced/specialized testing?

Yes

Using load balancing to drain load from existing systems and then replacing them w/ new, patched instances is a common best practice for _____.

Cloud-hosted service environment patching

Could manual and scripting patching and re-IPing cause outages?

Yes, as systems are swapped over

1. Transferring users 2. Preventing new connections 3. Notifying customers

common practices for maintenance mode

Are HSMs used for boot security?

What allows you to add TPM 2.0 virtual crypto processor to a VM?

A virtual trusted platform module vTPM

What provides hardware-based, security-related functions such as random number generation, attestation, and key generation?

vTPM

What enables the guest operating system to create and store keys that are private, while not exposing the keys to the guest operating system and thereby reducing the virtual machine attack surface?

vTPM

What runs on top of an OS?

Type 2 hypervisor

What's ITIL's overall goal?

Restore service as soon as possible after an incident

What are top focuses of ITIL?

Identification, containment, resolution, and maintenance

What's an interruption of normal service, including reductions in the quality of services that may violate an SLA?

Incidents

What resolves the cause of problems?

Problem management

What restores services to normal levels?

Incident response

Is the number of individuals impacted a useful KPI for availability?

What is the basis of security management in ITIL?

Infosec policies - more specifically "underpinning infosec policies"

In what is automated testing conducted and code must pass testing before it's released?

CI/CD pipeline

Is human intervention/approval required for CI/CD pipelines?

What's the most common means of capturing disk images from VMs in an IaaS environment?

Snapshots

What makes using forensic image acquisition tools difficult in a cloud environment?

A lack of access to the underlying hardware

What is DBAN?

A wiping tool

Do copy utilities provide a complete forensically sound copy?

TerraForm, CloudFormation, Ansible, Chef, and Puppet are what kind of tools?

Infrastructure as Code

What ISO describes service management?

20000-1

What ISO describes an information security management system?

27001

What's the best tool to centralize logs and incident information?

SIEM

What can block legitimate traffic if it's improperly identified?

IPS

Which needs to be placed in-line with traffic? IDS or IPS

IPS

Do IPS and IDS use signature and behavior-based detection?

Yes

Can an IDS fail open or closed?

No, b/c it's not in-line

A system set to ________ does not shut down when failure conditions are present.

Fail open

________ is when a device or system is set, either physically or via software, to shut down and prevent further operation when failure conditions are detected.

Failing closed

An ________ sits in line with traffic flows and inspects all traffic before permitting it to continue on to its destination.

IPS

What shows which IP address contacted another IP address, source/destination ports, and volume of data?

Flow logging

AI features in SIEM devices are used to:

1. Analyze and learn network traffic patterns 2. Use log correlation and threat intelligence to identify unexpected/potentially malicious behavior

default gateway subnet mask DNS server info IP address Are all provided by

DHCP

A ________ is a router that connects your host to remote network segments.

default gateway

A _________ is a number that distinguishes the network address and the host address within an IP address.

subnet mask

________ is an Internet service that translates domain names (e.g., its.umich.edu) into IP addresses.

Domain Name System (DNS)

________ is a protocol for automatically assigning IP addresses and other configurations to devices when they connect to a network.

Dynamic Host Configuration Protocol (DHCP)

An ________ is a unique numerical identifier for every device or network that connects to the internet and is used for communicating across the internet.

Internet Protocol (IP) address

________ is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.

Secure Boot

Disabling _________ b/w VMs and the console is a standard security practice.

cut and paste

Removing ________ is a standard security practice.

unnecessary hardware

Use of the VM console is considered direct access and should only be used for ________.

critical actions - use virtualization management platform for most actions

Are honeypots used to capture traffic to stop attacks?

No - just to study

What 3 things can stop attacks by preventing malicious traffic from entering the network?

network security groups, firewalls, and IPSs

What can be associated with subnets or individual virtual machine instances within that subnet to activate a rule or access control list (ACL) to allow or deny network traffic to your virtual machine instances in a virtual network.

Network security groups

use multiple vendors have SLAs in place use self-hosted failover capabilities

high availability techniques

Invest in redundant systems Additional monitoring

availability management techniques

T/F: Disk images, VM snapshots, and network packet capture require low-level access that can't typically be accessed in SaaS.

True

What measures performance and checks it against requirements set in SLAs and service-level requirements?

Service capacity management

What involves interpreting business needs into requirements for services and architecture?

Business capacity management

What focuses on the actual components of an infrastructure?

Component capacity management

________ is dedicated file storage that enables multiple users and heterogeneous client devices to retrieve data from centralized disk capacity.

Network-attached storage (NAS)

________ is a management platform for Windows endpoints providing inventory, software distribution, operating system imaging, settings and security management.

Microsoft Endpoint Configuration Manager

What mode is used to remove running systems for a VM cluster to allow for hardware/software upgrades?

Maintenance mode

What hides details of a system to make management simpler?

Abstraction

Like honeypots, these are set up to detect network attacks and techniques.

Honeynets

What's used to look for unexpected traffic indicating probes by potential attackers?

Darknets

What's used to provide secure access from a lower security zone to a higher one?

Bastion hosts

What's the next step after data/artifacts are identified in forensics?

Preservation

________ is the managing and provisioning of infrastructure through code instead of through manual processes.

Infrastructure as Code (IaC)

Benefits of ______ include: Increase consistency by removing human error Easily updated Increases speed

IaC

A ________ ensures uptime and availability by helping you manage hardware, application, and site failures.

clustered environment

The benefits of ________ include flexibility and scalability, availability and performance, reduced IT costs, and a customizable infrastructure.

server clustering

* Identifying/specifying attributes for each config item type/subcomponent * The relationship b/w each CI/subcomponent and others in the org Are all things _____ includes.

ITIL's config identification subprocess

What focuses on managing changes in the config management system?

Config control

What validates that configs match what's expected?

Config verification

Typically, ________measure input/output operations per second (IOPS), filesystem performance, caching, and autoscaling.

cloud performance metrics

Availability, capacity, throughput, latency, cpu capacity, and error rates are all ____ that should be monitored for _____.

metrics / IaaS

What are the components/services managed as part of a config mgmt effort?

Config items

What are used to evaluate changes and causes of incidents?

Config models

What describes config item relationships and settings?

Config records

Is latency usually billed?

Can customers obtain forensic data from underlying infrastructure as a service environment?

Memory for instance, disk volumes, and logs are all:

cloud forensic artifacts

Will SaaS providers allow 3Ps to scan their production services?

27037, 27041, 27043, and 27050-1 all relate to _____ ?

forensics

______ covers standards for infosec management and ____ describes security controls

27001 and 27002

What ISO series covers quality management?

9000

Do SOCs provide eDiscovery services?

________ is a form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings.

E-discovery

What ISO standard focuses on business capacity mgmt, service capacity mgmt, and component capacity mgmt?

20000-1

What plans focus on creating and deploying releases?

Release and deployment plans

What ISO standard requires orgs to establish, approve, and communicate their infosec policy?

20000-1

What moves VMs from heavily loaded hosts to those w/ more resources available to help balance load across the cluster?

Distributed resource scheduling

What's a form of load balancing where requests are distributed to each server in a cluster as they come in based on a list?

Round-robin load balancing

Powered-on time, temp, and drive health are all elements of _______.

Hardware monitoring

What allows an app to run in a secure location while still allowing access to it from a lower-trust device?

Selecting a virtual client that allows apps to run in a cloud-hosted environment

What includes detailed plans for returning systems and services to a working state and recovering data to a known consistent state?

ITIL Recovery plan

What focuses on how to ensure continuity during specified disasters for services and systems?

Service continuity plans

Is it best to engage a 3P when facing cloud forensic investigations?

Yes

Assignment of tasks, including deviation notification and documentation, are things _____ should include.

Change management policies

What should be isolated to ensure security of production activities?

Provisioning, management, and access to storage

Ping, power, and pipe refers to _______, _______, and ________ with services like HVAC.

connectivity, power, and facility space

Tier 1 datacenters are cheapest and needed only for _______.

occasional backup

Creating and maintaining proper chain of custody documentation provides ________.

nonrepudiation

What are logical overlays used to segregate network devices?

VLANs

What's used to create secure channels b/w networks over untrusted networks?

VPNs

What's used to prevent loops in networks?

STP - spanning tree protocol

What are three options for backup power?

Batteries, redundant utility lines, and generator

What is two power lines with separate routes so the fault of one line cannot compromise the functionality of the other?

Redundant utility lines

What is a chip that resides on motherboard, is multi-purpose, and provides OS w/ access to keys while preventing drive removal and data access?

TPM - Trusted Platform Module

What is also called a cryptographic coprocessor?

Trusted Platform Module

What are virtual TPMs part of?

The hypervisor

Can a TPM be added or removed at later date?

No, b/c it's a physical component of the system hardware

What uses tamper-proof hardened devices to provide crypto processing and protection of keys?

HSM

What can be used in place of software crypto libraries and acclerators?

HSM

What is a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive?

Full disk encryption

What verifies the keys match before the secure boot process takes place?

Hardware root of trust

When certificates are used in FDE, they use a _______ for key storage.

Hardware root of trust

What offers the ability to protect devices at a lower level with passwords and is a low level software for booting a device?

UEFI - unified extensible firmware interface

What is a physical computing device that manages digital keys?

HSM

Are HSMs removable/external?

Yes

Key escrows use ____ to store and manage private keys

HSM

T/F: Hardware root of trust is less susceptible to attacks b/c security solutions are on a chip

True

* TPM - module embedded in system * SED - self encrypting drives * HSM - dedicated crypto processor These are the three foundations of a _____.

TEE (trusted execution environment)

What is a network architecture approach that allows the network to be intelligently and centrally controlled using software?

Software Defined Networks

Can SDNs reprogram the data plane?

Yes, at any time.

How do you secure an SDN?

With TLS.

What consists of cloud resources, where the VMs for one company are isolated from the resources of another company.

Virtual Private Cloud

How are VPCs isolated?

By using public and private networks.

How are virtual networks connected to other networks?

Via VPN gateway or network peering.

When do you use NAT gateways?

For VDIs

1. Secure build 2. Secure initial configuration 3. Host hardening and patching 4. Host lock down 5. Secure ongoing config maintenance Are all _____ best practices.

cloud host servers

1. Redundancy 2. Scheduled downtime/maintenance 3. Isolated network/robust access controls - access to virtual mgmt tools should be tightly controlled 4. Config mgmt/change mgmt - for tools to stay in hardened state. 5. Logging and monitoring - can create additional overhead

management tooling considerations

What are the two main forms of control for virtual hardware security?

Configuration and patching

Who owns patching in IaaS?

Customer

Who owns patching in PaaS?

CSP

What enables granular network segmentation in a zero trust network architecture?

VPC

What is a security feature that's similar to ACL that has distinct rules for inbound/outbound traffic?

Security groups

1. Prevent oversubscription 2. Don't share w/ other network traffic 3. Encrypt 4. Isolate and compartmentalize 5. Create separate isolated virtual switch

storage network controller best practices

What is the native remote access protocol for Windows operating systems.

Remote Desktop Protocol

What is the **native remote access protocol for Linux** operating systems, and common for remote management of network devices.

Secure Shell

What is a system for secure local access?

Secure terminal/console-based access

What is a bastion host at the boundary of lower and higher security zones.

Jumpbox

What are software tools that allow remote connection to a VM for use as if it is your local machine.

Virtual clients

What is a software feature that you can install on physical Linux machines to create virtual machines

KVM - kernel-based virtual machine

What extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

VPN

What means using VPN for all traffic, both to the Internet and corporate network?

Full tunnel

What uses an always on mode where both packet header and payload are encrypted?

Site to site

What uses VPN for traffic destined for the corporate network only, and Internet traffic direct through its normal route.

Split tunnel

This is where a connection is initiated from a users PC or laptop for a connection of shorter duration.

Remote access

- Session Encryption - Strong Authentication - Enhanced logging and reviews - Use of identity and access management tool - Single Sign On (SSO)

local and remote access controls

Use a _____ for sensitive functions and a _____ for day to day use.

dedicated admin account / standard account

What addresses the limitations of the legacy network perimeter based security model, treats user identity as the control plane, and assumes compromise / breach in verifying every request?

Zero Trust Security

Network Security Group (NSG) Network Firewalls Inbound and outbound traffic filtering/inspection Centralized security policy management and enforcement

elements of zero trust architecture

What acts as a virtual firewall for virtual networks and resource instances, carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances, and provides a virtual firewall for a collection of cloud resources with the same security posture?

Network security groups

What restricts services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic?

Segmentation

These have their own CIDR IP address range and cannot connect directly to the internet.

Private subnets

In segmentation, rules are enforced by the _____.

IP address ranges of each subnet

Within a virtual network, ____can be used to achieve isolation and port filtering through a network security group.

subnet

What uses these IP addresses: 10.0.0.0 172.16.x.x 172.31.x.x 192.168.0.0

Private subnet

This is where traffic moves laterally between servers within a data center.

East-West Traffic

This is where a collection of devices communicate with one another as if they made up a single physical LAN.

VLAN

This is where a subnet is placed between two routers or firewalls. Bastion host(s) are located within that subnet.

Screened subnet

This is a sandboxed area within the larger public cloud that takes the form of a VLAN?

VPC

Two methods for securing connection to VPC

VPN and network peering

A set of specifications primarily aimed at reinforcing the integrity of DNS with cryptographic authentication using digital signatures.

DNSSEC

What provides proof of origin and makes cache poisoning and spoofing attacks more difficult?

DNSSEC

Data in motion is most often encrypted using _____ or ______.

TLS or HTTPS

_____ uses an x.509 certificate with a public/private key pair.

TLS

What allows a SIEM to leverage IP addresses associated with a system event to track an IP address to a specific endpoint?

Dynamic Host Configuration Protocol

Digital signatures (public/private key pair) Message authentication code (session key) Hash-based message authentication code (hash and cryptographic key)

three ways to provide non-repudiation

This is a host used to allow administrators to access a private network from a lower security zone, will have a network interface in both the lower and higher security zones, and will be secured at the same level as the higher security zone it's connected to.

Bastion host

Additional security measures like hash based message authentication code (HMAC) can be used to detect _____.

Intentional tampering

HMAC can simultaneously verify both

data integrity and message authenticity

A host used to allow administrators to access a private network from a lower security zone, will have a network interface in both the lower and higher security zones, and will be secured at the same level as the higher security zone it's connected to.

Bastion host

Two common names for bastion hosts.

Jumpbox or jumpserver

What can be applied to a single VM image, or to a VM template created that is then used to deploy all VMs

Baselines

_____ is a high level description, _____ contains a security recommendation, and _____ is the implementation of the benchmark.

Control, Benchmark, Baseline

The U.S. Defense Information Systems Agency (DISA) produces baseline documents known as _____.

Security Technical Implementation Guides (STIGs)

Vendor-supplied baselines DISA STIGs NIST checklists CIS benchmarks

baseline options

What verifies the deployment of approved patches to system

System audits

What is the management of infrastructure (networks, VMs, load balancers, and connection topology) described in code

IaC

T/F: Binary code in the IaC model results in the same environment every time it is applied.

True

Cloud native controls support

IaC

What helps reduce errors and configuration drift?

Declarative (must know current state) and idempotent (applied multiple times w/out changing result).

These include high availability via redundancy, optimized performance via distributed workloads, and the ability to scale resources.

Cluster advantages

Often part of hypervisor or load balancer software, this is responsible for mediating access to shared resources in a cluster.

Cluster management agent

This is the coordination element in a cluster of VMware ESXi hosts that mediates access to the physical resources and handles resources available to a cluster, reservations and limits for the VMs running on the cluster, and maintenance features.

DRS - Distributed resource scheduling

This is pool storage, providing reliability, increased performance, or possibly additional capacity.

Storage clusters

Resiliency of the physical hypervisor cluster, networks, and storage are responsibility of the _____.

CSP

This concept says monitoring should include utilization, performance, and availability of 1) CPU, 2) memory, 3) storage and 4) network.

Core 4

In PaaS, _____ owns infrastructure backups, _____ owns backups of data.

CSP / Customer

In Iaas, _____ owns backup/recovery of VMs.

Customer

______ says backups should be stored on different hardware or availability zones.

Physical separation

Specifies requirements for "establishing, implementing, maintaining and continually improving a service management system (SMS)”

ISO 20000-1

Provides virtual management options analogous to physical admin options of a legacy datacenter.

Management plane

_____ is the automated configuration and management of resources in bulk

Orchestration

The web-based consumer interface for managing resources.

Management console

Supports management of the service lifecycle, including planning, design, transition, delivery and service improvement.

ISO 20000-1

Process of evaluating a change request to decide if it should be implemented

Change control

This reduces operational overhead and human error, reduces security risk, and enables more frequent releases while maintaining a strong security posture.

Automating change management

This specifies the requirements needed for an organization to plan, implement, operate, and continually improve the continuity capability.

ISO 22301:2019 Security and resilience BC management systems

ISO 27001 ISO 27017 ISO 27018 ISO 27701 NIST RMF SP 800 53 NIST CSF AICPA SOC 2

Security control standards

Security standard developed for CSPs

ISO 27017

Standard for cloud privacy

ISO 27018

Standard for privacy risk

ISO 27701

NIST RMF

Cybersecurity risk management

Critical element of continual service improvement

Monitoring and measurement

Any observable action

Event

Unplanned events with adverse impact

Incidents

6 steps of incident management

preparation - to ensure they can respond identification containment eradication recovery lessons learned

What does problem management use to identify underlying problem?

root cause analysis

CI/CD positively impacts the _____.

Frequency of releases

SLAs are focused on _ that define _ and _.

measurable outcomes / availability / levels of service

Availability means the service is up and _____.

useable

Responsibility for capacity management belongs to _____ at the platform level, but belongs to _____ for deployed apps and services

CSP / customer

What is the identification, collection, preservation, analysis, and review of electronic information?

eDiscovery

Guide for collecting, identifying, and preserving electronic evidence

ISO/IEC 27037:2012

Guide for incident investigation

ISO/IEC 27041:2015

Guide for digital evidence analysis.

ISO/IEC 27042:2015

Guide for incident investigation principles and processes

ISO/IEC 27043:2015

Offers a framework, governance, and best practices for forensics, eDiscovery, and evidence management

ISO 27050

Offers guidance on legal concerns related to security, privacy, and contractual obligations

CSA Security Guidance

Evidence collection process

1. Logs are essential 2. Document everything 3. Consider volatility

1. Use original physical media 2. Verify data integrity 3. Follow documented procedures 4. Establish and maintain communications

evidence collection best practices

1. Data location 2. Rights and responsibilities 3. Tools 4. Regulatory and jurisdiction 5. Breach notification laws 6. Control 7. Multitenancy 8. Data volatility and dispersion

cloud forensics challenges

5 attributes of useful evidence

1. Authentic 2. Accurate 3. Complete 4. Convincing 5. Admissible

1. Relevant 2. Material 3. Competent/Reliable 4. Obtained legally

admissible requirements in court

Volatility in order

1. CPU, cache, and register contents 2. Routing tables, ARP cache, process tables, kernel statistics 3. Live network connections and data flows 4. Memory (RAM) 5. Temporary file system and swap/pagefile 6. Data on hard disk 7. Remotely logged data 8. Data stored on archival media and backups

T/F: Volatile evidence should be collected first.

True

1. Collection 2. Examination 3. Analysis 4. Reporting

4 phases of digital evidence handling

Proper evidence handling and decision making should be a part of _____.

the incident response procedures and training

With evidence preservation, collect _____ and work from _____.

originals / copies

1. locked cabinets/safes 2. dedicated/isolated storage facilities 3. environment maintenance 4. access restrictions/document/track activity 5. blocking interference

Protections for evidence storage

When either the forensic copy or the system image is being analyzed, the data and applications are _____ at collection.

hashed

Hashes can be used as a

checksum to ensure integrity later.

Data provenance effectively provides a historical record of _____.

data, its origin, and forensic activities performed on it

_____ is the process of tracking flow of data over time, showing where the data originated, how it has changed, and its ultimate destination.

Data lineage

An image or exact sector by sector, copy of a hard disk or other storage device taken using specialized software, preserving an exact copy of the original disk.

Forensic copy

Deleted files, slack space, system files and executables (and documents renamed to mimic system files and executables) are all part of a _____.

forensic image

Threat Prevention Threat Detection Incident Management Continuous Monitoring & Reporting Alert Prioritization Compliance Management

Key functions of SOC

Tools such as _____ automate monitoring and provide real time analysis of events.

IDSs or SIEMs

NIST SP 800 37: Risk Management Framework (RMF) specifies the creation of a continuous monitoring strategy for getting _____.

near real time risk information

What is hardware called in the cloud (virtual)?

Network Virtual Appliance

Typically caters specifically to application communications. Often that is HTTPS or Web traffic.

Application

An application installed on a host OS, such as Windows or Linux, both client and server operating systems.

Host-based

In the cloud, firewalls are implemented as _____

virtual network appliances (VNA).

Watch network traffic and restrict or block packets based on source and destination addresses or other static values, not 'aware' of traffic patterns or data flows. Typically, faster and perform better under heavier traffic loads.

Stateless firewall

Can watch traffic streams from end to end. Are aware of communication paths and can implement various IP security functions such as tunnels and encryption. Better at identifying unauthorized and forged communications.

Stateful firewalls

Protect web applications by filtering and monitoring HTTPS traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection.

Web application firewall

A deep packet inspection firewall that moves beyond port/protocol inspection and blocking, adds application level inspection, intrusion prevention, and brings intelligence from outside the firewall.

Next generation firewall

Generally responds passively by logging and sending notifications

IDS

Is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target

IPS

Can monitor activity on a single system only. A drawback is that attackers can discover and disable them.

HIDS

Can monitor activity on a network, and isn’t as visible to attackers.

NIDS

Can monitor activity on a network, and isn’t as visible to attackers.

NIPS

A system that often has pseudo flaws and fake data to lure intruders.

Honeypot

Honeypots only entice, not

entrap

A subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.

Deep learning

This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day. It tracks the devices that the user normally uses and the servers that they normally visit.

User entity behavior analysis (ueba)

Using Artificial intelligence and machine learning to identify attacks.

Sentiment analysis

Centralized alert and response automation with threat specific playbooks.

SOAR

Log centralization and aggregation Data integrity - on separate host w/ own access control Normalization of incoming data Automated or continuous monitoring - algorithms to ID potential attacks Alerting - auto generate alerts Investigative monitoring

SIEM key features

The key to optimizing event detection and visibility and scale security operations:

log collection

Log collectors Log aggregation Packet capture Data inputs

SIEM benefits

400 series HTTP response codes are

client side errors

500 series HTTP response codes are

server side errors

Network log files may be helpful in stopping

DDoS attack

Web log files collect info about each web session and show evidence of _____.

potential threats and attacks

These files contains information about hardware changes, updates to devices, time synchronization, group policy application, etc.

System files

These files contain information about software applications, when launched, success or failure, and warnings about potential problems or errors.

Application

These files contain information about a successful login, as well as unauthorized attempts to access the system and resources.

Security

These files contain virtually all DNS server level activity, such as zone transfer, DNS server errors, DNS caching, and DNSSEC.

DNS

These files contain information about login events, logging success or failure

Authentication

These systems provide information on the calls being made and the devices that they originate from. may also capture call quality by logging the Mean Optical Score (MOS), jitter, and loss of signal.

VoIP and Call Managers

This is used for internet based calls and the log files generally show: the 100 events, known as the INVITE, the initiation of a connection, that relates to ringing, and the 200 OK is followed by an acknowledgement.

Session Initiation Protocol (SIP) Traffic

Preparation Detection and analysis Containment, eradication, recovery Post-incident activity

incident response lifecycle

A much more powerful version of the vulnerability scanner that has higher privileges.

Credentialed scan

Has lower privileges than a credentialed scan. It will identify vulnerabilities that an attacker would easily find.

Non-credentialed scan

These are passive and merely report vulnerabilities. They do not cause damage to your system.

Non-intrusive scans

Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.

Intrusive scans

Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.

Configuration Review

Before applications are released, coding experts perform regression testing that will check code for deficiencies.

application scans

the overall score assigned to a vulnerability

cvss

a list of all publicly disclosed vulnerabilities

cve

* software flaws * missing patches * open ports * services that should not be running * weak passwords

Vulnerabilities reported by a vuln scanner

The most effective vulnerability scan

credentialed vulnerability scan