Domain 5 Flashcards
What defines service-level targets and responsibilities for IT service provider?
SLAs
What’s an internal agreement b/w the IT service provider and another part of the same org that supports the service provider’s delivery of the service?
OLAs - operational level agreement
What’s used to determine whether a service meets its quality and functionality goals?
SAC - service acceptance criteria
What defines the requirements of a service from the customer’s perspective?
SLR - service level requirement
Reactive communications are used for:
data breach notification, regulatory compliance, and problem management
T/F: Major cloud vendors provide their own customized versions of Linux that include additional agents and tools that help them work better w/ the provider’s infrastructure?
True
When managing systems at scale in the cloud, is it best to use the cloud IaaS vendor’s tools?
Yes
Why is it best to use the cloud IaaS vendor’s tools when managing systems at scale in the cloud?
B/c they’re designed to handle OS that may have special features to work in the vendor’s environment and applications.
Do CSPs allow direct or 3P audits of their systems?
No - but they will provide audit results
What is used to create, store, and manage secrets?
HSM - hardware security module
What uses code and config files or variables to allow rapid deployment using scripts and automated tools?
Infrastructure as code design
What’s used to access data from services?
APIs
What are two practices to improve service continuity?
- Understanding the number of business practices that have continuity planning in place.
- Assessing which gaps in coverage are critical.
Are Agile and DevOps well-suited to rapid release cycles w/ CI/CD delivery processes?
Yes
T/F: Agile and DevOps are better with CI/CD than Waterfall and Spiral
True
What is the first step in ITIL 4 continual service improvement process?
Identify strategy for improvement
What comes after you identify strategy for improvement in ITIL 4 continual service improvement process?
Define what to measure
What happens after you define what to measure in ITIL 4 continual service improvement process?
Gather data
What happens after you gather data in ITIL 4 continual service improvement process?
Process the data
What happens after you process the data in ITIL 4 continual service improvement process?
Analyze the information and data
What happens after you analyze the information and data in ITIL 4 continual service improvement process?
Present and use the information
What’s the last step in ITIL 4 continual service improvement process?
Implement improvement
What mode migrates VMs to other hosts or waits until they are powered down to allow for hardware or other maintenance?
Maintenance
What does centralized log collection, analysis, and detection?
SIEM tools
What is used to detect and stop attacks?
IPS - intrusion prevention system
What is a government funded research organization w/ a heavy focus on security work?
MITRE
What is an encryption protocol used to secure data in transit?
TLS
What’s used to logically separate network segments?
VLANs
What’s intended to provide security to domain name system requests?
DNSSEC
What provides IP addresses and other network config info to systems automatically?
DHCP
Will the default SSH port stop attackers and 3Ps from accessing SSH as long as it hasn’t been changed to a port outside of port 22?
Yes
What stores config management and info about relationships b/w configuration items?
Configuration Management Database
Who patches PaaS environments?
The vendor
What are designing services for availability, availability testing, and availability monitoring and reporting?
ITIL subprocesses for availability management
Do customers need to tell their vendors about breaches?
No
Do vendors need to tell their customers about breaches?
Yes
What’s necessary to establish a configuration management database?
Having an inventory to create a baseline.
What can you do once a baseline is created?
Establish CMB, deploy new assets configured to meet baseline, and document deviations.
What adds functionality like use of GPUs (graphics processing unit), shared clipboards, and drag and drop b/w guest OS, shared folders, and similar features that require additional integration b/w guest OS and underlying hypervisor?
Guest OS virtualization tools
What focuses on whether security practices and procedures align to risk tolerance for the org and includes verification and testing like a SOC2 Type 2 audit does?
Security review objective
What topics does the security review objective cover?
Design, testing, and incident management
Is manual static code review a good fit for CI/CD?
No b/c of speed requirements
Do WAFs and IPSs test code and make application more secure?
No
Who is responsible for network-based risks in IaaS?
Customer and provider
What does configuration management start with?
Baselining
What is the critical factor when transaction volume is key?
Network latency
Azure’s best practices suggest creating disk snapshots for VM’s OS and data disks and then ______.
Safely storing the snapshots and then comparing hashes b/w images and originals
Will comparing hashes of a snapshot validate it against the original?
No
Can VMs be exported as hashes?
No
Do businesses manage customer capacity?
No, they assess their own capacity, known as business capacity mgmt
What do data breach regulations typically focus on?
Customer notification
What is the process for preserving data for legal action?
Legal hold
What is a critical part of instance scheduling?
Tagging
What allows schedules to be easily applied to all instances w/ the proper tags?
Tagging
Is adding new hardware to increase performance an element of hardening?
No
What is the process of provisioning a specific element against an attack?
Hardening
Do audits protect against attacks?
No, they detect and direct responses to attacks
Are humans in the loop for patching?
Yes, and patches can be installed in non-production environments to be validated before further installation
What speeds patching and patch accuracy via automation?
Automated patching systems
What controls the entirety of the virtual environment?
Management systems, and they should be isolated physically and virtually.
Does ITIL 4 categorize deployment management as part of release management?
Yes
Who is responsible for the fit for purpose for continual service improvement?
Process owner
Who improves ITSM processes and services?
CSI (continual service improvement) managers
Who ensures processes work together and support each other effectively?
Process architects
What performs firewall-like rules-based filtering?
Network security groups
What captures and observes attacker behaviors?
Honeypots
What detects and prevents attacks based on behaviors and signatures, respectively?
IDSs and IPSs
Hardware redundancy, local sharing and balancing, and failure mode design are all:
common practices when designing redundancy into cloud datacenters
Will vendors allow customers to conduct PCI assessments of their underlying infrastructure?
No
Will IaaS vendors allow customers to scan their own internal systems?
Yes, but they may recommend that instances w/ lower resources are not scanned to avoid disruption
Are scanning tools required to be used in an IaaS environment?
No
Is external scanning prohibited?
Yes, b/c it can affect other customers
Is scheduling a time or date required for advanced/specialized testing?
Yes
Using load balancing to drain load from existing systems and then replacing them w/ new, patched instances is a common best practice for _____.
Cloud-hosted service environment patching
Could manual and scripted patching and re-IPing cause outages?
Yes, as systems are swapped over
- Transferring users
- Preventing new connections
- Notifying customers
common practices for maintenance mode
Are HSMs used for boot security?
No
What allows you to add TPM 2.0 virtual crypto processor to a VM?
A virtual trusted platform module (vTPM)
What provides hardware-based, security-related functions such as random number generation, attestation, and key generation?
vTPM
What enables the guest operating system to create and store keys that are private, while not exposing the keys to the guest operating system and thereby reducing the virtual machine attack surface?
vTPM
What runs on top of an OS?
Type 2 hypervisor
What’s ITIL’s overall goal?
Restore service as soon as possible after an incident
What are top focuses of ITIL?
Identification, containment, resolution, and maintenance
What’s an interruption of normal service, including reductions in the quality of services that may violate an SLA?
Incidents
What resolves the cause of problems?
Problem management
What restores services to normal levels?
Incident response
Is the number of individuals impacted a useful KPI for availability?
No
What is the basis of security management in ITIL?
Infosec policies - more specifically “underpinning infosec policies”
In what is automated testing conducted, where code must pass testing before it’s released?
CI/CD pipeline
Is human intervention/approval required for CI/CD pipelines?
No
What’s the most common means of capturing disk images from VMs in an IaaS environment?
Snapshots
What makes using forensic image acquisition tools difficult in a cloud environment?
A lack of access to the underlying hardware
What is DBAN?
A wiping tool
Do copy utilities provide a complete forensically sound copy?
No
TerraForm, CloudFormation, Ansible, Chef, and Puppet are what kind of tools?
Infrastructure as Code
What ISO describes service management?
20000-1
What ISO describes an information security management system?
27001
What’s the best tool to centralize logs and incident information?
SIEM
What can block legitimate traffic if it’s improperly identified?
IPS
Which needs to be placed in-line with traffic, IDS or IPS?
IPS
Do IPS and IDS use signature and behavior-based detection?
Yes
Can an IDS fail open or closed?
No, b/c it’s not in-line
A system set to ________ does not shut down when failure conditions are present.
Fail open
________ is when a device or system is set, either physically or via software, to shut down and prevent further operation when failure conditions are detected.
Failing closed
An ________ sits in line with traffic flows and inspects all traffic before permitting it to continue on to its destination.
IPS
What shows which IP address contacted another IP address, source/destination ports, and volume of data?
Flow logging
AI features in SIEM devices are used to:
- Analyze and learn network traffic patterns
- Use log correlation and threat intelligence to identify unexpected/potentially malicious behavior
- default gateway
- subnet mask
- DNS server info
- IP address
Are all provided by
DHCP
A ________ is a router that connects your host to remote network segments.
default gateway
A _________ is a number that distinguishes the network address and the host address within an IP address.
subnet mask
________ is an Internet service that translates domain names (e.g., its.umich.edu) into IP addresses.
Domain Name System (DNS)
________ is a protocol for automatically assigning IP addresses and other configurations to devices when they connect to a network.
Dynamic Host Configuration Protocol (DHCP)
An ________ is a unique numerical identifier for every device or network that connects to the internet and is used for communicating across the internet.
Internet Protocol (IP) address
________ is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.
Secure Boot
Disabling _________ b/w VMs and the console is a standard security practice.
cut and paste
Removing ________ is a standard security practice.
unnecessary hardware
Use of the VM console is considered direct access and should only be used for ________.
critical actions - use virtualization management platform for most actions
Are honeypots used to capture traffic to stop attacks?
No - just to study
What 3 things can stop attacks by preventing malicious traffic from entering the network?
network security groups, firewalls, and IPSs
What can be associated with subnets or individual virtual machine instances within that subnet to activate a rule or access control list (ACL) to allow or deny network traffic to your virtual machine instances in a virtual network?
Network security groups
- use multiple vendors
- have SLAs in place
- use self-hosted failover capabilities
high availability techniques
- Invest in redundant systems
- Additional monitoring
availability management techniques
T/F: Disk images, VM snapshots, and network packet capture require low-level access that can’t typically be accessed in SaaS.
True
What measures performance and checks it against requirements set in SLAs and service-level requirements?
Service capacity management
What involves interpreting business needs into requirements for services and architecture?
Business capacity management
What focuses on the actual components of an infrastructure?
Component capacity management
________ is dedicated file storage that enables multiple users and heterogeneous client devices to retrieve data from centralized disk capacity.
Network-attached storage (NAS)
________ is a management platform for Windows endpoints providing inventory, software distribution, operating system imaging, settings and security management.
Microsoft Endpoint Configuration Manager
What mode is used to remove running systems for a VM cluster to allow for hardware/software upgrades?
Maintenance mode
What hides details of a system to make management simpler?
Abstraction
Like honeypots, these are set up to detect network attacks and techniques.
Honeynets
What’s used to look for unexpected traffic indicating probes by potential attackers?
Darknets
What’s used to provide secure access from a lower security zone to a higher one?
Bastion hosts
What’s the next step after data/artifacts are identified in forensics?
Preservation
________ is the managing and provisioning of infrastructure through code instead of through manual processes.
Infrastructure as Code (IaC)
Benefits of ______ include:
- Increase consistency by removing human error
- Easily updated
- Increases speed
IaC
A ________ ensures uptime and availability by helping you manage hardware, application, and site failures.
clustered environment
The benefits of ________ include flexibility and scalability, availability and performance, reduced IT costs, and a customizable infrastructure.
server clustering
- Identifying/specifying attributes for each config item type/subcomponent
- The relationship b/w each CI/subcomponent and others in the org
Are all things _____ includes.
ITIL’s config identification subprocess
What focuses on managing changes in the config management system?
Config control
What validates that configs match what’s expected?
Config verification
Typically, ________ measure input/output operations per second (IOPS), filesystem performance, caching, and autoscaling.
cloud performance metrics
Availability, capacity, throughput, latency, CPU capacity, and error rates are all ____ that should be monitored for _____.
metrics / IaaS
What are the components/services managed as part of a config mgmt effort?
Config items
What are used to evaluate changes and causes of incidents?
Config models
What describes config item relationships and settings?
Config records
Is latency usually billed?
No
Can customers obtain forensic data from underlying infrastructure as a service environment?
No
Instance memory, disk volumes, and logs are all:
cloud forensic artifacts
Will SaaS providers allow 3Ps to scan their production services?
No
27037, 27041, 27043, and 27050-1 all relate to _____?
forensics
______ covers standards for infosec management and ____ describes security controls
27001 and 27002
What ISO series covers quality management?
9000
Do SOCs provide eDiscovery services?
No
________ is a form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings.
E-discovery
What ISO standard focuses on business capacity mgmt, service capacity mgmt, and component capacity mgmt?
20000-1
What plans focus on creating and deploying releases?
Release and deployment plans
What ISO standard requires orgs to establish, approve, and communicate their infosec policy?
20000-1
What moves VMs from heavily loaded hosts to those w/ more resources available to help balance load across the cluster?
Distributed resource scheduling
What’s a form of load balancing where requests are distributed to each server in a cluster as they come in based on a list?
Round-robin load balancing
Powered-on time, temp, and drive health are all elements of _______.
Hardware monitoring
What allows an app to run in a secure location while still allowing access to it from a lower-trust device?
Selecting a virtual client that allows apps to run in a cloud-hosted environment
What includes detailed plans for returning systems and services to a working state and recovering data to a known consistent state?
ITIL Recovery plan
What focuses on how to ensure continuity during specified disasters for services and systems?
Service continuity plans
Is it best to engage a 3P when facing cloud forensic investigations?
Yes
Assignment of tasks, including deviation notification and documentation, are things _____ should include.
Change management policies
What should be isolated to ensure security of production activities?
Provisioning, management, and access to storage
Ping, power, and pipe refers to _______, _______, and ________ with services like HVAC.
connectivity, power, and facility space
Tier 1 datacenters are cheapest and needed only for _______.
occasional backup
Creating and maintaining proper chain of custody documentation provides ________.
nonrepudiation
What are logical overlays used to segregate network devices?
VLANs
What’s used to create secure channels b/w networks over untrusted networks?
VPNs
What’s used to prevent loops in networks?
STP - spanning tree protocol
What are three options for backup power?
Batteries, redundant utility lines, and generator
What consists of two power lines with separate routes so the fault of one line cannot compromise the functionality of the other?
Redundant utility lines
What is a chip that resides on the motherboard, is multi-purpose, and provides the OS w/ access to keys while preventing drive removal and data access?
TPM - Trusted Platform Module
What is also called a cryptographic coprocessor?
Trusted Platform Module
What are virtual TPMs part of?
The hypervisor
Can a TPM be added or removed at later date?
No, b/c it’s a physical component of the system hardware
What uses tamper-proof hardened devices to provide crypto processing and protection of keys?
HSM
What can be used in place of software crypto libraries and accelerators?
HSM
What is a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive?
Full disk encryption
What verifies the keys match before the secure boot process takes place?
Hardware root of trust
When certificates are used in FDE, they use a _______ for key storage.
Hardware root of trust
What offers the ability to protect devices at a lower level with passwords and is a low level software for booting a device?
UEFI - unified extensible firmware interface
What is a physical computing device that manages digital keys?
HSM
Are HSMs removable/external?
Yes
Key escrows use ____ to store and manage private keys
HSM
T/F: Hardware root of trust is less susceptible to attacks b/c security solutions are on a chip
True
- TPM - module embedded in system
- SED - self encrypting drives
- HSM - dedicated crypto processor
These are the three foundations of a _____.
TEE (trusted execution environment)
What is a network architecture approach that allows the network to be intelligently and centrally controlled using software?
Software Defined Networks
Can SDNs reprogram the data plane?
Yes, at any time.
How do you secure an SDN?
With TLS.
What consists of cloud resources, where the VMs for one company are isolated from the resources of another company?
Virtual Private Cloud
How are VPCs isolated?
By using public and private networks.
How are virtual networks connected to other networks?
Via VPN gateway or network peering.
When do you use NAT gateways?
For VDIs
- Secure build
- Secure initial configuration
- Host hardening and patching
- Host lock down
- Secure ongoing config maintenance
Are all _____ best practices.
cloud host servers
- Redundancy
- Scheduled downtime/maintenance
- Isolated network/robust access controls - access to virtual mgmt tools should be tightly controlled
- Config mgmt/change mgmt - for tools to stay in hardened state.
- Logging and monitoring - can create additional overhead
management tooling considerations
What are the two main forms of control for virtual hardware security?
Configuration and patching
Who owns patching in IaaS?
Customer
Who owns patching in PaaS?
CSP
What enables granular network segmentation in a zero trust network architecture?
VPC
What is a security feature that’s similar to ACL that has distinct rules for inbound/outbound traffic?
Security groups
- Prevent oversubscription
- Don’t share w/ other network traffic
- Encrypt
- Isolate and compartmentalize
- Create separate isolated virtual switch
storage network controller best practices
What is the native remote access protocol for Windows operating systems?
Remote Desktop Protocol
What is the native remote access protocol for Linux operating systems, and common for remote management of network devices?
Secure Shell
What is a system for secure local access?
Secure terminal/console-based access
What is a bastion host at the boundary of lower and higher security zones?
Jumpbox
What are software tools that allow remote connection to a VM for use as if it is your local machine?
Virtual clients
What is a software feature that you can install on physical Linux machines to create virtual machines?
KVM - kernel-based virtual machine
What extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network?
VPN
What means using VPN for all traffic, both to the Internet and corporate network?
Full tunnel
What uses an always on mode where both packet header and payload are encrypted?
Site to site
What uses VPN for traffic destined for the corporate network only, and sends Internet traffic directly through its normal route?
Split tunnel
This is where a connection is initiated from a user’s PC or laptop for a connection of shorter duration.
Remote access
- Session Encryption
- Strong Authentication
- Enhanced logging and reviews
- Use of identity and access management tool
- Single Sign On (SSO)
local and remote access controls
Use a _____ for sensitive functions and a _____ for day to day use.
dedicated admin account / standard account
What addresses the limitations of the legacy network perimeter based security model, treats user identity as the control plane, and assumes compromise / breach in verifying every request?
Zero Trust Security
- Network Security Group (NSG)
- Network Firewalls
- Inbound and outbound traffic filtering/inspection
- Centralized security policy management and enforcement
elements of zero trust architecture
What acts as a virtual firewall for virtual networks and resource instances, carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances, and provides a virtual firewall for a collection of cloud resources with the same security posture?
Network security groups
What restricts services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic?
Segmentation
These have their own CIDR IP address range and cannot connect directly to the internet.
Private subnets
In segmentation, rules are enforced by the _____.
IP address ranges of each subnet
Within a virtual network, ____can be used to achieve isolation and port filtering through a network security group.
subnet
What uses these IP addresses:
- 10.0.0.0
- 172.16.x.x
- 172.31.x.x
- 192.168.0.0
Private subnet
This is where traffic moves laterally between servers within a data center.
East-West Traffic
This is where a collection of devices communicate with one another as if they made up a single physical LAN.
VLAN
This is where a subnet is placed between two routers or firewalls. Bastion host(s) are located within that subnet.
Screened subnet
This is a sandboxed area within the larger public cloud that takes the form of a VLAN?
VPC
Two methods for securing a connection to a VPC
VPN and network peering
A set of specifications primarily aimed at reinforcing the integrity of DNS with cryptographic authentication using digital signatures.
DNSSEC
What provides proof of origin and makes cache poisoning and spoofing attacks more difficult?
DNSSEC
Data in motion is most often encrypted
using _____ or ______.
TLS or HTTPS
_____ uses an x.509 certificate with a public/private key pair.
TLS
What allows a SIEM to leverage IP addresses associated with a system event to track an IP address to a specific endpoint?
Dynamic Host Configuration Protocol
- Digital signatures (public/private key pair)
- Message authentication code (session key)
- Hash-based message authentication code (hash and cryptographic key)
three ways to provide non-repudiation
This is a host used to allow administrators to access a private network from a lower security zone, will have a network interface in both the lower and higher security zones, and will be secured at the same level as the higher security zone it’s connected to.
Bastion host
Additional security measures like hash based message authentication code (HMAC) can be used to detect _____.
Intentional tampering
HMAC can simultaneously verify both
data integrity and message authenticity
Two common names for bastion hosts.
Jumpbox or jumpserver
What can be applied to a single VM image, or to a VM template that is then used to deploy all VMs?
Baselines
_____ is a high level description, _____ contains a security recommendation, and _____ is the implementation of the benchmark.
Control, Benchmark, Baseline
The U.S. Defense Information Systems Agency (DISA) produces baseline documents known as _____.
Security Technical Implementation Guides (STIGs)
- Vendor-supplied baselines
- DISA STIGs
- NIST checklists
- CIS benchmarks
baseline options
What verifies the deployment of approved patches to a system?
System audits
What is the management of infrastructure (networks, VMs, load balancers, and connection topology) described in code?
IaC
T/F: Binary code in the IaC model results in the same environment every time it is applied.
True
Cloud native controls support
IaC
What helps reduce errors and configuration drift?
Declarative (must know current state) and idempotent (applied multiple times w/out changing result).
These include high availability via redundancy, optimized performance via distributed workloads, and the ability to scale resources.
Cluster advantages
Often part of hypervisor or load balancer software, this is responsible for mediating access to shared resources in a cluster.
Cluster management agent
This is the coordination element in a cluster of VMware ESXi hosts that mediates access to the physical resources and handles resources available to a cluster, reservations and limits for the VMs running on the cluster, and maintenance features.
DRS - Distributed resource scheduling
This is pool storage, providing reliability, increased performance, or possibly additional capacity.
Storage clusters
Resiliency of the physical hypervisor cluster, networks, and storage are responsibility of the _____.
CSP
This concept says monitoring should include utilization, performance, and availability of 1) CPU, 2) memory, 3) storage and 4) network.
Core 4
In PaaS, _____ owns infrastructure backups, _____ owns backups of data.
CSP / Customer
In IaaS, _____ owns backup/recovery of VMs.
Customer
______ says backups should be stored on different hardware or availability zones.
Physical separation
Specifies requirements for “establishing, implementing, maintaining and continually improving a service management system (SMS)”
ISO 20000-1
Provides virtual management options analogous to physical admin options of a legacy datacenter.
Management plane
_____ is the automated configuration and management of resources in bulk
Orchestration
The web-based consumer interface for managing resources.
Management console
Supports management of the service lifecycle, including planning, design, transition, delivery and service improvement.
ISO 20000-1
Process of evaluating a change request to decide if it should be implemented
Change control
This reduces operational overhead and human error, reduces security risk, and enables more frequent releases while maintaining a strong security posture.
Automating change management
This specifies the requirements needed for an organization to plan, implement, operate, and continually improve the continuity capability.
ISO 22301:2019 Security and resilience - BC management systems
- ISO 27001
- ISO 27017
- ISO 27018
- ISO 27701
- NIST RMF
- SP 800-53
- NIST CSF
- AICPA SOC 2
Security control standards
Security standard developed for CSPs
ISO 27017
Standard for cloud privacy
ISO 27018
Standard for privacy risk
ISO 27701
NIST RMF
Cybersecurity risk management
Critical element of continual service improvement
Monitoring and measurement
Any observable action
Event
Unplanned events with adverse impact
Incidents
6 steps of incident management
- preparation - to ensure they can respond
- identification
- containment
- eradication
- recovery
- lessons learned
What does problem management use to identify underlying problem?
root cause analysis
CI/CD positively impacts the _____.
Frequency of releases
SLAs are focused on _ that define _ and _.
measurable outcomes / availability / levels of service
Availability means the service is up and _____.
useable
Responsibility for capacity management belongs to _____ at the platform level, but belongs to _____ for deployed apps and services
CSP / customer
What is the identification, collection, preservation, analysis, and review of electronic information?
eDiscovery
Guide for collecting, identifying, and preserving electronic evidence
ISO/IEC 27037:2012
Guide for incident investigation
ISO/IEC 27041:2015
Guide for digital evidence analysis.
ISO/IEC 27042:2015
Guide for incident investigation principles and processes
ISO/IEC 27043:2015
Offers a framework, governance, and best practices for forensics, eDiscovery, and evidence management
ISO 27050
Offers guidance on legal concerns related to security, privacy, and contractual obligations
CSA Security Guidance
Evidence collection process
- Logs are essential
- Document everything
- Consider volatility
- Use original physical media
- Verify data integrity
- Follow documented procedures
- Establish and maintain communications
evidence collection best practices
- Data location
- Rights and responsibilities
- Tools
- Regulatory and jurisdiction
- Breach notification laws
- Control
- Multitenancy
- Data volatility and dispersion
cloud forensics challenges
5 attributes of useful evidence
- Authentic
- Accurate
- Complete
- Convincing
- Admissible
- Relevant
- Material
- Competent/Reliable
- Obtained legally
admissible requirements in court
Volatility in order
- CPU, cache, and register contents
- Routing tables, ARP cache, process tables, kernel statistics
- Live network connections and data flows
- Memory (RAM)
- Temporary file system and swap/pagefile
- Data on hard disk
- Remotely logged data
- Data stored on archival media and backups
T/F: Volatile evidence should be collected first.
True
- Collection
- Examination
- Analysis
- Reporting
4 phases of digital evidence handling
Proper evidence handling and decision making should be a part of _____.
the incident response procedures and training
With evidence preservation, collect _____ and work from _____.
originals / copies
- locked cabinets/safes
- dedicated/isolated storage facilities
- environment maintenance
- access restrictions/document/track activity
- blocking interference
Protections for evidence storage
When a forensic copy or system image is to be analyzed, the data and applications are _____ at collection, so any later alteration can be detected.
hashed
Hashes can be used as a _____.
checksum to verify integrity later
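The hash-at-collection, verify-later practice from the two cards above, as an added example (not part of the original deck): the image bytes are a constructed stand-in for a real acquisition, the evidence ID and custodian names are hypothetical labels, and the record format is illustrative rather than any tool's native manifest.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a disk image (not a real acquisition): a few sectors
# of zeros, a header-like string, then filler bytes.
SAMPLE_IMAGE = (b"\x00" * 512) + b"MBR-like header, then file data ..." + (b"\xff" * 1024)


def hash_image(data: bytes, chunk_size: int = 4096) -> dict:
    """Hash an image in fixed-size chunks, as an imaging tool streams a large disk.

    SHA-256 is the value relied on; MD5 is recorded only because many imaging
    tools and exhibit forms still report it alongside.
    """
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        sha256.update(block)
        md5.update(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(), "size": len(data)}


def acquire(data: bytes, evidence_id: str, custodian: str) -> dict:
    """Build the acquisition record: hashes at collection time plus who and when.

    evidence_id and custodian are hypothetical labels supplied by the caller.
    """
    now = datetime.now(timezone.utc).isoformat()
    manifest = {"evidence_id": evidence_id, "collected_by": custodian, "collected_at": now}
    manifest.update(hash_image(data))
    manifest["custody_log"] = [{"action": "acquired", "by": custodian, "at": now}]
    return manifest


def record_handoff(manifest: dict, to: str, action: str = "transferred") -> dict:
    """Append a chain-of-custody entry each time the evidence changes hands."""
    manifest["custody_log"].append(
        {"action": action, "by": to, "at": datetime.now(timezone.utc).isoformat()})
    return manifest


def verify(data: bytes, manifest: dict) -> bool:
    """Re-hash a working copy and compare it with the record taken at collection."""
    current = hash_image(data)
    return current["sha256"] == manifest["sha256"] and current["size"] == manifest["size"]


if __name__ == "__main__":
    m = acquire(SAMPLE_IMAGE, "EV-0001", "analyst-a")
    record_handoff(m, "analyst-b")
    print(json.dumps(m, indent=2))
    print("pristine working copy verifies:", verify(SAMPLE_IMAGE, m))
    # Flip one bit in a working copy: the checksum no longer matches.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01
    print("altered working copy verifies:", verify(bytes(tampered), m))
```

The point of hashing at collection rather than later is that the record exists before anyone (including the analyst) has touched a working copy; the custody log is what ties that record to a person and a time when the hash is challenged.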
Data provenance effectively provides a historical record of _____.
data, its origin, and forensic activities performed on it
_____ is the process of tracking the flow of data over time, showing where the data originated, how it has changed, and its ultimate destination.
Data lineage
An image, or exact sector-by-sector copy, of a hard disk or other storage device taken using specialized software, preserving an exact copy of the original disk.
Forensic copy
Deleted files, slack space, system files and executables (and documents renamed to mimic system files and executables) are all part of a _____.
forensic image
Threat Prevention
Threat Detection
Incident Management
Continuous Monitoring & Reporting
Alert Prioritization
Compliance Management
Key functions of SOC
Tools such as _____ automate monitoring and provide real time analysis of events.
IDSs or SIEMs
NIST SP 800-37, the Risk Management Framework (RMF), calls for a continuous monitoring strategy that provides _____.
near real-time risk information
What is a virtualized instance of a network hardware device (firewall, router, load balancer) called in the cloud?
Network virtual appliance (NVA)
Typically caters specifically to application communications. Often that is HTTPS or Web traffic.
Application
An application installed on a host OS, such as Windows or Linux, both client and server operating systems.
Host-based
In the cloud, firewalls are implemented as _____
network virtual appliances (NVAs).
Watch network traffic and permit or block each packet on its own, based on source and destination addresses, ports, or other static header values; not 'aware' of connection state or data flows. Typically faster and perform better under heavy traffic loads.
Stateless firewall
Track each connection from start to finish in a connection table, so they know whether an inbound packet belongs to a session a host actually opened. Are aware of communication paths and can implement IP security functions such as tunnels and encryption. Better at identifying unauthorized and forged communications.
Stateful firewalls
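Why the stateful firewall is "better at identifying unauthorized and forged communications", shown as an added example that is not from the deck: a toy packet filter in both styles, run over three constructed packets. The LAN prefix, the addresses and the rule set are assumptions chosen for the demonstration, not a real product's configuration.

```python
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."   # assumption: the protected LAN is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = False   # True when the packet arrives from outside toward the LAN


def stateless_allow(p: Packet) -> bool:
    """Static rules only: every packet is judged on its own header fields.

    Rule 1: LAN hosts may open connections to TCP/443 anywhere.
    Rule 2: replies must get back in, and without state the only way to say
    'reply' is 'source port 443 toward the LAN', which is trivially forged.
    """
    if not p.inbound and p.src.startswith(LAN_PREFIX) and p.dport == 443:
        return True
    if p.inbound and p.sport == 443 and p.dst.startswith(LAN_PREFIX):
        return True
    return False


class StatefulFirewall:
    """Keeps a connection table; inbound packets pass only if they match a flow
    that a LAN host actually opened."""

    def __init__(self):
        self.table = set()   # (src, sport, dst, dport) of flows opened from the LAN

    def allow(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse_flow = (p.dst, p.dport, p.src, p.sport)
        if not p.inbound and p.src.startswith(LAN_PREFIX) and p.dport == 443:
            if p.syn and not p.ack:          # new connection: record it
                self.table.add(flow)
            return True
        if p.inbound and reverse_flow in self.table:
            return True                       # genuine reply to a known flow
        return False


def run_scenario() -> dict:
    """Constructed packets: a LAN client opens HTTPS to 203.0.113.10, the server
    replies, then an outsider forges a 'reply' (source port 443) aimed at the
    client's RDP port."""
    fw = StatefulFirewall()
    packets = {
        "outbound_syn": Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
        "legit_reply": Packet("203.0.113.10", 443, "10.0.0.5", 51000,
                              syn=True, ack=True, inbound=True),
        "forged_reply": Packet("198.51.100.7", 443, "10.0.0.5", 3389,
                               syn=True, inbound=True),
    }
    # Order matters for the stateful path: the SYN must be seen before the reply.
    return {name: {"stateless": stateless_allow(p), "stateful": fw.allow(p)}
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:13s} stateless={verdict['stateless']!s:5s} stateful={verdict['stateful']}")
```

The stateless filter passes the forged packet because its header satisfies the "reply" rule; the stateful one drops it because no LAN host ever opened a flow to 198.51.100.7, and the legitimate reply still passes.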
Protect web applications by filtering and monitoring HTTP/HTTPS traffic between a web application and the Internet; typically blocks common attacks such as XSS, CSRF, and SQL injection.
Web application firewall
A deep packet inspection firewall that moves beyond port/protocol inspection and blocking, adds application level inspection, intrusion prevention, and brings intelligence from outside the firewall.
Next generation firewall
Generally responds passively by logging and sending notifications
IDS
Is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target
IPS
Can monitor activity on a single system only. A drawback is that attackers can discover and disable them.
HIDS
Can monitor activity on a network, and isn’t as visible to attackers.
NIDS
Placed in line on a network segment, so it can block malicious traffic for every host behind it; like a NIDS, it isn't as visible to attackers as a host-based agent.
NIPS
A system that often has pseudo flaws and fake data to lure intruders.
Honeypot
Honeypots only entice, not
entrap
A subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.
Deep learning
Builds a baseline of a user's (or entity's) normal identity and the data they access on an ordinary day, including the devices they usually use and the servers they usually visit, so that deviations from that baseline stand out.
User and entity behavior analytics (UEBA)
Uses AI/ML (natural language processing) to gauge the tone and intent of text such as social media posts, email, and forum chatter; hostile or disgruntled sentiment can be an early indicator of insider threat or an impending attack.
Sentiment analysis
Centralized alert and response automation with threat specific playbooks.
SOAR
Log centralization and aggregation
Data integrity - logs stored on a separate host w/ its own access control
Normalization of incoming data into a common schema
Automated or continuous monitoring - algorithms to identify potential attacks
Alerting - auto generate alerts
Investigative monitoring
SIEM key features
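Normalization and automated alerting, the two SIEM features above that are easiest to misunderstand, as an added example not taken from the deck: two unrelated log formats (a constructed Linux sshd syslog line and a constructed Windows Security event rendered as JSON) are mapped to one schema, and a correlation rule then runs across both sources. The field names of the common schema, the year assumed for the syslog lines, and the sample events are all assumptions made for this example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ASSUMED_YEAR = 2024   # classic syslog lines carry no year; assumed for the sample

# Constructed sample input: four Linux sshd syslog lines and two Windows Security
# events (4625 = failed logon, 4624 = successful logon) rendered as JSON.
SAMPLE_LINES = [
    "Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
    "Mar  3 10:15:04 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 51130 ssh2",
    '{"EventID": 4625, "TimeCreated": "2024-03-03T10:15:09Z", "Computer": "DC01", "TargetUserName": "admin", "IpAddress": "203.0.113.9"}',
    '{"EventID": 4624, "TimeCreated": "2024-03-03T10:15:40Z", "Computer": "DC01", "TargetUserName": "admin", "IpAddress": "203.0.113.9"}',
    "Mar  3 10:16:30 web02 sshd[900]: Failed password for bob from 198.51.100.4 port 40001 ssh2",
    "Mar  3 10:20:00 web02 sshd[905]: Accepted password for bob from 198.51.100.4 port 40002 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")


def normalize_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "source": "linux_sshd"}


def normalize_windows(line):
    ev = json.loads(line)
    if ev.get("EventID") not in (4624, 4625):
        return None
    ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": ev["Computer"], "user": ev["TargetUserName"],
            "src_ip": ev["IpAddress"],
            "outcome": "success" if ev["EventID"] == 4624 else "failure",
            "source": "windows_security"}


def normalize(raw):
    """Route a raw line to the right parser; every parser emits the same schema."""
    return normalize_windows(raw) if raw.lstrip().startswith("{") else normalize_syslog(raw)


def detect(events, threshold=3, window=timedelta(seconds=60)):
    """Correlate across sources: N failures from one source IP inside the window
    raises brute_force; a success from that IP while those failures are still in
    the window raises success_after_brute_force (the one worth paging on)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src_ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append({"rule": "brute_force", "src_ip": ev["src_ip"],
                               "count": len(q), "at": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"rule": "success_after_brute_force", "src_ip": ev["src_ip"],
                           "user": ev["user"], "host": ev["host"], "at": ev["ts"]})
    return alerts


def analyze(lines=SAMPLE_LINES):
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return detect(events)


if __name__ == "__main__":
    for a in analyze():
        print(a)
```

Without normalization the rule would have to be written twice and could never see that the two sshd failures and the one Windows failure came from the same address; with it, the third failure trips the rule and the later success on DC01 becomes the alert an analyst should look at first.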
The key to optimizing event detection and visibility and to scaling security operations:
log collection
Log collectors
Log aggregation
Packet capture
Data inputs
SIEM data sources and collection components
400 series HTTP response codes are
client side errors
500 series HTTP response codes are
server side errors
Network log files may be helpful in identifying and mitigating a
DDoS attack
Web log files collect info about each web session and show evidence of _____.
potential threats and attacks
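The three cards above (4xx vs 5xx, network logs and DDoS, web logs as evidence of attacks) worked through as an added example that is not part of the deck: a parser for the common Apache/nginx access-log format, a classifier for response-code classes, and two simple rules over a constructed sample log, one that spots a client whose traffic is almost all 4xx (probing for files that do not exist) and one that spots a request flood. The log lines, thresholds and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)')

# Constructed sample log: a normal visitor, a host probing for files that do not
# exist (all 404), a burst of requests that push the server into 503, and one 500.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Mar/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048',
] + [
    f'203.0.113.50 - - [03/Mar/2024:10:00:{10 + 5 * i:02d} +0000] "GET {path} HTTP/1.1" 404 196'
    for i, path in enumerate(["/wp-login.php", "/.env", "/admin", "/phpmyadmin",
                              "/.git/config", "/backup.zip"])
] + [
    f'198.51.100.20 - - [03/Mar/2024:10:01:{s:02d} +0000] "GET / HTTP/1.1" 503 0'
    for s in range(8)
] + [
    '192.0.2.10 - - [03/Mar/2024:10:02:00 +0000] "POST /api/order HTTP/1.1" 500 0',
]


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def status_class(code):
    """2xx success, 3xx redirect, 4xx client-side error, 5xx server-side error."""
    return {2: "success", 3: "redirect", 4: "client_error", 5: "server_error"}.get(code // 100, "other")


def summarize(entries):
    """Overall and per-client counts by response class."""
    overall = Counter(status_class(e["status"]) for e in entries)
    per_ip = defaultdict(Counter)
    for e in entries:
        per_ip[e["ip"]][status_class(e["status"])] += 1
    return overall, per_ip


def flag_scanners(per_ip, min_requests=5, error_ratio=0.6):
    """Clients whose traffic is mostly 4xx are probing for things that are not there."""
    return sorted(ip for ip, c in per_ip.items()
                  if sum(c.values()) >= min_requests
                  and c["client_error"] / sum(c.values()) >= error_ratio)


def flag_floods(entries, window_seconds=10, max_requests=8):
    """Clients that send max_requests or more inside any sliding window."""
    times = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        times[e["ip"]].append(e["ts"])
    flagged = []
    for ip, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_requests:
                flagged.append(ip)
                break
    return sorted(flagged)


def analyze(lines=SAMPLE_LOG):
    entries = [e for e in map(parse, lines) if e is not None]
    overall, per_ip = summarize(entries)
    return {"overall": dict(overall), "scanners": flag_scanners(per_ip),
            "floods": flag_floods(entries)}


if __name__ == "__main__":
    print(analyze())
```

The 5xx count is the server's health signal (here every 503 comes from one flooding client), while the 4xx ratio is a per-client signal: a scanner produces many 404s because it is guessing paths, whereas a real visitor rarely does.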
These files contain information about hardware changes, updates to devices, time synchronization, group policy application, etc.
System logs
These files contain information about software applications: when they launched, success or failure, and warnings about potential problems or errors.
Application logs
These files contain information about a successful login, as well as unauthorized attempts to access the system and resources.
Security
These files contain virtually all DNS server level activity, such as zone transfer, DNS server errors, DNS caching, and DNSSEC.
DNS
These files contain information about login events, logging success or failure
Authentication
These systems provide information on the calls being made and the devices they originate from. They may also capture call quality by logging the Mean Opinion Score (MOS), jitter, and packet loss.
VoIP and call managers
Used to set up Internet-based calls; its log files generally show the INVITE that initiates a call, provisional 1xx responses such as 100 Trying and 180 Ringing, the 200 OK that accepts the call, and the ACK that completes the handshake.
Session Initiation Protocol (SIP) traffic
Preparation
Detection and analysis
Containment, eradication, recovery
Post-incident activity
incident response lifecycle
A vulnerability scan run with valid credentials, so the scanner can log in to each target and inspect installed software, patch levels, and configuration; it finds far more than an unauthenticated scan.
Credentialed scan
A scan run without credentials, so it sees only what an unauthenticated attacker on the network could find; fewer findings, but a realistic outside view.
Non-credentialed scan
These are passive and merely report vulnerabilities. They do not cause damage to your system.
Non-intrusive scans
Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.
Intrusive scans
Configuration compliance scanners and PowerShell Desired State Configuration (DSC) check that a system's security configuration has not drifted from the defined baseline.
Configuration review
Before applications are released, testers scan the source code and the running application for security deficiencies (static and dynamic application security testing).
Application scans
The standardized 0 to 10 severity score assigned to a vulnerability.
CVSS (Common Vulnerability Scoring System)
A list of publicly disclosed vulnerabilities, each with a unique identifier.
CVE (Common Vulnerabilities and Exposures)
- software flaws
- missing patches
- open ports
- services that should not be running
- weak passwords
Vulnerabilities reported by a vuln scanner
The most effective vulnerability scan
credentialed vulnerability scan