Domain 5 Flashcards

1
Q

What defines service-level targets and responsibilities for IT service provider?

A

SLAs

2
Q

What’s an internal agreement b/w the IT service provider and another part of the same org that supports the service provider’s delivery of the service?

A

OLAs - operational level agreement

3
Q

What’s used to determine whether a service meets its quality and functionality goals?

A

SAC - service acceptance criteria

4
Q

What defines the requirements of a service from the customer’s perspective?

A

SLR - service level requirement

5
Q

Reactive communications are used for:

A

data breach notification, regulatory compliance, and problem management

6
Q

T/F: Major cloud vendors provide their own customized versions of Linux that include additional agents and tools that help them work better w/ the provider’s infrastructure?

A

True

7
Q

When managing systems at scale in the cloud, is it best to use the cloud IaaS vendor’s tools?

A

Yes

8
Q

Why is it best to use the cloud IaaS vendor’s tools when managing systems at scale in the cloud?

A

B/c they’re designed to handle OS that may have special features to work in the vendor’s environment and applications.

9
Q

Do CSPs allow direct or 3P audits of their systems?

A

No - but they will provide audit results

10
Q

What is used to create, store, and manage secrets?

A

HSM - hardware security module

11
Q

What uses code and config files or variables to allow rapid deployment using scripts and automated tools?

A

Infrastructure as code design

12
Q

What’s used to access data from services?

A

APIs

13
Q

What are two practices to improve service continuity?

A
  1. Understanding the number of business practices that have continuity planning in place.
  2. Assessing which gaps in coverage are critical.
14
Q

Are Agile and DevOps well-suited to rapid release cycles w/ CI/CD delivery processes?

A

Yes

15
Q

T/F: Agile and DevOps are better with CI/CD than Waterfall and Spiral

A

True

16
Q

What is the first step in ITIL 4 continual service improvement process?

A

Identify strategy for improvement

17
Q

What comes after you identify strategy for improvement in ITIL 4 continual service improvement process?

A

Define what to measure

18
Q

What happens after you define what to measure in ITIL 4 continual service improvement process?

A

Gather data

19
Q

What happens after you gather data in ITIL 4 continual service improvement process?

A

Process the data

20
Q

What happens after you process the data in ITIL 4 continual service improvement process?

A

Analyze the information and data

21
Q

What happens after you analyze the information and data in ITIL 4 continual service improvement process?

A

Present and use the information

22
Q

What’s the last step in ITIL 4 continual service improvement process?

A

Implement improvement

23
Q

What mode migrates VMs to other hosts or waits until they are powered down to allow for hardware or other maintenance?

A

Maintenance

24
Q

What does centralized log collection, analysis, and detection?

A

SIEM tools

25
What is used to detect and stop attacks?
IPS - intrusion prevention system
26
What is a government funded research organization w/ a heavy focus on security work?
MITRE
27
What is an encryption protocol used to secure data in transit?
TLS
28
What's used to logically separate network segments?
VLANs
29
What's intended to provide security to domain name system requests?
DNSSEC
30
What provides IP addresses and other network config info to systems automatically?
DHCP
31
Will the default SSH port stop attackers and 3Ps from accessing SSH as long as it hasn't been changed to a port outside of port 22?
Yes
32
What stores config management and info about relationships b/w configuration items?
Configuration Management Database
33
Who patches PaaS environments?
The vendor
34
What are designing services for availability, availability testing, and availability monitoring and reporting?
ITIL subprocesses for availability management
35
Do customers need to tell their vendors about breaches?
No
36
Do vendors need to tell their customers about breaches?
Yes
37
What's necessary to establish a configuration management database?
Having an inventory to create a baseline.
38
What can you do once a baseline is created?
Establish CMB, deploy new assets configured to meet baseline, and document deviations.
39
What adds functionality like use of GPUs (graphics processing unit), shared clipboards, and drag and drop b/w guest OS, shared folders, and similar features that require additional integration b/w guest OS and underlying hypervisor?
Guest OS virtualization tools
40
What focuses on whether security practices and procedures align to risk tolerance for the org and includes verification and testing like a SOC 2 Type 2 audit does?
Security review objective
41
What topics does the security review objective cover?
Design, testing, and incident management
42
Is manual static code review a good fit for CI/CD?
No b/c of speed requirements
43
Do WAFs and IPSs test code and make application more secure?
No
44
Who is responsible for network-based risks in IaaS?
Customer and provider
45
What does configuration management start with?
Baselining
46
What is the critical factor when transaction volume is key?
Network latency
47
Azure's best practices suggest creating disk snapshots for VM's OS and data disks and then ______.
Safely storing the snapshots and then comparing hashes b/w images and originals
48
Will comparing hashes of a snapshot validate it against the original?
No
49
Can VMs be exported as hashes?
No
50
Do businesses manage customer capacity?
No, they assess their own capacity, known as business capacity mgmt
51
What do data breach regulations typically focus on?
Customer notification
52
What is the process for preserving data for legal action?
Legal hold
53
What is a critical part of instance scheduling?
Tagging
54
What allows schedules to be easily applied to all instances w/ the proper tags?
Tagging
55
Is adding new hardware to increase performance an element of hardening?
No
56
What is the process of provisioning a specific element against an attack?
Hardening
57
Do audits protect against attacks?
No, they detect and direct responses to attacks
58
Are humans in the loop for patching?
Yes, and they can be installed in non-production environments to be validated before further installation
59
What speeds patching and patch accuracy via automation?
Automated patching systems
60
What controls the entirety of the virtual environment?
Management systems, and they should be isolated physically and virtually.
61
Does ITIL 4 categorize deployment management as part of release management?
Yes
62
Who is responsible for the fit for purpose for continual service improvement?
Process owner
63
Who improves ITSM processes and services?
CSI (continual service improvement) managers
64
Who ensures processes work together and support each other effectively?
Process architects
65
What performs firewall-like rules-based filtering?
Network security groups
66
What captures and observes attacker behaviors?
Honeypots
67
What detects and prevents attacks based on behaviors and signatures, respectively?
IDSs and IPSs
68
Hardware redundancy, local sharing and balancing, and failure mode design are all:
common practices when designing redundancy into cloud datacenters
69
Will vendors allow customers to conduct PCI assessments of their underlying infrastructure?
No
70
Will IaaS vendors allow customers to scan their own internal systems?
Yes, but they may recommend that instances w/ lower resources are not scanned to avoid disruption
71
Are scanning tools required to be used in an IaaS environment?
No
72
Is external scanning prohibited?
Yes, b/c it can affect other customers
73
Is scheduling a time or date required for advanced/specialized testing?
Yes
74
Using load balancing to drain load from existing systems and then replacing them w/ new, patched instances is a common best practice for _____.
Cloud-hosted service environment patching
75
Could manual and scripting patching and re-IPing cause outages?
Yes, as systems are swapped over
76
  1. Transferring users
  2. Preventing new connections
  3. Notifying customers
common practices for maintenance mode
77
Are HSMs used for boot security?
No
78
What allows you to add TPM 2.0 virtual crypto processor to a VM?
A virtual trusted platform module vTPM
79
What provides hardware-based, security-related functions such as random number generation, attestation, and key generation?
vTPM
80
What enables the guest operating system to create and store keys that are private, while not exposing the keys to the guest operating system and thereby reducing the virtual machine attack surface?
vTPM
81
What runs on top of an OS?
Type 2 hypervisor
82
What's ITIL's overall goal?
Restore service as soon as possible after an incident
83
What are top focuses of ITIL?
Identification, containment, resolution, and maintenance
84
What's an interruption of normal service, including reductions in the quality of services that may violate an SLA?
Incidents
85
What resolves the cause of problems?
Problem management
86
What restores services to normal levels?
Incident response
87
Is the number of individuals impacted a useful KPI for availability?
No
88
What is the basis of security management in ITIL?
Infosec policies - more specifically "underpinning infosec policies"
89
In what is automated testing conducted and code must pass testing before it's released?
CI/CD pipeline
90
Is human intervention/approval required for CI/CD pipelines?
No
91
What's the most common means of capturing disk images from VMs in an IaaS environment?
Snapshots
92
What makes using forensic image acquisition tools difficult in a cloud environment?
A lack of access to the underlying hardware
93
What is DBAN?
A wiping tool
94
Do copy utilities provide a complete forensically sound copy?
No
95
TerraForm, CloudFormation, Ansible, Chef, and Puppet are what kind of tools?
Infrastructure as Code
96
What ISO describes service management?
20000-1
97
What ISO describes an information security management system?
27001
98
What's the best tool to centralize logs and incident information?
SIEM
99
What can block legitimate traffic if it's improperly identified?
IPS
100
Which needs to be placed in-line with traffic? IDS or IPS
IPS
101
Do IPS and IDS use signature and behavior-based detection?
Yes
102
Can an IDS fail open or closed?
No, b/c it's not in-line
103
A system set to ________ does not shut down when failure conditions are present.
Fail open
104
________ is when a device or system is set, either physically or via software, to shut down and prevent further operation when failure conditions are detected.
Failing closed
105
An ________ sits in line with traffic flows and inspects all traffic before permitting it to continue on to its destination.
IPS
106
What shows which IP address contacted another IP address, source/destination ports, and volume of data?
Flow logging
107
AI features in SIEM devices are used to:
  1. Analyze and learn network traffic patterns
  2. Use log correlation and threat intelligence to identify unexpected/potentially malicious behavior
108
Default gateway, subnet mask, DNS server info, and IP address are all provided by:
DHCP
109
A ________ is a router that connects your host to remote network segments.
default gateway
110
A _________ is a number that distinguishes the network address and the host address within an IP address.
subnet mask
111
________ is an Internet service that translates domain names (e.g., its.umich.edu) into IP addresses.
Domain Name System (DNS)
112
________ is a protocol for automatically assigning IP addresses and other configurations to devices when they connect to a network.
Dynamic Host Configuration Protocol (DHCP)
113
An ________ is a unique numerical identifier for every device or network that connects to the internet and is used for communicating across the internet.
Internet Protocol (IP) address
114
________ is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.
Secure Boot
115
Disabling _________ b/w VMs and the console is a standard security practice.
cut and paste
116
Removing ________ is a standard security practice.
unnecessary hardware
117
Use of the VM console is considered direct access and should only be used for ________.
critical actions - use virtualization management platform for most actions
118
Are honeypots used to capture traffic to stop attacks?
No - just to study
119
What 3 things can stop attacks by preventing malicious traffic from entering the network?
network security groups, firewalls, and IPSs
120
What can be associated with subnets or individual virtual machine instances within that subnet to activate a rule or access control list (ACL) to allow or deny network traffic to your virtual machine instances in a virtual network.
Network security groups
121
Use multiple vendors, have SLAs in place, and use self-hosted failover capabilities are all:
high availability techniques
122
Investing in redundant systems and additional monitoring are both:
availability management techniques
123
T/F: Disk images, VM snapshots, and network packet capture require low-level access that can't typically be accessed in SaaS.
True
124
What measures performance and checks it against requirements set in SLAs and service-level requirements?
Service capacity management
125
What involves interpreting business needs into requirements for services and architecture?
Business capacity management
126
What focuses on the actual components of an infrastructure?
Component capacity management
127
________ is dedicated file storage that enables multiple users and heterogeneous client devices to retrieve data from centralized disk capacity.
Network-attached storage (NAS)
128
________ is a management platform for Windows endpoints providing inventory, software distribution, operating system imaging, settings and security management.
Microsoft Endpoint Configuration Manager
129
What mode is used to remove running systems for a VM cluster to allow for hardware/software upgrades?
Maintenance mode
130
What hides details of a system to make management simpler?
Abstraction
131
Like honeypots, these are set up to detect network attacks and techniques.
Honeynets
132
What's used to look for unexpected traffic indicating probes by potential attackers?
Darknets
133
What's used to provide secure access from a lower security zone to a higher one?
Bastion hosts
134
What's the next step after data/artifacts are identified in forensics?
Preservation
135
________ is the managing and provisioning of infrastructure through code instead of through manual processes.
Infrastructure as Code (IaC)
136
Benefits of ______ include: increased consistency by removing human error, easy updating, and increased speed.
IaC
137
A ________ ensures uptime and availability by helping you manage hardware, application, and site failures.
clustered environment
138
The benefits of ________ include flexibility and scalability, availability and performance, reduced IT costs, and a customizable infrastructure.
server clustering
139
  * Identifying/specifying attributes for each config item type/subcomponent
  * The relationship b/w each CI/subcomponent and others in the org
Are all things _____ includes.
ITIL's config identification subprocess
140
What focuses on managing changes in the config management system?
Config control
141
What validates that configs match what's expected?
Config verification
142
Typically, ________ measure input/output operations per second (IOPS), filesystem performance, caching, and autoscaling.
cloud performance metrics
143
Availability, capacity, throughput, latency, cpu capacity, and error rates are all ____ that should be monitored for _____.
metrics / IaaS
144
What are the components/services managed as part of a config mgmt effort?
Config items
145
What are used to evaluate changes and causes of incidents?
Config models
146
What describes config item relationships and settings?
Config records
147
Is latency usually billed?
No
148
Can customers obtain forensic data from underlying infrastructure as a service environment?
No
149
Memory for instance, disk volumes, and logs are all:
cloud forensic artifacts
150
Will SaaS providers allow 3Ps to scan their production services?
No
151
27037, 27041, 27043, and 27050-1 all relate to _____ ?
forensics
152
______ covers standards for infosec management and ____ describes security controls
27001 and 27002
153
What ISO series covers quality management?
9000
154
Do SOCs provide eDiscovery services?
No
155
________ is a form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings.
E-discovery
156
What ISO standard focuses on business capacity mgmt, service capacity mgmt, and component capacity mgmt?
20000-1
157
What plans focus on creating and deploying releases?
Release and deployment plans
158
What ISO standard requires orgs to establish, approve, and communicate their infosec policy?
20000-1
159
What moves VMs from heavily loaded hosts to those w/ more resources available to help balance load across the cluster?
Distributed resource scheduling
160
What's a form of load balancing where requests are distributed to each server in a cluster as they come in based on a list?
Round-robin load balancing
161
Powered-on time, temp, and drive health are all elements of _______.
Hardware monitoring
162
What allows an app to run in a secure location while still allowing access to it from a lower-trust device?
Selecting a virtual client that allows apps to run in a cloud-hosted environment
163
What includes detailed plans for returning systems and services to a working state and recovering data to a known consistent state?
ITIL Recovery plan
164
What focuses on how to ensure continuity during specified disasters for services and systems?
Service continuity plans
165
Is it best to engage a 3P when facing cloud forensic investigations?
Yes
166
Assignment of tasks, including deviation notification and documentation, are things _____ should include.
Change management policies
167
What should be isolated to ensure security of production activities?
Provisioning, management, and access to storage
168
Ping, power, and pipe refers to _______, _______, and ________ with services like HVAC.
connectivity, power, and facility space
169
Tier 1 datacenters are cheapest and needed only for _______.
occasional backup
170
Creating and maintaining proper chain of custody documentation provides ________.
nonrepudiation
171
What are logical overlays used to segregate network devices?
VLANs
172
What's used to create secure channels b/w networks over untrusted networks?
VPNs
173
What's used to prevent loops in networks?
STP - spanning tree protocol
174
What are three options for backup power?
Batteries, redundant utility lines, and generator
175
What is two power lines with separate routes so the fault of one line cannot compromise the functionality of the other?
Redundant utility lines
176
What is a chip that resides on motherboard, is multi-purpose, and provides OS w/ access to keys while preventing drive removal and data access?
TPM - Trusted Platform Module
177
What is also called a cryptographic coprocessor?
Trusted Platform Module
178
What are virtual TPMs part of?
The hypervisor
179
Can a TPM be added or removed at later date?
No, b/c it's a physical component of the system hardware
180
What uses tamper-proof hardened devices to provide crypto processing and protection of keys?
HSM
181
What can be used in place of software crypto libraries and accelerators?
HSM
182
What is a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive?
Full disk encryption
183
What verifies the keys match before the secure boot process takes place?
Hardware root of trust
184
When certificates are used in FDE, they use a _______ for key storage.
Hardware root of trust
185
What offers the ability to protect devices at a lower level with passwords and is a low level software for booting a device?
UEFI - unified extensible firmware interface
186
What is a physical computing device that manages digital keys?
HSM
187
Are HSMs removable/external?
Yes
188
Key escrows use ____ to store and manage private keys
HSM
189
T/F: Hardware root of trust is less susceptible to attacks b/c security solutions are on a chip
True
190
  * TPM - module embedded in system
  * SED - self-encrypting drives
  * HSM - dedicated crypto processor
These are the three foundations of a _____.
TEE (trusted execution environment)
191
What is a network architecture approach that allows the network to be intelligently and centrally controlled using software?
Software Defined Networks
192
Can SDNs reprogram the data plane?
Yes, at any time.
193
How do you secure an SDN?
With TLS.
194
What consists of cloud resources, where the VMs for one company are isolated from the resources of another company?
Virtual Private Cloud
195
How are VPCs isolated?
By using public and private networks.
196
How are virtual networks connected to other networks?
Via VPN gateway or network peering.
197
When do you use NAT gateways?
For VDIs
198
  1. Secure build
  2. Secure initial configuration
  3. Host hardening and patching
  4. Host lock down
  5. Secure ongoing config maintenance
Are all _____ best practices.
cloud host servers
199
  1. Redundancy
  2. Scheduled downtime/maintenance
  3. Isolated network/robust access controls - access to virtual mgmt tools should be tightly controlled
  4. Config mgmt/change mgmt - for tools to stay in hardened state
  5. Logging and monitoring - can create additional overhead
management tooling considerations
200
What are the two main forms of control for virtual hardware security?
Configuration and patching
201
Who owns patching in IaaS?
Customer
202
Who owns patching in PaaS?
CSP
203
What enables granular network segmentation in a zero trust network architecture?
VPC
204
What is a security feature that's similar to ACL that has distinct rules for inbound/outbound traffic?
Security groups
205
  1. Prevent oversubscription
  2. Don't share w/ other network traffic
  3. Encrypt
  4. Isolate and compartmentalize
  5. Create separate isolated virtual switch
storage network controller best practices
206
What is the native remote access protocol for Windows operating systems?
Remote Desktop Protocol
207
What is the **native remote access protocol for Linux** operating systems, and common for remote management of network devices?
Secure Shell
208
What is a system for secure local access?
Secure terminal/console-based access
209
What is a bastion host at the boundary of lower and higher security zones?
Jumpbox
210
What are software tools that allow remote connection to a VM for use as if it is your local machine?
Virtual clients
211
What is a software feature that you can install on physical Linux machines to create virtual machines?
KVM - kernel-based virtual machine
212
What extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network?
VPN
213
What means using VPN for all traffic, both to the Internet and corporate network?
Full tunnel
214
What uses an always on mode where both packet header and payload are encrypted?
Site to site
215
What uses VPN for traffic destined for the corporate network only, and sends Internet traffic directly through its normal route?
Split tunnel
216
This is where a connection is initiated from a user's PC or laptop for a connection of shorter duration.
Remote access
217
  - Session encryption
  - Strong authentication
  - Enhanced logging and reviews
  - Use of identity and access management tool
  - Single Sign On (SSO)
local and remote access controls
218
Use a _____ for sensitive functions and a _____ for day to day use.
dedicated admin account / standard account
219
What addresses the limitations of the legacy network perimeter based security model, treats user identity as the control plane, and assumes compromise / breach in verifying every request?
Zero Trust Security
220
  - Network Security Group (NSG)
  - Network firewalls
  - Inbound and outbound traffic filtering/inspection
  - Centralized security policy management and enforcement
elements of zero trust architecture
221
What acts as a virtual firewall for virtual networks and resource instances, carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances, and provides a virtual firewall for a collection of cloud resources with the same security posture?
Network security groups
222
What restricts services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic?
Segmentation
223
These have their own CIDR IP address range and cannot connect directly to the internet.
Private subnets
224
In segmentation, rules are enforced by the _____.
IP address ranges of each subnet
225
Within a virtual network, ____can be used to achieve isolation and port filtering through a network security group.
subnet
226
227
What uses these IP addresses: 10.0.0.0, 172.16.x.x, 172.31.x.x, 192.168.0.0?
Private subnet
228
This is where traffic moves laterally between servers within a data center.
East-West Traffic
229
This is where a collection of devices communicate with one another as if they made up a single physical LAN.
VLAN
230
This is where a subnet is placed between two routers or firewalls. Bastion host(s) are located within that subnet.
Screened subnet
231
This is a sandboxed area within the larger public cloud that takes the form of a VLAN?
VPC
232
Two methods for securing connection to VPC
VPN and network peering
233
A set of specifications primarily aimed at reinforcing the integrity of DNS with cryptographic authentication using digital signatures.
DNSSEC
234
What provides proof of origin and makes cache poisoning and spoofing attacks more difficult?
DNSSEC
235
Data in motion is most often encrypted using _____ or ______.
TLS or HTTPS
236
_____ uses an x.509 certificate with a public/private key pair.
TLS
237
What allows a SIEM to leverage IP addresses associated with a system event to track an IP address to a specific endpoint?
Dynamic Host Configuration Protocol
238
  - Digital signatures (public/private key pair)
  - Message authentication code (session key)
  - Hash-based message authentication code (hash and cryptographic key)
three ways to provide non-repudiation
239
This is a host used to allow administrators to access a private network from a lower security zone, will have a network interface in both the lower and higher security zones, and will be secured at the same level as the higher security zone it's connected to.
Bastion host
240
Additional security measures like hash based message authentication code (HMAC) can be used to detect _____.
Intentional tampering
241
HMAC can simultaneously verify both
data integrity and message authenticity
242
A host used to allow administrators to access a private network from a lower security zone, will have a network interface in both the lower and higher security zones, and will be secured at the same level as the higher security zone it's connected to.
Bastion host
243
Two common names for bastion hosts.
Jumpbox or jumpserver
244
What can be applied to a single VM image, or to a VM template that is then used to deploy all VMs?
Baselines
245
_____ is a high level description, _____ contains a security recommendation, and _____ is the implementation of the benchmark.
Control, Benchmark, Baseline
246
The U.S. Defense Information Systems Agency (DISA) produces baseline documents known as _____.
Security Technical Implementation Guides (STIGs)
247
  - Vendor-supplied baselines
  - DISA STIGs
  - NIST checklists
  - CIS benchmarks
baseline options
248
What verifies the deployment of approved patches to a system?
System audits
249
What is the management of infrastructure (networks, VMs, load balancers, and connection topology) described in code?
IaC
250
T/F: Binary code in the IaC model results in the same environment every time it is applied.
True
251
Cloud native controls support
IaC
252
What helps reduce errors and configuration drift?
Declarative (must know current state) and idempotent (applied multiple times w/out changing result).
253
These include high availability via redundancy, optimized performance via distributed workloads, and the ability to scale resources.
Cluster advantages
254
Often part of hypervisor or load balancer software, this is responsible for mediating access to shared resources in a cluster.
Cluster management agent
255
This is the coordination element in a cluster of VMware ESXi hosts that mediates access to the physical resources and handles resources available to a cluster, reservations and limits for the VMs running on the cluster, and maintenance features.
DRS - Distributed resource scheduling
256
This is pool storage, providing reliability, increased performance, or possibly additional capacity.
Storage clusters
257
Resiliency of the physical hypervisor cluster, networks, and storage are responsibility of the _____.
CSP
258
This concept says monitoring should include utilization, performance, and availability of 1) CPU, 2) memory, 3) storage and 4) network.
Core 4
259
In PaaS, _____ owns infrastructure backups, _____ owns backups of data.
CSP / Customer
260
In IaaS, _____ owns backup/recovery of VMs.
Customer
261
______ says backups should be stored on different hardware or availability zones.
Physical separation
262
Specifies requirements for "establishing, implementing, maintaining and continually improving a service management system (SMS)"
ISO 20000-1
263
Provides virtual management options analogous to physical admin options of a legacy datacenter.
Management plane
264
_____ is the automated configuration and management of resources in bulk
Orchestration
265
The web-based consumer interface for managing resources.
Management console
266
Supports management of the service lifecycle, including planning, design, transition, delivery and service improvement.
ISO 20000-1
267
Process of evaluating a change request to decide if it should be implemented
Change control
268
This reduces operational overhead and human error, reduces security risk, and enables more frequent releases while maintaining a strong security posture.
Automating change management
269
This specifies the requirements needed for an organization to plan, implement, operate, and continually improve the continuity capability.
ISO 22301:2019 Security and resilience BC management systems
270
ISO 27001, ISO 27017, ISO 27018, ISO 27701, NIST RMF (SP 800-53), NIST CSF, AICPA SOC 2
Security control standards
271
Security standard developed for CSPs
ISO 27017
272
Standard for cloud privacy
ISO 27018
273
Standard for privacy risk
ISO 27701
274
NIST RMF
Cybersecurity risk management
275
Critical element of continual service improvement
Monitoring and measurement
276
Any observable action
Event
277
Unplanned events with adverse impact
Incidents
278
6 steps of incident management
1. Preparation (to ensure they can respond) 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons learned
279
What does problem management use to identify underlying problem?
root cause analysis
280
CI/CD positively impacts the _____.
Frequency of releases
281
SLAs are focused on _ that define _ and _.
measurable outcomes / availability / levels of service
282
Availability means the service is up and _____.
usable
283
Responsibility for capacity management belongs to _____ at the platform level, but belongs to _____ for deployed apps and services
CSP / customer
284
What is the identification, collection, preservation, analysis, and review of electronic information?
eDiscovery
285
Guide for collecting, identifying, and preserving electronic evidence
ISO/IEC 27037:2012
286
Guide for incident investigation
ISO/IEC 27041:2015
287
Guide for digital evidence analysis.
ISO/IEC 27042:2015
288
Guide for incident investigation principles and processes
ISO/IEC 27043:2015
289
Offers a framework, governance, and best practices for forensics, eDiscovery, and evidence management
ISO 27050
290
Offers guidance on legal concerns related to security, privacy, and contractual obligations
CSA Security Guidance
291
Evidence collection process
1. Logs are essential 2. Document everything 3. Consider volatility
292
1. Use original physical media 2. Verify data integrity 3. Follow documented procedures 4. Establish and maintain communications
evidence collection best practices
293
1. Data location 2. Rights and responsibilities 3. Tools 4. Regulatory and jurisdiction 5. Breach notification laws 6. Control 7. Multitenancy 8. Data volatility and dispersion
cloud forensics challenges
294
5 attributes of useful evidence
1. Authentic 2. Accurate 3. Complete 4. Convincing 5. Admissible
295
1. Relevant 2. Material 3. Competent/Reliable 4. Obtained legally
admissible requirements in court
296
Volatility in order
1. CPU, cache, and register contents 2. Routing tables, ARP cache, process tables, kernel statistics 3. Live network connections and data flows 4. Memory (RAM) 5. Temporary file system and swap/pagefile 6. Data on hard disk 7. Remotely logged data 8. Data stored on archival media and backups
297
T/F: Volatile evidence should be collected first.
True
298
1. Collection 2. Examination 3. Analysis 4. Reporting
4 phases of digital evidence handling
299
Proper evidence handling and decision making should be a part of _____.
the incident response procedures and training
300
With evidence preservation, collect _____ and work from _____.
originals / copies
301
1. locked cabinets/safes 2. dedicated/isolated storage facilities 3. environment maintenance 4. access restrictions/document/track activity 5. blocking interference
Protections for evidence storage
302
When either the forensic copy or the system image is being analyzed, the data and applications are _____ at collection.
hashed
303
Hashes can be used as a
checksum to ensure integrity later.
304
Data provenance effectively provides a historical record of _____.
data, its origin, and forensic activities performed on it
305
_____ is the process of tracking flow of data over time, showing where the data originated, how it has changed, and its ultimate destination.
Data lineage
306
An image, or exact sector-by-sector copy, of a hard disk or other storage device taken using specialized software, preserving an exact copy of the original disk.
Forensic copy
307
Deleted files, slack space, system files and executables (and documents renamed to mimic system files and executables) are all part of a _____.
forensic image
308
Threat prevention, threat detection, incident management, continuous monitoring and reporting, alert prioritization, compliance management
Key functions of SOC
309
Tools such as _____ automate monitoring and provide real time analysis of events.
IDSs or SIEMs
310
NIST SP 800-37: Risk Management Framework (RMF) specifies the creation of a continuous monitoring strategy for getting _____.
near real time risk information
311
What is virtualized hardware called in the cloud?
Network Virtual Appliance
312
Typically caters specifically to application communications. Often that is HTTPS or Web traffic.
Application
313
An application installed on a host OS, such as Windows or Linux, both client and server operating systems.
Host-based
314
In the cloud, firewalls are implemented as _____
virtual network appliances (VNA).
315
Watch network traffic and restrict or block packets based on source and destination addresses or other static values; not 'aware' of traffic patterns or data flows. Typically faster and perform better under heavier traffic loads.
Stateless firewall
316
Can watch traffic streams from end to end. Are aware of communication paths and can implement various IP security functions such as tunnels and encryption. Better at identifying unauthorized and forged communications.
Stateful firewalls
317
Protect web applications by filtering and monitoring HTTPS traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection.
Web application firewall
318
A deep packet inspection firewall that moves beyond port/protocol inspection and blocking, adds application level inspection, intrusion prevention, and brings intelligence from outside the firewall.
Next generation firewall
319
Generally responds passively by logging and sending notifications
IDS
320
Is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target
IPS
321
Can monitor activity on a single system only. A drawback is that attackers can discover and disable them.
HIDS
322
Can monitor activity on a network, and isn’t as visible to attackers.
NIDS
323
Can monitor activity on a network, and isn’t as visible to attackers.
NIPS
324
A system that often has pseudo flaws and fake data to lure intruders.
Honeypot
325
Honeypots only entice, not
entrap
326
A subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.
Deep learning
327
This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day. It tracks the devices that the user normally uses and the servers that they normally visit.
User and entity behavior analytics (UEBA)
328
Using artificial intelligence and machine learning to identify attacks.
Sentiment analysis
329
Centralized alert and response automation with threat specific playbooks.
SOAR
330
1. Log centralization and aggregation 2. Data integrity (on a separate host with its own access control) 3. Normalization of incoming data 4. Automated or continuous monitoring (algorithms to identify potential attacks) 5. Alerting (auto-generated alerts) 6. Investigative monitoring
SIEM key features
331
The key to optimizing event detection and visibility and scale security operations:
log collection
332
Log collectors, log aggregation, packet capture, data inputs
SIEM benefits
333
400 series HTTP response codes are
client side errors
334
500 series HTTP response codes are
server side errors
335
Network log files may be helpful in stopping
a DDoS attack
336
Web log files collect info about each web session and show evidence of _____.
potential threats and attacks
337
These files contain information about hardware changes, updates to devices, time synchronization, group policy application, etc.
System files
338
These files contain information about software applications, when launched, success or failure, and warnings about potential problems or errors.
Application
339
These files contain information about a successful login, as well as unauthorized attempts to access the system and resources.
Security
340
These files contain virtually all DNS server level activity, such as zone transfer, DNS server errors, DNS caching, and DNSSEC.
DNS
341
These files contain information about login events, logging success or failure
Authentication
342
These systems provide information on the calls being made and the devices that they originate from. They may also capture call quality by logging the Mean Optical Score (MOS), jitter, and loss of signal.
VoIP and Call Managers
343
This is used for internet-based calls, and the log files generally show the INVITE that initiates a connection, the 100-series events that relate to ringing, and the 200 OK, which is followed by an acknowledgement.
Session Initiation Protocol (SIP) Traffic
344
1. Preparation 2. Detection and analysis 3. Containment, eradication, and recovery 4. Post-incident activity
incident response lifecycle
345
A much more powerful version of the vulnerability scanner that has higher privileges.
Credentialed scan
346
Has lower privileges than a credentialed scan. It will identify vulnerabilities that an attacker would easily find.
Non-credentialed scan
347
These are passive and merely report vulnerabilities. They do not cause damage to your system.
Non-intrusive scans
348
Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.
Intrusive scans
349
Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.
Configuration Review
350
Before applications are released, coding experts perform regression testing that will check code for deficiencies.
application scans
351
the overall score assigned to a vulnerability
CVSS
352
a list of all publicly disclosed vulnerabilities
CVE
353
* software flaws * missing patches * open ports * services that should not be running * weak passwords
Vulnerabilities reported by a vuln scanner
354
The most effective vulnerability scan
credentialed vulnerability scan