Domain 5 - Cloud Security Operations Flashcards
What are security issues relevant to Storage Controllers?
Storage controllers control storage devices - access control, data assembly, interface to storage device.
Relevant Security Issues:
a) Access Control
b) Encryption in transit and rest
c) Adequate isolation/segmentation to address confidentiality and availability.
How do you secure network configurations?
In public cloud, CSPs are responsible for managing the networking hardware (switches, routers and NICs).
- Provide adequate physical and environmental security (power, connectivity, security, cooling etc.)
- Resiliency and redundancy (no SPOF)
- Flexible and scalable network architecture - SDN, sufficient physical connectivity, support for VLAN (802.1Q).
- Security capabilities for virtualized networks - e.g. Traffic mirroring
- Customer managed security controls - e.g. VPC/SG/NACL etc.
In a cloud environment, what are the hardware elements that need to be protected?
1) BIOS
2) TPM
3) Storage Controllers
4) Network Configurations
5) Virtualization Management tools.
6) Virtual HW Specific Security Configs
How do you secure the BIOS?
Per NIST, there are four security features for BIOS:
a) Authenticated updates
b) secure local updates
c) firmware integrity
d) non-bypassability
How do you secure the Virtualization Management tools?
Virtualization Management tools are critical.
- Harden them per instructions from vendor (e.g. VMWare vSphere) and industry standards (e.g. CIS benchmarks)
- Redundant - so there’s no SPOF
- Scheduled downtime and maintenance - enables patching and keeping up to date
- Isolate network and robust access controls - least privilege, encryption/VPN access, dedicated mgmt network
- Config and change management - formal change management procedures
- Logging and Monitoring
What security configuration steps secure the Virtual HW?
- Hypervisor configuration (more applicable to VMWare than to public cloud - e.g. limiting inter VM Communications)
- Patching virtualization tools
- VPC and SG settings that are controlled by the consumer
- Provisioning the right amount of virtual HW to control costs
- Using Infrastructure as Code and Autoscaling
- Using serverless computing to reduce cost and increase security.
What are the security features of a secure KVM (keyboard-video-mouse switch)?
Ideal for local administration (as opposed to remote admin via SSH/RDP/VNC).
- Isolated data ports - connected systems are physically isolated from each other (no data leaks)
- Tamper-evident/tamper-resistant designs
- Secure storage - e.g. buffers
- Secured firmware - firmware cannot be changed or only signed updates accepted
- Physical disconnect - KVM contains buttons to switch between systems
- USB Port and device restrictions - may allow keyboard and mouse USBs but not storage ones.
What are the protocols used for secure remote access to manage virtual resources?
- SSH
- RDP
- Virtual Network Computing - equivalent of RDP for Linux/Unix systems.
- Secure access to the management console (e.g. via HTTPS/TLS or secure APIs/CLIs).
What are concepts used to secure network traffic?
- Use of VLANs to segregate traffic
- Use of TLS for data in transit.
- Use of DHCP with IPSec
- Use of DNS with security extensions
- Use of VPNs.
- Software defined perimeter
What are the most common DNS attacks?
- Cache poisoning - malicious user updates a DNS record to point to an incorrect IP address; normally by initiating a zone transfer; DNS does not authenticate originator of zone transfers
- DNS Spoofing - Attacker spoofs a DNS service and redirects queries to bogus websites.
DNSSEC - DNS Security Extensions counter these - e.g. use of digital signatures.
What are the various types of VPN protocols?
- OpenVPN
- IKEv2/IPSec
- SSL VPN/TLS VPN - e.g. normally from a browser
What does a Software Defined Perimeter architecture contain?
SDP Controller - authenticates and enforces access controls
SDP Hosts - authenticate to the SDP Controller; only accepts communication via SDP Controller
SDP Hosts initiate connections to other hosts via the SDP Controller.
What are TPMs and what do they do?
- Trusted Platform Module or Cryptographic co-processors.
- Support crypto functions (e.g. random number generation, asym keys, hashing)
- Store crypto keys and other sensitive data securely
- Used to form root of trust - TPMs sign hash of firmware
- Provide tamper resistance/evidence
- Implemented as a) dedicated HW b) part of another chip c) virtually in SW as part of the hypervisor
How do you harden an OS?
- Change default creds
- Lock/disable default accounts not needed
- Install security tools like anti-malware
- Configure security settings in OS
- Remove/disable un-needed applications, services (eg. Windows Media Player), and functions.
- Disable non-secure protocols like FTP
Creating a machine image (gold standard) is a good way to do this in virtualized environments.
What are the ways to create baseline/standard secure OS?
- Customer defined VM images - customer spins up a VM, configures it (per CIS benchmarks) and creates a snapshot from which all other VMs are launched.
- CSP-defined images
- Vendor supplied images
- DISA STIG for hardening
- NIST Checklist
- CIS Benchmarks
What are the concepts of “limit” and “share” in virtualization?
In virtualization, a hypervisor mediates tenants’ access to shared/pooled resources (RAM, CPU Cores).
- Limit is the maximum allocation to a VM
- Share - a weighting, percentage based access to pooled resources.
Probably more common in VMWare types of deployments.
What are live migration tools?
- Probably common in VMWare (with vMotion)
- VMs are migrated from one host to another so that maintenance can be done.
- AWS doesn’t need to do live migration because of the Nitro architecture which can be updated without affecting customer VMs.
- Live migration affects availability, integrity and confidentiality (unencrypted transmission of workloads from one machine to another) of workloads.
What’s the difference between uptime and availability?
Uptime = amount of time system is up and running
A system may be up, but if it is not reachable because of network outage it is NOT available.
What is the Uptime Institute's tiering system?
Uptime institute publishes specs for physical and environmental redundancy expressed as Tiers.
All tiers must have generators for power backup with 12 hours of fuel.
Tier 1 - “basic site” - No redundancy; protects disruptions from human error, but not unexpected failure or outage.
Tier 2 - “redundant site” - partial redundancy (e.g. for power and cooling); unplanned interruption may not cause an outage
Tier 3 - “Concurrent maintainability” is key. Redundancy for all critical components and distribution paths. Any part can be shut down for maintenance without affecting IT operations.
Tier 4 - “Fault tolerant” - multiple independent and physically isolated systems. Systems have a fault tolerant sequence of operations with self-correcting mitigations in place.
AWS data centers are Tier 3+, and probably Tier 4.
What is Distributed Resource Scheduling?
- DRS is part of VMWare offering
- SW component that does resource management for a cluster of HW nodes.
- Handles reservations and limits for VMs
- Maintenance support - live migration
- Adding additional hosts in cluster for elasticity/scalability
- Energy management (power down hosts during low usage).
What is Microsoft’s Virtual Machine Manager and Dynamic Optimization?
- Similar to VMWare’s DRS.
- Power management, live migration
- Balancing workloads across multiple hosts
What’s the difference between tightly and loosely clustered storage?
Tightly coupled storage cluster - same manufacturer, better performance, updates and expansion must come from same manufacturer. Files are broken into blocks and written to disk (block writes are faster than file writes and also easier to mirror).
Loosely coupled - off-the-shelf parts, lower performance; file-level storage means lower performance
How do you ensure availability of Guest OS?
- Backup and recovery - creating instance snapshots from which new VMs are created.
- Resilience - architect for resiliency; using clustered architecture with live migration.
In AWS, only EBS volumes can be snapshotted. Live migrations are not supported. However, EC2 instances that become unavailable due to underlying host issues can be automatically recovered on another physical host.
How can you reduce risk associated with remote access?
- Session encryption (e.g. use TLS 1.3, session specific crypto keys to prevent replay attacks)
- Strong AuthN - MFA, Strong Password, Shared Secret Keys for SSH.
- Separate privileged and non-privileged accounts; non-priv accounts for email and web-browsing; special accounts for cloud management
- Enhanced logging and frequent reviews - especially for admin accounts
- Use IAM Tools - e.g. IDaaS, CSP’s IAM
- Single Sign On
What is OS Baseline Compliance Monitoring and Remediation?
- Ensuring that OSes conform to an approved baseline and don’t drift over time.
- No unauthorized changes are made
- Identify any unauthorized changes and roll back immediately.
- Changes are properly reviewed and approved via a Change Management process.
How do you enforce OS compliance to a baseline?
- Use a CMDB to document approved configs and enforce this through an audit
- Organization wide vulnerability scanning (e.g. see if any hosts are using non-secure FTP)
- Immutable architecture - periodically throw away VMs and rebuild from approved baseline.
What are the key steps in a Patch Management process?
- Vulnerability detection (done by researchers or vendors)
- Publication of patch (vendors develop patches, users must subscribe to notifications/feeds)
- Evaluation of patch applicability - is the patch applicable
- Test - testing in limited environments
- Apply and track - ensure that all systems are patched; track metrics for SLA
- Rollback, if needed
- Document - update CMDB and known baselines.
In the cloud a few additional techniques are available:
a) Using infrastructure as code - update code to utilize latest patched version
b) Immutable architecture - use IaaC to build new architectures from updated patched baselines
c) Software Composition Analysis (SCA) - used to identify vulnerabilities in open source code.
What elements of the cloud are monitored for capacity and performance?
Both CSP and customers do monitoring. Monitoring helps plan capacity and detect security issues (e.g. bitcoin mining).
- Network - bytes in/out, link status, dropped packets
- Compute - CPU utilization
- Storage and Memory - amount used, speed of access (IOPS, S3 vs. Glacier)
What elements are targets for HW Monitoring?
Normally done by CSPs.
- CPUs, RAM, Fans, Disk drives, network gear
- SSDs
- SAN Controllers (which report their own health)
- Environmental (heat, humidity and water)
Who has responsibility for backups?
- CSP: Hypervisor and host OS; SaaS application data; some PaaS VM data.
- CSC: IaaS VM backups
What are risks associated with backups?
- Sensitive data may be stored in unencrypted backups
- Backups may reside on the same system as the original
- Backups may become unusable over time (not current).
What are issues associated with network analysis tools?
- Traditional network analysis tools relied on packet capture from a SPAN or Mirror port on a switch.
- However, in the cloud, traffic between VMs on the same host does not pass through a switch and hence these tools are rendered useless.
What is a SPAN port?
- Switched Port Analyzer
- A port on a switch through which traffic is sent to a monitoring device.
- These are different from network TAPs - which are dedicated HW devices with an A port, B port and Monitor port.
- TAPs, unlike SPAN ports on switches, don’t have capacity limitations since they are dedicated.
What are the different types of network firewalls?
- Stateless Firewalls (block traffic according to rules - does not work with VoIP where signaling and data happen on different ports)
- Stateful - maintains state. Allows communication on a high port if it sees prior traffic
- WAF, API GW, XML Parser - for complex attacks like SQL injection which cannot be detected at the network layer
- Security Groups - abstraction of a FW for virtualized resources. VMs may be in different AZs but still in the same SG.
- Next Gen FW - a combination of FWs (Stateful, APIGW), combined with VPN and other security functions.