Lesson 20 Cyber Security Resilience

Question 1

DNS Sinkhole

Answer 1

A sinkhole is a defense mechanism typically used against DDoS attacks. When a network device or server detects an incoming attack the “sinkhole” function attempts to send the malicious traffic to a honeypot/net (sandbox) for analysis, away from the originally indented target.

Question 2

RAID

Answer 2

Redundant Array of Independent Disks
- provides redundancy for storage devices

many disks can act as backups for each other to increase reliability and fault tolerance

RAID levels are fault tolerance levels

Question 3

RAID 1, level 1

Answer 3

Level 1 - RAID 1

• Mirrored drives
• all drives are identical, ie mirrored
• provides redundancy
• Drawback is storage capacity is 50% of entire disk array
• Not for performance, ie no speed increase
• only level to use mirroring, no stripping

Question 4

RAID 5 - level 5

Answer 4

RAID 5 - level 5

• striped drives with one parity bit
• minimum of three disks
• speed of level 0 and redundancy
• fault tolerance of 1
• one disk can fail without losing data
• size all disks together minus 1

Question 5

RAID 6 - Level 6

Answer 5

RAID 6 - Level 6

• striped drives with two distributed parity bits
  
  • allows for two disk failures without losing data
• minimum of four disks
• speed and more redundancy than level 5
• size add all disks together then subtract two

Question 6

RAID 0 - Level 0

Answer 6

RAID 0 - Level 0

• striping without parity
• data written across several disks simultaneously
• no redundancy
• minimum of 2 disks
• good for streaming media
• zero redundancy, if one disk fails all data is lost
• size is all disks added together

Question 7

RAID 10 - Level 10

Answer 7

RAID 10
Minimum of 4 disks with Mirrored strips
data is striped over half the drives and then mirrored to the remaining disks
no parity bits
increased speed and redundancy than level 6

has to have even number of disks
has mush less space
- half of all disks combined (add all together and divide by 2)

Question 8

High Availability

Answer 8

Percentage of time the system is online, measured over a defined period typically one year

Also means system is able to cope with rapid growth in demand

Converse is downtime, think MTD (max tolerable downtime)

Question 9

Scalability vs Elasticity

Answer 9

Scalability is the capacity to increase resources to meet demand within similar cost ratios
two types of scalability
-able to scale out - add more resources in parallel with existing resources
-able to scale up - increase the power of existing resources

Elasticity is the systems ability to handle changes on demand in real time

• quicker scalability demand in real time
• high elasticity means the system can handle a sudden demand in real time

Question 10

Fault Tolerance - meaning of and how to achieve

Answer 10

A fault tolerant system means the system can experience failures and still provide the same or nearly the same level of service

Fault tolerance is achieved through provisioning redundancy for critical components or single points of failure (SPoF)

Question 11

Power Redundancy

Answer 11

Protecting systems against power events which could harm system
Dual Power Supplies
Managed Power Distribution Units (PDUs)
Battery Backups and Uninterruptible Power Supplies (UPSs)
Generators

Question 12

NIC Teaming

Answer 12

Network Interface Card (NIC) Teaming to provide network redundancy at the adapter level
Means a server is installed with multiple NICs or NICs with multiple ports allowing each port to a separate network cable. Four 1 GB cables allow the network to have an overall bandwidth of 4 GB

Provides for high-bandwidth link in normal operation but if a one NIC or cable has a problem the network connection can still work but at a reduced speed

Question 13

Switching and Routing Redundancy

Answer 13

Design network cabling to allow for multiple paths between switches and routers allowing failure of one part of the network to not affect the rest of the network

Requires use of Spanning Tree Protocol (STP) to prevent loops

Question 14

Load Balancers

Answer 14

Service Level solutions to balance loads across devices/system

Load balancing switch will distribute workloads between available servers

Load balancing cluster will share data and session information between the cluster of servers to maintain a consistent service

Question 15

multipath I/O for disk redundancy

Answer 15

focused on the path/bus between the server and the storage devices or RAID

ensures there is controller redundancy and/or multiple paths to the storage devices

Question 16

Data replication

Answer 16

technology which maintains exact copies of data at more than one location

SAN - Storage Area Network - utilized fiber optic to connect storage devices, including across WAN links

Database replication needs to maintain consistency between the replicas

Virtual Machine (VM) - across locations may utilize VMs disk image and configuration settings

Question 17

Geographical Dispersal

Answer 17

data replication between hot and warm sites physically distant from one another

Question 18

Synchronous Replication

Answer 18

writes data to all replicas at the same time

Question 19

asynchronous replication

Answer 19

writes data to the primary storage first, then copies data to the replicas at scheduled intervals

Question 20

Backup Method Types

Answer 20

Full - all selected data is regardless of when it was previously backed up

Incremental - New files and modified files since last backup

Differential - All new and modified files since the last full backup

Backup/Restore time
Full - High/Low
Incr - Low/High
Diff - Moderate/Moderate

Archive
Full - cleared
Inra - cleared
Diff - Not cleared

Restoral process
Full - restore the last backup after the disaster
Incr - restore the last full backup plus all the incr backups since the last full backup after the disaster
Diff - restore the last full backup plus the last incr backup after the disaster
Don’t do: mix Incr and Diff - restore the last full backup plus all the incremental and only the last diff if it was the last backup in the cycle; CompTIA says to not to do this, should use full backups with differential or fullbackups with incremental

Question 21

Snapshots

Answer 21

Databases are in constant use, so use a snapshot in time as a backup

Point-in-time copy of data maintained by a file system

Windows snapshots on NTFS use the Volume Shadow Copy Service (VSS)

Virtual system managers can take a snapshot or cloned copies of VMs

• snapshot remains linked to the VM
• clone is a separate VM from the point the image was made

Question 22

Images

Answer 22

Used for OS backup solution, should not include user files

Can be done from the hard drive or from a VMs virtual hard disk

Question 23

Disaster Restoration Order

Know for test - important

Answer 23

Complex facilities must recover from a Site outage in a specific order as it can cause power shortages or problems in the network, OS or application layers due to dependencies

Order of Restoration
Enable and test:
1. Power delivery systems (grid power, PDUs, UPS, generators)
2. Switch infrastructure, then routining appliances and systems
3. Network security appliances (firewalls, IDS, process)
4. Critical network servers (DHCP, DNS, NTP, and directory services)
5. back-end and middleware (DBs and business logic). Verify data integrity.
6. front-end applications
7. Enable client workstations, devices, and client browser access

Question 24

Site Resiliency

hot, warm, cold sites

Answer 24

How fast as site can recover/failover to a backup site
Hot Site - can failover almost immediately, possibly a site with equipment updated with live data
Warm Site - similar to Hot Site, may need the latest data set to be loaded
Cold Site - may just be a location which needs to install equipment, etc.

Question 25

Deception Strategies

Answer 25

Utilize Active defense to engage the attackers, by luring or baiting with in the intent to pursue attribution. Attribution means to publicize attackers role and method to be used as threat intelligence.

Deception:
Honeypot a decoy computer system to attract attackers
Honeynets are a network of honeypots
Honeyfiles are files which contain fake data and can be made to be traceable
These are used with a lower defense level network to attract attackers with the intent of identifying attackers and their methods

Question 26

Disruption Strategies

Answer 26

Disruption:
aim is to raise the attack cost and tie up attackers resources
Examples:
bogus DNS entries listing non-existent hosts

web server configurations with multiple decoy directories or dynamically generated pages to slow down scanning

fake telemetry data returned when port scanning is detected or opening more bogus ports all designed to slow down scanning efforts

DNS sinkhole to route suspect traffic to a honeynet to be analyzed

Question 27

3-2-1 rule of Back up Storage

Answer 27

The 3-2-1 rule for offsite and online backup storage

a rule which states you should have 3 copies of your data, across 2 media types, with 1 copy offline and offsite

Question 28

Backup Media types

Answer 28

Disk
NAS (Network Attached Storage - RAID via Win SMB or FTP) - file level backup
Tape
SAN (Storage Area Networks) often used by Cloud
- easier to expand/change as needed, higher scalability than attached storage

Question 29

Non-persistence and recovery of systems

Answer 29

Non-persistence means that any given instance is completely static in terms of processing function
- data can be swapped out for a as new copy without suffering configuration problems

Mechanisms to provide this:

• Snapshot/revert to know state
• Rollback to know config
• Live boot media/boot from read-only storage to memory

For automation systems:

• Master image/gold copy of image
• Automated build from template

Question 30

Diversity and Defense in Depth

Answer 30

Use layered security to provide defense in depth which means to have a system which has many layers of security controls, thus reducing the attack surface for an attacker

Question 31

Control Diversity

Answer 31

Security layers of control should combine different technical and administrative controls functions of prevent, detect, correct, and deter.