Lesson 20 Cyber Security Resilience Flashcards
DNS Sinkhole
A sinkhole is a defense mechanism typically used against DDoS attacks. When a network device or server detects an incoming attack, the "sinkhole" function attempts to redirect the malicious traffic to a honeypot/honeynet (sandbox) for analysis, away from the originally intended target.
RAID
Redundant Array of Independent Disks
- provides redundancy for storage devices
- many disks can act as backups for each other to increase reliability and fault tolerance
- RAID levels are fault tolerance levels
RAID 1 - Level 1
- Mirrored drives
- all drives are identical, i.e. mirrored
- provides redundancy
- Drawback: usable storage capacity is 50% of the entire disk array
- Not for performance, i.e. no speed increase
- only level to use mirroring, no striping
RAID 5 - level 5
- striped drives with one parity bit
- minimum of three disks
- speed of level 0 and redundancy
- fault tolerance of 1
- one disk can fail without losing data
- size: all disks added together minus one disk
RAID 6 - Level 6
- striped drives with two distributed parity bits
- allows for two disk failures without losing data
- minimum of four disks
- speed and more redundancy than level 5
- size: all disks added together minus two disks
RAID 0 - Level 0
- striping without parity
- data written across several disks simultaneously
- no redundancy
- minimum of 2 disks
- good for streaming media
- zero redundancy, if one disk fails all data is lost
- size is all disks added together
RAID 10 - Level 10
- minimum of 4 disks, with mirrored stripes
- data is striped over half the drives and then mirrored to the remaining disks
- no parity bits
- more speed and redundancy than level 6
- has to have an even number of disks
- has much less usable space
- size: half of all disks combined (add all together and divide by 2)
High Availability
Percentage of time the system is online, measured over a defined period, typically one year
Also means the system is able to cope with rapid growth in demand
Converse is downtime; think MTD (maximum tolerable downtime)
Scalability vs Elasticity
Scalability is the capacity to increase resources to meet demand within similar cost ratios
Two types of scalability:
- able to scale out - add more resources in parallel with existing resources
- able to scale up - increase the power of existing resources
Elasticity is the system's ability to handle changes in demand in real time
- scalability that responds to demand in real time
- high elasticity means the system can handle a sudden change in demand in real time
Fault Tolerance - meaning of and how to achieve
A fault tolerant system means the system can experience failures and still provide the same or nearly the same level of service
Fault tolerance is achieved by provisioning redundancy for critical components or single points of failure (SPoF)
Power Redundancy
Protecting systems against power events which could harm the system:
Dual Power Supplies
Managed Power Distribution Units (PDUs)
Battery Backups and Uninterruptible Power Supplies (UPSs)
Generators
NIC Teaming
Network Interface Card (NIC) teaming provides network redundancy at the adapter level
Means a server is installed with multiple NICs, or NICs with multiple ports, with each port connected to a separate network cable. Four 1 GB cables allow the link to have an overall bandwidth of 4 GB
Provides a high-bandwidth link in normal operation, but if one NIC or cable has a problem the network connection still works, at a reduced speed
Switching and Routing Redundancy
Design network cabling to allow multiple paths between switches and routers, so that failure of one part of the network does not affect the rest of the network
Requires use of Spanning Tree Protocol (STP) to prevent loops
Load Balancers
Service-level solutions to balance loads across devices/systems
A load balancing switch distributes workloads between available servers
A load balancing cluster shares data and session information between the cluster of servers to maintain a consistent service
Multipath I/O for disk redundancy
Focused on the path/bus between the server and the storage devices or RAID
Ensures there is controller redundancy and/or multiple paths to the storage devices
Data replication
Technology which maintains exact copies of data at more than one location
SAN - Storage Area Network - uses fiber optics to connect storage devices, including across WAN links
Database replication needs to maintain consistency between the replicas
Virtual Machine (VM) replication across locations may use the VM's disk image and configuration settings
Geographical Dispersal
Data replication between hot and warm sites that are physically distant from one another
Synchronous Replication
Writes data to all replicas at the same time
Asynchronous Replication
Writes data to the primary storage first, then copies data to the replicas at scheduled intervals
Backup Method Types
Full - all selected data is backed up regardless of when it was previously backed up
Incremental - new files and modified files since the last backup (of any type)
Differential - all new and modified files since the last full backup
Backup time / Restore time:
- Full - High / Low
- Incr - Low / High
- Diff - Moderate / Moderate
Archive bit:
- Full - cleared
- Incr - cleared
- Diff - not cleared
Restoral process
Full - restore the last full backup after the disaster
Incr - restore the last full backup plus all the incremental backups since that full backup, in order, after the disaster
Diff - restore the last full backup plus the last differential backup after the disaster
Don't do: mix Incr and Diff - you would have to restore the last full backup plus all the incrementals and only the last diff if it was the last backup in the cycle; CompTIA says not to do this, use full backups with differential or full backups with incremental
Snapshots
Databases are in constant use, so use a point-in-time snapshot as a backup
A point-in-time copy of data maintained by a file system
Windows snapshots on NTFS use the Volume Shadow Copy Service (VSS)
Virtual system managers can take a snapshot or cloned copies of VMs
- snapshot remains linked to the VM
- clone is a separate VM from the point the image was made
Images
Used as an OS backup solution; should not include user files
Can be taken from the hard drive or from a VM's virtual hard disk
Disaster Restoration Order
Know for test - important
Complex facilities must recover from a site outage in a specific order, because bringing systems up out of order can cause power shortages or problems in the network, OS or application layers due to dependencies
Order of Restoration
Enable and test:
1. Power delivery systems (grid power, PDUs, UPS, generators)
2. Switch infrastructure, then routing appliances and systems
3. Network security appliances (firewalls, IDS, proxies)
4. Critical network servers (DHCP, DNS, NTP, and directory services)
5. Back-end and middleware (DBs and business logic); verify data integrity
6. Front-end applications
7. Enable client workstations, devices, and client browser access
Site Resiliency
Hot, warm and cold sites
How fast a site can recover/failover to a backup site
Hot Site - can failover almost immediately; typically a site with equipment kept updated with live data
Warm Site - similar to a hot site, but may need the latest data set to be loaded
Cold Site - may just be a location in which equipment still needs to be installed, etc.
Deception Strategies
Utilize active defense to engage the attackers, by luring or baiting them, with the intent to pursue attribution. Attribution means to publicize the attacker's role and methods so they can be used as threat intelligence.
Deception:
Honeypot - a decoy computer system to attract attackers
Honeynets - a network of honeypots
Honeyfiles - files which contain fake data and can be made traceable
These are used on a network with a lower defense level to attract attackers, with the intent of identifying attackers and their methods
Disruption Strategies
Disruption:
Aim is to raise the cost of an attack and tie up the attacker's resources
Examples:
- bogus DNS entries listing non-existent hosts
- web server configurations with multiple decoy directories or dynamically generated pages to slow down scanning
- fake telemetry data returned when port scanning is detected, or opening more bogus ports, all designed to slow down scanning efforts
- DNS sinkhole to route suspect traffic to a honeynet to be analyzed
3-2-1 Rule of Backup Storage
The 3-2-1 rule for offsite and online backup storage
A rule which states you should have 3 copies of your data, across 2 media types, with 1 copy offline and offsite
Backup Media types
Disk
NAS (Network Attached Storage - RAID accessed via Windows SMB or FTP) - file-level backup
Tape
SAN (Storage Area Network) - often used by cloud providers
- easier to expand/change as needed; higher scalability than directly attached storage
Non-persistence and recovery of systems
Non-persistence means that any given instance is completely static in terms of its processing function
- an instance can be swapped out for an as-new copy without suffering configuration problems
Mechanisms to provide this:
- Snapshot/revert to a known state
- Rollback to a known configuration
- Live boot media/boot from read-only storage into memory
For automation systems:
- Master image/gold copy of image
- Automated build from template
Diversity and Defense in Depth
Use layered security to provide defense in depth, which means having a system with many layers of security controls, thus reducing the attack surface available to an attacker
Control Diversity
Security layers should combine different technical and administrative controls covering the control functions of prevent, detect, correct, and deter.