Security and Compliance Flashcards
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system within the context of the organization's overall business risks.
sure thing
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
yuppers
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information, and help the healthcare industry control administrative costs.
yes
framework for improving critical infrastructure cybersecurity
“…a set of industry standards and best practices to help organizations manage cybersecurity risks.”
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.
PCI DSS v3.2
Build and maintain a secure network and systems
Requirement 1: install and maintain a firewall configuration to protect cardholder data
Requirement 2: do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: protect stored cardholder data
Requirement 4: encrypt transmission of cardholder data across open, public networks
Requirement 5: protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: develop and maintain secure systems and applications
Requirement 7: restrict access to cardholder data by business need to know
Requirement 8: identify and authenticate access to system components
Requirement 9: restrict physical access to cardholder data
Requirement 10: track and monitor all access to network resources and cardholder data
Requirement 11: regularly test security systems and processes
Requirement 12: maintain a policy that addresses information security for all personnel
You don't really need to know this
SAS70 - statement on auditing standards no 70
soc1 - service organization controls - accounting standards
FISMA - Federal Information Security Modernization Act
FIPS 140-2 is a US government computer security standard used to approve cryptographic modules. Rated from level 1 to level 4, with 4 being the highest security. AWS CloudHSM meets the level 3 standard.
A ___ attack can be achieved by multiple mechanisms, such as large packet floods, by using a combination of reflection and amplification techniques, or by using large botnets.
DDoS
_____ attacks can include things such as NTP, SSDP, DNS, Chargen, SNMP attacks, etc., and are where an attacker sends a third-party server (such as an NTP server) a request using a spoofed IP address. That server will then respond to that request with a greater payload than the initial request (usually in the region of 28 to 54 times larger than the request) to the spoofed IP address.
This means that if the attacker sends a packet with a spoofed IP address of 64 bytes, the NTP server would respond with up to 3,456 bytes of traffic. Attackers can coordinate this and use multiple NTP servers a second to send legitimate NTP traffic to the target.
Amplification/Reflection
_____
A free service that protects all AWS customers on Elastic Load Balancing (ELB), Amazon CF and Route 53
- protects against SYN/UDP floods, reflection attacks and other layer 3/layer 4 attacks
- Advanced provides enhanced protections for your apps running on ELB, CF and Route 53 against larger and more sophisticated attacks. $3000 per month.
Shield
AWS ___ ___ provides
- always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks.
- a DDoS Response Team (DRT) 24x7 to manage and mitigate application-layer DDoS attacks.
- protection for your AWS bill against higher fees due to Elastic Load Balancing, CF and Route 53 usage spikes during a DDoS attack.
- $3000/month
Shield advanced
What services can you use to mitigate a DDoS attack?
CF
route53
elb’s
wafs
autoscaling
cw
T or F
You can purchase security products from 3rd-party vendors on the Marketplace (MP)
T
T or F
You cannot enable MFA using the command line or by using the console
False, you can use both the CLI and the console to enable MFA
Can you enforce the use of MFA with the CLI by using the ____ token service
STS
You can report on who is using MFA on a per user basis using ____ _____
credential reports
____ grants users limited and temporary access to AWS resources
STS (security token service)
STS
____ - uses Security Assertion Markup Language (SAML)
- grants temporary access based on the user's AD credentials
- does not need to be a user in IAM
- single sign-on allows users to log in to the AWS console without assigning IAM credentials
______ _____ - use Facebook/Amazon/Google or other OpenID providers to log in.
____ ___ ____ - lets users from one AWS account access resources in another
Federation
federation with mobile apps
cross account access
STS key terms:
_____ - combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as AD, Facebook, etc.)
______ _____ - a service that allows you to take an identity from point A and join it (federate it) to point B
_____ _____ - services like AD, Facebook, Google, etc.
____ - a user of a service like Facebook, etc.
Federation
Identity Broker
Identity Store
Identities
____ is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CF, an application load balancer, or API Gateway. It lets you control access to your content.
WAF