Security and Compliance Flashcards

1
Q

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of the organization's overall business risks. (The 2005 edition has since been superseded by the 2013 and 2022 revisions; the ISMS scope is unchanged.)

A

sure thing

2
Q

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

A

yuppers

3
Q

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goals of the law are to make it easier for people to keep health insurance, to protect the confidentiality and security of healthcare information, and to help the healthcare industry control administrative costs.

A

yes

4
Q

Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework, CSF)

"...a set of industry standards and best practices to help organizations manage cybersecurity risks."

A
5
Q

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.

A
6
Q

PCI DSS v3.2 (since retired; PCI DSS v4.0 has been mandatory since 31 March 2024, but the twelve requirement headings are essentially the same)

Build and maintain a secure network and systems

Requirement 1: install and maintain a firewall configuration to protect cardholder data

Requirement 2: do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

Requirement 3: protect stored cardholder data

Requirement 4: encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

Requirement 5: protect all systems against malware and regularly update anti-virus software or programs

Requirement 6: develop and maintain secure systems and applications

Implement strong access control measures

Requirement 7: restrict access to cardholder data by business need to know

Requirement 8: identify and authenticate access to system components

Requirement 9: restrict physical access to cardholder data

Regularly monitor and test networks

Requirement 10: track and monitor all access to network resources and cardholder data

Requirement 11: regularly test security systems and processes

Maintain an information security policy

Requirement 12: maintain a policy that addresses information security for all personnel.

A

You don't really need to know these in detail.

7
Q

SAS 70 - Statement on Auditing Standards No. 70 (the old AICPA audit standard for service organizations, superseded by SSAE 16/18 and the SOC reports)

SOC 1 - Service Organization Controls report on controls relevant to customers' financial reporting (accounting standards)

FISMA - Federal Information Security Modernization Act (2014, updating the 2002 Management Act)

A
8
Q

FIPS 140-2 is a US government computer security standard used to approve (validate) cryptographic modules. Modules are rated from Level 1 to Level 4, with 4 being the highest security. AWS CloudHSM meets the Level 3 standard. (FIPS 140-3 is the successor standard.)

A
9
Q

A ___ attack can be achieved by multiple mechanisms, such as large packet floods, by using a combination of reflection and amplification techniques, or by using large botnets.

A

DDoS

10
Q

_____ attacks can use protocols such as NTP, SSDP, DNS, Chargen, SNMP, etc. The attacker sends a third-party server (such as an NTP server) a request with a spoofed source IP address, that of the target. The server then responds to that request with a payload larger than the request (typically in the region of 28 to 54 times larger) to the spoofed address, i.e. to the target.

This means that if the attacker sends a 64-byte packet with a spoofed source address, the NTP server could respond with up to 3,456 bytes of traffic. Attackers coordinate this across many NTP servers at once, so the target is flooded with legitimate-looking NTP responses it never requested.

A

Amplification/Reflection

11
Q

_____

Free service that protects all AWS customers on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53

  • protects against SYN/UDP floods, reflection attacks and other layer 3/layer 4 attacks
  • Shield Advanced provides enhanced protection for your applications running on ELB, CloudFront and Route 53 against larger and more sophisticated attacks. $3,000 per month (one-year commitment).
A

Shield

12
Q

aws ___ ___ provides

  • always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notification of DDoS attacks.
  • a DDoS Response Team (DRT) available 24x7 to manage and mitigate application-layer DDoS attacks.
  • protects your AWS bill against higher fees due to Elastic Load Balancing, CloudFront and Route 53 usage spikes during a DDoS attack.
  • $3,000/month
A

Shield advanced

13
Q

What services can you use to mitigate a DDoS attack?

A

CloudFront

Route 53

ELBs

WAF

Auto Scaling

CloudWatch

14
Q

T or F

You can purchase security products from third-party vendors on the AWS Marketplace (MP)

A

T

15
Q

T or F

You cannot enable MFA using the command line or by using the console

A

False, you can enable MFA using either the CLI or the console

16
Q

You can enforce the use of MFA with the CLI by using the ____ Token Service: an IAM policy can require the aws:MultiFactorAuthPresent condition key, which is only set on temporary credentials obtained after an MFA-authenticated call

A

STS
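
The enforcement trick above has a well-known pitfall, so here is an added example (not part of the original flashcards) showing it in code. The `aws:MultiFactorAuthPresent` key exists only on requests made with STS temporary credentials; a request signed with a long-term access key has no such key, and IAM's `Bool` operator never matches an absent key. The small evaluator below models only that documented piece of IAM condition logic (it is not the real IAM engine); the policy statements and the three request contexts are constructed for the demonstration.

```python
"""Added example (not part of the original flashcards): why a policy that
enforces MFA must use BoolIfExists rather than Bool.

The aws:MultiFactorAuthPresent context key exists only on requests made with
temporary credentials (an STS session). Requests signed with a long-term IAM
access key have no such key at all, and a Bool test against an absent key
never matches, so a Deny written with plain Bool quietly lets access keys
through. The evaluator below models only that part of IAM's documented
condition logic (it is not the real IAM engine); the request contexts are
constructed.
"""

KEY = "aws:MultiFactorAuthPresent"

# Weak statement: deny when MFA is false. An absent key is not "false".
WEAK_DENY = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {KEY: "false"}},
}

# Hardened statement: the IfExists form also matches when the key is absent.
HARDENED_DENY = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {KEY: "false"}},
}


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate Bool / BoolIfExists against a request context.

    Documented IAM behaviour: a missing key makes plain Bool false, while the
    ...IfExists variant treats a missing key as a match.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError("operator not modelled here: " + operator)
        if_exists = operator == "BoolIfExists"
        for key, wanted in pairs.items():
            if key not in context:
                if if_exists:
                    continue      # absent key satisfies the IfExists form
                return False      # absent key can never satisfy plain Bool
            actual = "true" if context[key] else "false"
            if actual != wanted.lower():
                return False
    return True


def is_denied(statement: dict, context: dict) -> bool:
    """True when this Deny statement applies to the request context."""
    if statement["Effect"] != "Deny":
        raise ValueError("example only models Deny statements")
    return condition_matches(statement["Condition"], context)


# Constructed request contexts.
CONTEXTS = {
    "mfa_session": {KEY: True},      # STS credentials issued after MFA
    "no_mfa_session": {KEY: False},  # STS credentials issued without MFA
    "long_term_key": {},             # plain IAM access key: key is absent
}


def compare() -> dict:
    """Deny decision for every context under both statements."""
    return {
        name: {"weak": is_denied(WEAK_DENY, ctx),
               "hardened": is_denied(HARDENED_DENY, ctx)}
        for name, ctx in CONTEXTS.items()
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:15s} weak denies: {r['weak']!s:5s} hardened denies: {r['hardened']}")
```

The long-term-key row is the one that matters: the weak statement does not deny it, the hardened one does. To obtain an MFA-bearing session from the CLI, call `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>` and export the temporary credentials it returns; requests made with them carry `aws:MultiFactorAuthPresent=true` and pass the hardened Deny. Real MFA-enforcement policies pair `BoolIfExists` with `NotAction` so that the few IAM/STS calls needed to enrol a device and fetch the token remain allowed.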

17
Q

You can report on who is using MFA on a per-user basis using IAM ____ _____

A

credential reports

18
Q

____ grants users limited and temporary access to AWS resources

A

STS (security token service)

19
Q

STS

____ - uses Security Assertion Markup Language (SAML)

  • grants temporary access based on the user's Active Directory credentials
  • the user does not need to exist in IAM
  • single sign-on allows users to log in to the AWS console without being assigned IAM credentials

______ ____ ______ ____ - use Facebook/Amazon/Google or other OpenID providers to log in.

____ ____ ____ - lets users from one AWS account access resources in another

A

Federation

federation with mobile apps

cross account access

20
Q

STS key terms:

_____ - combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as AD, Facebook, etc.)

______ _____ - a service that allows you to take an identity from point A and join it (federate it) to point B

_____ _____ - services like AD, Facebook, Google, etc.

____ - a user of a service like Facebook, etc.

A

Federation

Identity Broker

Identity Store

Identities

21
Q

____ is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, an Application Load Balancer or API Gateway. It lets you control access to your content.

A

WAF

22
Q

WAF -

You can configure conditions such as which IP addresses are allowed to make a request, or which query string parameters must be present for the request to be allowed; the Application Load Balancer or CloudFront will then either serve the content or return an HTTP ____ status code.

A

403

23
Q

At its most basic level, AWS WAF allows 3 different behaviors:

  • allow ___ requests except the ones you specify
  • block ___ requests except the ones you specify
  • count the requests that ___ the properties you specify
A

all

all

match

24
Q

WAF integrates with what services?

A

Application Load Balancers

CloudFront

API Gateway

(newer integrations such as AWS AppSync and Amazon Cognito user pools have since been added)

25
Q

AWS WAF does not integrate with:

A

Classic Load Balancers

Network Load Balancers

26
Q

A ____ or virtual machine monitor is computer software, firmware, or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.

A

hypervisor

27
Q

EC2 has traditionally run on Xen hypervisors (newer instance types run on the AWS Nitro hypervisor, which is KVM-based). Xen can have guest operating systems running as either _____ or using ___ ___ ___

A

Paravirtualization

Hardware Virtual Machine

28
Q

____ guests are fully virtualized. The VMs on top of the hypervisor are not aware that they are sharing processing time with other VMs.

___ is a lighter form of virtualization (the guest kernel is modified to cooperate with the hypervisor) and it used to be quicker.

A

HVM

PV

29
Q

Tips

Choose HVM over PV where possible

  • PV is isolated by protection rings: the hypervisor runs in ring 0, the guest OS in ring 1, and applications in ring 3
  • only AWS administrators have access to the hypervisors
  • AWS staff do not have access to the guest OS on your EC2 instances; securing it is your responsibility as the customer (shared responsibility model)
  • all storage and RAM memory is scrubbed before it is delivered to you.
A

yes

30
Q

_____ _____ are EC2 instances that run in a VPC on hardware that's dedicated to a single customer. Your dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.

A

dedicated instances

31
Q

___ ____ may share hardware with other instances from the same AWS account that are not dedicated instances

A

dedicated instances

32
Q

Pay for dedicated instances on demand, save up to ___% by purchasing reserved instances, or save up to ___% by purchasing spot instances.

A

70, 90

33
Q

___ ____ give you additional visibility and control over how instances are placed on a physical server, and you can consistently deploy your instances to the same physical server over time. As a result, dedicated hosts enable you to use your existing server-bound software licenses and address corporate compliance and regulatory requirements.

A

dedicated hosts

34
Q

Dedicated instances are charged by the instance; dedicated hosts are charged by the host.

A

True

35
Q

If you have specific regulatory requirements or licensing conditions, choose dedicated hosts.

A

T

36
Q

Dedicated ____ give you much better visibility into things like sockets, cores, and host ID.

A

hosts

37
Q

The SSM Agent needs to be installed on all of your managed instances

T or F

A

T

38
Q

SSM (Systems Manager) works with on-premises servers as well as instances in the cloud

A

T

39
Q

Confidential information such as passwords, database connection strings, and license codes can be stored in ___ ___ ___

A

SSM parameter store

40
Q

In SSM Parameter Store you can store values in plain text (String) or encrypted (SecureString, encrypted with a KMS key)

A

T

41
Q

In SSM you can reference parameter values by using their names

A

T

42
Q

T or F

You can access S3 objects using pre-signed URLs

A

T

43
Q

Presigned URLs are typically generated with the SDK, but can also be generated using the CLI

A

T

44
Q

Presigned URLs exist for a certain length of time in seconds. The default is ___ hour.

You can change this using "--expires-in" followed by the number of seconds. A URL signed with temporary (STS) credentials also stops working when those credentials expire, whatever --expires-in says.

A

1
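
To make the expiry mechanism concrete, here is an added example (not part of the original flashcards, and not AWS's SDK code) that builds an S3 presigned GET URL with only the Python standard library. The point it shows is that `--expires-in` is not a hint attached to the URL: the lifetime, signing time, credential scope and object path are all inputs to the SigV4 signature, so changing any of them invalidates the URL. The access key, secret, bucket name and object key are constructed placeholders; nothing here contacts AWS.

```python
"""Added example (not part of the original flashcards): building an S3
presigned GET URL with only the standard library, to show what --expires-in
actually does.

A presigned URL is a SigV4 query-string signature over the whole request: the
signing time (X-Amz-Date), the lifetime (X-Amz-Expires), the credential scope
and the bucket/key all feed the signature, so none of them can be edited
after the fact without the secret. The access key, secret, bucket and key
used below are constructed placeholders; nothing here contacts AWS.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

ALGO = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 presigned URLs may live at most seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the SigV4 signing key; the raw secret never signs a request."""
    k_date = _hmac(("AWS4" + secret).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get(bucket: str, key: str, access_key: str, secret: str, region: str,
                when: dt.datetime, expires_in: int = 3600) -> str:
    """Presigned GET URL; the 3600 s default matches the CLI and SDKs."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("expires_in must be between 1 second and 7 days")
    service = "s3"
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")  # `when` is taken as UTC
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/~")  # '/' in the key stays literal
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted by name, names and values URI-encoded.
    canonical_qs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_qs,
        f"host:{host}\n",    # canonical headers block, each line newline-terminated
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs never commit to a body hash
    ])
    string_to_sign = "\n".join([ALGO, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret, amz_date[:8], region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def signature_of(url: str) -> str:
    return url.rsplit("X-Amz-Signature=", 1)[1]


def valid_at(url: str, now: dt.datetime) -> bool:
    """Does the URL's own signed window cover `now`? S3 makes the same check
    server-side; because the window is signed, editing X-Amz-Expires in the
    URL only produces a signature mismatch."""
    q = parse_qs(urlsplit(url).query)
    start = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return start <= now < start + dt.timedelta(seconds=int(q["X-Amz-Expires"][0]))


def demo() -> dict:
    """Run the scenario on constructed inputs and return the checks."""
    t0 = dt.datetime(2024, 1, 1, 12, 0, 0)  # pretend "now", UTC
    args = ("example-bucket", "reports/q1.pdf", "AKIAEXAMPLEKEY", "example-secret",
            "us-east-1", t0)
    url = presign_get(*args, expires_in=600)
    longer = presign_get(*args, expires_in=86400)  # same request, longer lifetime
    try:
        presign_get(*args, expires_in=MAX_EXPIRES + 1)
        rejects_too_long = False
    except ValueError:
        rejects_too_long = True
    return {
        "url": url,
        "valid_5min": valid_at(url, t0 + dt.timedelta(minutes=5)),
        "valid_11min": valid_at(url, t0 + dt.timedelta(minutes=11)),
        "deterministic": url == presign_get(*args, expires_in=600),
        "expiry_changes_signature": signature_of(url) != signature_of(longer),
        "signature_hex_len": len(signature_of(url)),
        "rejects_too_long": rejects_too_long,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`aws s3 presign s3://example-bucket/reports/q1.pdf --expires-in 600` and boto3's `generate_presigned_url` produce a URL of exactly this shape. Two caveats the flashcard does not mention: anyone holding the URL can use it until it expires, so treat it as a bearer token and keep lifetimes short; and the seven-day ceiling applies to the signature itself, while a URL signed with STS session credentials additionally dies when that session does.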

45
Q

You can have AWS Config rules for S3 -

no public read access (managed rule s3-bucket-public-read-prohibited)

no public write access (managed rule s3-bucket-public-write-prohibited)

A

remember this

46
Q

____ is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. ____ automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, ____ produces a detailed list of security findings by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon ____ console or API

A

inspector

47
Q

___ ____ is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.

It will advise you on cost optimization, performance, security, fault tolerance and service limits

It does core checks and recommendations

A

Trusted advisor

48
Q

what service can you use to check service limits?

A

trusted advisor

49
Q

KMS supports symmetric keys only

A

T at the time these cards were written; KMS has also supported asymmetric RSA and elliptic-curve keys since late 2019, so treat this as historical

50
Q

CloudHSM supports both symmetric and asymmetric keys

A

T

51
Q

____ files are used to validate the integrity of CloudTrail log files

A

digest

52
Q

CloudTrail log file integrity validation uses:

SHA-256 for hashing

SHA-256 with RSA for digital signing (the digest files are signed; the signature is stored in the digest object's S3 metadata)

A

T
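
The hashing half of that mechanism is small enough to show in full, so here is an added example (not part of the original flashcards, and not AWS's validator) written against the digest format AWS documents for custom validators: each `logFiles[]` entry holds the hex SHA-256 of the log object as stored in S3, and the string CloudTrail signs with SHA256withRSA is the digest end time, the digest's bucket/key, the hex SHA-256 of the digest object and the previous digest's signature, joined by newlines, with the literal `null` standing in for the previous signature on the first digest of a chain. Account ID, bucket, object keys, the event and the placeholder previous signature are all constructed. Verifying the RSA signature needs the public key from `aws cloudtrail list-public-keys` and a crypto library, so the example builds the string to sign and stops there.

```python
"""Added example (not part of the original flashcards): the SHA-256 half of
CloudTrail log file integrity validation, standard library only, run over a
constructed log object and digest object.

Layout follows what AWS documents for custom validators: logFiles[].hashValue
is the hex SHA-256 of the log object as stored in S3 (the gzipped file), and
the string signed with SHA256withRSA is
    digestEndTime \\n bucket/object \\n sha256hex(digest object) \\n previousDigestSignature
with the literal "null" for the first digest of a chain. Account, bucket,
keys and the placeholder previous signature are constructed.
"""
import gzip
import hashlib
import hmac
import json

ACCOUNT = "111122223333"
BUCKET = "example-trail-bucket"
LOG_KEY = (f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/01/"
           f"{ACCOUNT}_CloudTrail_us-east-1_20240101T1200Z_example.json.gz")
DIGEST_KEY = (f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/01/01/"
              f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240101T120000Z.json.gz")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample() -> tuple:
    """Return (digest dict, {s3 key: object bytes}) for one constructed log file."""
    records = {"Records": [{"eventVersion": "1.08", "eventSource": "signin.amazonaws.com",
                            "eventName": "ConsoleLogin", "eventTime": "2024-01-01T11:30:00Z"}]}
    log_bytes = gzip.compress(json.dumps(records).encode())
    digest = {
        "awsAccountId": ACCOUNT,
        "digestStartTime": "2024-01-01T11:00:00Z",
        "digestEndTime": "2024-01-01T12:00:00Z",
        "digestS3Bucket": BUCKET,
        "digestS3Object": DIGEST_KEY,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestSignature": "ab" * 256,  # placeholder hex; None on a chain's first digest
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": LOG_KEY,
                      "hashValue": sha256_hex(log_bytes), "hashAlgorithm": "SHA-256"}],
    }
    return digest, {LOG_KEY: log_bytes}


def verify_log_files(digest: dict, objects: dict) -> dict:
    """Recompute every referenced log object's hash; map s3Object -> ok.

    A missing object fails too: the digest is the inventory of what should
    exist for the period, so silent deletion is caught as well as editing.
    """
    results = {}
    for entry in digest["logFiles"]:
        if entry["hashAlgorithm"] != "SHA-256":
            raise ValueError("unexpected hash algorithm: " + entry["hashAlgorithm"])
        data = objects.get(entry["s3Object"])
        results[entry["s3Object"]] = data is not None and hmac.compare_digest(
            sha256_hex(data), entry["hashValue"])
    return results


def string_to_sign(digest: dict, digest_object: bytes) -> str:
    """The string whose SHA256withRSA signature sits in the digest's S3 metadata."""
    prev = digest.get("previousDigestSignature") or "null"
    return "\n".join([digest["digestEndTime"],
                      f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
                      sha256_hex(digest_object),
                      prev])


def demo() -> dict:
    digest, objects = build_sample()
    digest_object = gzip.compress(json.dumps(digest).encode())
    clean = verify_log_files(digest, objects)
    # Tamper: remove the event from the log and re-gzip; the hash no longer matches.
    tampered = dict(objects)
    tampered[LOG_KEY] = gzip.compress(json.dumps({"Records": []}).encode())
    after = verify_log_files(digest, tampered)
    missing = verify_log_files(digest, {})
    sts = string_to_sign(digest, digest_object)
    return {
        "clean_ok": all(clean.values()),
        "tamper_detected": not after[LOG_KEY],
        "missing_detected": not missing[LOG_KEY],
        "sign_lines": sts.count("\n") + 1,
        "sign_ends_with_prev_sig": sts.endswith("ab" * 256),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because each digest names its predecessor and carries the previous signature inside its own signed string, an attacker who deletes or rewrites a log file also has to forge a digest and every later digest in the chain, which requires CloudTrail's private key. In practice you run `aws cloudtrail validate-logs`, which performs these hash checks, fetches the public key matching `digestPublicKeyFingerprint`, and verifies the RSA signature for every digest in the range.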
