Week 10: Security the Cloud - Key Strategies and Best Practices Flashcards

1
Q

With ___, we strive to implement security controls that provide proactive protection from threats

A

prevention

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A sound security strategy must include ___to identify threats or compromises

A

detection

Timeliness and effectiveness of detection is critical to enable effective response

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

With ___activities we seek to address threats as they are detected or afterward with remediation, recovery, and forensics

A

response

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Addressing security risks can be done in various ways, but without a ___ and a ___ such efforts often prove ineffective

A

sound process

considered strategy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Whether building a cloud infrastructure or adopting a public cloud service, leveraging the right process and strategy for managing risk will have recurring benefits:

A

better security,
lower ongoing operational costs,
reputation for taking security seriously enough to plan ahead

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

security controls equation

A

On one side, you have the costs involved in the consequences of a security breach or being subject to an exploit

On the other side, you have various costs associated with implementing security countermeasures

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

There comes a point for any system where additional preventative actions ___

A

incur costs that bring fewer and fewer returns

diminishing returns

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Actors on two sides of security controls equation

A

Engineers and security personnel vs business people

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Effectively managing security risk involves multiple activities that extend over time and can be grouped into four stages

A

Planning
Implementation
Evaluation
Maintenance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Security Risk Stages - Planning

A

This stage is a prerequisite to properly match security controls to address risks in an effective manner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Security Risk Stages - Implementation

A

This stage involves placing and configuring security controls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Security Risk Stages - Evaluation

A

This stage involves assessing the efficacy of security controls and periodically reviewing their adequacy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Security Risk Stages - Maintenance

A

Periodically, it will become necessary to perform configuration changes and updates, including security-relevant modifications

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Example Framework for Managing Security Risks

A

NIST, and CoBIT

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Security controls are countermeasures or safeguards to ___ or otherwise ___to security risks

A

prevent, avoid, counteract, detect,
respond

They can be technical mechanisms, manual practices, or procedures

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Recommended Security Controls for Federal Information Systems and Organizations - which publication?

A

NIST Special Publication 800-53

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

NIST Special Publication 800-53 states that, in order for Federal Agencies to comply with federal standards, they must

A

determine the security category of their information systems in accordance with FIPS 199

derive the information system impact level from the security category in accordance with FIPS 200

apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

NIST-defined controls are divided into 3 broad classes

A

Technical, Operational, and Management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Security controls are further organized into ___that fall into these ___ (e.g., Access Control, AC)

A

18 families

3 classes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

each NIST security control has a unique identifier, for example

A

AC-14

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

In the U.S. federal government, non-classified systems are characterized according to low, moderate, or high-__information systems

A

impact

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The emphasis on security controls in this unclassified realm might not be as much on ___as it is on ___and ___

A

confidentiality
integrity
availability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

FIPS 199 Impact Classification LOW

A

if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals

degradation in mission capability
minor damage
minor financial loss
minor harm to individuals

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

FIPS 199 Impact Classification HIGH

A

if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

The implementation of information categories is achieved by adding new structures and mechanisms to label and enforce separation at the ___

A

OS level

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Another set of security controls that are sometimes used in the classified world have to do with the concept of ___

A

“originator controlled” data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

“originator controlled” data

A

An illustrative example of this is an email that the original sender addresses to a set of trusted recipients

However, the original sender may wish to control the resending of those emails to other potential recipients

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

The Cloud Security Alliance Approach to cloud security

A

The Cloud Security Alliance developed a Cloud Controls Matrix

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Cloud Controls Matrix

A

A framework of nearly 100 distinct control specifications

Version 1.0 was released in April 2010, version 3.0.1 in July 2014

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

The CSA Cloud Controls Matrix emphasizes business information ___ in a form that provides ___and ___ for matching information security to cloud industry needs

A

security controls
structure
detail

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Security is Often Ineffective (software perspective)

A

Software development practices are typically neither rigorous nor focused on engineering principles and verification

Software development often tends toward initial releases that saddle users or administrators with bugs and vulnerabilities followed by patching
- The result is that security is often an afterthought

Software frameworks and functionality scaffolding have grown huge

Installation and configuration of software is usually not performed following a rigorous and defined process that brings identical results

Discovery of new vulnerabilities extends over time to include even older and mature software

32
Q

cost effective and secure cloud demands ___, ___, and ___in system and infrastructure management

A

reliability
maturity
agility

33
Q

Where ___ are used to manage vulnerabilities, it is important that this be done without introducing new vulnerabilities

A

compensating controls

Implementing compensating security controls around poorly designed applications or systems only adds greater complexity

34
Q

Good security exhibits several qualities, including ___

A

simplicity

A goal for cloud security is ease of use and adoption of security controls

35
Q

Risk is viewed in terms of the ___that ___would exploit ___and compromise the value of information assets

A

probability
threats
vulnerabilities

36
Q

Security must be ___by exposing and mitigating new vulnerabilities

A

continually improved

37
Q

Exploits tend to take advantage of ___that otherwise do not cause issues

A

borderline circumstances

38
Q

____is a key strategy and a best practice for cloud computing security

A

Monitoring

39
Q

The scope of a policy will vary according to the type of cloud

There will be some overlap between SaaS, PaaS, and IaaS policies, but largely these will become increasingly ___moving from SaaS to IaaS

A

broader

40
Q

It is a best practice for a cloud provider and for cloud consumer organizations to create and define a clear ___for cloud security

A

policy

41
Q

Policies should be updated as needed, and they should be supplemented by the use of ___, ___, and related ___that enable implementation of policy

A

standards
procedures
guidelines

42
Q

___ is a core goal for cloud computing security

A

Risk management

43
Q

The objectives of risk management best practices are to ___, ___, and ___security risks in a cloud initiative

A

assess
address
reduce

44
Q

Among the considerations for residual risk are not only actual damages but also damages to the organization’s ___or ___

A

brand

reputation

45
Q

A best practice for risk management is to begin with an understanding and assessment of the ___ and orient the selection of ___along with appropriate security practices and procedures toward managing risks

A
risks (risk analysis) 
security controls (security life cycle framework)
46
Q

It is a best practice to implement a configuration and change management process that can:

A

govern proposed changes

identify possible security consequences

provide assurance that the current operational system is correct in version and configuration

47
Q

The relationship between configuration management and ___ procedures is often neglected in commercial implementations

A

security control

48
Q

The root cause of older and vulnerable configurations making their way back into production is typically a process failure in ___ or ___

A
configuration management (CM)
change control (CC)
49
Q

Systems are simply too large and too complex for purely manual processes in ___ and ___ to support ongoing security evaluation of the various changes that an operational system is subject to

A
configuration management (CM)
change control (CC)
50
Q

Audit best practices include

A

Following a regular schedule in using tools, like Nessus, to identify newly exposed vulnerabilities, configuration issues, weak passwords and to perform patch level verification

Periodically reviewing the security controls that are in place, and assessing their effectiveness with respect to current or anticipated risks

Using automated tools and manual procedures to verify policy compliance

Periodic use of an independent penetration testing service to determine if the system can withstand representative exploits

Reviewing system logs on a periodic basis to verify the correct operation of security monitoring

51
Q

Auditing seeks to verify ___, review the effectiveness of ___, and validate security ___

A

compliance
controls
processes

52
Q

Auditing in PaaS

A

For PaaS the adoption of such tools is MORE PROBLEMATIC as tenants have less control

53
Q

Auditing in IaaS and PaaS

A

should be performed by CSP or even tenants

54
Q

The objectives of vulnerability scanning are

A

Catalog all components so that the resulting list can be used to verify configuration management data

Identify any new vulnerabilities, and identify risky services

55
Q

In general, there are two classes of scanning

A

Performed from the outside of a machine

A more thorough scan requires that the scanner authenticate to the target to take a complete inventory of the system from the inside

56
Q

The use of a database to store___ makes these immediately available to auditors and automated tools for compliance and other tasks

A

vulnerability scan results

57
Q

It is a best practice to limit___ to the smallest set necessary for the users to perform their work

A

user privileges

58
Q

In the cloud, the ___ is already partially implemented by the nature of the model itself

A

segregation of duties

Requests for changes by the cloud provider will go through a configuration management process where they will be vetted by all the major business functions, security included

Depending on the cloud deployment model, the tenant will have a varying degree of responsibility for and control over configuration changes

59
Q

Highly sensitive functions should entail a ___ to assure that these functions are properly invoked

A

two-person rule

60
Q

The ___ is focused on best practices for building clouds

A

Cloud Computing Use Case Discussion Group

61
Q

NIST’s Consumer Best Practices

A

Selecting a CSP based on how their overall security compares to current practices

Selecting a CSP based on their willingness to offer transparency into key security practices, including risk assessment and incident response

62
Q

NIST’s Providers Best Practices

A

Providing network isolation between infrastructure control traffic and user traffic

Using a CMDB

Using integrity checking software to detect unauthorized changes

Implementing scalable and robust Identity Management

Using security as a form of competitive differentiation

63
Q

It is a best practice to automate the collection of security events from all security-relevant network devices, servers, and applications
These events should be
1. ___
2.___

A

archived in raw form to preserve a legal record of all security-relevant activity

assessed via automated means to detect situations warranting alerts

64
Q

Security Feedback

A

At a high level we seek to provide a feedback loop for the system

65
Q

In security monitoring, security feedback is based on three sets of information

A

Knowledge about the infrastructure
- CMDB

Event data
- Output

Security rules
- Used to assess the event data

66
Q

Security monitoring has several important purposes for CSPs and tenants

A
Threat Detection 
Verification of Security Controls 
Exposure of Bugs 
Legal Record of Activity 
Enabling Forensics
67
Q

The sheer amount of raw security event data that is generated in even a small cloud infrastructure demands that the collection, handling, analysis, and storage of data be ___

A

efficient

68
Q

Security-relevant data can be generated at ___

A

every level of a cloud infrastructure

69
Q

Event Stream

A

Generation of Security Events
Collection of Security Events
Correlation and Analysis Strategies

70
Q

Event Stream - Generation of Security Events

A

Security-relevant data can be generated at every level of a cloud infrastructure
All modern OSs are capable of generating security event data

71
Q

Event Stream - Collection of Security Events

A

Many tools are available to collect, forward, and manage security events, but syslog is the most common

72
Q

Event Stream - Correlation and Analysis Strategies

A

Having generated and collected events, we now seek to make sense of them through a variety of techniques, such as attack signatures

73
Q

In other words, the security around monitoring must __or __that of the system and its data

A

meet

exceed

74
Q

It is a best practice in cloud security to assure the security of ___and the integrity and availability of the ___

A

monitoring

event stream

75
Q

Cloud providers can be expected to offer broader and richer security ___and ___capabilities for their tenants

A

monitoring

alerting