Week 10: Security the Cloud - Key Strategies and Best Practices

Question 1

With ___, we strive to implement security controls that provide proactive protection from threats

Answer 1

prevention

Question 2

A sound security strategy must include ___to identify threats or compromises

Answer 2

detection

Timeliness and effectiveness of detection is critical to enable effective response

Question 3

With ___activities we seek to address threats as they are detected or afterward with remediation, recovery, and forensics

Answer 3

response

Question 4

Addressing security risks can be done in various ways, but without a ___ and a ___ such efforts often prove ineffective

Answer 4

sound process

considered strategy

Question 5

Whether building a cloud infrastructure or adopting a public cloud service, leveraging the right process and strategy for managing risk will have recurring benefits:

Answer 5

better security,
lower ongoing operational costs,
reputation for taking security seriously enough to plan ahead

Question 6

security controls equation

Answer 6

On one side, you have the costs involved in the consequences of a security breach or being subject to an exploit

On the other side, you have various costs associated with implementing security countermeasures

Question 7

There comes a point for any system where additional preventative actions ___

Answer 7

incur costs that bring fewer and fewer returns

diminishing returns

Question 8

Actors on two sides of security controls equation

Answer 8

Engineers and security personnel vs business people

Question 9

Effectively managing security risk involves multiple activities that extend over time and can be grouped into four stages

Answer 9

Planning
Implementation
Evaluation
Maintenance

Question 10

Security Risk Stages - Planning

Answer 10

This stage is a prerequisite to properly match security controls to address risks in an effective manner

Question 11

Security Risk Stages - Implementation

Answer 11

This stage involves placing and configuring security controls

Question 12

Security Risk Stages - Evaluation

Answer 12

This stage involves assessing the efficacy of security controls and periodically reviewing their adequacy

Question 13

Security Risk Stages - Maintenance

Answer 13

Periodically, it will become necessary to perform configuration changes and updates, including security-relevant modifications

Question 14

Example Framework for Managing Security Risks

Answer 14

NIST, and CoBIT

Question 15

Security controls are countermeasures or safeguards to ___ or otherwise ___to security risks

Answer 15

prevent, avoid, counteract, detect,
respond

They can be technical mechanisms, manual practices, or procedures

Question 16

Recommended Security Controls for Federal Information Systems and Organizations - which publication?

Answer 16

NIST Special Publication 800-53

Question 17

NIST Special Publication 800-53 states that, in order for Federal Agencies to comply with federal standards, they must

Answer 17

determine the security category of their information systems in accordance with FIPS 199

derive the information system impact level from the security category in accordance with FIPS 200

apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53

Question 18

NIST-defined controls are divided into 3 broad classes

Answer 18

Technical, Operational, and Management

Question 19

Security controls are further organized into ___that fall into these ___ (e.g., Access Control, AC)

Answer 19

18 families

3 classes

Question 20

each NIST security control has a unique identifier, for example

Answer 20

AC-14

Question 21

In the U.S. federal government, non-classified systems are characterized according to low, moderate, or high-__information systems

Answer 21

impact

Question 22

The emphasis on security controls in this unclassified realm might not be as much on ___as it is on ___and ___

Answer 22

confidentiality
integrity
availability

Question 23

FIPS 199 Impact Classification LOW

Answer 23

if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals

degradation in mission capability
minor damage
minor financial loss
minor harm to individuals

Question 24

FIPS 199 Impact Classification HIGH

Answer 24

if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Question 25

The implementation of information categories is achieved by adding new structures and mechanisms to label and enforce separation at the ___

Answer 25

OS level

Question 26

Another set of security controls that are sometimes used in the classified world have to do with the concept of ___

Answer 26

“originator controlled” data

Question 27

“originator controlled” data

Answer 27

An illustrative example of this is an email that the original sender addresses to a set of trusted recipients However, the original sender may wish to control the resending of those emails to other potential recipients

Question 28

The Cloud Security Alliance Approach to cloud security

Answer 28

The Cloud Security Alliance developed a Cloud Controls Matrix

Question 29

Cloud Controls Matrix

Answer 29

A framework of nearly 100 distinct control specifications Version 1.0 was released in April 2010, version 3.0.1 in July 2014

Question 30

The CSA Cloud Controls Matrix emphasizes business information ___ in a form that provides ___and ___ for matching information security to cloud industry needs

Answer 30

security controls structure detail

Question 31

Security is Often Ineffective (software perspective)

Answer 31

Software development practices are typically neither rigorous nor focused on engineering principles and verification Software development often tends toward initial releases that saddle users or administrators with bugs and vulnerabilities followed by patching - The result is that security is often an afterthought Software frameworks and functionality scaffolding have grown huge Installation and configuration of software is usually not performed following a rigorous and defined process that brings identical results Discovery of new vulnerabilities extends over time to include even older and mature software

Question 32

cost effective and secure cloud demands ___, ___, and ___in system and infrastructure management

Answer 32

reliability maturity agility

Question 33

Where ___ are used to manage vulnerabilities, it is important that this be done without introducing new vulnerabilities

Answer 33

compensating controls Implementing compensating security controls around poorly designed applications or systems only adds greater complexity

Question 34

Good security exhibits several qualities, including ___

Answer 34

simplicity A goal for cloud security is ease of use and adoption of security controls

Question 35

Risk is viewed in terms of the ___that ___would exploit ___and compromise the value of information assets

Answer 35

probability threats vulnerabilities

Question 36

Security must be ___by exposing and mitigating new vulnerabilities

Answer 36

continually improved

Question 37

Exploits tend to take advantage of ___that otherwise do not cause issues

Answer 37

borderline circumstances

Question 38

____is a key strategy and a best practice for cloud computing security

Answer 38

Monitoring

Question 39

The scope of a policy will vary according to the type of cloud There will be some overlap between SaaS, PaaS, and IaaS policies, but largely these will become increasingly ___moving from SaaS to IaaS

Answer 39

broader

Question 40

It is a best practice for a cloud provider and for cloud consumer organizations to create and define a clear ___for cloud security

Answer 40

policy

Question 41

Policies should be updated as needed, and they should be supplemented by the use of ___, ___, and related ___that enable implementation of policy

Answer 41

standards procedures guidelines

Question 42

___ is a core goal for cloud computing security

Answer 42

Risk management

Question 43

The objectives of risk management best practices are to ___, ___, and ___security risks in a cloud initiative

Answer 43

assess address reduce

Question 44

Among the considerations for residual risk are not only actual damages but also damages to the organization’s ___or ___

Answer 44

brand | reputation

Question 45

A best practice for risk management is to begin with an understanding and assessment of the ___ and orient the selection of ___along with appropriate security practices and procedures toward managing risks

Answer 45

``` risks (risk analysis) security controls (security life cycle framework) ```

Question 46

It is a best practice to implement a configuration and change management process that can:

Answer 46

govern proposed changes identify possible security consequences provide assurance that the current operational system is correct in version and configuration

Question 47

The relationship between configuration management and ___ procedures is often neglected in commercial implementations

Answer 47

security control

Question 48

The root cause of older and vulnerable configurations making their way back into production is typically a process failure in ___ or ___

Answer 48

``` configuration management (CM) change control (CC) ```

Question 49

Systems are simply too large and too complex for purely manual processes in ___ and ___ to support ongoing security evaluation of the various changes that an operational system is subject to

Answer 49

``` configuration management (CM) change control (CC) ```

Question 50

Audit best practices include

Answer 50

Following a regular schedule in using tools, like Nessus, to identify newly exposed vulnerabilities, configuration issues, weak passwords and to perform patch level verification Periodically reviewing the security controls that are in place, and assessing their effectiveness with respect to current or anticipated risks Using automated tools and manual procedures to verify policy compliance Periodic use of an independent penetration testing service to determine if the system can withstand representative exploits Reviewing system logs on a periodic basis to verify the correct operation of security monitoring

Question 51

Auditing seeks to verify ___, review the effectiveness of ___, and validate security ___

Answer 51

compliance controls processes

Question 52

Auditing in PaaS

Answer 52

For PaaS the adoption of such tools is MORE PROBLEMATIC as tenants have less control

Question 53

Auditing in IaaS and PaaS

Answer 53

should be performed by CSP or even tenants

Question 54

The objectives of vulnerability scanning are

Answer 54

Catalog all components so that the resulting list can be used to verify configuration management data Identify any new vulnerabilities, and identify risky services

Question 55

In general, there are two classes of scanning

Answer 55

Performed from the outside of a machine A more thorough scan requires that the scanner authenticate to the target to take a complete inventory of the system from the inside

Question 56

The use of a database to store___ makes these immediately available to auditors and automated tools for compliance and other tasks

Answer 56

vulnerability scan results

Question 57

It is a best practice to limit___ to the smallest set necessary for the users to perform their work

Answer 57

user privileges

Question 58

In the cloud, the ___ is already partially implemented by the nature of the model itself

Answer 58

segregation of duties Requests for changes by the cloud provider will go through a configuration management process where they will be vetted by all the major business functions, security included Depending on the cloud deployment model, the tenant will have a varying degree of responsibility for and control over configuration changes

Question 59

Highly sensitive functions should entail a ___ to assure that these functions are properly invoked

Answer 59

two-person rule

Question 60

The ___ is focused on best practices for building clouds

Answer 60

Cloud Computing Use Case Discussion Group

Question 61

NIST's Consumer Best Practices

Answer 61

Selecting a CSP based on how their overall security compares to current practices Selecting a CSP based on their willingness to offer transparency into key security practices, including risk assessment and incident response

Question 62

NIST's Providers Best Practices

Answer 62

Providing network isolation between infrastructure control traffic and user traffic Using a CMDB Using integrity checking software to detect unauthorized changes Implementing scalable and robust Identity Management Using security as a form of competitive differentiation

Question 63

It is a best practice to automate the collection of security events from all security-relevant network devices, servers, and applications These events should be 1. ___ 2.___

Answer 63

archived in raw form to preserve a legal record of all security-relevant activity assessed via automated means to detect situations warranting alerts

Question 64

Security Feedback

Answer 64

At a high level we seek to provide a feedback loop for the system

Question 65

In security monitoring, security feedback is based on three sets of information

Answer 65

Knowledge about the infrastructure - CMDB Event data - Output Security rules - Used to assess the event data

Question 66

Security monitoring has several important purposes for CSPs and tenants

Answer 66

``` Threat Detection Verification of Security Controls Exposure of Bugs Legal Record of Activity Enabling Forensics ```

Question 67

The sheer amount of raw security event data that is generated in even a small cloud infrastructure demands that the collection, handling, analysis, and storage of data be ___

Answer 67

efficient

Question 68

Security-relevant data can be generated at ___

Answer 68

every level of a cloud infrastructure

Question 69

Event Stream

Answer 69

Generation of Security Events Collection of Security Events Correlation and Analysis Strategies

Question 70

Event Stream - Generation of Security Events

Answer 70

Security-relevant data can be generated at every level of a cloud infrastructure All modern OSs are capable of generating security event data

Question 71

Event Stream - Collection of Security Events

Answer 71

Many tools are available to collect, forward, and manage security events, but syslog is the most common

Question 72

Event Stream - Correlation and Analysis Strategies

Answer 72

Having generated and collected events, we now seek to make sense of them through a variety of techniques, such as attack signatures

Question 73

In other words, the security around monitoring must __or __that of the system and its data

Answer 73

meet | exceed

Question 74

It is a best practice in cloud security to assure the security of ___and the integrity and availability of the ___

Answer 74

monitoring | event stream

Question 75

Cloud providers can be expected to offer broader and richer security ___and ___capabilities for their tenants

Answer 75

monitoring | alerting