Cloud Operations Flashcards

(100 cards)

1
Q

How do you secure a KVM?

A

Combine Physical and Logical controls to protect against unauthorized electronic emanation surveillance

2
Q

Features of a Secure KVM

A
  1. Push button control - physical access needed to control KVM
  2. Firmware that has authenticated protection
  3. Isolated data channels
  4. Restricted USB functionality
  5. Does not allow buffering
3
Q

Secure Shell (SSH)

A

A protocol used to administer remote devices over a network using TCP port 22

Uses symmetric and asymmetric cryptography

If using asymmetric cryptography, the ssh-keygen command is used to generate the public/private key pair

4
Q

Remote Desktop Protocol (RDP)

List features

A

Allows a remote connection to a workstation or server via port 3389

Features include:

  1. Encryption of the data in transit
  2. Authentication via use of smart cards
  3. Bandwidth reduction which optimizes the data transfer rate if a low speed connection is used
  4. Resource sharing
  5. Can disconnect the RDP connection temporarily without logging off the remote connection
5
Q

Customer Management Console-based Access

What securing features should it include?

A

A proprietary API that the CSP creates to allow the cloud customer to access, configure, and manage virtual machines

Securing Features should include:

  1. Need-to-know (NTK) admin controls
  2. Least privilege technical controls
  3. Role-based access with MFA controls
  4. Isolated and protected communication channels via TLS and VPN
  5. Any command line interface (CLI) should be protected by using SSH
6
Q

DNSSEC

A

Provides integrity for DNS resolver requests, responses and zone transfers

7
Q

List DNSSEC resource records

A

DNSKEY - holds the public key that resolvers can use to verify DNSSEC signatures in RRSIG records

RRSIG - a record that holds the DNSSEC digital signature for a set of records

8
Q

To prevent DNS hijacking and unauthorized manipulation of resolver requests, what should you ensure for your email domain?

A

Ideally ensure your email domain has a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy with SPF (Sender Policy Framework) and/or DKIM (DomainKeys Identified Mail), and that you enforce such policies provided by other domains on your email system

9
Q

List DNS Attacks

A

DNS cache poisoning

Hijacking DNS servers

A MiTM attacker can send a fake DNS response

DNS Shadowing - attacker compromises a registry account and registers subdomains to host fake sites

10
Q

How can MiTM DNS attacks be addressed?

A

DNS Security (DNSSEC) - designed to prevent DNS cache poisoning - uses digital signatures to verify that DNS data is coming from an authenticated source

11
Q

Virtual LAN (VLAN)

A

A method of separating layer 3 networks using a layer 2 switch

You still need a router and ACLs to properly forward and control

Used to create isolation beyond traffic segmentation

Maximum allowed networks in VLAN is 4096

12
Q

VXLAN

A

VXLAN (the X is for extensible) is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network

VXLAN is the most commonly used protocol to create overlay networks that encapsulate layer 2 over layer 3 (L2oL3), enabling the use of virtual networks, and allows for 16.7 million separate networks or VXLANs

13
Q

How does VXLAN enable cloud?

A

It supports virtualization of the data center network while addressing the needs of multi-tenant data centers by providing the necessary segmentation on a large scale.

VXLAN allows for scalability and allows cloud providers to effectively separate and isolate tenants from each other.

14
Q

VXLAN Tunnel End Point (VTEP)

A

A hypervisor based function that allows VMs to communicate via source and destination IP addresses

15
Q

Virtual Private Network (VPN)

A

Allows two private networks to communicate with each other over a public network (Internet)

16
Q

OpenVPN

A

An open source VPN solution that provides up to 256-bit encryption.

It is very customizable, can bypass firewalls and can support several types of encryption algorithms.

17
Q

Point to Point Tunneling Protocol (PPTP)

AKA

A

Uses 128-bit encryption called Microsoft Point to Point Encryption (MPPE), which is weak and has been compromised.

18
Q

Secure Socket Tunneling Protocol (SSTP)

A

Developed by Microsoft to replace PPTP and is proprietary. Offers 256-bit encryption.

19
Q

SoftEther

A

An open source VPN protocol that uses 256-bit encryption.

Used on workstations and mobile devices.

20
Q

Layer 2 Tunneling Protocol (L2TP)

A

A VPN joint effort by Cisco and Microsoft. Typically secured by using IPSEC.

256-bit encryption.
Used everywhere.
Supports multi-threading, but slower.

21
Q

Internet Key Exchange v2 (IKE)

A

An IPSEC protocol based on the ISAKMP framework and the Oakley key negotiation protocol

IKE is used for building and managing Security Associations (SAs); it encrypts the AH or ESP

2 ways to exchange keys: Diffie-Hellman (DH) style negotiation (routers) or public keys (users)

22
Q

IP Security (IPSEC)

A

A layer 3 protocol used to secure IP traffic for VPNs

23
Q

IP SEC Transport Mode

A

Only the payload portion of each packet is protected (end to end encryption, e.g. between client and server)

24
Q

IP SEC Tunnel Mode

A

The entire original packet is protected including IP header (link encryption e.g. firewall to firewall)

25
Q

IPSEC Authentication Header (AH)

A

Authenticates the sender (source IP) and performs an integrity check

AH Transport mode protects the integrity of the payload only

AH Tunnel mode protects the integrity of the header and payload

26
Q

IPSEC Encapsulating Security Payload (ESP)

A

Same as Authentication Header plus encrypts for confidentiality

ESP Transport mode encrypts the payload only; the original IP header is left unencrypted

ESP Tunnel mode encrypts headers and payload

27
Q

IPSEC Security Association (SA)

A

A one-way connection using either AH or ESP services

Each SA is uniquely identified in the packet using 3 indicators:

  1. Security Parameter Index (session ID used for tracking)
  2. Destination IP address
  3. An AH or ESP identifier to indicate which is being used

28
Q

Internet Security Association and Key Management Protocol (ISAKMP)

A

A framework for choosing encryption algorithms and key exchange methods

29
Q

Oakley

A

A key negotiation protocol using the Diffie-Hellman approach

30
Q

Transport Layer Security 1.3 (TLS)

A

Originally used SSL v1, 2 and 3, but SSL has been deprecated. TLS v1.1 and 1.2 should not be used as they are vulnerable to attacks. Use TLS v1.3.

Commonly used for end to end encryption

31
Q

TLS Negotiation

A

  1. Client Hello contains:
     - Protocol Version - TLS 1.3
     - Asymmetric Algorithm for session key - RSA
     - Symmetric Algorithm for encrypting data in transit - Salsa
     - Hashing Algorithm - SHA256
  2. Server chooses TLS 1.3, RSA, Salsa, SHA256 - answers these conditions and sends the server certificate to the client
     - Optional: if the client has a certificate, the client sends it to the server (mutual authentication)
  3. Session key negotiated between client and server
  4. All traffic encrypted

32
Q

Firewalls

A

Firewalls can be a software or hardware based form of protecting a host or network. Every firewall comes with an implicit deny-all rule.

Ingress filtering - analyzing traffic coming into the firewall

Egress filtering - analyzing traffic leaving the firewall

33
Q

Stateless Firewall

A

A firewall that filters egress and ingress traffic based on IP address and port number regardless of session

34
Q

Dynamic Firewall

A

Does the same as a stateless firewall but adds engines defined by signatures, behavior, anomalies, heuristics and artificial intelligence

35
Q

Next-Generation (Next-Gen) Firewall

A

A standard firewall that adds intrusion detection/prevention technology and traffic management through segmentation policies

36
Q

List Firewall Categories

A

  1. Software Firewall
  2. Hardware Firewall
  3. Application Firewall
  4. Database Firewall

37
Q

Software Firewall

A

A firewall that is installed on the host or is built into the operating system of the host

38
Q

Hardware Firewall

A

An actual piece of hardware that serves as a firewall

39
Q

Application Firewall

A

Works at Layer 7 of the OSI model; for example a WAF, used to protect a web application and its backend DB, and performs input validation

40
Q

Database Firewall

A

A layer 7 firewall used to protect a DB, e.g. a DB Activity Monitor

41
Q

  1. Network-based IDS/IPS?
  2. Host-based IDS/IPS?
  3. Why would you employ both on your network?

A

  1. A system that scans network traffic looking for attacks or intrusions
  2. Systems that only scan the single host they are installed on, sometimes called HBSS (Host Based Security System)
  3. To apply defense in depth: host based can better detect internal threats; network based can't read encrypted traffic; devices can be taken offline

42
Q

IDS/IPS scanning technologies?

A

Signature based - pattern matching or knowledge based; scans based on attack signatures and is used to find known threats

Behavior based - anomaly based or profile based; the system must learn and build normal profiles (baseline) and later scans for deviations from the profiles (the network must be secure while the IDPS learns). Used to find new or unknown threats

43
Q

IDS/IPS alert veracity measures?

A

True Positive - the system correctly identifies an intrusion

True Negative - the system correctly determines that no intrusion is present

False Positive - the system mistakenly identifies legitimate traffic as an intrusion

False Negative - the system mistakenly allows a threat to enter the network

44
Q

Honeypot/Honeynet

A

A fake target on the network designed to lure in attackers

  - protects the real network from attacks
  - allows security personnel to observe the attacker's actions
  - acts as a type of early warning system
  - a honeynet is multiple honeypots networked together

45
Q

Padded Cell

A

Designed to work with the IDS; the attacker is sent to a sandboxed honeypot where they can do no harm

46
Q

Application Baseline

A

A baseline is the minimum settings, permissions, or requirements to meet the objective

47
Q

IT Asset Management (ITAM)

A

A database of all assets, firmware and version numbers, their locations, and who is in possession of them

48
Q

Configuration Management Database (CMDB)

A

Works with ITAM. It is a single repository containing all settings, configurations, and other information about assets. It is good practice to automate the creation, application, management, updating, tracking, and compliance checking of baselines

49
Q

Security Content Automation Protocol (SCAP)

A

A method for using specific standards (baselines) to enable automated vulnerability scanning and policy compliance evaluation of systems in an organization. This allows you to scan systems to see if they're compliant.

You download a SCAP content module (standard), load it into a SCAP scanner, then scan your devices to see if they conform to the standard

50
Q

Security Technical Implementation Guides (STIGs)

A

The configuration standards for DoD information assurance enabled devices and systems

51
Q

Cloud Computing Security Requirements Guide (CC SRG)

A

A collection of security requirements applicable to a given technology family, product category, or the organization in general

The CC SRG provides non-specific requirements to implement the STIG control guidance in a cloud environment

52
Q

Center for Internet Security (CIS)

A

A community driven non-profit that publishes globally recognized best practices for securing IT systems and data

53
Q

CIS Critical Security Controls

A

A group of best practices used to mitigate attacks against systems and networks

54
Q

CIS Benchmarks

A

Guidelines for hardening specific operating systems, middleware, software applications, and network devices

55
Q

Stand Alone Hosts

A

A dedicated hosting solution for individual processes and resources. To create an isolated, secured, dedicated hosting environment, use a stand alone host.

Note this doesn't meet the 5 essential characteristics of cloud.

56
Q

Shared Host

A

A configuration that offers multi-tenant, secured hosting capabilities

57
Q

Clustered Host

A

Logically and physically connected to other hosts within a management framework. This framework allows central management of resources for the collection of hosts, the applications, and the VMs running on any member of the cluster. Clustered hosts allow for failover or movement between host members.

58
Q

Storage Cluster

A

Using two or more storage servers working in unison for better performance, capacity, and reliability.

59
Q

Cluster Storage Architectures

A

  1. Tightly Coupled Cluster - uses a proprietary physical backplane that the controller nodes connect to
  2. Loosely Coupled Cluster - uses building blocks that can start small and grow with demand, which in turn is more cost effective

60
Q

Maintenance Mode

A

Utilized when updating or configuring different components of the cloud environment, including VMs

61
Q

When in maintenance mode, ensure the following

A

  1. Customer access should be blocked; new logins are prevented
  2. Alerts should be disabled
  3. Logging remains enabled and continues
  4. All active production instances are removed

62
Q

Live Migration

A

The transferring of the operation of one VM to another in such a way that it is completely transparent to the user

63
Q

Information Technology Infrastructure Library (ITIL) v4

A

A standard for achieving quality IT services that addresses service value streams (SVS). SVSs are used to create value through IT-enabled services.

64
Q

Core Components of ITIL

A

  1. Service Value Chain
  2. Practices
  3. Guiding Principles
  4. Governance
  5. Continual Improvement

65
Q

ITIL Change Management

A

The practice of ensuring changes in an organization are smoothly and successfully implemented and that lasting benefits are achieved by managing the human aspects of the changes.

66
Q

What are the 3 types of changes in ITIL? Descriptions?

A

  1. Standard changes - low risk, pre-authorized, routine changes. Well understood and fully documented. Implemented without needing additional authorization.
  2. Normal changes - use the standard process to schedule, assess, and authorize the change. Triggered by creating a change request.
  3. Emergency changes - must be implemented as soon as possible. Not typically included in a change schedule. Assessment and authorization are expedited.

67
Q

Continuity Management

A

The practice of ensuring that service AVAILABILITY and PERFORMANCE are maintained at a sufficient level in the event of a disaster

68
Q

Information Security Management

A

The practice of protecting an organization by understanding and managing risk to the CIA of information.

69
Q

Continual Service Improvement Management

A

The practice of aligning an organization's practices and services with changing business needs through the ongoing identification and improvement of all elements involved in the effective management of products and services

70
Q

Release Management

A

The practice of making new and changed services and features available for use

71
Q

Patch Management

A

The process of applying updates to fix functionality, features, or security

72
Q

Incident Management

A

The practice of minimizing the negative impact of incidents by restoring normal service operations as quickly as possible

73
Q

Incident Management - Event

A

A change in system state that has significance for the management of a service or other configuration item

74
Q

Incident Management - Incident

A

An unplanned interruption or degradation in the quality of a service

75
Q

Incident Management - Breach

A

Proof that a system had unauthorized access

76
Q

Incident Management - Disclosure

A

Proof that confidential information has been shared outside of owner defined clearance levels

77
Q

How are incidents in Incident Management prioritized?

A

As high, medium, or low, based on:

  1. Impact - how the incident is going to affect the organization
  2. Urgency - how fast the incident needs to be resolved
  3. Priority = Impact x Urgency

78
Q

List Incident Response Phases in Order

A

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

79
Q

Problem Management

A

The practice of reducing the likelihood and impact of incidents by identifying actual and potential causes of incidents, and managing workarounds or known errors

80
Q

Problem Management - Problem

A

The unknown cause of an incident, often identified as a result of several incidents

81
Q

Problem Management - Known Error

A

The known root cause of a problem

82
Q

Problem Management - Workaround

A

A momentary fix

83
Q

Deployment Management

A

The practice of moving new and changed hardware, software, documentation, processes, or any other service components to live environments

84
Q

Approaches to Deployment Management

A

  1. Phased - deployments conducted in phases
  2. Continuous delivery - frequent deployments
  3. Big Bang deployment - updates deployed all at once
  4. Pull deployments - updates are self selected by the user

85
Q

Configuration Management

A

The practice of ensuring that accurate and reliable information about the configuration of services, and the configuration items that support them, is available when needed

86
Q

Service Level Management

A

The practice of setting clear business based targets for service performance so that the delivery of service can be properly assessed, monitored, and managed against these targets. The objective is end to end visibility.

87
Q

Availability Management

A

The practice of ensuring that services deliver agreed levels of availability to meet the needs of customers and users

88
Q

Capacity and Performance Management

A

The practice of ensuring that services achieve agreed and expected performance levels, satisfying current and future demand in a cost effective way

89
Q

What questions should be asked when managing communications to relevant parties?

A

  1. Who is the target of the communication?
  2. What goal are we trying to achieve and what risk is involved?
  3. When is the best time to communicate?
  4. Where is the communication pathway managed from?
  5. Why is the communication needed?
  6. How is the communication being transmitted?

90
Q

When considering supporting vendor or partner communication paths with the organization, what needs to be in place?

A

  1. Onboarding
  2. Management
  3. Offboarding

91
Q

Hardware Monitoring - why is it essential, what are the common areas to monitor, and what may be an early warning of failure?

A

Essential for the secure and reliable operation of the cloud environment

Data performance (I/O) of underlying components may provide early indicators of HW failure

Common areas:

  1. Network
  2. CPU
  3. Disk
  4. RAM/Memory

92
Q

SOMS Flow Diagram

A

  1. Establish the framework
  2. Policy
  3. Planning
  4. Implementation and Operation
  5. Performance Evaluation
  6. Management Review

93
Q

What is SOMS? Which ISO standard?

A

Security Operations Management System, for security operations

Used to establish a Security Operations Center

ISO 18788

94
Q

A successful SOMS has the following

A

  1. Leadership and commitment
  2. Statement of conformance
  3. Policy
  4. Organizational roles, responsibilities, and authorities
  5. Planning
  6. Legal and other requirements
  7. Internal/external risk communication and consultation requirements (whistleblower or grievance procedures)
  8. Competence, training and awareness
  9. Use of force (use of less-lethal, lethal, and law enforcement engagement)
  10. Background screening
  11. Occupational health and safety
  12. Security operations and risk treatment objectives

Mnemonic: CLUB PISS POOL

95
Q

Application Performance Monitoring goal? CAMP?

A

Cloud application performance management (CAMP) is the process of monitoring resources that support application program performance in private and hybrid cloud environments

The goal of application monitoring is to provide admins with the ability to identify a poor user experience quickly so the cloud issue can be resolved

96
Q

Real User Monitoring (RUM)

A

Monitoring users live as they utilize a system by capturing and analyzing every transaction of every user

97
Q

Synthetic Performance Monitoring

A

The use of scripts and agents to run preprogrammed scenarios to determine predictable outputs

An automated test of a cloud service

98
Q

What should an organization do to establish and maintain successful log management activities?

A

  1. Establish policies and procedures for log management
  2. Develop a standard process for performing log management
  3. Define its logging requirements and goals as part of the planning process
  4. Develop policies that clearly define mandatory requirements and suggested recommendations for log management
  5. Ensure that related policies and procedures incorporate and support log management requirements

99
Q

Security Information and Event Management (SIEM)

A

Technology that provides real time reporting and analysis of security events that generate alerts

Information is sourced from network hardware and applications

Available as software, appliances, or managed services

Also used to log security data and generate reports for compliance purposes

Collects logs and information from many disparate sources to aggregate and correlate the data

100
Q

List Goals of Security Information and Event Management (SIEM)

A

  1. Centralize collection of log data
  2. Enhance analysis capabilities
  3. Dashboarding
  4. Automated response