Term
| With a ____, the CONSUMER dictates the technology and operating procedures. |
|
Definition
| MSP (Managed Service Provider) |
|
|
Term
| With a ____, the SERVICE PROVIDER dictates the technology and operational procedures. |
|
Definition
| CSP (Cloud Service Provider) |
|
|
Term
| Definition of Risk - "AT VIP CARD" |
|
Definition
| Asset, Threat, Vulnerability, Impact, Probability, Control = what's left? Risk Determined (residual risk) |
|
|
Term
| What does RASQ stand for? |
|
Definition
| Relative Attack Surface Quotient |
|
|
Term
| As RASQ increases, security... |
|
Definition
| ...decreases. A larger attack surface (more reachable services, open ports, enabled features and privileged accounts) gives an attacker more ways in, so the aim is to drive RASQ down by disabling or isolating whatever isn't needed. |
|
Term
| Compare and contrast SLA and OLA? |
|
Definition
SLA = Service Level Agreement, agreement between two separate entities for technology services
OLA = Operational Level Agreement, agreement between departments within the same organization regarding service levels within the same organization |
|
|
Term
| Key Cloud Computing Drivers: Elasticity (define, plus sub-bullets V and S) |
|
Definition
Elasticity = The environment transparently manages a user's resource utilization based on dynamically changing needs
Virtualization - Each user has a single, independent view of the available resources, regardless of how the underlying physical hardware is laid out
Scalability - Users have access to a large number of resources that scale based on demand |
|
|
Term
| Key Cloud Computing Drivers - Simplicity (define, plus sub-bullets R and C) |
|
Definition
Simplicity = IT Environment complexities are reduced
Risk reduction - users can use the cloud to test ideas and concepts before making major investments in technology
Cost - pay only for the resources that are needed, no infrastructure maintenance or upgrade costs |
|
|
Term
| Key Cloud computing drivers - Business Expandability (define, plus sub-bullets M and C/I) |
|
Definition
Business Expandability - allows the business to address business needs without respect to geography
Mobility - can access data and applications from anywhere
Collaboration/Innovation - Users can work simultaneously on common data and information from anywhere |
|
|
Term
| Name three advantages of thin clients |
|
Definition
Fewer malware infections (little code runs on the client)
Less processing power needed on the client
Less potential for data loss because little data is sent to, or stored on, the client |
|
|
Term
| What is Economic Denial of Service (EDoS)? |
|
Definition
Economic Denial of Service - attackers purposely consume cloud resources in a repetitive manner (requests, storage, auto-scaled compute) with the purpose of driving up the victim's cloud computing bill, turning the provider's elasticity and pay-per-use billing against the customer in order to cause business harm or put the victim organization out of business. Billing alerts, spending caps and rate limits are the usual defenses. |
|
|
Term
|
Definition
| A trusted security zone, beyond which resources are untrusted |
|
|
Term
| What's the difference between a clone and a backup? |
|
Definition
Clone = a copy of a "reference image" that's used to produce another server
Backup is a copy of the *data* on a server, but not a copy of the OS |
|
|
Term
| In Desktop As A Service (DaaS), what's the difference between implicit vs. explicit entitlements? |
|
Definition
Implicit entitlements are those a user inherits through membership in a group (including groups nested inside other groups)
Explicit entitlements are those assigned directly to the user's own identity (user ID/job role) rather than inherited |
|
|
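The implicit/explicit distinction matters most during access reviews, where the nested-group case is what makes entitlements grow unnoticed. The following is an added example (not from the flashcards): it resolves a user's effective entitlements as the union of explicit grants on the identity and implicit grants inherited through group membership, walking nested groups. The directory contents (GROUPS, GROUP_ENTITLEMENTS, USER_ENTITLEMENTS) are constructed for illustration.

```python
"""Effective entitlements = explicit grants + implicit grants via groups."""
from collections import deque

# Constructed sample directory (not real data): group -> direct members.
# A group listed under "groups" is nested inside the parent group, so its
# users inherit whatever the parent grants.
GROUPS = {
    "finance":        {"users": {"alice"}, "groups": {"finance-leads"}},
    "finance-leads":  {"users": {"bob"},   "groups": set()},
    "all-staff":      {"users": {"alice", "bob", "carol"}, "groups": set()},
    "desktop-admins": {"users": set(),     "groups": {"finance-leads"}},
}

# Entitlements attached to groups: implicit for every (nested) member.
GROUP_ENTITLEMENTS = {
    "finance":        {"app:ledger:read"},
    "finance-leads":  {"app:ledger:approve"},
    "all-staff":      {"desktop:standard"},
    "desktop-admins": {"desktop:local-admin"},
}

# Entitlements attached directly to a user identity: explicit.
USER_ENTITLEMENTS = {
    "carol": {"app:ledger:read"},
}


def groups_of(user):
    """All groups the user is in, directly or through nested membership.

    Breadth-first walk up the nesting graph; the visited set stops the walk
    if two groups ever contain each other.
    """
    parents = {}
    for group, members in GROUPS.items():
        for child in members["groups"]:
            parents.setdefault(child, set()).add(group)
    direct = {g for g, m in GROUPS.items() if user in m["users"]}
    seen, queue = set(direct), deque(direct)
    while queue:
        group = queue.popleft()
        for parent in parents.get(group, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def effective_entitlements(user):
    """Return {'explicit': set, 'implicit': {entitlement: granting group}}."""
    explicit = set(USER_ENTITLEMENTS.get(user, set()))
    implicit = {}
    for group in sorted(groups_of(user)):
        for ent in GROUP_ENTITLEMENTS.get(group, ()):
            implicit.setdefault(ent, group)  # remember the first group that grants it
    return {"explicit": explicit, "implicit": implicit}


def review_report(user):
    """One line per entitlement with its source, as an access reviewer wants it."""
    ents = effective_entitlements(user)
    lines = [f"{user}: {e} (explicit)" for e in sorted(ents["explicit"])]
    lines += [f"{user}: {e} (implicit via {g})"
              for e, g in sorted(ents["implicit"].items())]
    return lines


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print("\n".join(review_report(who)))
```

Note how bob ends up with desktop:local-admin: nobody granted it to him, but finance-leads was nested into desktop-admins. A report that shows the granting group for every implicit entitlement is what lets a reviewer spot that kind of drift.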
Term
| What's a Global Policy Object? |
|
Definition
| A cloud computing policy that's applied across all cloud computing resources for a given customer (for example - no caching, to reduce the risk of exposing company data to ephemeral, client data storage) |
|
|
Term
| What's one reason why an attacker would login multiple times to a given cloud resource? |
|
Definition
| To gain access to data that's been distributed throughout a cloud environment. With each login they may be assigned to a different physical resource, any one of which might have the specific piece of data they are looking for. |
|
|
Term
| Explain the advantage of distributed data in a multi-tenant cloud environment |
|
Definition
| If you have data distributed among many different physical assets in a multi-tenant cloud environment, a breach to any one of those assets would only expose a small portion of the overall data record, and may not be of value to the attacker. |
|
|
Term
| In cloud data security, what is anonymization? |
|
Definition
| Anonymization is removing or irreversibly transforming the identifying attributes of a data set (names, account numbers, addresses, etc.) so that records can no longer be linked to a specific individual, even by the cloud provider that holds the data. Contrast with pseudonymization, where identifiers are replaced by tokens but a separately held mapping can re-identify the record. |
|
|
Term
| What are some of the risks associated with a distributed/multi-tenant Security Environment? |
|
Definition
Data co-mingled with that of other organizations
If servers are seized or preserved for legal reasons involving another tenant (e.g. a subpoena or e-discovery order), your data on the same hardware may be lost or exposed |
|
|
Term
| What are some of the legal/regulatory risks associated with cloud computing? |
|
Definition
Co-mingling with other organizations' assets
Jurisdiction/location of servers
Privacy requirements differ by location/jurisdiction/country |
|
|
Term
| What is an accessibility/availability zone? |
|
Definition
| An isolated physical location (one or more data centers with their own power, cooling and networking) within a cloud provider's region, where your data is stored and from which your users/customers access it. Spreading resources across zones limits the impact of a single-site failure. |
|
|
Term
|
Definition
| A treaty-like agreement between the US and EU that attempts (poorly) to bridge the gap of differing data privacy regulations and definitions between the two jurisdictions. |
|
|
Term
| What is a private cloud? |
|
Definition
| Cloud infrastructure that is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). May be owned, managed and operated by the organization, a third party, or some combination, and may exist on or off premises. |
|
|
Term
| What is a community cloud? |
|
Definition
| Cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, compliance considerations). May be owned, managed and operated by one or more of the organizations in the community, a third party, or a combination |
|
|
Term
| What is a public cloud? |
|
Definition
| Cloud infrastructure provisioned for open use by the general public. May be owned, managed and operated by a business, academic, or government organization, or a combination. *Exists on the premises of the cloud provider* |
|
|
Term
| What is a hybrid cloud? |
|
Definition
| Cloud infrastructure that is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds). |
|
|
Term
| Name the three primary types of Cloud Service Models |
|
Definition
Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) |
|
|
Term
| What is cloud computing? |
|
Definition
| A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications. |
|
|
Term
| What is CAMP? |
|
Definition
Cloud Application Management for Platforms. A specification designed to ease management of applications - including packaging and deployment - across public and private cloud computing platforms. |
|
|
Term
| What is IDaaS? Spell out IAAA.... |
|
Definition
IDentity as a Service - Identity and Access Management as a service provided by a cloud service provider
Identification/identity management, Authentication, Authorization, Accounting/Auditability |
|
|
Term
| What is the *opposite* of SSO? |
|
Definition
| Opposite of Single Sign On (SSO) is "complete mediation", where you are forced to login and present credentials for each and every asset you try to access. |
|
|
Term
| Name some problems created by Infrastructure as a Service |
|
Definition
API connections (trusted vs. untrusted connections, interoperability problems)
Latency (due to loosely coupled components/systems)
Audit isn't taken care of for you, you need to ensure that auditability is there
Privacy - need to ensure proper privacy provisions are in place because *you* are in charge of making that happen |
|
|
Term
| What are the four types of risk? (ACID) |
|
Definition
Audit risk
Control risk
Inherent risk
Detection risk |
|
|
Term
| What are the four pillars of data quality (ACID) |
|
Definition
Atomicity (all or none)
Consistency
Isolation (concurrent transactions don't interfere with each other)
Durability (committed data survives failures) |
|
|
Term
| What's the difference between a Penetration Test and a Vulnerability Scan? |
|
Definition
Penetration tests actively exploit and chain weaknesses (including previously unknown ones and business-logic flaws) to show what an attacker could actually reach; largely manual
Vulnerability scans automatically search for known vulnerabilities and misconfigurations by matching against signatures, without exploiting them |
|
|
Term
| What is cryptographic agility? |
|
Definition
| The ability to change cryptographic methods without disruption to your system |
|
|
Term
| What is ROSI? |
|
Definition
Return on Security Investment
The cost of the loss avoided by a security countermeasure (the reduction in expected breach cost) less the cost of that countermeasure, expressed relative to the cost of the countermeasure |
|
|
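The card's wording can be made precise. As an added worked formula (not on the original card), the usual Return on Security Investment expression, using annualized loss expectancy (ALE = single loss expectancy SLE x annual rate of occurrence ARO) and the annual cost of the countermeasure C:

$$\mathrm{ROSI} = \frac{(\mathrm{ALE}_{\text{before}} - \mathrm{ALE}_{\text{after}}) - C}{C}, \qquad \mathrm{ALE} = \mathrm{SLE} \times \mathrm{ARO}$$

With constructed numbers: a breach costs SLE = 200,000 and is expected ARO = 0.5 times a year, so ALE_before = 100,000; a control costing C = 30,000 a year cuts ARO to 0.1, so ALE_after = 20,000; then ROSI = (100,000 - 20,000 - 30,000) / 30,000 = 50,000 / 30,000, about 1.67, i.e. 1.67 of avoided loss per unit spent. A negative ROSI means the control costs more than the loss it avoids.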
Term
| What are the key benefits of the IaaS service model? |
|
Definition
Usage is metered and priced on basis of units consumed
Ability to scale up and down based on usage
Reduced cost of ownership
Reduced energy and cooling costs |
|
|
Term
| What are the key benefits of the PaaS service model? |
|
Definition
OS can be changed and upgraded frequently
Globally distributed development teams able to work collaboratively
Services are available and can be obtained from diverse sources across international boundaries
Upfront and recurring or ongoing costs can be significantly reduced |
|
|
Term
| What are the key benefits to the SaaS service delivery model? |
|
Definition
Ease of use and limited/minimal administration
Automatic updates and patch management
Standardization and compatibility
Global accessibility |
|
|
Term
| How do you restrict / role manage SaaS? |
|
Definition
Restricted interface (like SharePoint)
View-based controls (e.g. database views) |
|
|
Term
| What is Eucalyptus? |
|
Definition
| An open source cloud computing and IaaS platform for enabling private clouds. |
|
|
Term
| What are the 5 key characteristics of clouding computing, without which it is NOT cloud computing... (OBRRM) |
|
Definition
On-Demand Self-Service
Broad Network Access (always on, reachable over the network from standard clients)
Resource Pooling (multi-tenant pool of resources, location independence)
Rapid Elasticity (capacity scales out and in quickly, appearing unlimited to the consumer)
Measured Service (usage is metered; the basis for pay per use) |
|
|
Term
| Key components and characteristics of IaaS Cloud Service Deployment Model |
|
Definition
Scale
Converged network and IT capacity pool
Self-service and on-demand capacity
High reliability and resilience |
|
|
Term
| Key capabilities and characteristics of PaaS cloud deployment model |
|
Definition
Support multiple programming languages and frameworks
Multiple hosted environments (dev/test/prod)
Flexibility
Allow choice and reduce "lock-in"
Ability to "auto-scale" (key driver for apps that experience seasonal peaks and drops in load) |
|
|
Term
| What are the two delivery models of SaaS? |
|
Definition
Hosted application management (e.g. Webex)
Software on Demand (network based copies of software like word/excel) |
|
|
Term
| Key characteristics of SaaS cloud deployment model |
|
Definition
Access apps anywhere, anytime
Overall reduction of costs
Application and software licencing (rent, not buy)
Reduced support costs
Back end systems and capabilities |
|
|
Term
| Benefits of Public Cloud deployment model |
|
Definition
Easy and inexpensive to setup (hardware, app and bandwidth covered by the provider)
Streamlined and easy-to-provision resources
Scalability to meet customer needs
No wasted resources - pay as you consume |
|
|
Term
| Benefits of Private Cloud deployment model |
|
Definition
Increased control over data, underlying systems and applications
Ownership and retention of governance controls (no multi-tenancy)
Assurance over data location, reducing exposure to multiple-jurisdiction legal and compliance requirements |
|
|
Term
| Benefits of hybrid cloud environments |
|
Definition
Retain ownership and oversight of critical tasks and processes
Re-use previous investments in technology
Control over most critical business components and systems
Cost-effective means to fulfilling non-critical business functions
"Cloud bursting" and disaster recovery can be enhanced by hybrid cloud deployments |
|
|
Term
| What is a Community Cloud? |
|
Definition
Provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns or mission, security requirements, policy, compliance considerations, etc.
May be owned, managed and operated by one or more of the organizations in the community, a third party or some combination ... |
|
|
Term
|
Definition
| A collection of computer resources that are to be protected at the same level and are associated in some way. |
|
|
Term
| What is zero knowledge cloud storage? |
|
Definition
| Where the cloud provider cannot see the customer's data because that data is encrypted client-side before it reaches the cloud provider, and the cloud provider does not have access to the encryption key. |
|
|
Term
| What are X.509 certificates used for within a cloud environment? |
|
Definition
| Validating users and devices within a cloud environment using a standard certificate format. |
|
|
Term
| What is a certificate revocation list? |
|
Definition
| Published and signed by the Certificate Authority, it's a list of certificates that have been revoked before their expiry date. Relying parties check this list before trusting a cert. Because a CRL is issued periodically, a revocation only becomes visible once the next CRL is published and fetched, and a client that can't fetch it has to decide whether to fail open or fail closed. |
|
|
Term
| What is online certificate status protocol? (OCSP) |
|
Definition
| A protocol for querying the revocation status of an individual X.509 certificate from an OCSP responder, rather than downloading the whole CRL. With OCSP stapling the server attaches a recent signed OCSP response to the TLS handshake so the client needn't contact the responder itself. |
|
|
Term
| IPsec Transport Mode - what's encrypted? |
|
Definition
| Only the IP payload (the transport-layer header and data) is encrypted and/or authenticated; the original IP header stays in the clear, so the communicating endpoints are visible. Used for host-to-host (end-to-end) protection. |
|
Term
| IPsec tunnel mode - what's encrypted? |
|
Definition
| The entire original IP packet, header and payload, is encrypted and encapsulated inside a new IP packet with a new outer header addressed to the tunnel endpoints (e.g. VPN gateways), so the inner source and destination are hidden from observers on the path. |
|
Term
| What is IKE? |
|
Definition
| Internet Key Exchange - the protocol IPsec uses to authenticate the two peers and negotiate security associations (algorithms, keys and lifetimes) for ESP/AH; IKEv2 is the current version |
|
|
Term
| What is link encryption? |
|
Definition
| Payload, headers and trailers are all encrypted - all data along a com path (telephone, T1, satellite link) |
|
|
Term
| What's better IPSEC or SSL/TLS? |
|
Definition
| The flashcard's answer is IPsec, because the entire link (every packet between the hosts or gateways, whatever the application) is encrypted, not just one app-to-app session. In practice each has its place: IPsec for site-to-site and all-traffic protection at layer 3, TLS for securing a single application protocol with no special configuration on the client. |
|
|
Term
| What is S-RPC, and how does it handle key exchange? |
|
Definition
| Secure - Remote Procedure Call. Key exchange handled using Diffie-Hellman key exchange |
|
|
Term
| Name some ways to defend against man-in-the-middle attacks |
|
Definition
Time/date stamps (reject stale messages)
Sequencing (reject replayed or reordered messages)
Mutual (two-way) authentication with CA-issued certificates (e.g. mutual TLS)
DNSSEC (so the attacker can't redirect you to their host with forged DNS answers)
Calculating latency expectations and comparing response times |
|
|
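Timestamps and sequence numbers only help if they are bound to the message by something the attacker can't forge. The following added example (not from the flashcards) shows both sides of that exchange: each message carries a sequence number and a timestamp and is authenticated with HMAC-SHA256 under a key the two parties are assumed to share already (for instance one derived from a TLS or IKE handshake); the receiver rejects anything with a bad tag, a timestamp outside the freshness window, or a sequence number that doesn't advance. The key, window size and message bodies are constructed for illustration.

```python
"""Authenticated messages with timestamps and sequence numbers."""
import hashlib
import hmac
import json
import time

WINDOW_SECONDS = 30          # how stale a timestamp may be before rejection


class Sender:
    def __init__(self, key):
        self.key = key       # assumed pre-shared (e.g. from a TLS or IKE handshake)
        self.seq = 0

    def send(self, body, now=None):
        """Return the wire form: JSON envelope + '.' + hex HMAC-SHA256 tag."""
        self.seq += 1
        envelope = {"seq": self.seq,
                    "ts": int(now if now is not None else time.time()),
                    "body": body}
        raw = json.dumps(envelope, sort_keys=True).encode()
        tag = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        return raw + b"." + tag


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0    # highest sequence number accepted so far

    def receive(self, wire, now=None):
        """Return ('accept', body) or ('reject', reason)."""
        raw, sep, tag = wire.rpartition(b".")   # the hex tag never contains '.'
        if not sep:
            return ("reject", "malformed")
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        # Verify before parsing: unauthenticated input is never interpreted.
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad tag")
        envelope = json.loads(raw)
        now = now if now is not None else time.time()
        if abs(now - envelope["ts"]) > WINDOW_SECONDS:
            return ("reject", "stale timestamp")
        if envelope["seq"] <= self.last_seq:
            return ("reject", "replayed or reordered")
        self.last_seq = envelope["seq"]
        return ("accept", envelope["body"])


if __name__ == "__main__":
    key = b"constructed-shared-key"
    sender, receiver = Sender(key), Receiver(key)
    wire = sender.send("transfer 10")
    print(receiver.receive(wire))   # accepted once
    print(receiver.receive(wire))   # replay: rejected
```

The timestamp bounds how long a captured message stays usable, the sequence number stops a replay inside that window, and the tag stops an attacker from simply editing either field. A dropped message leaves a gap in the sequence, which this receiver tolerates; a protocol that must detect loss as well would also reject gaps.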
Term
| What is S/MIME? |
|
Definition
Secure Multipurpose Internet Mail Extensions - Standard for encrypting and digitally signing email containing attachments - Developed to counter message interception and forgery - Provides data integrity, confidentiality and authentication (but not non-repudia
|
|
Term
| What is Homomorphic Encryption? |
|
Definition
Enables the processing of encrypted data without the need to decrypt the data.
- A property of certain encryption schemes, not a single algorithm: partially homomorphic schemes support one operation (e.g. Paillier for addition, unpadded RSA for multiplication), fully homomorphic schemes support arbitrary computation at a large performance cost
- Allows the cloud customer to upload data to a CSP for processing without the requirement to decipher the data first, so the provider never sees plaintext or keys |
|
|
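To make the "process without decrypting" claim concrete, here is an added example (not from the flashcards) of the Paillier cryptosystem, which is additively homomorphic: multiplying two ciphertexts modulo n^2 yields an encryption of the sum of the plaintexts, and raising a ciphertext to a power scales the plaintext. The customer encrypts per-record values, the provider totals them with no key, and only the key holder decrypts the result. TOY_P and TOY_Q are small constructed primes so the example runs instantly; real keys use 2048-bit moduli and a vetted library.

```python
"""Paillier: additively homomorphic encryption in pure Python."""
from math import gcd
import secrets

# Toy primes (constructed) so the example runs instantly; real keys use
# 2048-bit moduli generated by a vetted library.
TOY_P, TOY_Q = 1009, 1013


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """Return ((n, g), (lam, mu)). Requires gcd(pq, (p-1)(q-1)) == 1."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    assert gcd(n, lam) == 1
    g = n + 1                                   # standard choice of generator
    n2 = n * n
    # mu = L(g^lam mod n^2)^-1 mod n, where L(x) = (x - 1) // n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised: c = g^m * r^n mod n^2, with a fresh r coprime to n."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


# --- operations the provider can run on ciphertexts alone (no key) ---

def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 == E(m1 + m2 mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 == E(k * m mod n)."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_sum(pub, ciphertexts):
    """Sum a list of ciphertexts; 1 is a valid encryption of zero (g^0 * 1^n)."""
    total = 1
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen(TOY_P, TOY_Q)
    invoices = [120, 450, 7]                    # constructed sample values
    cts = [encrypt(pub, v) for v in invoices]   # customer side
    total_ct = encrypted_sum(pub, cts)          # provider side: no key, no plaintext
    print(decrypt(pub, priv, total_ct))         # customer side: 577
```

Two things worth noticing: encryption is randomised, so the provider can't even tell whether two records hold the same value, and the plaintext space is the integers modulo n, so a total that overflows n wraps silently; size the modulus for the largest sum you expect.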
Term
| Contrast Remote Key Management Service with Client Side Key Management. Which is better? |
|
Definition
Remote Key Management Service is where the cloud customer owns, operates and maintains a key management system on premises, and their systems deployed in the cloud connect to that KMS.
Client Side Key Management - similar to Remote Key Management Service, except that most of the processing and control is done on the customer/cloud user side. Client side looks to put the customer or cloud user in complete control of encryption and decryption keys.
FOR THE EXAM: Client-side Key Management viewed as better |
|
|
Term
| What is vendor lock-in? |
|
Definition
| Where a cloud customer may be unable to leave, migrate or transfer to an alternate provider due to technical or non-technical constraints. |
|
|
Term
| Name three methods or approaches to ensuring interoperability and transfer of large data sets to alternate providers? |
|
Definition
Standardization (open formats and APIs)
Centralized Directory Service
SLA provisions regarding open/standardized operation methods |
|
|
Term
| What is cryptographic erasure? |
|
Definition
When you encrypt data and then throw away/destroy the key, so the ciphertext becomes unrecoverable wherever copies of it remain.
Preferable to overwriting in the cloud: the customer usually can't physically sanitize the provider's disks, replicas or backups, but can destroy a key they control.
However, every copy of the key must be destroyed correctly (backups, escrow, HSM, caches) without leaving any exposure to side-channel/"implementation" attacks (forensics). |
|
|
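Zero-knowledge storage (the card earlier on) and cryptographic erasure are two uses of the same design: a key hierarchy in which the customer keeps a key-encryption key (KEK), every object gets its own data-encryption key (DEK), and the provider stores only ciphertext plus the DEK wrapped under the KEK. The following added example (not from the flashcards) implements that layout and then erases an object by destroying its wrapped DEK, leaving the stored bytes in place but unrecoverable. The cipher is a CTR-style keystream built from HMAC-SHA256 so the example runs on the standard library only; it stands in for a real AEAD such as AES-GCM and is not for production use. The store, client and sample file are constructed for illustration.

```python
"""Client-side encryption with a key hierarchy, and cryptographic erasure."""
import hashlib
import hmac
import secrets


def _subkey(key, label):
    """Domain-separate one master secret into independent sub-keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    """CTR-style keystream from HMAC-SHA256 (stand-in for AES; not for production)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; raise on any modification or wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class ProviderStore:
    """What the cloud provider holds: opaque blobs plus one wrapped DEK each."""

    def __init__(self):
        self.objects = {}

    def put(self, name, ciphertext, wrapped_dek):
        self.objects[name] = {"ct": ciphertext, "wrapped_dek": wrapped_dek}

    def get(self, name):
        obj = self.objects[name]
        return obj["ct"], obj["wrapped_dek"]

    def crypto_erase(self, name):
        """Destroy the wrapped DEK only: the ciphertext may linger in backups
        or replicas, but nothing can decrypt it again."""
        self.objects[name]["wrapped_dek"] = None


class Client:
    def __init__(self, kek):
        self._kek = kek      # key-encryption key: never leaves the customer side

    def upload(self, store, name, plaintext):
        dek = secrets.token_bytes(32)            # fresh data-encryption key per object
        store.put(name, seal(dek, plaintext), seal(self._kek, dek))

    def download(self, store, name):
        ct, wrapped_dek = store.get(name)
        if wrapped_dek is None:
            raise LookupError("key destroyed; object is cryptographically erased")
        dek = unseal(self._kek, wrapped_dek)
        return unseal(dek, ct)


def demo():
    """Run the scenario end to end; returns what each step observed."""
    store, client = ProviderStore(), Client(secrets.token_bytes(32))
    client.upload(store, "payroll.csv", b"alice,100000")   # constructed sample file
    ct, wrapped = store.get("payroll.csv")
    result = {"roundtrip": client.download(store, "payroll.csv"),
              "provider_sees_plaintext": b"alice" in ct or b"alice" in wrapped}
    try:                                    # provider guessing at the KEK
        unseal(secrets.token_bytes(32), wrapped)
        result["wrong_key"] = "decrypted"
    except ValueError:
        result["wrong_key"] = "rejected"
    store.objects["payroll.csv"]["ct"] = ct[:20] + bytes([ct[20] ^ 1]) + ct[21:]
    try:                                    # one flipped ciphertext byte
        client.download(store, "payroll.csv")
        result["tampered"] = "accepted"
    except ValueError:
        result["tampered"] = "rejected"
    store.objects["payroll.csv"]["ct"] = ct
    store.crypto_erase("payroll.csv")
    try:
        client.download(store, "payroll.csv")
        result["after_erase"] = "readable"
    except LookupError:
        result["after_erase"] = "unrecoverable"
    return result


if __name__ == "__main__":
    print(demo())
```

Per-object DEKs are what make erasure selective: destroying one wrapped DEK erases one object, while rotating or destroying the KEK erases everything at once. The caveat on the card applies to the KEK above all: if it survives in a backup or a key escrow, nothing has been erased.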
Term
| What type of drives require cryptographic erasure of data? |
|
Definition
| Solid state drives (flash, etc) - because they aren't magnetic media and can't be degaussed, and wear levelling means an overwrite may not touch every physical block that held the data. |
|
|
Term
| What is a Type I Hypervisor? |
|
Definition
Run directly on the hardware with VM resources provided by the hypervisor
"bare metal" or hardware hypervisors
Examples: VMware ESXi and Citrix XenServer |
|
|
Term
| What is a Type II Hypervisor? |
|
Definition
Run on a host operating system to provide virtualization services.
Operating System Hypervisor
Examples: VMWare Workstation and Microsoft Virtual PC |
|
|
Term
| Which type of Hypervisor is viewed as less secure? |
|
Definition
| Type II - OS - because more vulnerabilities associated with OS/software layer than hardware layer, and software vulnerabilities are more attractive to attackers. |
|
|
Term
| What is a virtual switch (vSwitch)? |
|
Definition
Software in the hypervisor that switches network packets between virtual NICs, to a given virtual OS instance and out to the physical network.
NOTE WELL: If a vSwitch fails or is misconfigured, every VM attached to it is affected. With a hardware switch, only those endpoints physically connected to the bad ports and/or the switch go down. |
|
|
Term
|
Definition
| The act of investigating and understanding the risks a company faces |
|
|
Term
|
Definition
| The development and implementation of policies and procedures to aid in protecting the company, its assets and its people from threats |
|
|
Term
| What is VM escape? |
|
Definition
| Common type of attack where malicious code exploits a flaw in the hypervisor or its virtual device emulation to break out of the guest OS and run code on the host. Allows a malicious VM to take control of the host, and from there of the other guests. |
|
|
Term
| Name several types of Hypervisor attacks |
|
Definition
VM Escape
Hyperjacking (installing a rogue hypervisor beneath the running OS)
Blue Pill
Vitriol
SubVirt
DKSM |
|
|
Term
| What threats are introduced with multi-tenancy in a cloud environment? |
|
Definition
Information leakage among separate tenants (when sharing the same storage areas, servers/VMs, etc.)
Increased attack surface potentially leading to VM-to-VM or VM-to-hypervisor compromise. |
|
|
Term
| Should PaaS tenants have shell access to the servers that run the platform software? Why or why not? |
|
Definition
| No - shouldn't have shell access. This limits the chance and likelihood of configuration or system changes impacting multiple tenants. |
|
|
Term
| Name one major challenge of security in a PaaS implementation |
|
Definition
| User level permissions - keeping them separated between clients and keeping them from inadvertently growing over time. |
|
|
Term
| Name one major security challenge for SaaS |
|
Definition
| Data segregation - keeping one customer's data separate from another's in a multi-tenancy environment. |
|
|
Term
| Name 3-5 of the OWASP Top 10 Web Application Vulnerabilities/exploits: |
|
Definition
Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Insecure direct object references
Broken authentication and session management
Missing function-level access control
Unvalidated redirects and forwards |
|
|
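Injection heads the list, so here is an added example (not from the flashcards) of the vulnerable pattern beside its fix, on an in-memory SQLite database with constructed rows. The vulnerable lookup builds SQL by string formatting, so a crafted username becomes part of the query's grammar and returns every row; the fixed lookup passes the value as a bound parameter and also scopes the query to the caller's tenant, which is the data-segregation concern raised for SaaS a few cards earlier. The table, rows and PAYLOAD are invented for illustration.

```python
"""Injection: vulnerable string-built query beside the parameterised fix."""
import sqlite3


def make_db():
    """In-memory SQLite with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "tenant TEXT, api_key TEXT)")
    db.executemany("INSERT INTO users (username, tenant, api_key) VALUES (?, ?, ?)", [
        ("alice", "acme", "key-alice"),
        ("bob", "acme", "key-bob"),
        ("mallory", "evilcorp", "key-mallory"),
    ])
    return db


def lookup_vulnerable(db, username):
    """Vulnerable: attacker-controlled text becomes part of the SQL grammar."""
    sql = f"SELECT username, api_key FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_fixed(db, tenant, username):
    """Fixed: values are bound parameters, never parsed as SQL. The query is
    also scoped to the caller's tenant, so even a valid username belonging to
    another tenant returns nothing."""
    sql = "SELECT username, api_key FROM users WHERE tenant = ? AND username = ?"
    return db.execute(sql, (tenant, username)).fetchall()


# Constructed payload: closes the string literal and ORs in a tautology.
PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))    # every row, every tenant
    print("fixed:     ", lookup_fixed(db, "acme", PAYLOAD))  # []
```

The fix is not escaping the quote (that only moves the problem) but keeping data and code apart: with a bound parameter the database receives the payload as a string to compare against, never as SQL to parse.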
Term
| Name the 6 phases of the Cloud Secure Data Life Cycle |
|
Definition
Create, Store, Use, Share, Archive, Destroy |
|
|
Term
| During what phase of the Cloud Data Life Cycle should information classification happen? |
|
Definition
| Create - data should be classified as soon as it is created (or first enters the cloud), because the classification drives the controls applied in every later phase: encryption at rest, sharing restrictions, retention and destruction. |
|
Term
| For BCP with the cloud, what are two critical success factors? |
|
Definition
1) Clearly state and ensure the SLA addresses which components of the business continuity/disaster recovery are covered and to what degree
2) Understanding your responsibilities vs. the cloud provider's responsibilities |
|
|
Term
| What does the ISO/IEC 27001 Standard include? |
|
Definition
| Standards for information security management system / best practices |
|
|
Term
| What does NIST SP 800-53 contain? |
|
Definition
| A catalog of security and privacy controls for information systems and organizations (originally for US federal systems, now widely used elsewhere) |
|
|
Term
| What do the SOC I/II/III standards involve? |
|
Definition
| Vendor assurance, conducted by a third party |
|
|
Term
| What does the PCI DSS standard cover? |
|
Definition
| Payment card data security |
|
|
Term
| What does FIPS 140-2 cover? |
|
Definition
Security requirements for cryptographic modules (hardware and software) used to protect sensitive data, in four security levels (Note: This is a NIST standard; FIPS 140-3 is its successor) |
|
|
Term
| What do SOC I, II and III cover? |
|
Definition
SOC I = controls at the service organization that are relevant to its customers' financial reporting
SOC II = IT managed service providers and cloud providers (more comprehensive info than SOC III - for existing customers)
SOC III = Also covers IT managed service providers, but is written for an audience of potential future customers, contains less specific info and is more broadly distributed than SOC II |
|
|
Term
| What's the difference between a SOC Type I vs. Type II assessment? |
|
Definition
Type I = point in time (design of the controls as of a given date)
Type II = over a range of time (design and operating effectiveness, typically 6-12 months) |
|
|
Term
| What SOC assessment would a consumer of Cloud services typically look for? |
|
Definition
| A SOC II Type II report: it covers the operating effectiveness of the provider's security, availability, confidentiality (etc.) controls over a period, rather than their design at a single point in time, and is usually shared under NDA. SOC III is the public summary aimed at prospects. |
|
Term
| Which SOC assessments use the 5 "Trust Service Principles"? |
|
Definition
| SOC II and SOC III (SOC I reports on controls over financial reporting instead) |
|
Term
| What are the 5 SOC "Service Trust Principles"? |
|
Definition
Security
Availability
Processing Integrity
Confidentiality
Privacy |
|
|
Term
| What is ISO/IEC 15408? |
|
Definition
"Common Criteria" - Developed for evaluating information security products, and ensuring that they meet an agreed-upon security standard for government entities and agencies. |
|
|
Term
| What are the two key components of the Common Criteria (ISO/IEC 15408)? |
|
Definition
Protection Profiles (=security requirements)
Evaluation Assurance Levels (EAL) - range from EAL1 to EAL7, with EAL7 being the highest assurance level |
|
|
Term
| For FIPS 140-2, how many security levels are there and what's the highest? |
|
Definition
| 4, with Security Level 4 being the highest |
|
|
Term
| What does a "Cloud Developer" do? |
|
Definition
| Focuses on development for the cloud infrastructure *itself*. |
|
|
Term
| What is a Cloud Services Broker (CSB)? |
|
Definition
| Third party entity or company that looks to enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers. |
|
|
Term
| What's the difference between Eucalyptus and Apache Cloud Stack? |
|
Definition
| Both are open source IaaS software resources, but Eucalyptus focuses on private clouds (with AWS-compatible APIs), whereas Apache CloudStack covers all cloud deployment models. |
|
|
Term
| What does the Jericho Forum's Cloud Model illustrate? |
|
Definition
| How combinations of cloud service models, deployment models, physical locations of resources and attribution of management of ownership can be interwoven to produce various cloud deployment scenarios, in order to understand how cloud computing affects the way in which security might be approached. |
|
|
Term
| The lower down the cloud stack you go, the more the burden of security is placed on the ....... |
|
Definition
| ...consumer/customer. With IaaS the customer secures the guest OS, middleware, applications and data; with PaaS the provider takes over the OS and runtime; with SaaS the customer is left mainly with its data, identities and configuration (the shared responsibility model). The provider always keeps the physical facilities and the hypervisor. |
|
Term
| What are some of the benefits of Security As a Service? |
|
Definition
Cost-cutting
Consistent and uniform protection
Constant virus definition updates that are not reliant on user compliance
Greater security expertise than is typically available within an organization
Faster user provisioning
Outsourcing of administrative tasks, such as log management, to save time and money and allow an organization to devote more time to its core competencies
A web interface that allows in-house administration of some tasks as well as a view of the security environment and ongoing activities |
|
|