Domain 3

Cloud Infrastructures chapter 1:

The following models have a mix of shared responsibilities, SaaS, PaaS, LaaS and On Prem

• On Prem is fully managed by the customer, while LaaS and backwards has the least to most provider management

Infrastructure as code: defines servers, network, and applications as code,

modify the infrastructure and create versions, multiple infrastructures can be created,

Function as a Service: server less architecture, Applications are separated into individual autonomous functions (removes the OS from the equation)

The developer still creates the server side logic, all OS security concerns the 3parties

Microservices and APIs: Monolithic is outdates

APIs: application programming interfaces, is glue for microservices work together to act as the application, scalable resilient, and security and compliance is better.

Network Infrastructure:

Physical Isolation: devices are physically separate(need air gap) to prevent communication with one another. (No opportunity of mixing data)

Virtual Local Area network: logical segmentations, separated logically instead of physically

Software Defined Network: 3 separate planes: data, control and management planes. Split the functions into separate logical units. Perfectly built for the cloud.

• Infrastructure Layer(Data plane): process the network frames, and packets. Forwarding, trunking, and encrypting, NAT

• Control Layer (Control plane)L manages the actions of the data plane, routing tables, session tables, nat tables, Dynamic routing protocol updates

• Application layer(management plane): config changes, and manages traffic.

decentralized: most orgs are physically decentralized there are many locations, cloud providers, and OS it is difficult to manage and protect so many diverse systems.

Centralized: correlated alerts, consolidates log files analysis and comprehensive systems status and maintenance/patching.

virtualization: each vm needs its own os and adds overhead and complexing which is expensive but can run many different OS on the same hardware but need own instance for each OS

Containers: multiple applications are contained and can switch out and use the same host operating system the applications don’t interact with each other and are self contained.

IOT: weak defaults, not security professionals

SCADA(Supervisory Control and Data Acquisition System): larger machinery that are pieced together with network. IT is very large scale also known as multi-state industrial control Systems. (ICS) Required extensive segmentation, DOS (most secure in the works)

RTOS(Real time operating system): deterministic process scheduling there is no wait time for other processes, industrial equipment auto mobiles, military environments

Mean time to Repair(MTTR): the amount of time it takes to replace unavailable resources with available resources.

Secure Infrastructures Chapter 2:

Security zones: allows logically separate devices to a specific zone such as trusted or untrusted zone. It is more flexible an secure than IP address ranges. Simplifies security policies.

Application level Encryption: data is encrypted any data that is being passed within the application is encrypted

Network level encryption: that would include IPsec tunnels, VPN connections

Intrusion Prevention System(IPS): which stops it before it gets into the network. could be a known vulnerability there is also Intrusions detection system (IDS) that alerts you

Failure modes:

• fail open: when a system fails and data continues to flow

• fail close: when a system fails and data does not flow

Device connections

Active monitoring: system is connected inline and use IPS(watches real time) IPS could be blocking general could block more traffic than needed so its not always favorable

Passive monitoring: A copy of the network traffic is examined using a tap or port monitor, data can’t be blocked real time and intrusion detection is commonly passive (switch) (known as the IDS) Port mirror (SPAN_ or network tap (common with IDS)

jump server: access secure network zones it is a device inside the private networks that is hardened and monitored. usually a two step connection need SSH/TUnnel/VPN to the jump server and need proper auth. Compromising the jump server would be a significant breach.

Proxies server: sits in the middle of a conversation and makes requests. Communicates to the internet to the servers. and Validates the response is not malicious, could also could be used for caching and saves bandwidth and time. Could also perform URL filtering and content scanning

Load balancer: can provide tcp offload, ssl offload, and caching there can also be prioritization and content switching

Collectors: Details collected by the sensors are being sent to one centralized database called collectors, they sometimes use proprietary console that work with ips and firewalls Siem(security information and event manager) powerful reporting tool. Also includes the different types of log.

Extensible Auth Protocol(EAP): works with wireless access points 802.1x manages auth process on networks

IEEE 802.1x : port based network access control (NAC) cant access network until you authenticate

Network based firewall: filter traffic by port number or application OSI layer 4(tcp/udp) vs layer 5 and traditional vs NGFW( application based)

(unified threat management) UTM: URL filtering, malware inspection, spam filter, CSU/DSU, router swithc, firewall and IDS/ips can also be used as a bandwidth shaper or vpn endpoint

Only operate at layer 4 so look at ports,

NeXT gen firewall OSI layer : can be also known as application layer gateways state full multilayer inspection and deep packet inspection. Every packet must be analyzed. controls traffic flow based on application (looks at application) does not specifically look at only port

web application firewall: based input based on http/https major focus for payment card industry.

• Cloud: On-demand access to a shared pool of configurable computing resources, such as storage, applications, and services over the Internet.

• Responsibility matrix: A framework that delineates the responsibilities of different parties in a cloud computing environment.

• Hybrid considerations: Factors involving the integration of private and public cloud services and infrastructure.

• Third-party vendors: External providers that deliver various cloud computing services and solutions.

• Infrastructure as code (IaC): A practice of managing and provisioning computing infrastructure through machine-readable definition files rather than through physical hardware configuration.

• Serverless: A cloud computing execution model where the cloud provider dynamically manages the allocation of resources, allowing developers to build and run applications without dealing with server management.

• Microservices: An architectural style that structures an application as a collection of small, loosely coupled services, independently deployable.

• Network infrastructure: The hardware and software resources of a network that enable network connectivity, communication, operations, and management.

  • Physical isolation: The configuration where devices are physically separated to prevent unauthorized communication.

  • Air gapped: A security measure where a secure system is physically isolated from unsecured systems.

  • Logical segmentation: Dividing a network into separate segments that are distinct from each other without physical separation.

  • Software-defined networking (SDN): A network architecture that separates the control plane from the data plane, enabling easier management and configuration of network resources.

• On-premises: Infrastructure that is deployed and operated on the premises of the organization rather than hosted in the cloud.

• Centralized vs. decentralized: Centralized systems concentrate operations and resources in one location, while decentralized systems distribute them across various locations.

• Containerization: The encapsulation of an application and its dependencies in a container that can run in any environment.

• Virtualization: A technology that allows multiple virtual instances of operating systems to run on a single physical hardware system.

• IoT (Internet of Things): A network of interconnected devices that communicate and exchange data using the Internet.

• Industrial control systems (ICS)/supervisory control and data acquisition (SCADA): Systems used for industrial automation and control, managing large-scale machinery and processes.

• Real-time operating system (RTOS): An operating system designed to serve real-time applications, ensuring that tasks are executed within specific timing constraints.

• Embedded systems: Specialized computing systems that perform dedicated functions within larger systems, often embedded within hardware.

Chapter 10 notes

ACL default rule is to deny all

SIEM software: collects and analyzes data from various network sources to identify security events. Provide real time alerts, essential for a proactive defense network .

After ensuring the servers are secure you need to ensure the hosts are secure as well. EDR, MDM, and MFA are great for safeguard user devices from malware and unauthorized access.

Cloud Services:

Infrastructure as a service(IaaS): csp will provide network infrastructure (hardware devices for the network) default settings need to be reconfigured . Customers need to configure and patch devices and install an OS.

Software as a Service(Saas): these would be examples like goldmine and salesforce csp hosts a predefined software application accessed through a webserver.

Platform as a Service(Paas): offers developers the necessary environment to build application seamlessly. Applications that include the full suite like Azure, Mysql including IOS, android and window devices.

Security as a Service(SECaas): provides Identity and access management(IAM) which grants secure access to applications from anywhere at any time.

Anything as a service(Xaas): describes a multitude of other available cloud services such as network as a service(Naas)

data management: maintain control and visibility over data

third - party vendors: are external suppliers or service providers engaged by organizations to deliver specific products or services.

The following are risks associated with relying on third party vendors: Data breaches, security vulnerabilities, compliance challenges, operational disruptions.

Infrastructure as code (IaC): is the practice of defining and managing IT infrastructure through machine readable code or scripts. usually written in YAML and JSON the following are the benefits for having IaC : Efficiency redefined, consistency and reproducibility, version control and collaboration, and provider tools.

Serverless: is a type of computing that offloads operational overhead, enabling developers to focus solely on writing and deploying code. The CSP handles everything, no provision is required on the companies end. It good for applications that have heavy or unpredictable loads.

Customers are still responsible for the data in the application and managing the application.

Microservices: breaks down the application into a collection of smaller, self contained services that communicate with each other with APIs

Network infrastructure: is a mixture of networking devices, protocols, and routing packets that all work together in an interconnected environment.

Address resolution protocol: when connections are made to switch, each port is allocated to a MAC address. Is used to map an IP address to MAC address.

Layer 3 switch (multilayer switch): is network switch that operates at data link and network layer of the OSI model.

Load balancer: distributes incoming traffic evenly across multiple servers, ensuring efficient handling of high traffic loads.

NIPS: uses signature based detection, anomaly detection and behavior analyses to identify and prevent unauth access.

Air-gapped network: physically isolated, there are no devices within that network that have a cable or wireless connection from which data might be stolen.

subnetting: breaks down the network into smaller networks called subnets. reduces broadcast domain.

Virtual local area network: allows you to group multiple network ports together, creating a distinct and separate network within the larger network.

SDN(Software Defined Networking)

Management plane: monitors network traffic.

Control plane: servers as the networks brain, Centralized entity that makes high level decisions about traffic routing.

Data plane: consists of switches, routers, and access points. responsible for forwarding data packets based on instructions received from the control plane.

Centralized vs Decentralized

centralized organizations have a hierarchical structure where decision making authority is concentrated at the top. Decentralized is distributed decisions making authority across various levels.

Blockchain is an example of decentralized uses public ledger to record transactions

Containerization: bundles software into containers. They are portable, self sufficiently units that package all the essential components of an application including its code libraries dependencies and configurations. (allow deployment regardless of OS)

Virtualization: csp has total control over the image. only mouse clicks and keyboard strokes are exchanged between the desktop and the virtual machine.

IOT: embedded with sensors, software and connectivity capabilities. Can exchange data over central systems. real time data monitoring, automation and smarter decision making.

Cons: lack of standardization, data privacy concerns, insecure communications, lifecycle management, physical attacks, supply chain risks, user awareness

SCADA: monitoring, managing, and controlling industrial process, allowing for seamless coordination and oversight across different phases of production.

SCADA system runs on the same software as client computers and is vulnerable to the same threats. The below are the scada levels.

plant level: lowest level of scada includes the physical equipment and process on the factory floor

controller level: responsible for real time control of the physical processes. Includes Programmable logic controllers(PLC) that receive input from sensors on the plant floor

coordinating computer level: Human machine interface systems that provide a centralized view of the plants operations. Collect data from controller level display it to operations

programing logic controller level: manages and controls the overall production process. Needs to coordinate multiple production lines

SCADA is a prime target for cybercrime they deal with crucial services such as : energy, facilities, manufacturing, logistics, industrial

RTOS(real time operating systems): light control or navigation systems where everything happens in real time. ensure high priority tasks are executed within a predetermined time frame.

Geo-Zone Redundant Storage(GZRS):the data is duplicated across these various regions and zones dispersed regions

Chapter 11 Infrastructure Considerations:

Device Placement: Determines the strategic positioning of security Network is divided into three sperate zones LAN, screened subnet, WAN

LAN: ips, ids, load balancers, switches and sensors,

Screened subnet(DMZ): ips, ids, jump server, proxy server, reverse proxy load balancer, sensors

Demilitarized Zone (DMZ): is where you would place resources that can be accessed by both the trusted and untrusted zones (boundary layer between wan and lan as a buffer zone)

WAN: router and ACL (untrusted zone there is no control over it)

Fail-closed: when a problem is encountered it automatically goes into a closed or blocked state to prevent unauth access

fail open: defaults to pen state that allows for unrestricted access

device attributesL

active devices: are proactive force within your network security arsenal . Can block and mitigate threats in real time such as IPS

passive devices: observers such as ids without actively blocking traffic

inline: devices that are placed directly in the data path of network traffic. Firewalls are an example they control the inbound and outbound of the traffic

tap/monitor: tap into traffic and duplicate and monitor it does not affect orginal data flow packet sniffer

Network appliances:

Jump servers: connect via SSH or the remote desktop protocol and from there they access and manage servers switches routers and other internal network

Proxy server intermediary between clients seeking resources on the internet or external network. maintains log file of these requests to allow admins to track users internet usage.

• url filtering: checks against a predefined list (like blocking social media during work hours)

• content filtering: access to gambling websites can be blocked from key words like gambling or by category

• web page caching: reduces bandwidth usage and increase browsing speed but real time stock data cant be cached due to its dynamic nature.,

• reverse proxy server: is placed in the boundary network performs authentication and decryption of secure sessions to enable it to filter incoming traffic.

• Load balancer: 4 can balanced based on packet header, port number and destination address. layer 7 can be more sophisticated can be based on content based routing for web applications, apis, and servicers that require application level awareness.

Least utilized host uses the layer 7 load balancer

affinity: it uses layer 4 load balancer it is not as dynamic as the least utilized host and the request will always be sent to that same web server every time a request is submitted.

DNS round robin: lowest IP address first, rotates around web 1 3 4 and keeps the sequence going back to web 1. It does not detect the status of servers so it might forward a request even if a server is down

sensors; detect and analyze unusual network.

Port Security: Is designed to restrict access to the switch to restrict access on who can control the network and and what type of traffic is allowed.

Sticky Mac: simplifies the port security process of storing the mac addresses of authorized devices. If mac address is not matched it denies access

Disabling ports: is a proactive approach to network security

802.1x authentication: offers more flexible secure method of network access control and introduces the RADIUS server. It allows or denies based on authentication by using certificates

EAP different types of auths for the 802.1x authentication

Firewall Types:

Web application firewalls: shields web applications from cyber threats safeguards attacks against sql injections XSS and DDOS attacks. WAF operates on layer 7of the OSI reference model.

UTM: can provide malware inspection DLP content filter, url giltering, all in one security solution.

NGFW: is the power house in network security operating at layer 7 with added advantage of harnessing cloud powered threat intel.

Layer 4: referred as a stateless firewall is a gatekeeper of network traffic. decided if packets should exchanged based on predefined rules. Packet filtering firewall

layer 7: inspects at the application layer enabling deep packet inspection

Tunneling: used to secure and encrypt data s it travels over potentially untrusted networks ensuring privacy.

TLS: uses certificates for auth, sent to Raidus server then the vpn gateway provides secure communication for the local network.

IPsec: can create secure sessions between client and computer and server. There are two different portions:

Authenticated header: sha1 or md5 hashing algorithms provides data integrity

Encapsulated security payload: is part of hte IPsec packe in which data is stored and encrypted via symmetric encryption via DES, 3DES, or AES

summary for 3.2

• Infrastructure considerations: Key network design factors

• Device placement: Where devices are located

• Security zones: Network segments with distinct security policies

• Attack surface: Vulnerable points exposed to threats

• Connectivity: Network connections between devices

• Failure modes: How devices respond to failures

  • Fail-open: Device allows traffic on failure

  • Fail-closed: Device blocks traffic on failure

• Device attribute: Device characteristics

  • Active vs. passive: Device interaction level

  • Inline vs. tap/monitor: Traffic handling approach

• Network appliances: Devices with specific functions

  • Jump server: Secure access intermediary

  • Proxy server: Intermediary for client-server requests

  • IPS/IDS: Intrusion prevention and detection

  • Load balancer: Distributes network traffic evenly

• Sensors: Monitor network traffic for anomalies

• Port security: Protects physical network ports

  • 802.1X: Port-based network access control

  • Extensible Authentication Protocol (EAP): Authentication framework

• Firewall types: Various firewall categories

  • Web application firewall (WAF): Protects web apps

  • Unified threat management (UTM): Comprehensive security

  • Next-generation firewall (NGFW): Advanced firewall features

  • Layer 4/Layer 7: OSI model-based filtering

• Secure communication/access: Protects data and access

  • Virtual private network (VPN): Secure remote access

  • Remote access: Connecting to a network remotely

  • Tunneling: Secure data transmission method

  • Transport Layer Security (TLS): Data encryption protocol

  • Internet protocol security (IPSec): Secure network protocol

  • Software-defined wide area network (SD-WAN): Dynamic network management

  • Secure access service edge (SASE): Cloud-based network security

• Selection of effective controls: Choosing security measures

Chapter 12 Compare and contrast concepts and strategies to protect data

Regulated data: is subjected to specific laws and regulations

Personally identifiable information: ssn, dln, email address and phone numbers are specific to individuals

Protected health information: unique to person such as health history, including diagnoses etc

Financial data: related to electronic payment, bank account details etc.

legal data: such as court cases, very confidential and subjected to privacy laws

intellectual property: IP rights are you creative innocations and may include trade secrets patents etc subjected to copyrights laws.

consumer data: purchase histories, online behabior

government data: contracting workers with government and how they use and dispose data.

trade secrets: include business deals and require ndas

Regulations:

general data protection regulation(GDPR): EU laws guarding personal data rights and privary in the digital realm

hipaa : us regulations securing the privacy of health information

ccpa: california legislation empowering consumer data rights and privacy

subranes oxley acts (sox): us law ensuring financial transparency and accountability for public companies.

GLBA : us act imposing privacy and security rules on financial institutions

data protections acts: this is a statute law in UK to protect and regulate personal data handling and safe guard privacy

MD5 uses 128 bits

secure hash (sha1) uses 160 bits

sha 256 uses 256 bit

sha 512 uses 512 bit

sha 3 uses 512 bit

ROT13: logical operation that means rotate by 13 places and is variation of the caesar cipher. 26 letter in alphabet

Chapter 13: Importance of resilience and recovery in security architecture

Clustering: involves grouping multiple servers or nodes together to operate as a single system. active and passive nodes share a quorum disk reinforced by a witness server and vip at the forefront

VIP: the forefront of the cluster the public facing interface acts as the entry point for external requests. Make sures if active node fails the cluster remains accessible to users.

Active passive node configuration: a pair of nodes, one active and once passive access by virtual ip passive node is on stand by if active node fails

Quorum disk: is shared storage resource that members of the cluster share.

witness server: additional layer of reliability the server assist in determining the state of the cluster. Avoid split brain scenarios

Heartbeat communications: is the communication between the active and passive nodes there are regular exchanges of status and updates.

Site Considerations:

hot site: best site for rapid recover, fully operational that mirrors your primary data centers. most expensive option fastest way to recover from downtime.

warm site: fully functional but data sync lags behind the hot site, data can be sent via courier, so it would take 3-4 hours more cost effective than a hot site.

cold site: where the budget is very limited, empty shell provides essentials for recovery, slowest option, there is amore extended downtime needed for recovery.

Geographical dispersions: strategic distribution of data centers, servers enhance resilience by reducing the risk of a single point of failure.

Cloud data Replication:

Local Redundant Storage(LRS): three copies of your data are replicated within a single physical location or data center. Data is stored in the same zone. Most cost effect solution but leaves data to be vulnerable to total loss in even of a local disaster or power, also not meant for high availability scenarios.

Zone Redundant Storage: replicates data between three separate availability zones within you primary cloud region. does not protect against regional catastrophes

GEO Redundant Stage creates three copies of you data within a single physical location in the primary region, however stores one copy of the data in a secondary region with geographical distance. Protects against regional damage

GEO zone Redundant Storage: replicates data between three sperate availabity zones within your primary region and one copy to secondary region.

Continuity of operations (Coop): is comprehensive strat that enables orgs to continue essential functions and services during and after disruptive events.

table top exercise: disaster recovery plan in a controlled enviorment. can identify gaps in the plan. easiest exercise its all paper based

failover: allows orgs to verify reliability of the critical systems.

Simulation: white team overseeing and assessing responses based on predefined disaster scenarios from the recovery plan.

Parallel Processing: Allows for multiple processes to work simultaneously.

Full back: A full back up of the data that occurs during the weekend when the stem load is lower.

Incremental backup: reduce storage usage ensuring continuity saves storage, space, requires less time, suitable for orgs with limited resources.

differential backup: uses more space than incremental but less than full back up grows progressively larger every day.