Notes To Know Flashcards
What is the difference between encryption and tokenization?
Tokenization only protects against internal threats, while encryption protects against internal and external threats.
Which form of cloud service carries the most risk?
Infrastructure as a Service (IaaS) has the most risk and potential security vulnerabilities.
How is cloud data in transit encrypted?
It is encrypted using PKI (public key infrastructure).
What is a hypervisor?
It allows multiple OSs to share a single hardware host.
Type 1 Hypervisor
Installed directly on the hardware. Called a bare metal hypervisor.
Type 2 Hypervisor
Installed on top of an existing OS. An example is VMware. It is more vulnerable because the attack surface is larger.
Advanced Persistent Threat (APT)
A stealthy threat that stays within a system for a long time or keeps coming back.
OWASP
Open Web Application Security Project: publishes the Top Ten list of web application security threats. The list is updated every few years.
List the Cloud Data Life Cycle
- Create
- Store
- Use
- Share
- Archive
- Destroy
What is one of the most important aspects of cloud?
Cost
What is ISO 27001?
ISO/IEC 27001 is the best-known standard in the family; it provides the requirements for an information security management system (ISMS). It has 14 domains, 35 control objectives and 114 controls.
What is ISO 27002?
The standard is intended to guide the development of organizational information security standards and effective security management practices.
NIST 800-53
NIST 800-53 is a publication that recommends and documents security controls for all federal information systems and organizations, except systems designed for national security.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
- 12 domains / requirements
- 200 controls
- Not a law, which means you can’t be put in jail for violating it
What are the Common Criteria?
A seven-level testing program broken into Evaluation Assurance Levels (EALs). EAL 1 offers the lowest security while EAL 7 offers the highest security.
What is FIPS 140-2?
A standard for cryptographic modules that covers both hardware and software.
- Security level 1 is the lowest level of security
- Security level 4 is the highest level of security
What is provided as an IaaS?
- Computer and network hardware
- Data center (physical facility)
What is included in a PaaS?
- Data center
- Computer and network hardware
- Virtual infrastructure, including the hypervisor and VMs
- The Operating Systems (OS)
What is included as a SaaS?
Everything from IaaS and PaaS, as well as the software and applications.
What is ISO 27017:2015?
Information security controls applicable to the provision and use of cloud services.
ISO 27001 favors which technology?
It does not favor any specific technology.
Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?
ISO 27002
SOC 2 Type 1
The SOC 2 Type 1 report only describes the IT security controls designed by the target, not how effectively those controls function.
SOC 2 Type 2
The SOC 2 Type 2 report provides details on the IT security controls used by the target and how well those controls function.