Mock Exam C

XCCDF specifies a format for configuration files. These are the checklists that the SCAP scanner (the vulnerability assessment tool) will use. They are written in an XML format. Within the US government and DoD, these files are more commonly known as Secure Technical Implementation Guide (STIG). More information can be obtained from the following public site: https://public.cyber.mil/stigs/. Open Vulnerability and Assessment Language (OVAL) OVAL is an open international standard and is free for public use. It enables vendors to create output that is consistent. If I view a report that has been run using the Nessus tool, it will match the output created by another vendor’s OVAL-compliant tool.

Instance store volumes (Amazon Web Services) – For IaaS customers
The data on NVMe instance store volumes is encrypted using an XTS-AES-256 cipher, implemented on a
hardware module on the instance. The keys used to encrypt data that’s written to locally-attached NVMe
storage devices are per-customer, and per volume. The keys are generated by, and only reside within, the
hardware module, which is inaccessible to AWS personnel.
Storage based would be Self Encrypting Hard Drive (SED)

OpenID Connect: If you’ve used your Google to sign in to applications like YouTube, or Facebook to log into an online shopping cart, then you’re familiar with this authentication option. OpenID Connect is an open standard that organisations use to authenticate users. IdPs use this so that users can sign in to the IdP, and then access other websites and apps without having to log in or share their sign-in information. OpenID is a Federation service – sending JWT to authenticate the user with a 3rd party vendor site.

To Authorize your data being used by the vendor site you will also use Oauth

OAuth (Open Authorization^[1][2]) is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.^[3][4] This mechanism is used by companies such as Amazon,^[5] Google, Facebook, Microsoft, and Twitter to permit the users to share information about their accounts with third-party applications or websites

NIST SP800-61

Preparation includes – Section 3.1.2 Preventing Incidents

Risk Assessments, Host Security, Network Security, User Awareness Training

A Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them

CASBs were created with one thing in mind: protecting proprietary data stored in external, third-party media. CASBs deliver capabilities not generally available in traditional controls such as secure web gateways (SWGs) and enterprise firewalls. CASBs provide policy and governance concurrently across multiple cloud services and provide granular visibility into and control over user activities

Before we can design the detailed elements of BCDR (Business Continuity Disaster Recovery) we need to complete a comprehensive BIA (Business Impact Analysis/Assessment).

https://aws.amazon.com/secrets-manager/
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT
resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys,
and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets
Manager APIs, eliminating the need to hardcode sensitive information in plain text

Not VDI as we are using SaaS solutions.

DLP stops data exfiltration, Watermarking prevents print violations, proxy offers a layer of security, MFA stops admins gaining un-authorised access

RC4 is deprecated – it is a weak symmetric cipher. All the other choices offer strong security

MITRE ATT&CK is a documented collection of information about the malicious behaviours advanced persistent threat (APT) groups have used at various stages in real-world cyberattacks