Multilingual and Platform Independent Cloud Certification and Education App for AWS, Azure, Google Cloud

Cloud Edu Cert

Data Center Proxies - Data Collectors - Data Unblockers

The Cloud Education Certification App is an EduFlix App for AWS, Azure, Google Cloud Certification Prep.

Technology is changing and is moving towards the cloud. The cloud will power most businesses in the coming years and is not taught in schools. How do we ensure that our kids and youth and ourselves are best prepared for this challenge?

Building mobile educational apps that work offline and on any device can help greatly in that sense.

The ability to tab on a button and learn the cloud fundamentals and take quizzes is a great opportunity to help our children and youth to boost their job prospects and be more productive at work.

The App covers the following certifications :
AWS Cloud Practitioner Exam Prep CCP CLF-C01, Azure Fundamentals AZ 900 Exam Prep, AWS Certified Solution Architect Associate SAA-C02 Exam Prep, AWS Certified Developer Associate DVA-C01 Exam Prep, Azure Administrator AZ 104 Exam Prep, Google Associate Cloud Engineer Exam Prep, Data Analytics for AWS DAS-C01, Machine Learning for AWS and Google, AWS Certified Security – Specialty (SCS-C01), AWS Certified Machine Learning – Specialty (MLS-C01), Google Cloud Professional Machine Learning Engineer and more…

The App covers the following cloud categories:

AWS Technology, AWS Security and Compliance, AWS Cloud Concepts, AWS Billing and Pricing , AWS Design High Performing Architectures, AWS Design Cost Optimized Architectures, AWS Specify Secure Applications And Architectures, AWS Design Resilient Architecture, Development With AWS, AWS Deployment, AWS Security, AWS Monitoring, AWS Troubleshooting, AWS Refactoring, Azure Pricing and Support, Azure Cloud Concepts , Azure Identity, governance, and compliance, Azure Services , Implement and Manage Azure Storage, Deploy and Manage Azure Compute Resources, Configure and Manage Azure Networking Services, Monitor and Backup Azure Resources, GCP Plan and configure a cloud solution, GCP Deploy and implement a cloud solution, GCP Ensure successful operation of a cloud solution, GCP Configure access and security, GCP Setting up a cloud solution environment, AWS Incident Response, AWS Logging and Monitoring, AWS Infrastructure Security, AWS Identity and Access Management, AWS Data Protection, AWS Data Engineering, AWS Exploratory Data Analysis, AWS Modeling, AWS Machine Learning Implementation and Operations, GCP Frame ML problems, GCP Architect ML solutions, GCP Prepare and process data, GCP Develop ML models, GCP Automate & orchestrate ML pipelines, GCP Monitor, optimize, and maintain ML solutions, etc..

Cloud Education and Certification

The App covers the following Cloud Services, Framework and technologies:

AWS: VPC, S3, DynamoDB, EC2, ECS, Lambda, API Gateway, CloudWatch, CloudTrail, Code Pipeline, Code Deploy, TCO Calculator, SES, EBS, ELB, AWS Autoscaling , RDS, Aurora, Route 53, Amazon CodeGuru, Amazon Bracket, AWS Billing and Pricing, Simply Monthly Calculator, cost calculator, Ec2 pricing on-demand, IAM, AWS Pricing, Pay As You Go, No Upfront Cost, Cost Explorer, AWS Organizations, Consolidated billing, Instance Scheduler, on-demand instances, Reserved instances, Spot Instances, CloudFront, Workspace, S3 storage classes, Regions, Availability Zones, Placement Groups, Amazon lightsail, Redshift, EC2 G4ad instances, DAAS, PAAS, IAAS, SAAS, NAAS, Machine Learning, Key Pairs, AWS CloudFormation, Amazon Macie, Amazon Textract, Glacier Deep Archive, 99.999999999% durability, AWS Codestar, Amazon Neptune, S3 Bucket, EMR, SNS, Desktop As A Service, Emazon EC2 for Mac, Aurora Postgres SQL, Kubernetes, Containers, Cluster.

Azure: Virtual Machines, Azure App Services, Azure Container Instances (ACI), Azure Kubernetes Service (AKS), and Windows Virtual Desktop, Virtual Networks, VPN Gateway, Virtual Network peering, and ExpressRoute, Container (Blob) Storage, Disk Storage, File Storage, and storage tiers, Cosmos DB, Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and SQL Managed Instance, Azure Marketplace, Azure consumption-based mode, management groups, resources and RG, Geographic distribution concepts such as Azure regions, region pairs, and AZ Internet of Things (IoT) Hub, IoT Central, and Azure Sphere, Azure Synapse Analytics, HDInsight, and Azure Databricks, Azure Machine Learning, Cognitive Services and Azure Bot Service, Serverless computing solutions that include Azure Functions and Logic Apps, Azure DevOps, GitHub, GitHub Actions, and Azure DevTest Labs, Azure Mobile, Azure Advisor, Azure Resource Manager (ARM) templates, Azure Security, Privacy and Workloads, General security and network security, Azure security features, Azure Security Centre, policy compliance, security alerts, secure score, and resource hygiene, Key Vault, Azure Sentinel, Azure Dedicated Hosts, Concept of defense in depth, NSG, Azure Firewall, Azure DDoS protection, Identity, governance, Conditional Access, Multi-Factor Authentication (MFA), and Single Sign-On (SSO),Azure Services, Core Azure architectural components, Management Groups, Azure Resource Manager,

Google Cloud Platform: Compute Engine, App Engine, BigQuery, Bigtable, Pub/Sub, flow logs, CORS, CLI, pod, Firebase, Cloud Run, Cloud Firestore, Cloud CDN, Cloud Storage, Persistent Disk, Kubernetes engine, Container registry, Cloud Load Balancing, Cloud Dataflow, gsutils, Cloud SQL,

Cloud Education Certification: Eduflix App for Cloud Education and Certification (AWS, Azure, Google Cloud)

Features:
– Practice exams
– 1000+ Q&A updated frequently.
– 3+ Practice exams per Certification
– Scorecard / Scoreboard to track your progress
– Quizzes with score tracking, progress bar, countdown timer.
– Can only see scoreboard after completing the quiz.
– FAQs for most popular Cloud services
– Cheat Sheets
– Flashcards
– works offline

Note and disclaimer: We are not affiliated with AWS, Azure, Microsoft or Google. The questions are put together based on the certification study guide and materials available online. The questions in this app should help you pass the exam but it is not guaranteed. We are not responsible for any exam you did not pass.

Important: To succeed with the real exam, do not memorize the answers in this app. It is very important that you understand why a question is right or wrong and the concepts behind it by carefully reading the reference documents in the answers.

CyberSecurity 101 and Top 25 AWS Certified Security Specialty Questions and Answers Dumps

AWS Certified Security – Specialty Questions and Answers Dumps

Data Center Proxies - Data Collectors - Data Unblockers

Almost 4.57 billion people were active internet users as of July 2020, encompassing 59 percent of the global population.  94% of enterprises use cloud. 77% of organizations worldwide have at least one application running on the cloud. This results in an exponential growth of cyber attacks. Therefore, CyberSecurity is one  the biggest challenge to individuals and organizations worldwide:  158,727 cyber attacks per hour, 2,645 per minute and 44 every second of every day.  

In this blog, we cover the Top 25 AWS Certified Security Specialty Questions and Answers Dumps and all latest and relevant information about CyberSecurity including:

I- The AWS Certified Security – Specialty (SCS-C01) examination is intended for  individuals who perform a security role. This exam validates an examinee’s ability to effectively demonstrate knowledge about securing the AWS platform.

It validates an examinee’s ability to demonstrate:

An understanding of specialized data classifications and AWS data protection mechanisms.

An understanding of data-encryption methods and AWS mechanisms to implement them.

An understanding of secure Internet protocols and AWS mechanisms to implement them.

A working knowledge of AWS security services and features of services to provide a secure production environment.

Competency gained from two or more years of production deployment experience using AWS security services and features.

The ability to make tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements.

AWS Certified Security Specialty
AWS Certified Security Specialty

An understanding of security operations and risks.

Below are the Top 25 AWS Certified Security Specialty Questions and Answers Dumps including Notes, Hint and References:

Question 1:  When requested through an STS API call, credentials are returned with what three components?

A)  Security Token, Access Key ID, Signed URL
B) Security Token, Access Key ID, Secret Access Key
C) Signed URL, Security Token, Username
D) Security Token, Secret Access Key, Personal Pin Code
 

ANSWER1:

B

Notes/Hint1:

Security Token, Access Key ID, Secret Access Key

Reference1: Security Token, Access Key ID, Secret Access Key

Get mobile friendly version of the quiz @ the App Store

Back to Top

Question 2: A company has AWS workloads in multiple geographical locations. A Developer has created an Amazon Aurora database in the us-west-1 Region. The database is encrypted using a customer-managed AWS KMS key. Now the Developer wants to create the same encrypted database in the us-east-1 Region. Which approach should the Developer take to accomplish this task?

A) Create a snapshot of the database in the us-west-1 Region. Copy the snapshot to the us-east-1 Region and specify a KMS key in the us-east-1 Region. Restore the database from the copied snapshot.
B) Create an unencrypted snapshot of the database in the us-west-1 Region. Copy the snapshot to the useast-1 Region. Restore the database from the copied snapshot and enable encryption using the KMS key from the us-east-1 Region
C) Disable encryption on the database. Create a snapshot of the database in the us-west-1 Region. Copy the snapshot to the us-east-1 Region. Restore the database from the copied snapshot.
D) In the us-east-1 Region, choose to restore the latest automated backup of the database from the us-west1 Region. Enable encryption using a KMS key in the us-east-1 Region
 

ANSWER2:

A

Notes/Hint2:

If a user copies an encrypted snapshot, the copy of the snapshot must also be encrypted. If a user copies an encrypted snapshot across Regions, users cannot use the same AWS KMS encryption key for the copy as used for the source snapshot, because KMS keys are Region specific. Instead, users must specify a KMS key that is valid in the destination Region

Reference2: copies an encrypted snapshot, KMS Keys are Region-specific

Get mobile friendly version of the quiz @ the App Store

Question 3: A corporate cloud security policy states that communication between the company’s VPC and KMS must travel entirely within the AWS network and not use public service endpoints. Which combination of the following actions MOST satisfies this requirement? (Select TWO.) 

A) Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company’s VPC endpoint ID.
 
B) Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
 
C) Create a VPC endpoint for AWS KMS with private DNS enabled.
 
D) Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN. E) Add the following condition to the AWS KMS key policy: “aws:SourceIp”: “10.0.0.0/16“.
 

ANSWER3:

A and C

Notes/Hint3: 

An IAM policy can deny access to AWS KMS except through your VPC endpoint with the following condition statement: 
“Condition”:  {
     “StringNotEquals”: { 
             “aws:sourceVpce”: “vpce-0295a3caf8414c94a” 
                 } 
}
 If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname resolves to your VPC endpoint.

Reference3: AWS KMS

Get mobile friendly version of the quiz @ the App Store

Question 4: An application team is designing a solution with two applications. The security team wants the applications’ logs to be captured in two different places, because one of the applications produces logs with sensitive data. Which solution meets the requirement with the LEAST risk and effort? 

A) Use Amazon CloudWatch Logs to capture all logs, write an AWS Lambda function that parses the log file, and move sensitive data to a different log.
 
B) Use Amazon CloudWatch Logs with two log groups, with one for each application, and use an AWS IAM policy to control access to the log groups, as required.
 
C) Aggregate logs into one file, then use Amazon CloudWatch Logs, and then design two CloudWatch metric filters to filter sensitive data from the logs.
 
 D) Add logic to the application that saves sensitive data logs on the Amazon EC2 instances’ local storage, and write a batch script that logs into the Amazon EC2 instances and moves sensitive logs to a secure location.
 

ANSWER4:

B

Notes/Hint4: 

Each application's log can be configured to send the log to a specific Amazon CloudWatch Logs log group.

Reference4: Amazon CloudWatch Logs log group.

Get mobile friendly version of the quiz @ the App Store

Question 5: A security engineer must set up security group rules for a three-tier application: 

  • Presentation tier – Accessed by users over the web, protected by the security group presentation-sg
  • Logic tier – RESTful API accessed from the presentation tier through HTTPS, protected by the security group logic-sg
  • Data tier – SQL Server database accessed over port 1433 from the logic tier, protected by the security group data-sg
Which combination of the following security group rules will allow the application to be secure and functional? (Select THREE.)
 
A) presentation-sg: Allow ports 80 and 443 from 0.0.0.0/0
B) data-sg: Allow port 1433 from presentation-sg
C) data-sg: Allow port 1433 from logic-sg
D) presentation-sg: Allow port 1433 from data-sg
 E) logic-sg: Allow port 443 from presentation-sg
F) logic-sg: Allow port 443 from 0.0.0.0/0
 

ANSWER5:

A C and E

Notes/Hint5: 

In an n-tier architecture, each tier’s security group allows traffic from the security group sending it traffic only. The presentation tier opens traffic for HTTP and HTTPS from the internet. Since security groups are stateful, only inbound rules are required.

Reference5: n-tier architecture

Get mobile friendly version of the quiz @ the App Store

Question 6: A security engineer is working with a product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider. Which combination of the following actions should the engineer take to enable users to be authenticated into the web application and call APIs? (Select THREE). 

A) Create a custom authorization service using AWS Lambda.
 
B) Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
 
C) Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
 
D) Configure an Amazon Cognito identity pool to integrate with social login providers.
 
E) Update DynamoDB to store the user email addresses and passwords.
 
F) Update API Gateway to use an Amazon Cognito user pool authorizer.

ANSWER6:

B, C and F

Notes/Hint6: 

When Amazon Cognito receives a SAML assertion, it needs to be able to map SAML attributes to user pool attributes. When configuring Amazon Cognito to receive SAML assertions from an identity provider, you need ensure that the identity provider is configured to have Amazon Cognito as a relying party. Amazon API Gateway will need to be able to understand the authorization being passed from Amazon Cognito, which is a configuration step.

Reference6: user pool attributes Amazon API Gateway 

Get mobile friendly version of the quiz @ the App Store

Question 7: A company is hosting a web application on AWS and is using an Amazon S3 bucket to store images. Users should have the ability to read objects in the bucket. A security engineer has written the following bucket policy to grant public read access:

Attempts to read an object, however, receive the error: “Action does not apply to any resource(s) in statement.” What should the engineer do to fix the error? 
 
A) Change the IAM permissions by applying PutBucketPolicy permissions.
 
B) Verify that the policy has the same name as the bucket name. If not, make it the same.
 
C) Change the resource section to “arn:aws:s3:::appbucket/*”.
 
D) Add an s3:ListBucket action.
 

ANSWER7:

C

Notes/Hint7: 

The resource section should match with the type of operation. Change the ARN to include /* at the end, as it is an object operation.

Reference7: IAM Policy – Access to S3 bucket

Get mobile friendly version of the quiz @ the App Store

Question 8: A company decides to place database hosts in its own VPC, and to set up VPC peering to different VPCs containing the application and web tiers. The application servers are unable to connect to the database. Which network troubleshooting steps should be taken to resolve the issue? (Select TWO.)

 A) Check to see if the application servers are in a private subnet or public subnet.
B) Check the route tables for the application server subnets for routes to the VPC peering connection.
C) Check the NACLs for the database subnets for rules that allow traffic from the internet.
D) Check the database security groups for rules that allow traffic from the application servers.
E) Check to see if the database VPC has an internet gateway.
 

ANSWER8:

B and D

Notes/Hint8: 

You must configure the route tables in each VPC to route to each other through the peering connection. You also must add rules to the security group for the databases to accept requests from the application server security group in the other VPC. 

Reference8: route tables ,  rules to the security groupsecurity group in the other VPC

Get mobile friendly version of the quiz @ the App Store

Question 9: A company is building a data lake on Amazon S3. The data consists of millions of small files containing sensitive information. The security team has the following requirements for the architecture: 

  • Data must be encrypted in transit. 
  • Data must be encrypted at rest. 
  • The bucket must be private, but if the bucket is accidentally made public, the data must remain confidential. 
Which combination of steps would meet the requirements? (Select TWO.) 
 
A) Enable AES-256 encryption using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) on the S3 bucket.
 
B) Enable default encryption with server-side encryption with AWS KMS-managed keys (SSE-KMS) on the S3 bucket.
 
C) Add a bucket policy that includes a deny if a PutObject request does not include aws:SecureTransport.
 
D) Add a bucket policy with aws:SourceIp to allow uploads and downloads from the corporate intranet only.
 
E) Enable Amazon Macie to monitor and act on changes to the data lake’s S3 bucket.

ANSWER9:

B and C

Notes/Hint9: 

Bucket encryption using KMS will protect both in case disks are stolen as well as if the bucket is public. This is because the AWS KMS key would need to have privileges granted to it for users outside of AWS. HTTPS will protect data in transit.

Reference9: Bucket encryption using KMS, privileges granted data in transit

Get mobile friendly version of the quiz @ the App Store

Question 10: A security engineer must ensure that all API calls are collected across all company accounts, and that they are preserved online and are instantly available for analysis for 90 days. For compliance reasons, this data must be restorable for 7 years. Which steps must be taken to meet the retention needs in a scalable, cost-effective way? 

A) Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket with versioning enabled. Set a lifecycle policy to move the data to Amazon Glacier daily, and expire the data after 90 days.
 
B) Enable AWS CloudTrail logging across all accounts to S3 buckets. Set a lifecycle policy to expire the data in each bucket after 7 years.
 
C) Enable AWS CloudTrail logging across all accounts to Amazon Glacier. Set a lifecycle policy to expire the data after 7 years.
 
D) Enable AWS CloudTrail logging across all accounts to a centralized Amazon S3 bucket. Set a lifecycle policy to move the data to Amazon Glacier after 90 days, and expire the data after 7 years.
 

ANSWER10:

D

Notes/Hint10: 

Meets all requirements and is cost effective by using lifecycle policies to transition to Amazon Glacier.

Reference10: lifecycle policies

Get mobile friendly version of the quiz @ the App Store

Question 11: A security engineer has been informed that a user’s access key has been found on GitHub. The engineer must ensure that this access key cannot continue to be used, and must assess whether the access key was used to perform any unauthorized activities. Which steps must be taken to perform these tasks? 

A) Review the user’s IAM permissions and delete any unrecognized or unauthorized resources.
B) Delete the user, review Amazon CloudWatch Logs in all regions, and report the abuse.
C) Delete or rotate the user’s key, review the AWS CloudTrail logs in all regions, and delete any unrecognized or unauthorized resources.
D) Instruct the user to remove the key from the GitHub submission, rotate keys, and re-deploy any instances that were launched.
 

ANSWER11:

C

Notes/Hint11: 

 Removes keys and audits the environment for malicious activities.

Reference11: malicious activities

Get mobile friendly version of the quiz @ the App Store

Question 12: You have a CloudFront distribution configured with the following path patterns: When users request objects that start with ‘static2/’, they are receiving 404 response codes. What might be the problem?

A) CloudFront distributions cannot have multiple different origin types

B) The ‘*’ path pattern must appear after the ‘static2/*’ path

C) CloudFront distributions cannot have origins in different AWS regions
 
D) The ‘*’ path pattern must appear before ‘static1/*’ path
        

ANSWER12:

C

Notes/Hint12: 

CloudFront distributions cannot have origins in different AWS regions

Reference12: CloudFront

Get mobile friendly version of the quiz @ the App Store

Question 13: An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?

A) Access the data through an Internet Gateway.”,
B) Access the data through a VPN connection.”,
C) Access the data through a NAT Gateway.”,
D) Access the data through a VPC endpoint for Amazon S3″,
 

ANSWER13:

D

Notes/Hint13: 

VPC endpoints for Amazon S3 provide secure connections to S3 buckets that do not require a gateway or NAT instances. NAT Gateways and Internet Gateways still route traffic over the Internet to the public endpoint for Amazon S3. There is no way to connect to Amazon S3 via VPN.

Reference13: S3 VPC Endpoints

Get mobile friendly version of the quiz @ the App Store

Question 14: An organization is building an Amazon Redshift cluster in their shared services VPC. The cluster will host sensitive data. How can the organization control which networks can access the cluster?

A) Run the cluster in a different VPC and connect through VPC peering
B) Create a database user inside the Amazon Redshift cluster only for users on the network
 C) Define a cluster security group for the cluster that allows access from the allowed networks
  D) Only allow access to networks that connect with the shared services network via VPN
 

ANSWER14:

C

Notes/Hint14: 

A security group can grant access to traffic from the allowed networks via the CIDR range for each network. VPC peering and VPN are connectivity services and cannot control traffic for security. Amazon Redshift user accounts address authentication and authorization at the user level and have no control over network traffic

Reference14: AWS Security best practice

Get mobile friendly version of the quiz @ the App Store

Question 15: From a security perspective, what is a principal?

A) An identity
B) An anonymous user
C) An authenticated user
D) A resource
 

ANSWER15:

B and C

Notes/Hint15: 

An anonymous user falls under the definition of a principal. A principal can be an anonymous user acting on a system.  An authenticated user falls under the definition of a principal. A principal can be an authenticated user acting on a system

Reference15: IAM

Get mobile friendly version of the quiz @ the App Store

Question 16: A company is storing an access key (access key ID and secret access key) in a text file on a custom AMI. The company uses the access key to access DynamoDB tables from instances created from the AMI. The security team has mandated a more secure solution. Which solution will meet the security team’s mandate?

A) Put the access key in an S3 bucket, and retrieve the access key on boot from the instance.
B) Pass the access key to the instances through instance user data.
C) Obtain the access key from a key server launched in a private subnet
D) Create an IAM role with permissions to access the table, and launch all instances with the new role
 

ANSWER16:

D

Notes/Hint16: 

IAM roles for EC2 instances allow applications running on the instance to access AWS resources without having to create and store any access keys. Any solution involving the creation of an access key then introduces the complexity of managing that secret

Reference16: IAM Roles for EC2

Get mobile friendly version of the quiz @ the App Store

Question 17: While signing in REST/ Query requests, for additional security, you should transmit your requests using Secure Sockets Layer (SSL) by using ____.”,

A) HTTP
B) Internet Protocol Security(IPsec)
C) TLS (Transport Layer Security)
D) HTTPS
 

ANSWER17:

D

Notes/Hint17: 

REST/ Query requests should use HTTPS

Reference17: Rest API

Get mobile friendly version of the quiz @ the App Store

Question 18: You are using AWS Envelope Encryption for encrypting all sensitive data. Which of the followings is True with regards to Envelope Encryption?

A) Data is encrypted be encrypting Data key which is further encrypted using encrypted Master Key.
B) Data is encrypted by plaintext Data key which is further encrypted using encrypted Master Key.
C) Data is encrypted by encrypted Data key which is further encrypted using plaintext Master Key.
D) Data is encrypted by plaintext Data key which is further encrypted using plaintext Master Key.”,
 

ANSWER18:

D

Notes/Hint18:

With Envelope Encryption, unencrypted data is encrypted using plaintext Data key. This Data is further encrypted using plaintext Master key. This plaintext Master key is securely stored in AWS KMS & known as Customer Master Keys.

Reference18: KMS

Get mobile friendly version of the quiz @ the App Store

Question 19: Your company has developed a web application and is hosting it in an Amazon S3 bucket configured for static website hosting. The users can log in to this app using their Google/Facebook login accounts. The application is using the AWS SDK for JavaScript in the browser to access data stored in an Amazon DynamoDB table. How can you ensure that API keys for access to your data in DynamoDB are kept secure?

A) Create an Amazon S3 role in IAM with access to the specific DynamoDB tables, and assign it to the bucket hosting your website
B) Configure S3 bucket tags with your AWS access keys for your bucket hosting your website so that the application can query them for access.
C) Configure a web identity federation role within IAM to enable access to the correct DynamoDB resources and retrieve temporary credentials
D) Store AWS keys in global variables within your application and configure the application to use these credentials when making requests.
 

ANSWER2:

C

Notes/Hint19: 

With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don't have to embed and distribute long-term security credentials with your application. Option A is invalid since Roles cannot be assigned to S3 buckets Options B and D are invalid since the AWS Access keys should not be used

Reference19: About Web Identity Federation

Get mobile friendly version of the quiz @ the App Store

Question 20: Your application currently makes use of AWS Cognito for managing user identities. You want to analyze the information that is stored in AWS Cognito for your application. Which of the following features of AWS Cognito should you use for this purpose?

A) Cognito Data
B) Cognito Events
C) Cognito Streams
D) Cognito Callbacks
 

ANSWER20:

C

Notes/Hint20: 

Amazon Cognito Streams gives developers control and insight into their data stored in Amazon Cognito. Developers can now configure a Kinesis stream to receive events as data is updated and synchronized. Amazon Cognito can push each dataset change to a Kinesis stream you own in real time. All other options are invalid since you should use Cognito Streams

Reference20: Cognito Streams

Question 21: Which of the following statements is correct in relation to kMS / (Choose 2)
A) KMS Encryption keys are regional
B) You cannot export your customer master key
C) You can export your customer master key.
D) KMS encryption Keys are global”,
 

ANSWER21:

A and B

Notes/Hint21:

AWS Key Management Service FAQs: You cannot export your customer master key, KMS Encryption keys are regional

Reference21: AWS Key Management Service FAQs

Question 22: Which of the following statements are correct? (Choose 2)

A) The Customer Master Key is used to encrypt and decrypt the Envelope Key or Data Key
B) The Envelope Key or Data Key is used to encrypt and decrypt plain text files.
C) The envelope Key or Data Key is used to encrypt and decrypt the Customer Master Key.
D) The Customer MasterKey is used to encrypt and decrypt plain text files.
 

ANSWER22:

A and B

Notes/Hint22:

AWS Key Management Service Concepts: The Customer Master Key is used to encrypt and decrypt the Envelope Key or Data Key, The Envelope Key or Data Key is used to encrypt and decrypt plain text files.

Reference22: KMS

Question 23: Which of the following is an encrypted key used by KMS to encrypt your data
A) Customer Managed Key
 B) Encryption Key
C) Envelope Key
D) Customer Master Key
 

ANSWER23:

C

Notes/Hint23:

Your Data key also known as the Enveloppe key is encrypted using the master key. This approach is known as Envelope encryption. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key

Reference23: Envelope encryption

Question 24: Which command can you use to encrypt a plain text file using CMK?

A) aws kms-encrypt
B) aws iam encrypt
C) aws kms encrypt
D) aws encrypt
 

ANSWER24:

C

Notes/Hint24:

aws kms encrypt –key-id 1234abcd-12ab-34cd-56ef-1234567890ab —plaintext fileb://ExamplePlaintextFile –output text –query CiphertextBlob > C:\\Temp\\ExampleEncryptedFile.base64

Reference24: AWS CLI Encrypt

Question 25: If an EC2 instance uses an instance role, key rotation is automatic and handled by __.

A) A script containing a valid IAM username and password stored on the EC2 instance.
B) ssh-keygen on the EC2 instance
C) The EC2 service
D) IAM/STS
 

ANSWER25:

D

Notes/Hint25:

Instance role key rotation is handled by IAM/STS.

Reference25: IAM/STS

Get mobile friendly version of the quiz @ the App Store

Back to Top

II- SOURCES:

0- Djamga Cloud Security Playlist on Youtube:

1- Developer Certified Exam Prep Pro App

2- Prepare for Your AWS Certification Exam

Back to Top

CYBERSECURITY KEY TERMS

1- Security Key Terms:

    • Cryptography:  Practice and study of techniques for secure communication in the presence of third parties called adversaries.
    • Hacking: catch-all term for any type of misuse of a computer to break the security of another computing system to steal data, corrupt systems or files, commandeer the environment or disrupt data-related activities in any way.
    • Cyberwarfare: Uuse of technology to attack a nation, causing comparable harm to actual warfare. There is significant debate among experts regarding the definition of cyberwarfare, and even if such a thing exists
    • Penetration testing: Colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. Not to be confused with a vulnerability assessment.
      • Malwares: Any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware. 
    • Malware Analysis Tool: Any .Run Malware hunting with live access to the heart of an incident https://any.run/Malware Analysis Total:  VirusTotal – Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community https://www.virustotal.com/gui/
    • VPN: A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, although not an inherent, part of a VPN connection.
    • Antivirus: Antivirus software, or anti-virus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware.
    • DDos: A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers,” it generally means it has become a victim of a DDoS attack.
    • Fraud Detection: Set of activities undertaken to prevent money or property from being obtained through false pretenses. Fraud detection is applied to many industries such as banking or insurance. In banking, fraud may include forging checks or using stolen credit cards.
    • Spywares: Spyware describes software with malicious behavior that aims to gather information about a person or organization and send such information to another entity in a way that harms the user; for example by violating their privacy or endangering their device’s security.
    • Spoofing: Disguising a communication from an unknown source as being from a known, trusted source
    • Pharming: Malicious websites that look legitimate and are used to gather usernames and passwords.
    • Catfishing: Creating a fake profile for fraudulent or deceptive purposes
    • SSL: Stands for secure sockets layer. Protocol for web browsers and servers that allows for the authentication, encryption and decryption of data sent over the Internet.
    • Phishing emails: Disguised as trustworthy entity to lure someone into providing sensitive information
    • Intrusion detection System: Device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system.
    • Encryption: Encryption is the method by which information is converted into secret code that hides the information’s true meaning. The science of encrypting and decrypting information is called cryptography. In computing, unencrypted data is also known as plaintext, and encrypted data is called ciphertext.
    • MFA: Multi-factor authentication (MFA) is defined as a security mechanism that requires an individual to provide two or more credentials in order to authenticate their identity. In IT, these credentials take the form of passwords, hardware tokens, numerical codes, biometrics, time, and location.
    • Vulnerabilities:vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application.
    • SQL injections: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
    • Cyber attacks: In computers and computer networks an attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset.
    • Confidentiality: Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits access or places restrictions on certain types of information.
    • Secure channel: In cryptography, a secure channel is a way of transferring data that is resistant to overhearing and tampering. A confidential channel is a way of transferring data that is resistant to overhearing, but not necessarily resistant to tampering.
    • Tunneling: Communications protocol that allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.
    • SSH: Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.
    • SSL Certificates: SSL certificates are what enable websites to move from HTTP to HTTPS, which is more secure. An SSL certificate is a data file hosted in a website’s origin server. SSL certificates make SSL/TLS encryption possible, and they contain the website’s public key and the website’s identity, along with related information.
    • Phishing: Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
    • Cybercrime: Cybercrime, or computer-oriented crime, is a crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Cybercrime may threaten a person, company or a nation’s security and financial health.
    • Backdoor: A backdoor is a means to access a computer system or encrypted data that bypasses the system’s customary security mechanisms. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes.
    • Salt and Hash: A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate rainbow table attacks by forcing attackers to re-compute them using the salts.
    • Password: A password, sometimes called a passcode,[1] is a memorized secret, typically a string of characters, usually used to confirm the identity of a user.[2] Using the terminology of the NIST Digital Identity Guidelines,[3] the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol,[4] the verifier is able to infer the claimant’s identity.
    • Fingerprint: fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfaces such as glass or metal.
    • Facial recognition: Facial recognition works better for a person as compared to fingerprint detection. It releases the person from the hassle of moving their thumb or index finger to a particular place on their mobile phone. A user would just have to bring their phone in level with their eye.
    • Asymmetric key ciphers versus symmetric key ciphers (Difference between symmetric and  Asymmetric encryption): The basic difference between these two types of encryption is that symmetric encryption uses one key for both encryption and decryption, and the asymmetric encryption uses public key for encryption and a private key for decryption.
    • Decryption: The conversion of encrypted data into its original form is called Decryption. It is generally a reverse process of encryption. It decodes the encrypted information so that an authorized user can only decrypt the data because decryption requires a secret key or password.
    • Algorithms: Finite sequence of well-defined, computer-implementable instructions, typically to solve a class of problems or to perform a computation.
    • DFIR: Digital forensic and incident response: Multidisciplinary profession that focuses on identifying, investigating, and remediating computer network exploitation. This can take varied forms and involves a wide variety of skills, kinds of attackers, an kinds of targets. We’ll discuss those more below.
      • OTP: One Time Password: A one-time password, also known as one-time PIN or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device
    • Proxy Server and Reverse Proxy Server:A proxy server is a go‑between or intermediary server that forwards requests for content from multiple clients to different servers across the Internet. A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server.

LATEST CYBER SECURITY NEWS

 

Cybersecurity Certification

cybersecurity certification roadmap
cybersecurity certification roadmap

WireShark Cheat Sheet

Wireshark Cheat Sheet
Wireshark Cheat Sheet

HACKING TOOLS CHEAT SHEET

hacking Cheat Sheet
hacking Cheat Sheet

Top CyberSecurity All Time Posts

Show All Around Defender Primers

Show Offensive * Exploit Database

Offensive * Exploit Database – The Exploit Database is maintained by Offensive Security, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. https://www.exploit-db.com/

CYBERSECURITY NEWS

  • Krebs On Security In depth security news and investigation https://krebsonsecurity.com/
  • Dark Reading Cyber security’s comprehensive news site is now an online community for security professionals. https://www.darkreading.com/
  • The Hacker News – The Hacker News (THN) is a leading, trusted, widely-acknowledged dedicated cybersecurity news platform, attracting over 8 million monthly readers including IT professionals, researchers, hackers, technologists, and enthusiasts. https://thehackernews.com
  • SecuriTeam – A free and independent source of vulnerability information. https://securiteam.com/
  • SANS NewsBites – “A semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.” Published for free on Tuesdays and Fridays. https://www.sans.org/newsletters/newsbites

CYBERSECURITY YOUTUBE CHANNELS

YouTube Channels

This list was originally forked/curated from here: https://wportal.xyz/collection/cybersec-yt1 on (7/29/2020) Attribution and appreciation to d4rckh

CYBERSECURITY PODCASTS:

Podcasts

  • Risky Business Published weekly, the Risky Business podcast features news and in-depth commentary from security industry luminaries. Hosted by award-winning journalist Patrick Gray, Risky Business has become a must-listen digest for information security professionals. https://risky.biz/
  • Pauls Security Weekly This show features interviews with folks in the security community; technical segments, which are just that, very technical; and security news, which is an open discussion forum for the hosts to express their opinions about the latest security headlines, breaches, new exploits and vulnerabilities, “not” politics, “cyber” policies and more. https://securityweekly.com/category-shows/paul-security-weekly/
  • Security Now – Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte. https://twit.tv/shows/security-now
  • Daily Information Security Podcast (“StormCast”) Stormcasts are daily 5-10 minute information security threat updates. The podcast is produced each work day, and typically released late in the day to be ready for your morning commute. https://isc.sans.edu/podcast.html
  • ShadowTalk Threat Intelligence Podcast by Digital Shadow_. The weekly podcast highlights key findings of primary-source research our Intelligence Team is conducting, along with guest speakers discussing the latest threat actors, campaigns, security events and industry news. https://resources.digitalshadows.com/threat-intelligence-podcast-shadowtalk
  • Don’t Panic – The Unit 42 Podcast Don’t Panic! is the official podcast from Unit 42 at Palo Alto Networks. We find the big issues that are frustrating cyber security practitioners and help simplify them so they don’t need to panic. https://unit42.libsyn.com/
  • Recorded Future Recorded Future takes you inside the world of cyber threat intelligence. We’re sharing stories from the trenches and the operations floor as well as giving you the skinny on established and emerging adversaries. We also talk current events, technical tradecraft, and offer up insights on the big picture issues in our industry. https://www.recordedfuture.com/resources/podcast/
  • The Cybrary Podcast Listen in to the Cybrary Podcast where we discuss a range topics from DevSecOps and Ransomware attacks to diversity and how to retain of talent. Entrepreneurs at all stages of their startup companies join us to share their stories and experience, including how to get funding, hiring the best talent, driving sales, and choosing where to base your business. https://www.cybrary.it/info/cybrary-podcast/
  • Cyber Life The Cyber Life podcast is for cyber security (InfoSec) professionals, people trying to break into the industry, or business owners looking to learn how to secure their data. We will talk about many things, like how to get jobs, cover breakdowns of hot topics, and have special guest interviews with the men and women “in the trenches” of the industry. https://redcircle.com/shows/cyber-life
  • Career Notes Cybersecurity professionals share their personal career journeys and offer tips and advice in this brief, weekly podcast from The CyberWire. https://www.thecyberwire.com/podcasts/career-notes

Below podcasts Added from here: https://infosec-conferences.com/cybersecurity-podcasts/

  • Down the Security Rabbithole http://podcast.wh1t3rabbit.net/ Down the Security Rabbithole is hosted by Rafal Los and James Jardine who discuss, by means of interviewing or news analysis, everything about Cybersecurity which includes Cybercrime, Cyber Law, Cyber Risk, Enterprise Risk & Security and many more. If you want to hear issues that are relevant to your organization, subscribe and tune-in to this podcast.
  • The Privacy, Security, & OSINT Show https://podcasts.apple.com/us/podcast/the-privacy-security-osint-show/id1165843330 The Privacy, Security, & OSINT Show, hosted by Michael Bazzell, is your weekly dose of digital security, privacy, and Open Source Intelligence (OSINT) opinion and news. This podcast will help listeners learn some ideas on how to stay secure from cyber-attacks and help them become “digitally invisible”.
  • Defensive Security Podcast https://defensivesecurity.org/ Hosted by Andrew Kalat (@lerg) and Jerry Bell (@maliciouslink), the Defensive Security Podcasts aims to look/discuss the latest security news happening around the world and pick out the lessons that can be applied to keeping organizations secured. As of today, they have more than 200 episodes and some of the topics discussed include Forensics, Penetration Testing, Incident Response, Malware Analysis, Vulnerabilities and many more.
  • Darknet Diaries https://darknetdiaries.com/episode/ Darknet Diaries Podcast is hosted and produced by Jack Rhysider that discuss topics related to information security. It also features some true stories from hackers who attacked or have been attacked. If you’re a fan of the show, you might consider buying some of their souvenirs here (https://shop.darknetdiaries.com/).
  • Brakeing Down Security https://www.brakeingsecurity.com/ Brakeing Down Security started in 2014 and is hosted by Bryan Brake, Brian Boettcher, and Amanda Berlin. This podcast discusses everything about the Cybersecurity world, Compliance, Privacy, and Regulatory issues that arise in today’s organizations. The hosts will teach concepts that Information Security Professionals need to know and discuss topics that will refresh the memories of seasoned veterans.
  • Open Source Security Podcast https://www.opensourcesecuritypodcast.com/ Open Source Security Podcast is a podcast that discusses security with an open-source slant. The show started in 2016 and is hosted by Josh Bressers and Kurt Siefried. As of this writing, they now posted around 190+ podcasts
  • Cyber Motherboard https://podcasts.apple.com/us/podcast/cyber/id1441708044 Ben Makuch is the host of the podcast CYBER and weekly talks to Motherboard reporters Lorenzo Franceschi-Bicchierai and Joseph Cox. They tackle topics about famous hackers and researchers about the biggest news in cybersecurity. The Cyber- stuff gets complicated really fast, but Motherboard spends its time fixed in the infosec world so we don’t have to.
  • Hak5 https://shop.hak5.org/pages/videos Hak5 is a brand that is created by a group of security professionals, hardcore gamers and “IT ninjas”. Their podcast, which is mostly uploaded on YouTube discusses everything from open-source software to penetration testing and network infrastructure. Their channel currently has 590,000 subscribers and is one of the most viewed shows when you want to learn something about security networks.
  • Threatpost Podcast Series https://threatpost.com/category/podcasts/ Threatpost is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide. With an award-winning editorial team produces unique and high-impact content including security news, videos, feature reports and more, with their global editorial activities are driven by industry-leading journalist Tom Spring, editor-in-chief.
  • CISO-Security Vendor Relationship Podcast https://cisoseries.com Co-hosted by the creator of the CISO/Security Vendor Relationship Series, David Spark, and Mike Johnson, in 30 minutes, this weekly program challenges the co-hosts, guests, and listeners to critique, share true stories. This podcast, The CISO/Security Vendor Relationship, targets to enlighten and educate listeners on improving security buyer and seller relationships.
  • Getting Into Infosec Podcast Stories of how Infosec and Cybersecurity pros got jobs in the field so you can be inspired, motivated, and educated on your journey. – https://gettingintoinfosec.com/
  • Unsupervised Learning Weekly podcasts and biweekly newsletters as a curated summary intersection of security, technology, and humans, or a standalone idea to provoke thought, by Daniel Miessler. https://danielmiessler.com/podcast/

SECURITY BOOKS:

CYBERSECURITY TRAINING:

Training

  • WebSecurity Academy Free online web security training from the creators of Burp Suite https://portswigger.net/web-security
  • Mosse Cyber Security Institute Introduction to cybersecurity free certification with 100+ hours of training, no expiry/renewals, https://www.mosse-institute.com/certifications/mics-introduction-to-cyber-security.html
  • BugCrowd University Free bug hunting resources and methodologies in form of webinars, education and training. https://www.bugcrowd.com/hackers/bugcrowd-university/
  • Certified Network Security Specialist Certification and training; Expires Aug 31 2020 Use coupon code #StaySafeHome during checkout to claim your free access. Offer is valid till 31/08/2020. £500.00 Value https://www.icsi.co.uk/courses/icsi-cnss-certified-network-security-specialist-covid-19
  • Metasploit Unleashed Most complete and in-depth Metasploit guide available, with contributions from the authors of the No Starch Press Metasploit Book. https://www.offensive-security.com/metasploit-unleashed/
  • AWS Cloud Certified Get skills in AWS to be more marketable. Training is quality and free. https://www.youtube.com/watch?v=3hLmDS179YE Have to create an AWS account, Exam is $100.
  • SANS Faculty Free Tools List of OSS developed by SANS staff. https://www.sans.org/media/free/free-faculty-tools.pdf?msc=sans-free-lp
  • “Using ATT&CK for Cyber Threat Intelligence Training” – 4 hour training The goal of this training is for students to understand the following: at: https://attack.mitre.org/resources/training/cti/
  • Coursera -“Coursera Together: Free online learning during COVID-19” Lots of different types of free training. https://blog.coursera.org/coursera-together-free-online-learning-during-covid-19/
  • Fortinet Security Appliance Training Free access to the FortiGate Essentials Training Course and Network Security Expert courses 1 and 2 https://www.fortinet.com/training/cybersecurity-professionals.html
  • Chief Information Security Officer (CISO) Workshop Training – The Chief Information Security Office (CISO) workshop contains a collection of security learnings, principles, and recommendations for modernizing security in your organization. This training workshop is a combination of experiences from Microsoft security teams and learnings from customers. – https://docs.microsoft.com/en-us/security/ciso-workshop/ciso-workshop
  • CLARK Center Plan C – Free cybersecurity curriculum that is primarily video-based or provide online assignments that can be easily integrated into a virtual learning environments https://clark.center/home
  • Hack.me is a FREE, community based project powered by eLearnSecurity. The community can build, host and share vulnerable web application code for educational and research purposes. It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online. The platform is available without any restriction to any party interested in Web Application Security. https://hack.me/
  • Hacker101 – Free classes for web security – https://www.hacker101.com/
  • ElasticStack – Free on-demand Elastic Stack, observability, and security courses. https://training.elastic.co/learn-from-home
  • Hoppers Roppers – Community built around a series of free courses that provide training to beginners in the security field. https://www.hoppersroppers.org/training.html
  • IBM Security Learning Academy Free technical training for IBM Security products. https://www.securitylearningacademy.com/
  • M.E. Kabay Free industry courses and course materials for students, teachers and others are welcome to use for free courses and lectures. http://www.mekabay.com/courses/index.htm
  • Open P-TECH Free digital learning on the tech skills of tomorrow. https://www.ptech.org/open-p-tech/
  • Udemy – Online learning course platform “collection from the free courses in our learning marketplace” https://www.udemy.com/courses/free/
  • Enroll Now Free: PCAP Programming Essentials in Python https://www.netacad.com/courses/programming/pcap-programming-essentials-python Python is the very versatile, object-oriented programming language used by startups and tech giants, Google, Facebook, Dropbox and IBM. Python is also recommended for aspiring young developers who are interested in pursuing careers in Security, Networking and Internet-of-Things. Once you complete this course, you are ready to take the PCAP – Certified Associate in Python programming. No prior knowledge of programming is required.
  • Packt Web Development Course Web Development Get to grips with the fundamentals of the modern web Unlock one year of free online access. https://courses.packtpub.com/pages/free?fbclid=IwAR1FtKQcYK8ycCmBMXaBGvW_7SgPVDMKMaRVwXYcSbiwvMfp75gazxRZlzY
  • Stanford University Webinar – Hacked! Security Lessons from Big Name Breaches 50 minute cyber lecture from Stanford.You Will Learn: — The root cause of key breaches and how to prevent them; How to measure your organization’s external security posture; How the attacker lifecycle should influence the way you allocate resources https://www.youtube.com/watch?v=V9agUAz0DwI
  • Stanford University Webinar – Hash, Hack, Code: Emerging Trends in Cyber Security Join Professor Dan Boneh as he shares new approaches to these emerging trends and dives deeper into how you can protect networks and prevent harmful viruses and threats. 50 minute cyber lecture from Stanford. https://www.youtube.com/watch?v=544rhbcDtc8
  • Kill Chain: The Cyber War on America’s Elections (Documentary) (Referenced at GRIMMCON), In advance of the 2020 Presidential Election, Kill Chain: The Cyber War on America’s Elections takes a deep dive into the weaknesses of today’s election technology, an issue that is little understood by the public or even lawmakers. https://www.hbo.com/documentaries/kill-chain-the-cyber-war-on-americas-elections
  • Intro to Cybersecurity Course (15 hours) Learn how to protect your personal data and privacy online and in social media, and why more and more IT jobs require cybersecurity awareness and understanding. Receive a certificate of completion. https://www.netacad.com/portal/web/self-enroll/c/course-1003729
  • Cybersecurity Essentials (30 hours) Foundational knowledge and essential skills for all cybersecurity domains, including info security, systems sec, network sec, ethics and laws, and defense and mitigation techniques used in protecting businesses. https://www.netacad.com/portal/web/self-enroll/c/course-1003733
  • Pluralsight and Microsoft Partnership to help you become an expert in Azure. With skill assessments and over 200+ courses, 40+ Skill IQs and 8 Role IQs, you can focus your time on understanding your strengths and skill gaps and learn Azure as quickly as possible.https://www.pluralsight.com/partners/microsoft/azure
  • Blackhat Webcast Series Monthly webcast of varying cyber topics. I will post specific ones in the training section below sometimes, but this is worth bookmarking and checking back. They always have top tier speakers on relevant, current topics. https://www.blackhat.com/html/webcast/webcast-home.html
  • Federal Virtual Training Environment – US Govt sponsored free courses. There are 6 available, no login required. They are 101 Coding for the Public, 101 Critical Infrastructure Protection for the Public, Cryptocurrency for Law Enforcement for the Public, Cyber Supply Chain Risk Management for the Public, 101 Reverse Engineering for the Public, Fundamentals of Cyber Risk Management. https://fedvte.usalearning.gov/public_fedvte.php
  • Harrisburg University CyberSecurity Collection of 18 curated talks. Scroll down to CYBER SECURITY section. You will see there are 4 categories Resource Sharing, Tools & Techniques, Red Team (Offensive Security) and Blue Teaming (Defensive Security). Lot of content in here; something for everyone. https://professionaled.harrisburgu.edu/online-content/
  • OnRamp 101-Level ICS Security Workshop Starts this 4/28. 10 videos, Q&A / discussion, bonus audio, great links. Get up to speed fast on ICS security. It runs for 5 weeks. 2 videos per week. Then we keep it open for another 3 weeks for 8 in total. https://onramp-3.s4xevents.com
  • HackXOR WebApp CTF Hackxor is a realistic web application hacking game, designed to help players of all abilities develop their skills. All the missions are based on real vulnerabilities I’ve personally found while doing pentests, bug bounty hunting, and research. https://hackxor.net/
  • Suricata Training 5-part training module using a simulation as a backdrop to teach how to use Suricata. https://rangeforce.com/resource/suricata-challenge-reg/
  • flAWS System Through a series of levels you’ll learn about common mistakes and gotchas when using Amazon Web Services (AWS). Multiple levels, “Buckets” of fun. http://flaws.cloud/
  • Stanford CS 253 Web Security A free course from Stanford providing a comprehensive overview of web security. The course begins with an introduction to the fundamentals of web security and proceeds to discuss the most common methods for web attacks and their countermeasures. The course includes video lectures, slides, and links to online reading assignments. https://web.stanford.edu/class/cs253
  • Linux Journey A free, handy guide for learning Linux. Coverage begins with the fundamentals of command line navigation and basic text manipulation. It then extends to more advanced topics, such as file systems and networking. The site is well organized and includes many examples along with code snippets. Exercises and quizzes are provided as well. https://linuxjourney.com
  • Ryan’s Tutorials A collection of free, introductory tutorials on several technology topics including: Linux command line, Bash scripting, creating and styling webpages with HTML and CSS, counting and converting between different number systems, and writing regular expressions. https://ryanstutorials.net
  • The Ultimate List of SANS Cheat Sheets Massive collection of free cybersecurity cheat sheets for quick reference (login with free SANS account required for some penetration testing resources). https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/
  • CYBER INTELLIGENCE ANALYTICS AND OPERATIONS Learn:The ins and outs of all stages of the intelligence cycle from collection to analysis from seasoned intel professionals. How to employ threat intelligence to conduct comprehensive defense strategies to mitigate potential compromise. How to use TI to respond to and minimize impact of cyber incidents. How to generate comprehensive and actionable reports to communicate gaps in defenses and intelligence findings to decision makers. https://www.shadowscape.io/cyber-intelligence-analytics-operat
  • Linux Command Line for Beginners 25 hours of training – In this course, you’ll learn from one of Fullstack’s top instructors, Corey Greenwald, as he guides you through learning the basics of the command line through short, digestible video lectures. Then you’ll use Fullstack’s CyberLab platform to hone your new technical skills while working through a Capture the Flag game, a special kind of cybersecurity game designed to challenge participants to solve computer security problems by solving puzzles. Finally, through a list of carefully curated resources through a series of curated resources, we’ll introduce you to some important cybersecurity topics so that you can understand some of the common language, concepts and tools used in the industry. https://prep.fullstackacademy.com/
  • Hacking 101 6 hours of free training – First, you’ll take a tour of the world and watch videos of hackers in action across various platforms (including computers, smartphones, and the power grid). You may be shocked to learn what techniques the good guys are using to fight the bad guys (and which side is winning). Then you’ll learn what it’s like to work in this world, as we show you the different career paths open to you and the (significant) income you could make as a cybersecurity professional. https://cyber.fullstackacademy.com/prepare/hacking-101
  • Choose Your Own Cyber Adventure Series: Entry Level Cyber Jobs Explained YouTube Playlist (videos from my channel #simplyCyber) This playlist is a collection of various roles within the information security field, mostly entry level, so folks can understand what different opportunities are out there. https://www.youtube.com/playlist?list=PL4Q-ttyNIRAqog96mt8C8lKWzTjW6f38F
  • NETINSTRUCT.COM Free Cybersecurity, IT and Leadership Courses – Includes OS and networking basics. Critical to any Cyber job. https://netinstruct.com/courses
  • HackerSploit – HackerSploit is the leading provider of free and open-source Infosec and cybersecurity training. https://hackersploit.org/
  • Resources for getting started (Free and Paid)Practice
    • DetectionLab (Free)
    • LetsDefend.io (Free/Paid)
    • DetectionLabELK (Free)

    Log Analysis

    Network Monitoring

    Linux Distributions

    Memory Analysis Tools

    Professional Training

    • FOR578: Cyber Threat Intelligence (Paid)
    • SEC511: Continuous Monitoring & Security Operations (Paid)
    • SEC445: SIEM Design & Implementation (Paid)
    • AEGIS Certification (Paid)

    Conferences

CYBERSECURITY COURSES: (Multi-week w/Enrollment)

College Courses

  • Computer Science courses with video lectures Intent of this list is to act as Online bookmarks/lookup table for freely available online video courses. Focus would be to keep the list concise so that it is easy to browse. It would be easier to skim through 15 page list, find the course and start learning than having to read 60 pages of text. If you are student or from non-CS background, please try few courses to decide for yourself as to which course suits your learning curve best. https://github.com/Developer-Y/cs-video-courses?utm_campaign=meetedgar&utm_medium=social&utm_source=meetedgar.com
  • Cryptography I -offered by Stanford University – Rolling enrollment – Cryptography is an indispensable tool for protecting information in computer systems. In this course you will learn the inner workings of cryptographic systems and how to correctly use them in real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two parties generate a shared secret key. https://www.coursera.org/learn/crypto
  • Software Security Rolling enrollment -offered by University of Maryland, College Park via Coursera – This course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them — such as buffer overflows, SQL injection, and session hijacking — and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a “build security in” mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. https://www.coursera.org/learn/software-security
  • Intro to Information Security Georgia Institute of Technology via Udacity – Rolling Enrollment. This course provides a one-semester overview of information security. It is designed to help students with prior computer and programming knowledge — both undergraduate and graduate — understand this important priority in society today. Offered at Georgia Tech as CS 6035 https://www.udacity.com/course/intro-to-information-security–ud459
  • Cyber-Physical Systems Security Georgia Institute of Technology via Udacity – This course provides an introduction to security issues relating to various cyber-physical systems including industrial control systems and those considered critical infrastructure systems. 16 week course – Offered at Georgia Tech as CS 8803 https://www.udacity.com/course/cyber-physical-systems-security–ud279
  • Finding Your Cybersecurity Career Path – University of Washington via edX – 4 weeks long – self paced – In this course, you will focus on the pathways to cybersecurity career success. You will determine your own incoming skills, talent, and deep interests to apply toward a meaningful and informed exploration of 32 Digital Pathways of Cybersecurity. https://www.edx.org/course/finding-your-cybersecurity-career-path
  • Building a Cybersecurity Toolkit – University of Washington via edX – 4 weeks self-paced The purpose of this course is to give learners insight into these type of characteristics and skills needed for cybersecurity jobs and to provide a realistic outlook on what they really need to add to their “toolkits” – a set of skills that is constantly evolving, not all technical, but fundamentally rooted in problem-solving. https://www.edx.org/course/building-a-cybersecurity-toolkit
  • Cybersecurity: The CISO’s View – University of Washington via edX – 4 weeks long self-paced – This course delves into the role that the CISO plays in cybersecurity operations. Throughout the lessons, learners will explore answers to the following questions: How does cybersecurity work across industries? What is the professionals’ point of view? How do we keep information secure https://www.edx.org/course/cybersecurity-the-cisos-view
  • Introduction to Cybersecurity – University of Washington via edX – In this course, you will gain an overview of the cybersecurity landscape as well as national (USA) and international perspectives on the field. We will cover the legal environment that impacts cybersecurity as well as predominant threat actors. – https://www.edx.org/course/introduction-to-cybersecurity
  • Cyber Attack Countermeasures New York University (NYU) via Coursera – This course introduces the basics of cyber defense starting with foundational models such as Bell-LaPadula and information flow frameworks. These underlying policy enforcements mechanisms help introduce basic functional protections, starting with authentication methods. Learners will be introduced to a series of different authentication solutions and protocols, including RSA SecureID and Kerberos, in the context of a canonical schema. – https://www.coursera.org/learn/cyber-attack-countermeasures
  • Introduction to Cyber Attacks New York University (NYU) via Coursera – This course provides learners with a baseline understanding of common cyber security threats, vulnerabilities, and risks. An overview of how basic cyber attacks are constructed and applied to real systems is also included. Examples include simple Unix kernel hacks, Internet worms, and Trojan horses in software utilities. Network attacks such as distributed denial of service (DDOS) and botnet- attacks are also described and illustrated using real examples from the past couple of decades. https://www.coursera.org/learn/intro-cyber-attacks
  • Enterprise and Infrastructure Security New York University (NYU) via Coursera – This course introduces a series of advanced and current topics in cyber security, many of which are especially relevant in modern enterprise and infrastructure settings. The basics of enterprise compliance frameworks are provided with introduction to NIST and PCI. Hybrid cloud architectures are shown to provide an opportunity to fix many of the security weaknesses in modern perimeter local area networks. https://www.coursera.org/learn/enterprise-infrastructure-security
  • Network Security Georgia Institute of Technology via Udacity – This course provides an introduction to computer and network security. Students successfully completing this class will be able to evaluate works in academic and commercial security, and will have rudimentary skills in security research. The course begins with a tutorial of the basic elements of cryptography, cryptanalysis, and systems security, and continues by covering a number of seminal papers and monographs in a wide range of security areas. – https://www.udacity.com/course/network-security–ud199
  • Real-Time Cyber Threat Detection and Mitigation – New York University (NYU) via Coursera This course introduces real-time cyber security techniques and methods in the context of the TCP/IP protocol suites. Explanation of some basic TCP/IP security hacks is used to introduce the need for network security solutions such as stateless and stateful firewalls. Learners will be introduced to the techniques used to design and configure firewall solutions such as packet filters and proxies to protect enterprise assets. https://www.coursera.org/learn/real-time-cyber-threat-detection

 

CYBERSECURITY JOBS:

 CYBERSECURITY Cheat sheets

SANS Massive List of Cheat Sheets Curated from here: https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/

General IT Security * Windows and Linux Terminals & Command Lines https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/bltea7de5267932e94b/5eb08aafcf88d36e47cf0644/Cheatsheet_SEC301-401_R7.pdf

Digital Forensics and Incident Response

Penetration Testing * Swiss Army Knife collection of PenTesting Cheatsheets https://github.com/swisskyrepo/PayloadsAllTheThings

Cloud Security Cheat sheets

CYBERSECURITY Q&A

 

‎AWS Certified Developer A. PRO

Source: What is the best cheap Wi-Fi cracking/hacking adapter?

Hey everyone, I’ve started getting into hacking, and would like to know the cheapest but best Wi-Fi cracking/deauthing/hacking adapter. I’m on a fairly tight budget of 20AUD and am willing to compromise if needed. Priority is a card with monitor mode, then cracking capabilities, then deauthing, etc. Thank you guys! By the way, if there are any beginner tips you are willing to give, please let me know!

 

 

How SSL Certificates Work

  • A browser or server attempts to connect to a website (i.e. a web server) secured with SSL. The browser/server requests that the web server identify itself.
  • The web server sends the browser/server a copy of its SSL certificate.
  • The browser/server checks to see whether or not it trusts the SSL certificate. If so, it sends a message to the web server.
  • The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  • Encrypted data is shared between the browser/server and the web server.

diagram of how ssl certificates work

There are many benefits to using SSL certificates. Namely, SSL customers can:

  • Utilize HTTPs, which elicits a stronger Google ranking
  • Create safer experiences for your customers
  • Build customer trust and improve conversions
  • Protect both customer and internal data
  • Encrypt browser-to-server and server-to-server communication
  • Increase security of your mobile and cloud apps

 

Penetration Testing Terms

Penetration Testing Terms to know:

  • Authentication — The process of checking if a user is allowed to gain access to a system. eg. Login forms with username and password.
  • Authorization — Checking if the authenticated user has access to perform an action. eg. user, admin, super admin roles.
  • Audit — Conduct a complete inspection of an organization’s network to find vulnerable endpoints or malicious software.
  • Access Control List — A list that contains users and their level of access to a system.
  • Aircrack-ng — Wifi penetration testing software suite. Contains sniffing, password cracking, and general wireless attacking tools.
  • Backdoor — A piece of code that lets hackers get into the system easily after it has been compromised.
  • Burp Suite — Web application security software, helps test web apps for vulnerabilities. Used in bug bounty hunting.
  • Banner Grabbing — Capturing basic information about a server like the type of web server software (eg. apache) and services running on it.
  • Botnet — A network of computers controlled by a hacker to perform attacks such as Distributed Denial of Service.
  • Brute-Force Attack — An attack where the hacker tries different login combinations to gain access. eg. trying to crack a 9 -digit numeric password by trying all the numbers from 000000000 to 999999999
  • Buffer Overflow — When a program tries to store more information than it is allowed to, it overflows into other buffers (memory partitions) corrupting existing data.
  • Cache — Storing the response to a particular operation in temporary high-speed storage is to serve other incoming requests better. eg. you can store a database request in a cache till it is updated to reduce calling the database again for the same query.
  • Cipher — Cryptographic algorithm for encrypting and decrypting data.
  • Code Injection — Injecting malicious code into a system by exploiting a bug or vulnerability.
  • Cross-Site Scripting — Executing a script on the client-side through a legitimate website. This can be prevented if the website sanitizes user input.
  • Compliance — A set of rules defined by the government or other authorities on how to protect your customer’s data. Common ones include HIPAA, PCI-DSS, and FISMA.
  • Dictionary Attack — Attacking a system with a pre-defined list of usernames and passwords. eg. admin/admin is a common username/password combination used by amateur sysadmins.
  • Dumpster Diving — Looking into a company’s trash cans for useful information.
  • Denial of Service & Distributed Denial of Service — Exhausting a server’s resources by sending too many requests is Denial of Service. If a botnet is used to do the same, its called Distributed Denial of Service.
  • DevSecOps — Combination of development and operations by considering security as a key ingredient from the initial system design.
  • Directory Traversal — Vulnerability that lets attackers list al the files and folders within a server. This can include system configuration and password files.
  • Domain Name System (DNS) — Helps convert domain names into server IP addresses. eg. Google.com -> 216.58.200.142
  • DNS Spoofing — Trikcnig a system’s DNS to point to a malicious server. eg. when you enter ‘facebook.com’, you might be redirected to the attacker’s website that looks like Facebook.
  • Encryption — Encoding a message with a key so that only the parties with the key can read the message.
  • Exploit — A piece of code that takes advantage of a vulnerability in the target system. eg. Buffer overflow exploits can get you to root access to a system.
  • Enumeration — Mapping out all the components of a network by gaining access to a single system.
  • Footprinting — Gathering information about a target using active methods such as scanning and enumeration.
  • Flooding — Sending too many packets of data to a target system to exhaust its resources and cause a Denial of Service or similar attacks.
  • Firewall — A software or hardware filter that can be configured to prevent common types of attacks.
  • Fork Bomb — Forking a process indefinitely to exhaust system resources. Related to a Denial of Service attack.
  • Fuzzing — Sending automated random input to a software program to test its exception handling capacity.
  • Hardening — Securing a system from attacks like closing unused ports. Usually done using scripts for servers.
  • Hash Function — Mapping a piece of data into a fixed value string. Hashes are used to confirm data integrity.
  • Honey Pot — An intentionally vulnerable system used to lure attackers. This is then used to understand the attacker’s strategies.
  • HIPAA — The Health Insurance Portability and Accountability Act. If you are working with healthcare data, you need to make sure you are HIPAA compliant. This is to protect the customer’s privacy.
  • Input Validation — Checking user inputs before sending them to the database. eg. sanitizing form input to prevent SQL injection attacks.
  • Integrity — Making sure the data that was sent from the server is the same that was received by the client. This ensures there was no tampering and integrity is achieved usually by hashing and encryption.
  • Intrusion Detection System — A software similar to a firewall but with advanced features. Helps in defending against Nmap scans, DDoS attacks, etc.
  • IP Spoofing — Changing the source IP address of a packet to fool the target into thinking a request is coming from a legitimate server.
  • John The Ripper — Brilliant password cracking tool, runs on all major platforms.
  • Kerberos — Default authorization software used by Microsoft, uses a stronger encryption system.
  • KeyLogger — A software program that captures all keystrokes that a user performs on the system.
  • Logic Bombs — A piece of code (usually malicious) that runs when a condition is satisfied.
  • Light Weight Directory Access Protocol (LDAP) — Lightweight client-server protocol on Windows, central place for authentication. Stores usernames and passwords to validate users on a network.
  • Malware — Short for “Malicious Software”. Everything from viruses to backdoors is malware.
  • MAC Address — Unique address assigned to a Network Interface Card and is used as an identifier for local area networks. Easy to spoof.
  • Multi-factor Authentication — Using more than one method of authentication to access a service. eg. username/password with mobile OTP to access a bank account (two-factor authentication)
  • MD5 — Widely used hashing algorithm. Once a favorite, it has many vulnerabilities.
  • Metasploit — All in one penetration testing framework that helps to successfully exploit vulnerabilities and gain access to target systems.
  • Meterpreter — An advanced Metasploit payload that lives in memory and hard to trace.
  • Null-Byte Injection — An older exploit, uses null bytes (i.e. %00, or 0x00 in hexadecimal) to URLs. This makes web servers return random/unwanted data which might be useful for the attacker. Easily prevented by doing sanity checks.
  • Network Interface Card(NIC) — Hardware that helps a device connect to a network.
  • Network Address Translation — Utility that translates your local IP address into a global IP address. eg. your local IP might be 192.168.1.4 but to access the internet, you need a global IP address (from your router).
  • Nmap — Popular network scanning tool that gives information about systems, open ports, services, and operating system versions.
  • Netcat — Simple but powerful tool that can view and record data on a TCP or UDP network connections. Since it is not actively maintained, NCat is preferred.
  • Nikto — A popular web application scanner, helps to find over 6700 vulnerabilities including server configurations and installed web server software.
  • Nessus — Commercial alternative to NMap, provides a detailed list of vulnerabilities based on scan results.
  • Packet — Data is sent and received by systems via packets. Contains information like source IP, destination IP, protocol, and other information.
  • Password Cracking — Cracking an encrypted password using tools like John the Ripper when you don’t have access to the key.
  • Password Sniffing — Performing man-in-the-middle attacks using tools like Wireshark to find password hashes.
  • Patch — A software update released by a vendor to fix a bug or vulnerability in a software system.
  • Phishing — Building fake web sites that look remarkably similar to legitimate websites (like Facebook) to capture sensitive information.
  • Ping Sweep — A technique that tries to ping a system to see if it is alive on the network.
  • Public Key Cryptography — Encryption mechanism that users a pair of keys, one private and one public. The sender will encrypt a message using your public key which then you can decrypt using your private key.
  • Public Key Infrastructure — A public key infrastructure (PKI) is a system to create, store, and distribute digital certificates. This helps sysadmins verify that a particular public key belongs to a certain authorized entity.
  • Personally Identifiable Information (PII) — Any information that identified a user. eg. Address, Phone number, etc.
  • Payload — A piece of code (usually malicious) that performs a specific function. eg. Keylogger.
  • PCI-DSS — Payment Card Industry Data Security Standard. If you are working with customer credit cards, you should be PCI-DSS compliant.
  • Ransomware — Malware that locks your system using encryption and asks you to pay a price to get the key to unlock it.
  • Rainbow Table — Pre calculated password hashes that will help you crack password hashes of the target easily.
  • Reconnaissance — Finding data about the target using methods such as google search, social media, and other publicly available information.
  • Reverse Engineering — Rebuilding a piece of software based on its functions.
  • Role-Based Access — Providing a set of authorizations for a role other than a user. eg. “Managers” role will have a set of permissions while the “developers” role will have a different set of permissions.
  • Rootkit — A rootkit is a malware that provides unauthorized users admin privileges. Rootkits include keyloggers, password sniffers, etc.
  • Scanning — Sending packets to a system and gaining information about the target system using the packets received. This involved the 3-way-handshake.
  • Secure Shell (SSH) — Protocol that establishes an encrypted communication channel between a client and a server. You can use ssh to login to remote servers and perform system administration.
  • Session — A session is a duration in which a communication channel is open between a client and a server. eg. the time between logging into a website and logging out is a session.
  • Session Hijacking — Taking over someone else’s session by pretending to the client. This is achieved by stealing cookies and session tokens. eg. after you authenticate with your bank, an attacker can steal your session to perform financial transactions on your behalf.
  • Social Engineering — The art of tricking people into making them do something that is not in their best interest. eg. convincing someone to provide their password over the phone.
  • Secure Hashing Algorithm (SHA) — Widely used family of encryption algorithms. SHA256 is considered highly secure compared to earlier versions like SHA 1. It is also a one-way algorithm, unlike an encryption algorithm that you can decrypt. Once you hash a message, you can only compare with another hash, you cannot re-hash it to its earlier format.
  • Sniffing — performing man-in-the-middle attacks on networks. Includes wired and wireless networks.
  • Spam — Unwanted digital communication, including email, social media messages, etc. Usually tries to get you into a malicious website.
  • Syslog — System logging protocol, used by system administrators to capture all activity on a server. Usually stored on a separate server to retain logs in the event of an attack.
  • Secure Sockets Layer (SSL) — Establishes an encrypted tunnel between the client and server. eg. when you submit passwords on Facebook, only the encrypted text will be visible for sniffers and not your original password.
  • Snort — Lightweight open-source Intrusion Detection System for Windows and Linux.
  • SQL Injection — A type of attack that can be performed on web applications using SQL databases. Happens when the site does not validate user input.
  • Trojan — A malware hidden within useful software. eg. a pirated version of MS office can contain trojans that will execute when you install and run the software.
  • Traceroute — Tool that maps the route a packet takes between the source and destination.
  • Tunnel — Creating a private encrypted channel between two or more computers. Only allowed devices on the network can communicate through this tunnel.
  • Virtual Private Network — A subnetwork created within a network, mainly to encrypt traffic. eg. connecting to a VPN to access a blocked third-party site.
  • Virus — A piece of code that is created to perform a specific action on the target systems. A virus has to be triggered to execute eg. autoplaying a USB drive.
  • Vulnerability — A point of attack that is caused by a bug / poor system design. eg. lack of input validation causes attackers to perform SQL injection attacks on a website.
  • War Driving — Travelling through a neighborhood looking for unprotected wifi networks to attack.
  • WHOIS — Helps to find information about IP addresses, its owners, DNS records, etc.
  • Wireshark — Open source program to analyze network traffic and filter requests and responses for network debugging.
  • Worm — A malware program capable of replicating itself and spreading to other connected systems. eg. a worm to built a botnet. Unlike Viruses, Worms don’t need a trigger.
  • Wireless Application Protocol (WAP) — Protocol that helps mobile devices connect to the internet.
  • Web Application Firewall (WAF) — Firewalls for web applications that help with cross-site scripting, Denial of Service, etc.
  • Zero-Day — A newly discovered vulnerability in a system for which there is no patch yet. Zero-day vulnerabilities are the most dangerous type of vulnerabilities since there is no possible way to protect against one.
  • Zombie — A compromised computer, controlled by an attacker. A group of zombies is called a Botnet.

CyberSecurity Post COVID-19

How does Covid19 affect cyber risk?

  1. Increased distributed working: With organizations embracing work from home, incremental risks have been observed due to a surge in Bring Your Own Device (BYOD), Virtual Private Network (VPN), Software As A Service (SaaS), O365 and Shadow IT, as it could be exploited by various Man-in-the-Middle (MITM) attack vectors.
  2. Reimagine Business Models: Envisioning new business opportunities, modes of working, and renewed investment priorities. With reduced workforce capability, compounded with skill shortages, staff who are focusing on business as usual tasks can be victimized, via social engineering.
  3. Digital Transformation and new digital infrastructure: With the change in nature for organizations across the industrial and supply chain sector – security is deprioritized. Hardening of the industrial systems and cloud based infrastructure is crucial as cyber threats exploit these challenges via vulnerability available for unpatched systems.
  4. With an extreme volume of digital communication, security awareness is lowered with increased susceptibility. Malicious actors are using phishing techniques to exploit such situations.

Re-evaluate your approach to cyber

    • Which cyber scenarios your organization appears to be preparing for or is prepared?
    •  Is there a security scenario that your organization is currently ignoring – but shouldn’t be?
    • What would your organization need to do differently in order to win, in each of the identified cyber scenarios?
  • What capabilities, cyber security partnerships, and workforce strategies do you need to strengthen?

The organizations should reflect the following scenarios at a minimum and consider:

    • Which cyber scenarios your organization appears to be preparing for or is prepared?
    •  Is there a security scenario that your organization is currently ignoring – but shouldn’t be?
    • What would your organization need to do differently in order to win, in each of the identified cyber scenarios?
    • What capabilities, cyber security partnerships, and workforce strategies do you need to strengthen?
  • To tackle the outcome from the above scenarios, the following measures are the key:

Inoculation through education: Educate and / or remind your employees about –

    • Your organization’s defense – remote work cyber security policies and best practices
    • Potential threats to your organization and how will it attack – with a specific focus on social engineering scams and identifying COVID-19 phishing campaigns
  • Assisting remote employees with enabling MFA across the organization assets

Adjust your defenses: Gather cyber threat intelligence and execute a patching sprint:

    • Set intelligence collection priorities
    • Share threat intelligence with other organizations
    • Use intelligence to move at the speed of the threat
  • Focus on known tactics, such as phishing and C-suite fraud.
  • Prioritize unpatched critical systems and common vulnerabilities.

Enterprise recovery: If the worst happens and an attack is successful, follow a staged approach to recovering critical business operations which may include tactical items such as:

    • Protect key systems through isolation
    • Fully understand and contain the incident
    • Eradicate any malware
    • Implement appropriate protection measures to improve overall system posture
    • Identify and prioritize the recovery of key business processes to deliver operations
  • Implement a prioritized recovery plan

Cyber Preparedness and Response: It is critical to optimize the detection capability thus, re-evaluation of the detection strategy aligned with the changing landscape is crucial. Some key trends include:

    • Secure and monitor your cloud environments and remote working applications
    • Increase monitoring to identify threats from shadow IT
  • Analyze behavior patterns to improve detection content

Finding the right cyber security partner: To be ready to respond identify the right partner with experience and skillset in Social Engineering, Cyber Response, Cloud Security, and Data Security.

Critical actions to address

At this point, as the organizations are setting the direction towards the social enterprise, it is an unprecedented opportunity to lead with cyber discussions and initiatives. Organizations should immediately gain an understanding of newly introduced risks and relevant controls by:

    • Getting a seat at the table
    • Understanding the risk prioritization:
    • Remote workforce/technology performance
    • Operational and financial implications
    • Emerging insider and external threats
  • Business continuity capabilities

Assessing cyber governance and security awareness in the new operating environment

Assessing the highest areas of risk and recommend practical mitigation strategies that minimize impact to constrained resources.

Keeping leadership and the Board apprised of ever-changing risk profile

Given the complexity of the pandemic and associated cyber challenges, there is reason to believe that the recovery phase post-COVID-19 will require unprecedented levels of cyber orchestration, communication, and changing of existing configurations across the organization.

CyberSecurity: Protect Yourself on Internet

    • Use two factor authentication when possible. If not possible, use strong unique passwords that are difficult to guess or crack. This means avoiding passwords that use of common words, your birthdate, your SSN, names and birthdays of close associates, etc.
    • Make sure the devices you are using are up-to-date and have some form of reputable anti-virus/malware software installed.
    • Never open emails, attachments, programs unless they are from a trusted source (i.e., a source that can be verified). Also disregard email or web requests that ask you to share your personal or account information unless you are sure the request and requestor are legitimate.
    • Try to only use websites that are encrypted. To do this, look for either the trusted security lock symbol before the website address and/or the extra “s” at the end of http in the URL address bar.
    • Avoid using an administrator level account when using the internet.
    • Only enable cookies when absolutely required by a website.
    • Make social media accounts private or don’t use social media at all.
    • Consider using VPNs and encrypting any folders/data that contains sensitive data.
  • Stay away from using unprotected public Wi-Fi networks.
    • Social media is genetically engineered in Area 51 to harvest as much data from you as possible. Far beyond just having your name and age and photograph.

    • Never use the same username twice anywhere, or the same password twice anywhere.

    • Use Tor/Tor Browser whenever possible. It’s not perfect, but it is a decent default attempt at anonymity.

    • Use a VPN. Using VPN and Tor can be even better.

    • Search engines like DuckDuckGo offer better privacy (assuming they’re honest, which you can never be certain of) than Google which, like social media, works extremely hard to harvest every bit of data from you that they can.

    • Never give your real details anywhere. Certainly not things like your name or pictures of yourself, but even less obvious things like your age or country of origin. Even things like how you spell words and grammatical quirks can reveal where you’re from.

    • Erase your comments from websites after a few days/weeks. It might not erase them from the website’s servers, but it will at least remove them from public view. If you don’t, you can forget they exist and you never know how or when they can and will be used against you.

  • With Reddit, you can create an account fairly easily over Tor using no real information. Also, regularly nuke your accounts in case Reddit or some crazy stalker is monitoring your posts to build a profile of who you might be. Source: Reddit

 Notable Hackers

  • Adrian Lamo – gained media attention for breaking into several high-profile computer networks, including those of The New York Times, Yahoo!, and Microsoft, culminating in his 2003 arrest. Lamo was best known for reporting U.S. soldier Chelsea Manning to Army criminal investigators in 2010 for leaking hundreds of thousands of sensitive U.S. government documents to WikiLeaks.
  • Albert Gonzales – an American computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 to 2007: the biggest such fraud in history.
  • Andrew Auernheimer (known as Weev) – Went to jail for using math against AT&T website.
  • Barnaby Jack – was a New Zealand hacker, programmer and computer security expert. He was known for his presentation at the Black Hat computer security conference in 2010, during which he exploited two ATMs and made them dispense fake paper currency on the stage. Among his other most notable works were the exploitation of various medical devices, including pacemakers and insulin pumps.
  • Benjamin Delpy – Mimikatz
  • DVD-Jon – He wrote the DeCSS software, which decodes the Content Scramble System used for DVD licensing enforcement.
  • Eric Corley (known as Emmanuel Goldstein) – 2600
  • Gary McKinnon – a Scottish systems administrator and hacker who was accused in 2002 of perpetrating the “biggest military computer hack of all time,” although McKinnon himself states that he was merely looking for evidence of free energy suppression and a cover-up of UFO activity and other technologies potentially useful to the public. 👽🛸
  • George Hotz aka geohot – “The former Facebook engineer took on the giants of the tech world by developing the first iPhone carrier-unlock techniques,” says Mark Greenwood, head of data science at Netacea, “followed a few years later by reverse engineering Sony’s PlayStation 3, clearing the way for users to run their own code on locked-down hardware. George sparked an interest in a younger generation frustrated with hardware and software restrictions being imposed on them and led to a new scene of opening up devices, ultimately leading to better security and more openness.”
  • Guccifer 2.0 – a persona which claimed to be the hacker(s) that hacked into the Democratic National Committee (DNC) computer network and then leaked its documents to the media, the website WikiLeaks, and a conference event.
  • Hector Monsegur (known as Sabu) – an American computer hacker and co-founder of the hacking group LulzSec. He Monsegur became an informant for the FBI, working with the agency for over ten months to aid them in identifying the other hackers from LulzSec and related groups.
  • Jacob Appelbaum – an American independent journalist, computer security researcher, artist, and hacker. He has been employed by the University of Washington, and was a core member of the Tor project, a free software network designed to provide online anonymity.
  • James Forshaw – one of the world’s foremost bug bounty huners
  • Jeanson James Ancheta – On May 9, 2006, Jeanson James Ancheta (born 1985) became the first person to be charged for controlling large numbers of hijacked computers or botnets.
  • Jeremy Hammond – He was convicted of computer fraud in 2013 for hacking the private intelligence firm Stratfor and releasing data to the whistle-blowing website WikiLeaks, and sentenced to 10 years in prison.
  • John Draper – also known as Captain Crunch, Crunch or Crunchman (after the Cap’n Crunch breakfast cereal mascot), is an American computer programmer and former legendary phone phreak.
  • Kevin Mitnick – Free Kevin
  • Kimberley Vanvaeck (known as Gigabyte) – a virus writer from Belgium known for a long-standing dispute which involved the internet security firm Sophos and one of its employees, Graham Cluley. Vanvaeck wrote several viruses, including Quis, Coconut and YahaSux (also called Sahay). She also created a Sharp virus (also called “Sharpei”), credited as being the first virus to be written in C#.
  • Lauri Love – a British activist charged with stealing data from United States Government computers including the United States Army, Missile Defense Agency, and NASA via computer intrusion.
  • Michael Calce (known as MafiaBoy) – a security expert from Île Bizard, Quebec who launched a series of highly publicized denial-of-service attacks in February 2000 against large commercial websites, including Yahoo!, Fifa.com, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN.
  • Mudge – Peiter C. Zatko, better known as Mudge, is a network security expert, open source programmer, writer, and a hacker. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the long-lived computer and culture hacking cooperative the Cult of the Dead Cow.
  • Phineas Fisher – vigilante hacker god
  • PRAGMA – Also known as Impragma or PHOENiX, PRAGMA is the author of Snipr, one of the most prolific credential stuffing tools available online.
  • The 414s – The 414s were a group of computer hackers who broke into dozens of high-profile computer systems, including ones at Los Alamos National Laboratory, Sloan-Kettering Cancer Center, and Security Pacific Bank, in 1982 and 1983.
  • The Shadow Brokers – is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products.[6] The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA’s Tailored Access Operations unit.

Notable Viruses & Worms

History

  • The Strange History of Ransomware
    The first ransomware virus predates e-mail, even the Internet as we know it, and was distributed on floppy disk by the postal service. It sounds quaint, but in some ways this horse-and-buggy version was even more insidious than its modern descendants. Contemporary ransomware tends to bait victims using legitimate-looking email attachments — a fake invoice from UPS, or a receipt from Delta airlines. But the 20,000 disks dispatched to 90 countries in December of 1989 were masquerading as something far more evil: AIDS education software.

How to protect sensitive data for its entire lifecycle in AWS

How to protect sensitive data for its entire lifecycle in AWS
How to protect sensitive data for its entire lifecycle in AWS

You can protect data in-transit over individual communications channels using transport layer security (TLS), and at-rest in individual storage silos using volume encryption, object encryption or database table encryption. However, if you have sensitive workloads, you might need additional protection that can follow the data as it moves through the application stack. Fine-grained data protection techniques such as field-level encryption allow for the protection of sensitive data fields in larger application payloads while leaving non-sensitive fields in plaintext. This approach lets an application perform business functions on non-sensitive fields without the overhead of encryption, and allows fine-grained control over what fields can be accessed by what parts of the application. Read m ore here…

AWS Certification Exam Prep: DynamoDB Facts, Summaries and Questions/Answers.

DynamoDB

Data Center Proxies - Data Collectors - Data Unblockers

AWS DynamoDB facts and summaries, AWS DynamoDB Top 10 Questions and Answers Dump

Definition 1: Amazon DynamoDB is a fully managed proprietary NoSQL database service that supports key-value and document data structures and is offered by Amazon.com as part of the Amazon Web Services portfolio. DynamoDB exposes a similar data model to and derives its name from Dynamo, but has a different underlying implementation. Dynamo had a multi-master design requiring the client to resolve version conflicts and DynamoDB uses synchronous replication across multiple datacenters for high durability and availability.

Definition 2: DynamoDB is a fast and flexible non-relational database service for any scale. DynamoDB enables customers to offload the administrative burdens of operating and scaling distributed databases to AWS so that they don’t have to worry about hardware provisioning, setup and configuration, throughput capacity planning, replication, software patching, or cluster scaling.

Amazon DynamoDB explained

  • Fully Managed
  • Fast, consistent Performance
  • Fine-grained access control
  • Flexible
Amazon DynamoDB explained
Amazon DynamoDB explained

AWS DynamoDB Facts and Summaries

  1. Amazon DynamoDB is a low-latency NoSQL database.
  2. DynamoDB consists of Tables, Items, and Attributes
  3. DynamoDb supports both document and key-value data models
  4. DynamoDB Supported documents formats are JSON, HTML, XML
  5. DynamoDB has 2 types of Primary Keys: Partition Key and combination of Partition Key + Sort Key (Composite Key)
  6. DynamoDB has 2 consistency models: Strongly Consistent / Eventually Consistent
  7. DynamoDB Access is controlled using IAM policies.
  8. DynamoDB has fine grained access control using IAM Condition parameter dynamodb:LeadingKeys to allow users to access only the items where the partition key vakue matches their user ID.
  9. DynamoDB Indexes enable fast queries on specific data columns
  10. DynamoDB indexes give you a different view of your data based on alternative Partition / Sort Keys.
  11. DynamoDB Local Secondary indexes must be created when you create your table, they have same partition Key as your table, and they have a different Sort Key.
  12. DynamoDB Global Secondary Index Can be created at any time: at table creation or after. They have a different partition Key as your table and a different sort key as your table.
  13. A DynamoDB query operation finds items in a table using only the primary Key attribute: You provide the Primary Key name and a distinct value to search for.
  14. A DynamoDB Scan operation examines every item in the table. By default, it return data attributes.
  15. DynamoDB Query operation is generally more efficient than a Scan.
  16. With DynamoDB, you can reduce the impact of a query or scan by setting a smaller page size which uses fewer read operations.
  17. To optimize DynamoDB performance, isolate scan operations to specific tables and segregate them from your mission-critical traffic.
  18. To optimize DynamoDB performance, try Parallel scans rather than the default sequential scan.
  19. To optimize DynamoDB performance: Avoid using scan operations if you can: design tables in a way that you can use Query, Get, or BatchGetItems APIs.
  20. When you scan your table in Amazon DynamoDB, you should follow the DynamoDB best practices for avoiding sudden bursts of read activity.
  21. DynamoDb Provisioned Throughput is measured in Capacity Units.
    • 1 Write Capacity Unit = 1 x 1KB Write per second.
    • 1 Read Capacity Unit = 1 x 4KB Strongly Consistent Read Or 2 x 4KB Eventually Consistent Reads per second. Eventual consistent reads give us the maximum performance with the read operation.
  22. What is the maximum throughput that can be provisioned for a single DynamoDB table?
    DynamoDB is designed to scale without limits. However, if you want to exceed throughput rates of 10,000 write capacity units or 10,000 read capacity units for an individual table, you must Contact AWS to increase it.
    If you want to provision more than 20,000 write capacity units or 20,000 read capacity units from a single subscriber account, you must first contact AWS to request a limit increase.
  23. Dynamo Db Performance: DAX is a DynamoDB-compatible caching service that enables you to benefit from fast in-memory performance for demanding applications.
    • As an in-memory cache, DAX reduces the response times of eventually-consistent read workloads by an order of magnitude, from single-digit milliseconds to microseconds
    • DAX improves response times for Eventually Consistent reads only.
    • With DAX, you point your API calls to the DAX cluster instead of your table.
    • If the item you are querying is on the cache, DAX will return it; otherwise, it will perform and Eventually Consistent GetItem operation to your DynamoDB table.
    • DAX reduces operational and application complexity by providing a managed service that is API compatible with Amazon DynamoDB, and thus requires only minimal functional changes to use with an existing application.
    • DAX is not suitable for write-intensive applications or applications that require Strongly Consistent reads.
    • For read-heavy or bursty workloads, DAX provides increased throughput and potential operational cost savings by reducing the need to over-provision read capacity units. This is especially beneficial for applications that require repeated reads for individual keys.
  24. Dynamo Db Performance: ElastiCache
    • In-memory cache sits between your application and database
    • 2 different caching strategies: Lazy loading and Write Through: Lazy loading only caches the data when it is requested
    • Elasticache Node failures are not fatal, just lots of cache misses
    • Avoid stale data by implementing a TTL.
    • Write-Through strategy writes data into cache whenever there is a change to the database. Data is never stale
    • Write-Through penalty: Each write involves a write to the cache. Elasticache node failure means that data is missing until added or updated in the database.
    • Elasticache is wasted resources if most of the data is never used.
  25. Time To Live (TTL) for DynamoDB allows you to define when items in a table expire so that they can be automatically deleted from the database. TTL is provided at no extra cost as a way to reduce storage usage and reduce the cost of storing irrelevant data without using provisioned throughput. With TTL enabled on a table, you can set a timestamp for deletion on a per-item basis, allowing you to limit storage usage to only those records that are relevant.
  26. DynamoDB Security: DynamoDB uses the CMK to generate and encrypt a unique data key for the table, known as the table key. With DynamoDB, AWS Owned, or AWS Managed CMK can be used to generate & encrypt keys. AWS Owned CMK is free of charge while AWS Managed CMK is chargeable. Customer managed CMK’s are not supported with encryption at rest.
  27. Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting your data at rest using an AWS Key Management Service (AWS KMS) managed encryption key for DynamoDB. This functionality eliminates the operational burden and complexity involved in protecting sensitive data.
  28. DynamoDB is a alternative solution which can be used for storage of session management. The latency of access to data is less , hence this can be used as a data store for session management
  29. DynamoDB Streams Use Cases and Design Patterns:
    How do you set up a relationship across multiple tables in which, based on the value of an item from one table, you update the item in a second table?
    How do you trigger an event based on a particular transaction?
    How do you audit or archive transactions?
    How do you replicate data across multiple tables (similar to that of materialized views/streams/replication in relational data stores)?
    As a NoSQL database, DynamoDB is not designed to support transactions. Although client-side libraries are available to mimic the transaction capabilities, they are not scalable and cost-effective. For example, the Java Transaction Library for DynamoDB creates 7N+4 additional writes for every write operation. This is partly because the library holds metadata to manage the transactions to ensure that it’s consistent and can be rolled back before commit.

    You can use DynamoDB Streams to address all these use cases. DynamoDB Streams is a powerful service that you can combine with other AWS services to solve many similar problems. When enabled, DynamoDB Streams captures a time-ordered sequence of item-level modifications in a DynamoDB table and durably stores the information for up to 24 hours. Applications can access a series of stream records, which contain an item change, from a DynamoDB stream in near real time.

    AWS maintains separate endpoints for DynamoDB and DynamoDB Streams. To work with database tables and indexes, your application must access a DynamoDB endpoint. To read and process DynamoDB Streams records, your application must access a DynamoDB Streams endpoint in the same Region

  30. 20 global secondary indexes are allowed per table? (by default)
  31. What is one key difference between a global secondary index and a local secondary index?
    A local secondary index must have the same partition key as the main table
  32. How many tables can an AWS account have per region? 256
  33. How many secondary indexes (global and local combined) are allowed per table? (by default): 25
    You can define up to 5 local secondary indexes and 20 global secondary indexes per table (by default) – for a total of 25.
  34. How can you increase your DynamoDB table limit in a region?
    By contacting AWS and requesting a limit increase
  35. For any AWS account, there is an initial limit of 256 tables per region.
  36. The minimum length of a partition key value is 1 byte. The maximum length is 2048 bytes.
  37. The minimum length of a sort key value is 1 byte. The maximum length is 1024 bytes.
  38. For tables with local secondary indexes, there is a 10 GB size limit per partition key value. A table with local secondary indexes can store any number of items, as long as the total size for any one partition key value does not exceed 10 GB.
  39. The following diagram shows a local secondary index named LastPostIndex. Note that the partition key is the same as that of the Thread table, but the sort key is LastPostDateTime.
    DynamoDB secondary indexes example
    AWS DynamoDB secondary indexes example
  40. Relational vs Non Relational (SQL vs NoSQL)
Relational vs Non Relational
Relational vs Non Relational
SQL vs NOSQL
SQL vs NOSQL
SQL vs NoSQL in AWS
SQL vs NoSQL in AWS

Top
Reference: AWS DynamoDB

AWS DynamoDB Questions and Answers Dumps

Q0: What should the Developer enable on the DynamoDB table to optimize performance and minimize costs?

  • A. Amazon DynamoDB auto scaling
  • B. Amazon DynamoDB cross-region replication
  • C. Amazon DynamoDB Streams
  • D. Amazon DynamoDB Accelerator

D. DAX is a DynamoDB-compatible caching service that enables you to benefit from fast in-memory performance for demanding applications. DAX addresses three core scenarios:

  1. As an in-memory cache, DAX reduces the response times of eventually-consistent read workloads by an order of magnitude, from single-digit milliseconds to microseconds.
  2. DAX reduces operational and application complexity by providing a managed service that is API-compatible with Amazon DynamoDB, and thus requires only minimal functional changes to use with an existing application.
  3. For read-heavy or bursty workloads, DAX provides increased throughput and potential operational cost savings by reducing the need to over-provision read capacity units. This is especially beneficial for applications that require repeated reads for individual keys.

Reference: AWS DAX

Top

Q2: A security system monitors 600 cameras, saving image metadata every 1 minute to an Amazon DynamoDb table. Each sample involves 1kb of data, and the data writes are evenly distributed over time. How much write throughput is required for the target table?

  • A. 6000
  • B. 10
  • C. 3600
  • D. 600

B. When you mention the write capacity of a table in Dynamo DB, you mention it as the number of 1KB writes per second. So in the above question, since the write is happening every minute, we need to divide the value of 600 by 60, to get the number of KB writes per second. This gives a value of 10.

You can specify the Write capacity in the Capacity tab of the DynamoDB table.

Reference: AWS working with tables

Q3: You are developing an application that will interact with a DynamoDB table. The table is going to take in a lot of read and write operations. Which of the following would be the ideal partition key for the DynamoDB table to ensure ideal performance?

  • A. CustomerID
  • B. CustomerName
  • C. Location
  • D. Age

Answer- A
Use high-cardinality attributes. These are attributes that have distinct values for each item, like e-mailid, employee_no, customerid, sessionid, orderid, and so on..
Use composite attributes. Try to combine more than one attribute to form a unique key.
Reference: Choosing the right DynamoDB Partition Key

Top

Q4: A DynamoDB table is set with a Read Throughput capacity of 5 RCU. Which of the following read configuration will provide us the maximum read throughput?

  • A. Read capacity set to 5 for 4KB reads of data at strong consistency
  • B. Read capacity set to 5 for 4KB reads of data at eventual consistency
  • C. Read capacity set to 15 for 1KB reads of data at strong consistency
  • D. Read capacity set to 5 for 1KB reads of data at eventual consistency

Answer: B.
The calculation of throughput capacity for option B would be:
Read capacity(5) * Amount of data(4) = 20.
Since its required at eventual consistency , we can double the read throughput to 20*2=40

Reference: Read/Write Capacity Mode

Top

Q5: Your team is developing a solution that will make use of DynamoDB tables. Due to the nature of the application, the data is needed across a couple of regions across the world. Which of the following would help reduce the latency of requests to DynamoDB from different regions?

  • A. Enable Multi-AZ for the DynamoDB table
  • B. Enable global tables for DynamoDB
  • C. Enable Indexes for the table
  • D. Increase the read and write throughput for the tablez

Answer: B
Amazon DynamoDB global tables provide a fully managed solution for deploying a multi-region, multimaster database, without having to build and maintain your own replication solution. When you create a global table, you specify the AWS regions where you want the table to be available. DynamoDB performs all of the necessary tasks to create identical tables in these regions, and propagate ongoing data changes to all of them.
Reference: Global Tables

Top

Q6: An application is currently accessing  a DynamoDB table. Currently the tables queries are performing well. Changes have been made to the application and now the performance of the application is starting to degrade. After looking at the changes , you see that the queries are making use of an attribute which is not the partition key? Which of the following would be the adequate change to make to resolve the issue?

  • A. Add an index for the DynamoDB table
  • B. Change all the queries to ensure they use the partition key
  • C. Enable global tables for DynamoDB
  • D. Change the read capacity on the table

Answer: A
Amazon DynamoDB provides fast access to items in a table by specifying primary key values. However, many applications might benefit from having one or more secondary (or alternate) keys available, to allow efficient access to data with attributes other than the primary key. To address this, you can create one or more secondary indexes on a table, and issue Query or Scan requests against these indexes.

A secondary index is a data structure that contains a subset of attributes from a table, along with an alternate key to support Query operations. You can retrieve data from the index using a Query, in much the same way as you use Query with a table. A table can have multiple secondary indexes, which gives your applications access to many different query patterns.

Reference: Improving Data Access with Secondary Indexes

Top

Q7: Company B has created an e-commerce site using DynamoDB and is designing a products table that includes items purchased and the users who purchased the item.
When creating a primary key on a table which of the following would be the best attribute for the partition key? Select the BEST possible answer.

  • A. None of these are correct.
  • B. user_id where there are many users to few products
  • C. category_id where there are few categories to many products
  • D. product_id where there are few products to many users

Answer: B.
When designing tables it is important for the data to be distributed evenly across the entire table. It is best practice for performance to set your primary key where there are many primary keys to few rows. An example would be many users to few products. An example of bad design would be a primary key of product_id where there are few products but many users.
When designing tables it is important for the data to be distributed evenly across the entire table. It is best practice for performance to set your primary key where there are many primary keys to few rows. An example would be many users to few products. An example of bad design would be a primary key of product_id where there are few products but many users.
Reference: Partition Keys and Sort Keys

Top

Q8: Which API call can be used to retrieve up to 100 items at a time or 16 MB of data from a DynamoDB table?

  • A. BatchItem
  • B. GetItem
  • C. BatchGetItem
  • D. ChunkGetItem

Answer: C. BatchGetItem

The BatchGetItem operation returns the attributes of one or more items from one or more tables. You identify requested items by primary key.

A single operation can retrieve up to 16 MB of data, which can contain as many as 100 items. BatchGetItem will return a partial result if the response size limit is exceeded, the table's provisioned throughput is exceeded, or an internal processing failure occurs. If a partial result is returned, the operation returns a value for UnprocessedKeys. You can use this value to retry the operation starting with the next item to get.Reference: API-Specific Limits

Top

Q9: Which DynamoDB limits can be raised by contacting AWS support?

  • A. The number of hash keys per account
  • B. The maximum storage used per account
  • C. The number of tables per account
  • D. The number of local secondary indexes per account
  • E. The number of provisioned throughput units per account

Answer: C. and E.

For any AWS account, there is an initial limit of 256 tables per region.
AWS places some default limits on the throughput you can provision.
These are the limits unless you request a higher amount.
To request a service limit increase see https://aws.amazon.com/support.

Reference: Limits in DynamoDB

Top

Q10: Which approach below provides the least impact to provisioned throughput on the “Product”
table?

  • A. Create an “Images” DynamoDB table to store the Image with a foreign key constraint to
    the “Product” table
  • B. Add an image data type to the “Product” table to store the images in binary format
  • C. Serialize the image and store it in multiple DynamoDB tables
  • D. Store the images in Amazon S3 and add an S3 URL pointer to the “Product” table item
    for each image

Answer: D.

Amazon DynamoDB currently limits the size of each item that you store in a table (see Limits in DynamoDB). If your application needs to store more data in an item than the DynamoDB size limit permits, you can try compressing one or more large attributes, or you can store them as an object in Amazon Simple Storage Service (Amazon S3) and store the Amazon S3 object identifier in your DynamoDB item.
Compressing large attribute values can let them fit within item limits in DynamoDB and reduce your storage costs. Compression algorithms such as GZIP or LZO produce binary output that you can then store in a Binary attribute type.
Reference: Best Practices for Storing Large Items and Attributes

Top

Q11: You’re creating a forum DynamoDB database for hosting forums. Your “thread” table contains the forum name and each “forum name” can have one or more “subjects”. What primary key type would you give the thread table in order to allow more than one subject to be tied to the forum primary key name?

  • A. Hash
  • B. Range and Hash
  • C. Primary and Range
  • D. Hash and Range

Answer: D.
Each forum name can have one or more subjects. In this case, ForumName is the hash attribute and Subject is the range attribute.

Reference: DynamoDB keys

Top

Amazon Aurora explained:

  • High scalability
  • High availability and durability
  • High Performance
  • Multi Region
Amazon Aurora explained
Amazon Aurora explained

Amazon ElastiCache Explained

  • In-Memory data store
  • High availability and reliability
  • Fully managed
  • Supports two pop
  • Open source engine
Amazon ElastiCache Explained
Amazon ElastiCache Explained

Amazon Redshift explained

  • Fast, fully managed, petabyte-scale data warehouse
  • Supports wide range of open data formats
  • Allows you to run SQL queries against large unstructured data in Amazon Simple Storage Service
  • Integrates with popular Business Intelligence (BI) and extract, Transform, Load  (ETL) solutions.
Amazon Redshift explained
Amazon Redshift explained

Amazon Neptune Explained

  • Fully managed graph database
  • Supports open graph APIs
  • Used in Social Networking
  • Amazon Neptune Explained
    Amazon Neptune Explained

AWS Certification Exam Prep: S3 Facts, Summaries, Questions and Answers

Data Center Proxies - Data Collectors - Data Unblockers

AWS S3 Facts and summaries, AWS S3 Top 10 Questions and Answers Dump

Definition 1: Amazon S3 or Amazon Simple Storage Service is a “simple storage service” offered by Amazon Web Services that provides object storage through a web service interface. Amazon S3 uses the same scalable storage infrastructure that Amazon.com uses to run its global e-commerce network.

Definition 2: Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.

AWS S3 Explained graphically:

Amazon S3 Explained in pictures
Amazon S3 Explained

Amazon S3 Explained in pictures
Amazon S3 Explained in pictures
Amazon S3 Explained graphically
Amazon S3 Explained graphically

AWS S3 Facts and summaries

  1. S3 is a universal namespace, meaning each S3 bucket you create must have a unique name that is not being used by anyone else in the world.
  2. S3 is object based: i.e allows you to upload files.
  3. Files can be from 0 Bytes to 5 TB
  4. What is the maximum length, in bytes, of a DynamoDB range primary key attribute value?
    The maximum length of a DynamoDB range primary key attribute value is 2048 bytes (NOT 256 bytes).
  5. S3 has unlimited storage.
  6. Files are stored in Buckets.
  7. Read after write consistency for PUTS of new Objects
  8. Eventual Consistency for overwrite PUTS and DELETES (can take some time to propagate)
  9. S3 Storage Classes/Tiers:
    • S3 Standard (durable, immediately available, frequently accesses)
    • Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering): It works by storing objects in two access tiers: one tier that is optimized for frequent access and another lower-cost tier that is optimized for infrequent access.
    • S3 Standard-Infrequent Access – S3 Standard-IA (durable, immediately available, infrequently accessed)
    • S3 – One Zone-Infrequent Access – S3 One Zone IA: Same ad IA. However, data is stored in a single Availability Zone only
    • S3 – Reduced Redundancy Storage (data that is easily reproducible, such as thumbnails, etc.)
    • Glacier – Archived data, where you can wait 3-5 hours before accessing

    You can have a bucket that has different objects stored in S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA.

  10. The default URL for S3 hosted websites lists the bucket name first followed by s3-website-region.amazonaws.com . Example: enoumen.com.s3-website-us-east-1.amazonaws.com
  11. Core fundamentals of an S3 object
    • Key (name)
    • Value (data)
    • Version (ID)
    • Metadata
    • Sub-resources (used to manage bucket-specific configuration)
      • Bucket Policies, ACLs,
      • CORS
      • Transfer Acceleration
  12. Object-based storage only for files
  13. Not suitable to install OS on.
  14. Successful uploads will generate a HTTP 200 status code.
  15. S3 Security – Summary
    • By default, all newly created buckets are PRIVATE.
    • You can set up access control to your buckets using:
      • Bucket Policies – Applied at the bucket level
      • Access Control Lists – Applied at an object level.
    • S3 buckets can be configured to create access logs, which log all requests made to the S3 bucket. These logs can be written to another bucket.
  16. S3 Encryption
    • Encryption In-Transit (SSL/TLS)
    • Encryption At Rest:
      • Server side Encryption (SSE-S3, SSE-KMS, SSE-C)
      • Client Side Encryption
    • Remember that we can use a Bucket policy to prevent unencrypted files from being uploaded by creating a policy which only allows requests which include the x-amz-server-side-encryption parameter in the request header.
  17. S3 CORS (Cross Origin Resource Sharing):
    CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.

    • Used to enable cross origin access for your AWS resources, e.g. S3 hosted website accessing javascript or image files located in another bucket. By default, resources in one bucket cannot access resources located in another. To allow this we need to configure CORS on the bucket being accessed and enable access for the origin (bucket) attempting to access.
    • Always use the S3 website URL, not the regular bucket URL. E.g.: https://s3-eu-west-2.amazonaws.com/acloudguru
  18. S3 CloudFront:
    • Edge locations are not just READ only – you can WRITE to them too (i.e put an object on to them.)
    • Objects are cached for the life of the TTL (Time to Live)
    • You can clear cached objects, but you will be charged. (Invalidation)
  19. S3 Performance optimization – 2 main approaches to Performance Optimization for S3:
    • GET-Intensive Workloads – Use Cloudfront
    • Mixed Workload – Avoid sequencial key names for your S3 objects. Instead, add a random prefix like a hex hash to the key name to prevent multiple objects from being stored on the same partition.
      • mybucket/7eh4-2019-03-04-15-00-00/cust1234234/photo1.jpg
      • mybucket/h35d-2019-03-04-15-00-00/cust1234234/photo2.jpg
      • mybucket/o3n6-2019-03-04-15-00-00/cust1234234/photo3.jpg
  20. The best way to handle large objects uploads to the S3 service is to use the Multipart upload API. The Multipart upload API enables you to upload large objects in parts.
  21. You can enable versioning on a bucket, even if that bucket already has objects in it. The already existing objects, though, will show their versions as null. All new objects will have version IDs.
  22. Bucket names cannot start with a . or – characters. S3 bucket names can contain both the . and – characters. There can only be one . or one – between labels. E.G mybucket-com mybucket.com are valid names but mybucket–com and mybucket..com are not valid bucket names.
  23. What is the maximum number of S3 buckets allowed per AWS account (by default)? 100
  24. You successfully upload an item to the us-east-1 region. You then immediately make another API call and attempt to read the object. What will happen?
    All AWS regions now have read-after-write consistency for PUT operations of new objects. Read-after-write consistency allows you to retrieve objects immediately after creation in Amazon S3. Other actions still follow the eventual consistency model (where you will sometimes get stale results if you have recently made changes)
  25. S3 bucket policies require a Principal be defined. Review the access policy elements here
  26. What checksums does Amazon S3 employ to detect data corruption?

    Amazon S3 uses a combination of Content-MD5 checksums and cyclic redundancy checks (CRCs) to detect data corruption. Amazon S3 performs these checksums on data at rest and repairs any corruption using redundant data. In addition, the service calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data.

Top
Reference: AWS S3

AWS S3 Top 10 Questions and Answers Dump

Q0: You’ve written an application that uploads objects onto an S3 bucket. The size of the object varies between 200 – 500 MB. You’ve seen that the application sometimes takes a longer than expected time to upload the object. You want to improve the performance of the application. Which of the following would you consider?

  • A. Create multiple threads and upload the objects in the multiple threads
  • B. Write the items in batches for better performance
  • C. Use the Multipart upload API
  • D. Enable versioning on the Bucket

C. All other options are invalid since the best way to handle large object uploads to the S3 service is to use the Multipart upload API. The Multipart upload API enables you to upload large objects in parts. You can use this API to upload new large objects or make a copy of an existing object. Multipart uploading is a three-step process: You initiate the upload, you upload the object parts, and after you have uploaded all the parts, you complete the multipart upload. Upon receiving the complete multipart upload request, Amazon S3 constructs the object from the uploaded parts, and you can then access the object just as you would any other object in your bucket.

Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html

Top

Q2: You are using AWS SAM templates to deploy a serverless application. Which of the following resource will embed application from Amazon S3 buckets?

  • A. AWS::Serverless::Api
  • B. AWS::Serverless::Application
  • C. AWS::Serverless::Layerversion
  • D. AWS::Serverless::Function

Answer – B
AWS::Serverless::Application resource in AWS SAm template is used to embed application frm Amazon S3 buckets.
Reference: Declaring Serverless Resources

Top

Q3: A static web site has been hosted on a bucket and is now being accessed by users. One of the web pages javascript section has been changed to access data which is hosted in another S3 bucket. Now that same web page is no longer loading in the browser. Which of the following can help alleviate the error?

  • A. Enable versioning for the underlying S3 bucket.
  • B. Enable Replication so that the objects get replicated to the other bucket
  • C. Enable CORS for the bucket
  • D. Change the Bucket policy for the bucket to allow access from the other bucket

Answer – C

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.

Cross-Origin Resource Sharing: Use-case Scenarios The following are example scenarios for using CORS:

Scenario 1: Suppose that you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS you can congure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonaws.com.

Scenario 2: Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preight check) for loading web fonts. You would congure the bucket that is hosting the web font to allow any origin to make these requests.

Reference: Cross-Origin Resource Sharing (CORS)

Top

Q4: Your mobile application includes a photo-sharing service that is expecting tens of thousands of users at launch. You will leverage Amazon Simple Storage Service (S3) for storage of the user Images, and you must decide how to authenticate and authorize your users for access to these images. You also need to manage the storage of these images. Which two of the following approaches should you use? Choose two answers from the options below

  • A. Create an Amazon S3 bucket per user, and use your application to generate the S3 URL for the appropriate content.
  • B. Use AWS Identity and Access Management (IAM) user accounts as your application-level user database, and offload the burden of authentication from your application code.
  • C. Authenticate your users at the application level, and use AWS Security Token Service (STS)to grant token-based authorization to S3 objects.
  • D. Authenticate your users at the application level, and send an SMS token message to the user. Create an Amazon S3 bucket with the same name as the SMS message token, and move the user’s objects to that bucket.

Answer- C
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). The token can then be used to grant access to the objects in S3.
You can then provides access to the objects based on the key values generated via the user id.

Reference: The AWS Security Token Service (STS)

Top

Q5: Both ACLs and Bucket Policies can be used to grant access to S3 buckets. Which of the following statements is true about ACLs and Bucket policies?

  • A. Bucket Policies are Written in JSON and ACLs are written in XML
  • B. ACLs can be attached to S3 objects or S3 Buckets
  • C. Bucket Policies and ACLs are written in JSON
  • D. Bucket policies are only attached to s3 buckets, ACLs are only attached to s3 objects

Answer: A. and B.
Only Bucket Policies are written in JSON, ACLs are written in XML.
While Bucket policies are indeed only attached to S3 buckets, ACLs can be attached to S3 Buckets OR S3 Objects.
Reference:

Top

Q6: What are good options to improve S3 performance when you have significantly high numbers of GET requests?

  • A. Introduce random prefixes to S3 objects
  • B. Introduce random suffixes to S3 objects
  • C. Setup CloudFront for S3 objects
  • D. Migrate commonly used objects to Amazon Glacier

Answer: C
CloudFront caching is an excellent way to avoid putting extra strain on the S3 service and to improve the response times of reqeusts by caching data closer to users at CloudFront locations.
S3 Transfer Acceleration optimizes the TCP protocol and adds additional intelligence between the client and the S3 bucket, making S3 Transfer Acceleration a better choice if a higher throughput is desired. If you have objects that are smaller than 1GB or if the data set is less than 1GB in size, you should consider using Amazon CloudFront's PUT/POST commands for optimal performance.
Reference: Amazon S3 Transfer Acceleration

Top

Q7: If an application is storing hourly log files from thousands of instances from a high traffic
web site, which naming scheme would give optimal performance on S3?

  • A. Sequential
  • B. HH-DD-MM-YYYY-log_instanceID
  • C. YYYY-MM-DD-HH-log_instanceID
  • D. instanceID_log-HH-DD-MM-YYYY
  • E. instanceID_log-YYYY-MM-DD-HH

Answer: A. B. C. D. and E.
Amazon S3 now provides increased performance to support at least 3,500 requests per second to add data and 5,500 requests per second to retrieve data, which can save significant processing time for no additional charge. Each S3 prefix can support these request rates, making it simple to increase performance significantly.
This S3 request rate performance increase removes any previous guidance to randomize object prefixes to achieve faster performance. That means you can now use logical or sequential naming patterns in S3 object naming without any performance implications.

Reference: Amazon S3 Announces Increased Request Rate Performance

Top

Q8: You are working with the S3 API and receive an error message: 409 Conflict. What is the possible cause of this error

  • A. You’re attempting to remove a bucket without emptying the contents of the bucket first.
  • B. You’re attempting to upload an object to the bucket that is greater than 5TB in size.
  • C. Your request does not contain the proper metadata.
  • D. Amazon S3 is having internal issues.

Answer:A.

Reference: S3 Error codes

Top

Q9: You created three S3 buckets – “mywebsite.com”, “downloads.mywebsite.com”, and “www.mywebsite.com”. You uploaded your files and enabled static website hosting. You specified both of the default documents under the “enable static website hosting” header. You also set the “Make Public” permission for the objects in each of the three buckets. You create the Route 53 Aliases for the three buckets. You are going to have your end users test your websites by browsing to http://mydomain.com/error.html, http://downloads.mydomain.com/index.html, and http://www.mydomain.com. What problems will your testers encounter?

  • A. http://mydomain.com/error.html will not work because you did not set a value for the error.html file
  • B. There will be no problems, all three sites should work.
  • C. http://www.mywebsite.com will not work because the URL does not include a file name at the end of it.
  • D. http://downloads.mywebsite.com/index.html will not work because the “downloads” prefix is not a supported prefix for S3 websites using Route 53 aliases

Answer: B.
It used to be that the only allowed domain prefix when creating Route 53 Aliases for S3 static websites was the “www” prefix. However, this is no longer the case. You can now use other subdomain.

Reference: Hosting a Static Website on Amazon S3

Top

Q10: Which of the following is NOT a common S3 API call?

  • A. UploadPart
  • B. ReadObject
  • C. PutObject
  • D. DownloadBucket

Answer: D.

Reference: s3api

Top

Other AWS Facts and Summaries