By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, implement cybersecurity resilience.

Topics:
- redundancy
- redundant array of inexpensive disks (RAID)
- dual power supply unit (PSU)
- uninterruptible power supply (UPS)
- generator
- managed power distribution unit (PDU)
- full backup
- differential backup
- incremental backup
- snapshot
- network load balancers
- network interface card (NIC) teaming
- high availability
- replication
- non-persistence
- defense in depth

Redundancy

Equipment will fail; as one movie character has suggested, “The world is an imperfect place.” When a single drive crashes, sometimes the only way to sustain operations is to have another copy of all the data. Redundancy and diversity are commonly applied principles for fault tolerance against accidental faults. Fault tolerance allows a system to continue functioning even when one of the components has failed. One way to ensure fault tolerance is to implement RAID solutions, which maintain duplicated data across multiple disks so that the loss of one disk does not cause the loss of data. Many RAID solutions can also support hot-swapping of failed drives and redundant power supplies so that replacement hardware can be installed without ever taking the server offline.

Diversity refers to having multiple versions of software packages in which the redundant software versions are different. Redundancy is replication of a component in identical copies to compensate for random hardware failures. Multiple versions are used to protect against software failures. Maintaining multiple diverse versions will hopefully cover any individual software faults. Redundancy and diversity should be designed into critical facilities and applications. For example, storage area networks (SANs) are used to provide servers accessibility to storage devices and disks that contain critical data. To ensure redundancy, the data on a SAN is duplicated using SAN-to-SAN replication. Unlike with a backup, this occurs as changes are made.
If one SAN fails, the other is available to provide the data. VM replication provides the same function for virtual machines. When replication occurs, the VM replicas are updated. In the event of a disaster, the VM can simply be powered on.

In addition to people, one of the most important assets to an organization is its data. Planning for every server setup should involve consideration of how to salvage data in the event that a component fails. Decisions about how to store and protect data depend on how the organization uses its data. The main goal of preventing and effectively dealing with any type of disruption is to ensure availability. This is often accomplished through redundancy. Redundancy is usually dispersed geographically, as well as through backup equipment and databases or hot sparing of system components. Of course, you can use RAID and clustering to accomplish and ensure availability as well, but neglecting single points of failure can be disastrous.

A single point of failure is any piece of equipment that can bring down your operation if it stops working. To determine the number of single points of failure in an organization, start with a good map of everything the organization uses to operate. Pay special attention to items such as the Internet connection, routers, switches, and proprietary business equipment. After you identify the single points of failure, perform a risk analysis. In other words, compare the consequences of the device failing to the cost of redundancy. For example, if all your business is web based, it is a good idea to have some redundancy in case the Internet connection goes down. However, if the majority of your business is telephone based, you might look for redundancy in the phone system instead of with the ISP. In some cases, the ISP might supply both Internet and phone services. The point here is to be aware of where your organization is vulnerable and understand the risks so you can devise an appropriate backup plan.
In disaster recovery planning, you might need to consider redundant connections between branches or sites. Internally, for total redundancy, you might need two network cards in computers connected to different switches. With redundant connections, all devices are connected to each other more than once to create fault tolerance. Then, a single device or cable failure does not affect performance because the devices are connected by more than one means. The extra hardware and cabling make this a relatively expensive solution. This type of topology can also be found in enterprise-wide networks, with routers connected to other routers for fault tolerance.

Almost everything in IT depends primarily on electricity. Power is critical for redundancy. Without redundant power, it might not matter what other steps you’ve taken. When it comes to providing for power redundancy, the following are key considerations:

- Dual supply: Computers and networking equipment contain power supply units (PSUs), which provide power conversion to properly power the equipment. Dual PSUs or redundant power supplies are common for servers and enterprise networking equipment. Each provides half the power that’s needed, and if one fails, the other takes over at 100%.
- UPS: An uninterruptible power supply (UPS) is used to protect electronic equipment and provide immediate emergency power in case of failure. A UPS typically stores energy via battery and serves as a short-term solution to power down equipment properly (for example, in small and home offices) or until emergency generators kick in for larger organizations.
- Generator: When power fails and the needs are beyond what a UPS can provide, generators can provide power. Generators range from the gasoline-powered versions homeowners are familiar with to fuel-powered, room-size generators capable of delivering massive amounts of electricity to power entire data centers.
- Managed PDU: For a home office user, a managed power distribution unit (PDU) is much like a power strip. For data centers, however, PDUs distribute power to the critical equipment. Many PDUs come with advanced functions to improve the power quality and provide load balancing as well as remote monitoring.

Remember that the key options for power redundancy include UPSs, generators, dual supplies, and managed PDUs.

Along with power and equipment loss, telephone and Internet communications might be out of service for a while when disaster strikes. Organizations must consider this factor when formulating a disaster recovery plan. Relying on a single Internet connection for critical business functions could prove disastrous to your business. With a redundant ISP, a backup ISP could be standing by in case an outage occurs at the main ISP. Traffic could then be switched over to the redundant ISP, and the organization could continue to do business without any interruptions. In addition to helping with disaster recovery, using multiple ISPs can also relieve network traffic congestion and provide network isolation for applications.

As organizations become global, dealing with natural disasters will become more common. Organizations might consider using solutions such as wireless ISPs in conjunction with VoIP to quickly restore phone and data services. Organizations might look to ISP redundancy to prevent application performance failure and supplier diversity. For example, businesses that transfer large files can use multiple ISPs to segregate voice and file transfer traffic to a specific ISP. More organizations are implementing technologies such as VoIP. When planning deployment, using multiple ISPs can improve network traffic performance, aid in disaster recovery, and ensure quality of service.
For risk mitigation, redundancy and diversity controls that can be implemented against threats include replication to different data centers, replication to different geographic areas, redundant components, replication software systems, distinct security zones, different administrative control, and different organizational control.

High Availability

One way to increase availability or provide high availability is to use server clustering. A server cluster is the combination of two or more servers that appear as one. Clustering increases availability by ensuring that if a server is out of commission because of failure or planned downtime, another server in the cluster takes over the workload. To provide load balancing to avoid functionality loss because of directed attacks meant to prevent valid access, continuity planning might include clustering solutions that allow multiple nodes to perform support while transparently acting as a single host to the user. High-availability clustering might also be used to ensure that automatic failover occurs in case hardware failure renders the primary node incapable of providing normal service.

Load balancing is the primary reason to implement server clustering. Load balancing provides high availability by distributing workloads across multiple computing resources. Load balancing aims to optimize the use of resources, maximize throughput, minimize response time, and avoid overload of any single resource. Load balancing is especially useful when traffic volume is high, and it prevents one server from being overloaded while another sits idle. Load balancing can be implemented with hardware, software, or a combination of both. Typically, load balancing occurs in organizations with high website traffic, as well as in cloud-based environments.

You might need to set up redundant servers so that the business can still function in case of hardware or software failure.
If a single server hosts vital applications, a simple equipment failure could result in days of downtime as the problem is repaired. In addition, some manufacturers provide redundant power supplies in mission-critical servers. To ensure high availability and reliability, server redundancy is implemented. This means multiple servers are used to perform the same task. For example, if you have a web-based business with more than one server hosting your site, when one of the servers crashes, the requests can be redirected to another server. This provides a highly available website. If you do not host your own website, confirm whether the vendor you are using provides high availability and reliability.

Mission-critical businesses today demand 100% uptime 24 hours a day, 7 days a week. Availability is vital, and many businesses cannot function without redundancy. Redundancy can take several forms, including automatic failover, failback, and virtualization. Perhaps the most notable advantage of server redundancy is load balancing. Cross-site replication might be included in high-availability solutions that also require high levels of fault tolerance. In addition, individual servers can be configured to allow for the continued function of key services even in the event of hardware failure.

Load Balancers

Network load balancers are reverse proxy servers configured in a cluster to provide scalability and high availability. Load balancing distributes IP traffic to multiple copies of a TCP/IP service, such as a web server, each running on a host within the cluster. Load balancing is important for enterprise-wide services, such as Internet sites with high traffic requirements, web, FTP, media streaming, and content delivery networks or hosted applications that use thin-client architectures, such as Windows Terminal Services or Remote Desktop Services.
Network load balancing distributes the workload among multiple servers while providing a mechanism for server availability by health-checking each server. From the client’s point of view, the cluster appears to be a single server. As enterprise traffic increases, network administrators can simply plug another server into a cluster. If server or application failure occurs, a load balancer can provide automatic failover to ensure continuous availability.

Load-balancing strategies involve scheduling via algorithms. Scheduling strategies are based on which tasks can be executed in parallel and where to execute these tasks. Several common algorithms are used:

- Round-robin: Traffic is sent in a sequential, circular pattern to each node of a load balancer.
- Random: Traffic is sent to randomly selected nodes.
- Least connections: Traffic is sent to the node with the fewest open connections.
- Weighted round-robin: Traffic is sent in a circular pattern to each node of a load balancer, based on the assigned weight number.
- Weighted least connections: Traffic is sent to the node with the fewest open connections, based on the assigned weight number.

Each method works best in different situations. When servers that have identical equipment and capacity are used, the round-robin, random, and least connections algorithms work well. When the load-balancing servers have disproportionate components such as processing power, size, or RAM, a weighted algorithm allows the servers with the maximum resources to be utilized properly.

Session affinity is a method in which all requests in a session are sent to a specific application server by overriding the load-balancing algorithm. Session affinity, also called a sticky session, ensures that all requests from the user during the session are sent to the same instance. Session affinity enhances application performance by using in-memory caching and cookies to track session information.
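The five scheduling algorithms above, plus the health check and session affinity the text describes, as an added worked example (not code from the study guide or from any load-balancer product). Node names, weights and health states are constructed sample data; the `schedule` helper and the `LoadBalancer.pick` method are assumed names for this illustration.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    weight: int = 1          # relative capacity, used only by the weighted algorithms
    healthy: bool = True     # result of the last health check
    open_conns: int = 0      # connections currently in flight on this node


@dataclass
class LoadBalancer:
    nodes: list
    _rr_index: int = 0                               # cursor for round-robin
    _wrr_index: int = 0                              # cursor for weighted round-robin
    _sticky: dict = field(default_factory=dict)      # session id -> pinned node name

    def _pool(self):
        """Health checking: only nodes that passed their last check receive traffic."""
        pool = [n for n in self.nodes if n.healthy]
        if not pool:
            raise RuntimeError("no healthy nodes in the cluster")
        return pool

    def round_robin(self):
        pool = self._pool()
        node = pool[self._rr_index % len(pool)]
        self._rr_index += 1
        return node

    def random_choice(self, rng=random):
        return rng.choice(self._pool())

    def least_connections(self):
        return min(self._pool(), key=lambda n: n.open_conns)

    def weighted_round_robin(self):
        # Expand each node into `weight` slots, so a weight-3 node gets 3 of every cycle.
        slots = [n for n in self._pool() for _ in range(n.weight)]
        node = slots[self._wrr_index % len(slots)]
        self._wrr_index += 1
        return node

    def weighted_least_connections(self):
        # Compare connections per unit of capacity, so a heavier node may hold more.
        return min(self._pool(), key=lambda n: n.open_conns / n.weight)

    def pick(self, algorithm, session_id=None):
        """Session affinity (sticky session): a known session bypasses the algorithm
        and returns to its pinned node, unless that node has since failed its health
        check, in which case the session is re-pinned to a fresh choice."""
        pinned = self._sticky.get(session_id)
        if pinned is not None:
            for node in self._pool():
                if node.name == pinned:
                    return node
        node = getattr(self, algorithm)()
        if session_id is not None:
            self._sticky[session_id] = node.name
        return node


def schedule(algorithm, nodes, requests):
    """Run `requests` picks on a fresh balancer and return the chosen node names."""
    lb = LoadBalancer(nodes)
    return [lb.pick(algorithm).name for _ in range(requests)]


if __name__ == "__main__":
    # Constructed sample cluster: two healthy nodes of unequal capacity, one failed.
    cluster = [Node("web1", weight=1), Node("web2", weight=3), Node("web3", healthy=False)]
    for algo in ("round_robin", "weighted_round_robin"):
        print(algo, schedule(algo, cluster, 4))
```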
Some load balancers integrate IP load balancing and network intrusion prevention into one appliance. This provides failover capabilities in case of server failure, distribution of traffic across multiple servers, and integrated protection from network intrusions. Performance is also optimized for other IP services, such as Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Remote Authentication Dial-In User Service (RADIUS), and Trivial File Transfer Protocol (TFTP).

To mitigate risks associated with failures of the load balancers, you can deploy two servers in what is called an active/passive or active/active configuration. In an active/passive configuration, all traffic is sent to the active server. The passive server is promoted to active if the active server fails or is taken down for maintenance. In an active/active configuration, two or more servers work together to distribute the load to network servers. Because all load balancers are active, they run almost at full capacity. If one of the load balancers fails, network traffic runs slowly, and user sessions time out.

Virtual IP (VIP) addresses are often implemented in the active/active configuration. In this case, at least one physical server has more than one virtual IP address assigned, usually through a TCP or UDP port number. Using VIP addresses spreads traffic among the load-balancing servers. VIP addresses provide a connection-based workload balancing solution, so if the interface cannot handle the load, traffic bottlenecks and becomes slow.

NIC Teaming

Network interface card (NIC) teaming allows a NIC to be grouped with multiple physical NICs to form a logical network device known as a bond. This provides for fault tolerance and load balancing. When it is configured properly, the system sees the multiple NICs as a single network interface. NIC teaming is used in virtualized environments where a virtualized software NIC interacts with the physical NICs.
In a fault-tolerance scenario, one of the physical NICs can be configured to take over for a failed NIC, eliminating the network interface as a single point of failure. Alternatively, NIC teaming can provide for load balancing. Incoming traffic requires a switch to appropriately balance the load between multiple NICs. Outgoing traffic, however, is balanced across the NICs.

RAID

The most common approach to data availability and redundancy is redundant array of inexpensive disks (RAID). RAID organizes multiple disks into a large, high-performance logical disk. In other words, if you have three hard drives, you can configure them to look like one large drive. Disk arrays are created to stripe data across multiple disks and access them in parallel, which allows the following:

- Higher data transfer rates on large data accesses
- Higher I/O rates on small data accesses
- Uniform load balancing across all the disks

Large disk arrays are highly vulnerable to disk failures. To address this issue, you can use redundancy in the form of error-correcting codes to tolerate disk failures. This method enables a redundant disk array to retain data for a much longer time than could an unprotected single disk. With multiple disks and a RAID scheme, a system can stay up and running when a disk fails, as well as during the time the replacement disk is being installed and data is being restored.

Common RAID configurations

The two major goals when implementing disk arrays are data striping for better performance and redundancy for better reliability.
RAID comes in many flavors, and the following are the more common ones:

- RAID Level 0: Striped disk array without fault tolerance: RAID 0 implements a striped disk array. The data is broken into blocks, and each block is written to a separate disk drive. Implementing RAID 0 requires a minimum of two disks.
- RAID Level 1: Mirroring and duplexing: This solution, called mirroring and duplexing, requires a minimum of two disks and offers 100% redundancy because all data is written to both disks. The difference between mirroring and duplexing is the number of controllers. Mirroring uses one controller, whereas duplexing uses one controller for each disk. In RAID 1, disk usage is 50%; the other 50% is for redundancy.
- RAID Level 2: Hamming code error-correcting code (ECC): In RAID 2, each bit of a data word is written to a disk. RAID 2 requires the use of extra disks to store an error-correcting code. A typical setup requires 10 data disks and 4 ECC disks. All modern disk drives incorporate ECC, so RAID 2 offers little additional protection. No commercial implementations of RAID 2 exist today. The controller required is complex, specialized, and expensive, and the performance is not very good.
- RAID Level 3: Parallel transfer with parity: In RAID 3, the data block is striped and written on the data disks. Implementing RAID 3 requires a minimum of three drives. In a parallel transfer with parity, data is interleaved bit-wise over the data disks, and a single parity disk is added to tolerate any single disk failure.
- RAID Level 4: Independent data disks with shared parity disk: With this level of RAID, entire blocks are written onto a data disk. Implementing RAID 4 requires a minimum of three drives. RAID 4 is similar to RAID 3, except that data is interleaved across disks of arbitrary size instead of in bits.
- RAID Level 5: Independent data disks with distributed parity blocks: In RAID 5, each entire block of the data and the parity are striped.
  RAID 5 requires a minimum of three disks. Because it writes both the data and the parity over all the disks, it has the best small read/large write performance of any redundancy disk array.
- RAID Level 6: Independent data disks with two independent parity schemes: This extension of RAID 5 allows for additional fault tolerance by using two-dimensional parity. RAID 6 uses Reed–Solomon codes to protect against up to two disk failures using the bare minimum of two redundant disk arrays.
- RAID Level 10 (also called 1+0): High reliability combined with high performance: RAID 10 combines RAID 1 and RAID 0 and requires a minimum of four disks. A variant of RAID 10 is called 0+1. This solution is a striped array that has RAID 1 arrays. Disks are mirrored in pairs for redundancy and improved performance, and data is striped across multiple disks. Both versions provide fault tolerance and increased performance.

Know the different levels of RAID and the number of disks required to implement each one. The following are the most common forms of RAID:

- RAID 0: Spanned volume, no redundancy, highest write speed, highest performance. Requires a minimum of two drives.
- RAID 1: Mirroring, 100% duplication of data across all drives, lowest performance. Requires a minimum of two drives.
- RAID 3: Parallel transfer with parity bit, data written to all drives simultaneously while parity is calculated and written to its own nonredundant drive. Requires a minimum of three drives.
- RAID 5: Parallel transfer with distributed parity, data written to all drives simultaneously, parity written in segments across all drives for redundancy of parity as well as data segments, highest read rates. Requires a minimum of three drives.
- RAID 10: (Also called 1+0.) Combines RAID 1 and RAID 0. A variant exists, called 0+1. Both provide fault tolerance and increased performance. Requires a minimum of three drives.
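To make the RAID 5 entry concrete, here is an added simulation (not from the study guide or any RAID implementation) of block striping with XOR parity that rotates across the disks, followed by rebuilding a failed disk from the survivors. The payload, block size and disk count are constructed sample values, and the function names are assumptions for this illustration.

```python
def split_blocks(data: bytes, block_size: int):
    """Break the payload into fixed-size blocks, zero-padding the tail."""
    padded = data + b"\x00" * (-len(data) % block_size)
    return [padded[i:i + block_size] for i in range(0, len(padded), block_size)]


def xor_blocks(blocks):
    """XOR parity: the bitwise XOR of every block in the stripe."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, block_size: int = 4):
    """Return n_disks lists of blocks. Each stripe holds n_disks-1 data blocks and
    one parity block; the parity position rotates by stripe so no single disk is
    hammered by every parity write (that is what separates RAID 5 from RAID 4)."""
    assert n_disks >= 3, "RAID 5 requires a minimum of three disks"
    data_per_stripe = n_disks - 1
    blocks = split_blocks(data, block_size)
    blocks += [b"\x00" * block_size] * (-len(blocks) % data_per_stripe)  # whole stripes
    disks = [[] for _ in range(n_disks)]
    for k in range(0, len(blocks), data_per_stripe):
        stripe_data = blocks[k:k + data_per_stripe]
        stripe_no = k // data_per_stripe
        parity_disk = stripe_no % n_disks            # distributed parity
        parity = xor_blocks(stripe_data)
        it = iter(stripe_data)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_rebuild(disks, failed: int):
    """Reconstruct one failed disk: every missing block (data or parity) is the XOR
    of the other disks' blocks in the same stripe. A second simultaneous failure
    leaves the XOR underdetermined, which is why RAID 6 adds a second parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    disks = list(disks)
    disks[failed] = rebuilt
    return disks


def raid5_read(disks, length: int):
    """Read the logical volume back, skipping the parity block of each stripe."""
    n_disks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return out[:length]


if __name__ == "__main__":
    payload = b"critical-data-for-raid5-demo!"        # constructed sample payload
    array = raid5_write(payload, n_disks=4)
    degraded = list(array)
    degraded[1] = None                                 # simulate losing disk 1
    print(raid5_read(raid5_rebuild(degraded, 1), len(payload)) == payload)
```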
When choosing a method of redundancy, opt for a level of RAID that the operating system supports. Not all operating systems support all versions of RAID. For example, Microsoft Windows Server supports RAID levels 0, 1, and 5. Additional fault tolerance may be considered for the path between the CPU and the RAID systems. This is known as multipath.

In addition to hardware RAID, you can use software RAID. Software RAID is the best option when an organization does not have the budget for additional drives and when an organization is using older servers. Software RAID can provide more flexibility, but it requires more CPU cycles and power. It operates on a partition-by-partition basis and tends to be slightly more complicated than hardware RAID.

Another point to remember is that even if you set up a server for redundancy, you must still back up your data. RAID does not protect you from multiple disk failures. Regular backups enable you to recover from data loss that results from errors unrelated to disk failure (such as human, hardware, and software errors).

Backups

Data can be backed up on many media. Cloud backups are common, even for desktop environments. Many organizations choose to back up data to a cloud environment using one of the many services available. Cloud services offer continuous backup options so that you can easily recover your files without losing data associated with normal backup procedures and without having offsite storage that is not immediately available. Enterprise solutions have options for protecting physical and virtual environments that include software, appliance, and offsite replication. In addition to the cloud, organizations typically rely on various media. Tape traditionally has provided a viable long-term archival option. Other options include disks, network attached storage (NAS), and SANs. The backup procedures in use can also affect what is recovered following a disaster.
Disaster recovery plans should identify the type and regularity of the backup process. The following types of backups are used:

- Full
- Differential
- Incremental
- Copies and snapshots

When choosing a backup strategy, a company should consider the following factors:

- How often will data need to be restored? As a matter of convenience, if files are restored regularly, a full backup might be chosen because it can be done with one tape.
- How quickly does the data need to be restored? If large amounts of data are backed up, the incremental backup method might work best.
- How long does the data need to be kept before it is overwritten? In a development arena where data is constantly changing, a differential backup method might be the best choice.

Snapshots and copies are appropriate for certain use cases but should not be considered formal backup options, especially for transactional systems. When backups are complete, they must be clearly marked or labeled so that they can be properly safeguarded.

In addition to these backup strategies, organizations employ tape rotation and retention policies. The various methods of tape rotation include the following:

- Grandfather-father-son backup: This is the most common rotation scheme for rotating backup media. The basic method is to define three sets of backups. The first set, the son, represents daily backups. A second set, the father, is used to perform full backups. The final set of three tapes, the grandfather, is used to perform full backups on the last day of each month.
- Tower of Hanoi: Based on the mathematics of the Tower of Hanoi puzzle, this is a recursive method in which every tape is associated with a disk in the puzzle. The disk movement to a different peg corresponds with a backup to a tape.
- Ten-tape rotation: This simple and cost-effective method for small businesses provides a data history of up to two weeks. Friday backups are full backups. Monday through Thursday backups are incremental.
All tape-rotation schemes can protect your data, but each one has different cost considerations. For example, the Tower of Hanoi is more difficult to implement and manage but costs less than the grandfather-father-son method.

In some instances, it might be beneficial to copy, or image, a hard drive for backup purposes. For example, in a development office, where large amounts of data change constantly, spending money on a complex backup system to back up all the developers’ data might not be the best plan. The company might find it less expensive and more efficient to buy another hard drive for each developer and have the developers back up data that way. If the drive is imaged, then a machine that suffers a hard drive failure can be swiftly returned to good running order.

Recovery planning documentation and backup media contain many details that an attacker can exploit when seeking access to an organization’s network or data. Therefore, planning documentation, backup scheduling, and backup media must include protections against unauthorized access or potential damage. The data should be protected by at least a password and, ideally, encryption.

When backups are complete, they must be clearly labeled so that they can be properly safeguarded. Imagine having to perform a restore for an organization that stores its backup tapes unlabeled in a plastic bin in the server room. The rotation is supposed to be on a two-week basis. When you go to get the needed tape, you discover that the tapes are not marked, and they are not in any particular order. How much time will you spend just trying to find the proper tape? Also, is it really a good practice to keep backup tapes in the same room with the servers? What happens if a fire occurs? Considering how backup media is handled is just as important as determining how it should be marked. You certainly don’t want to store optical media in a place where it can easily be scratched or store tapes in a high-temperature area.
Make sure that you also have offsite copies of your backups stored where they are protected from unauthorized access, as well as fire, flood, and other environmental hazards that might affect the main facility. Normal backups should include all data that cannot be easily reproduced. Secure recovery services are another method of offsite storage and security for organizations to consider. In military environments, a common practice is to have removable storage media locked in a proper safe or container at the end of the day.

Distance must be considered when storing backups offsite. Think about your own personal home computer. Assuming that you have made backups, where are those backups? Sure, a copy that exists on the same computer might protect you if the original is deleted. But what if the hard drive crashes? Perhaps you considered this and moved a backup to a remote disk that resides in another room. If your house is consumed by fire, though, both will be lost. This is why many organizations must consider offsite backups. This option involves offsite tape storage through trusted third parties. Vendors offer a wide range of offsite tape-vaulting services, highly secure facilities that can include secure transportation services, chain of custody control for tapes in transit, and environmentally controlled storage vaults.

Full Backups

A full backup is a complete backup of all data. This is the most time- and resource-intensive form of backup, requiring the largest amount of data storage. In the event of a total loss of data, restoration from a complete backup is faster than other methods. A full backup copies all selected files and resets the archive bit, a file attribute used to track incremental changes to files for the purpose of the backup. The operating system sets the archive bit any time changes occur, such as when a file is created, moved, or renamed. This method enables you to restore using just one tape.
Therefore, the order of restoration doesn’t matter: It is just a single restore. Theft poses the most risk because all data resides on one tape; only encryption can protect the data at that point.

Differential Backups

A differential backup is incomplete for full recovery without a valid full backup. For example, if the server dies on Thursday, two tapes are needed: the full backup from Friday and the differential from Wednesday. Differential backups require a variable amount of storage, depending on the regularity of normal backups and the number of changes that occur during the period between full backups. Theft of a differential tape is riskier than theft of an incremental tape because the further in time a differential tape is made from the last full backup, the larger the chunk of sequential data it holds. A differential backup includes all data that has changed since the last full backup, regardless of whether or when the last differential backup was made, because this backup does not reset the archive bit.

Incremental Backups

An incremental backup is incomplete for full recovery without a valid full backup and all incremental backups since the last full backup. For example, if the server dies on Thursday, four tapes are needed: the full backup from Friday and the incremental tapes from Monday, Tuesday, and Wednesday. Incremental backups require the smallest amount of data storage and require the least amount of backup time, but they typically require the most time for restoration. If an incremental tape is stolen, it might not be valuable to the offender, but it still represents risk to the company. An incremental backup includes all the data that has changed since the last incremental backup. This type of backup resets the archive bit.

Be prepared to know how many backup tapes will be required to restore the system, given the date of a full backup and the date of either an incremental or differential backup.
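The archive-bit rules for full, differential, incremental and copy backups, and the "which tapes do I need on Thursday" question, as an added simulation (not code from the study guide or from any backup product). The file names, contents and weekday schedule are constructed; `FileSystem`, `Tape`, `tapes_for_restore` and `simulate` are assumed names for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Tape:
    day: str
    kind: str                                   # full, differential, incremental, copy
    files: dict = field(default_factory=dict)   # file name -> contents captured


@dataclass
class FileSystem:
    files: dict = field(default_factory=dict)   # file name -> current contents
    archive: set = field(default_factory=set)   # names whose archive bit is set

    def write(self, name, contents):
        """Any create, modify, move or rename sets the archive bit."""
        self.files[name] = contents
        self.archive.add(name)

    def backup(self, day, kind):
        # Full and copy/snapshot take every selected file; differential and
        # incremental take only the files whose archive bit is set.
        take_all = kind in ("full", "copy")
        selected = [n for n in self.files if take_all or n in self.archive]
        tape = Tape(day, kind, {n: self.files[n] for n in selected})
        # Only full and incremental reset the bit. Differential and copy leave it,
        # which is why each differential grows until the next full backup.
        if kind in ("full", "incremental"):
            self.archive -= set(selected)
        return tape


def tapes_for_restore(tapes):
    """Given every tape made before the failure, in chronological order, return the
    tapes needed to restore, in the order they must be applied."""
    fulls = [i for i, t in enumerate(tapes) if t.kind == "full"]
    if not fulls:
        raise ValueError("no full backup exists: nothing to restore from")
    last_full = fulls[-1]
    chain = [tapes[last_full]]
    later = tapes[last_full + 1:]
    diffs = [t for t in later if t.kind == "differential"]
    incs = [t for t in later if t.kind == "incremental"]
    if diffs:
        chain.append(diffs[-1])       # newest differential already holds the earlier ones
    chain.extend(incs)                # every incremental since the full, oldest first
    return chain


def restore(chain):
    state = {}
    for tape in chain:                # later tapes overwrite earlier versions
        state.update(tape.files)
    return state


def simulate(kind):
    """The guide's scenario: full on Friday, `kind` backups Monday to Wednesday,
    server dies on Thursday. Returns the tape days needed and whether the restore
    reproduces the live file system."""
    fs = FileSystem()
    fs.write("payroll.db", "v1")
    fs.write("notes.txt", "draft")
    tapes = [fs.backup("Fri", "full")]
    fs.write("payroll.db", "v2")
    tapes.append(fs.backup("Mon", kind))
    fs.write("notes.txt", "final")
    tapes.append(fs.backup("Tue", kind))
    fs.write("payroll.db", "v3")
    tapes.append(fs.backup("Wed", kind))
    chain = tapes_for_restore(tapes)
    return [t.day for t in chain], restore(chain) == fs.files


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, simulate(kind))
```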
Copies and Snapshots

A copy, or snapshot, is like a full backup in that it copies all selected files. However, it doesn’t reset the archive bit. From a security perspective, losing a tape with a snapshot is the same as losing a tape with a full backup. Some important considerations separate these types of backups from the others. First, a snapshot often resides on the same system from which it was taken. Certainly, this can be useful if, for example, a snapshot was taken from a virtual machine image, and you now need to revert to that image. Or consider a simpler example of a copy of a document being stored on the same computer in case the original gets corrupted. Neither of these situations helps if disaster strikes the entire primary hard drive of the system, though.

Traditional backup solutions are integrated within the operating system. It is important for such a solution to be able to interact with other transactional applications, such as databases, where data might be processing and residing only in memory. Therefore, a copy is only a very specific point-in-time capture at the storage level and thus might not be enough to perform a restoration.

A snapshot preserves the entire state and data of the virtual machine at the time it is taken. A snapshot includes the virtual machine settings and the state of the machine’s virtual drives. The contents of the virtual machine’s memory can also be included in the snapshot, but this is not recommended and rarely needed. Snapshots can capture sensitive data that is present on the system at a point in time and can inadvertently put personal information at risk. Snapshots eliminate the need to create multiple VMs if an organization repeatedly needs to return a machine to the same state. In an environment that uses VM templates, using disk-based snapshots is a quick way to make a new VM from the template for provisioning. A snapshot can also be used as a restore point when testing software or configuration changes.
When you take a snapshot of a virtual machine, a new child disk is created for each attached disk. Keep in mind that, for a snapshot to work, the base disk is needed. Therefore, snapshots should not be used as a backup solution. Best practice for performance is to keep only two or three snapshots, and only for a short period of time. As changes occur in the VM, the snapshot file can grow quickly, filling up space in the datastore. Restoring a snapshot is often done using software automation. Although VMware is the most popular product for VMs, Microsoft also offers a virtualization solution in Hyper-V. The Microsoft Hyper-V term for a snapshot is a checkpoint. Checkpoints work the same way as snapshots in VMware, with certain limitations. For example, they cannot be used in a VM that holds an Active Directory Domain Services role, such as a domain controller.

Non-persistence

A persistent system is one that is generally recoverable in the event of a failure. For example, if a CPU dies, the system information and data are generally recoverable when the system is restored. In a non-persistent system, if a failure occurs, the information is lost. This is similar to what happens to memory contents when a system is shut down. Cloud environments tend to be fluid and work differently than physical desktop environments. Persistent cloud environments tend to be more difficult to support than non-persistent environments, especially with regard to data storage or volumes. Sometimes persistence is not desired. Non-persistence is related to the concept of elasticity. Because cloud environments are fluid, snapshots actually provide a way to capture persistence. The primary purpose of a snapshot is to allow the user to revert to an earlier state if something causes the VM to stop working properly. The parent snapshot of a virtual machine is the snapshot on which the current state is based. When the first snapshot is taken, that stored state becomes the parent snapshot of the VM.
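To make the child-disk and parent-snapshot relationships concrete, here is an added example (a constructed model, not any vendor's implementation): each snapshot freezes the live delta disk and opens a new child delta, the current disk is the base plus every ancestor delta, reverting returns to the parent snapshot, and the "go to" operation jumps to any snapshot in the chain.

```python
class VirtualMachine:
    """Constructed model of VM snapshots: each snapshot freezes the live delta disk
    and opens an empty child delta whose parent is that snapshot. The current disk
    is base disk + every ancestor delta + live delta, so the base is always needed."""

    def __init__(self, base_disk):
        self.base_disk = dict(base_disk)   # the base disk every snapshot depends on
        self.snapshots = {}                # name -> (parent name, frozen delta)
        self.parent = None                 # snapshot the current state is based on
        self.delta = {}                    # writes made since the parent snapshot

    def write(self, path, content):
        self.delta[path] = content         # lands in the child disk, never the base

    def _view(self, name):
        """Disk content as of snapshot `name`: its parent's view plus its delta."""
        if name is None:
            return dict(self.base_disk)
        parent, delta = self.snapshots[name]
        return {**self._view(parent), **delta}

    def disk(self):
        return {**self._view(self.parent), **self.delta}

    def take_snapshot(self, name):
        self.snapshots[name] = (self.parent, dict(self.delta))
        self.parent, self.delta = name, {}  # new child disk based on this snapshot

    def revert(self):
        """Discard the current state and go back to the parent snapshot."""
        self.delta = {}

    def go_to(self, name):
        """Jump to any snapshot, not just the parent; it becomes the new parent."""
        if name not in self.snapshots:
            raise KeyError(name)
        self.parent, self.delta = name, {}

def demo():
    """Constructed walk-through: base image, two snapshots, revert, then go-to."""
    vm = VirtualMachine({"/etc/app.conf": "v1"})
    vm.write("/etc/app.conf", "v2")
    vm.take_snapshot("before-patch")
    vm.write("/opt/app/bin", "patched")
    vm.take_snapshot("after-patch")
    vm.write("/tmp/scratch", "junk")
    vm.revert()                        # parent is after-patch: scratch is gone
    after = vm.disk()
    vm.go_to("before-patch")           # any snapshot, not just the parent
    return after, vm.disk()
```

Note that deleting the base disk (or any snapshot in the chain) makes every later view unrecoverable, which is why the text says snapshots are not a backup.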
Revert to Known State or Good Configuration

When you revert to a known state in a VM, you revert to an earlier snapshot. Reverting takes you to the parent snapshot of the VM. When you do this, you immediately discard the current disk and memory states and then return to the disk and memory states of the parent snapshot. Some VM products offer a "go to" feature that allows the user to choose any snapshot, not just the parent one. This can be helpful in a software development environment where several snapshots are used to test changes to a program or product. Options can also enable you to automatically revert to the parent snapshot whenever the machine is powered off. When a system reverts to an earlier snapshot, the reverted-to snapshot becomes the parent snapshot of the virtual machine. In a non-persistent or cloud environment, virtual networking components sometimes change or are misconfigured. Rollback is used to prevent loss of connectivity to a host by rolling back to a previous valid or known configuration. This is similar to the Windows Roll Back Driver option, except that it applies to the network instead of to individual machine drivers. Networking events that can cause rollbacks include host networking changes and modifications to distributed switches. Invalid host networking configuration changes cause host networking rollbacks. A network change that disconnects a host, such as updating DNS and routing settings, also triggers a rollback. Invalid updates to distributed switches can cause rollbacks as well. For example, VLAN changes in a distributed port group can cause one or more hosts to be out of synchronization with the distributed switch. If the situation cannot be fixed manually, you can roll back the switch or port group to a previous configuration. Similarly, operating systems may provide support during the boot process to revert to a previously working configuration.
This option supports further troubleshooting in case of a failure caused by a failed update, malware, or a system conflict. Some versions of Windows, for example, have included the boot recovery option Last Known Good Configuration. This option was removed from Windows 10, which instead provides a recovery environment with a Safe Mode option that offers similar functions.

Live Boot Media

Live boot media is considered non-persistent because actions that occur between reboots do not persist. With live boot media, system RAM acts as a disk. When the media is removed and the system reboots, the RAM is cleared. Live boot media keeps the original media configuration. USB drives can be created with persistent storage through a persistent overlay file. Although this allows some room for persistence, it has limitations and might not work with all OS distributions. A saved VM, such as a virtual disk, can be booted from a CD-ROM, USB drive, or similar storage device. Live boot media is often used when an organization needs a very secure environment in an unsecure location. For example, bootable media is a live device that creates a secure, non-persistent environment on a personal or public computer. This live media provides a trusted environment for remotely accessing sensitive government services on nongovernment equipment.

Defense in Depth

Defense in depth is based on the premise that implementing security at different levels or layers to form a complete security strategy provides better protection and greater resiliency than implementing an individual security defense. Each component provides a different type of security protection, and when they are implemented together, they help improve the overall security posture of the organization. Defense in depth is a comprehensive security approach for protecting the integrity of organizational information assets. Vendor and control diversity contribute to a strong defense-in-depth strategy.
Defense in depth is rooted in military strategy and requires a balanced emphasis on people, technology, and operations to maintain information assurance (IA). Defense in depth stems from the philosophy that complete security against threats can never be achieved; the components that make up a layered security strategy only impede an attacker's progress until either the attacker gives up or the organization can respond to the threat. Defense in depth relies on diversity across key areas such as controls, technologies, cryptography, and vendors. The idea is to create rational security layers within the environment for improved security. Control diversity, for example, involves layers of different categories of controls: physical, technical, and administrative. Diversity is also important across technologies and vendors. Many organizations, for example, check files for malware using products from two competing vendors, thus increasing the odds of catching what one vendor may have missed. Vendor diversity requires a variety of suppliers for the purchase of goods and services for the organization. This approach keeps an organization from relying on a small number of vendors, or possibly only one vendor, for its technology needs. It is a common misconception that the fewer vendors an organization uses, the less risk it faces. Dependence on a small number of vendors can create a number of risks for an organization, including the following:

- Technological inefficiency
- High equipment and service costs
- Supply-chain rigidity
- Lack of innovation
- Increased risk

Having a larger, more diversified list of vendors helps mitigate risk and provides greater resiliency, reducing single points of failure and the likelihood of unnecessary or unplanned expenditures.

Quiz

1. Which of the following RAID configurations can be configured with only two drives? (Select all that apply.)
A. RAID 0
B. RAID 1
C. RAID 3
D. RAID 5

2. A weekly full backup is performed on a system every Sunday at 1 a.m., and differential backups are performed daily at 1 a.m. If the system is restored on Wednesday at 3 p.m., how many of the individual backups are required to completely restore the system?
A. 1
B. 2
C. 3
D. 4

3. Which one of the following best describes an outcome of vendor diversity?
A. Lack of innovation
B. Rigidity
C. Resiliency
D. Greater risk

4. Which solution gives you enough time to safely power down equipment until power is fully restored?
A. NIC teaming
B. Load balancer
C. PDU
D. UPS

Answer 1: A and B. RAID 0 and RAID 1 both have a two-drive minimum. The other two choices, C and D, are incorrect because RAID 3 and RAID 5 have a three-drive minimum.

Answer 2: B. A differential backup scheme requires two tapes to completely restore the system: the full backup from Sunday and the differential backup from Wednesday. Answer A is incorrect. If you use only the tape from Sunday, you will still be missing the data between that tape and the differential tape from Wednesday. Answers C and D are also incorrect.

Answer 3: C. Vendor diversity provides an organization with resiliency. Answers A, B, and D are associated with a lack of vendor diversity, not with having a diverse set of vendors to rely on.

Answer 4: D. An uninterruptible power supply (UPS) gives you enough time to safely power down equipment until power is fully restored. UPSs are used to protect electronic equipment and provide immediate emergency power in case of failure. Answer A is incorrect because NIC teaming allows a NIC to be grouped with multiple physical NICs to form a logical network device known as a bond; this provides fault tolerance and load balancing. Answer B is incorrect because network load balancers are reverse proxy servers configured in a cluster to provide scalability and high availability. Answer C is incorrect because a power distribution unit (PDU) is like a power strip that distributes power to critical equipment. Many PDUs have advanced functions to improve power quality and provide load balancing as well as remote monitoring.