Chapter 60 Β· Tricks

Other Infrastructure β€” Exam Tricks

The four concepts that trip up test-takers, plus a performance-based scenario practice set.

Trick 1
Containers share the host OS kernel β€” VM isolation is stronger, but containers are not weak

This distinction is the most frequently tested virtualization concept and the one students most often get backwards. The key facts:

  • VMs: Each VM has its own complete guest OS. A kernel vulnerability in one VM's guest OS affects only that VM. VM escape (breaking out of a VM to affect the hypervisor or other VMs) requires a separate, harder-to-exploit hypervisor vulnerability.
  • Containers: All containers on a host share the host OS kernel. A kernel vulnerability in the host OS is a potential attack surface for all containers on that host simultaneously. Container escape to the host OS affects all tenants.

The exam pattern: "Which provides stronger isolation between applications β€” VMs or containers?" β†’ VMs, because each has its own OS and the hypervisor enforces hardware-level boundaries. "Which is more lightweight and starts faster?" β†’ Containers, because there is no OS to boot.

The nuance the exam tests: Containers are not insecure β€” they provide strong process isolation under normal conditions. The shared kernel is a theoretical attack surface, not an inherent vulnerability. The question is always about the type of isolation and its worst-case failure mode.

VM = full guest OS per workload = stronger isolation. Container = shared host kernel = lighter and faster but shared failure domain.
Trick 2
SCADA attacks are not data breaches β€” they are physical events

The exam wants you to understand why SCADA/ICS security is categorically different from standard IT security. The difference is consequence:

  • Standard IT breach: Data is exposed or stolen β€” financial harm, reputational damage, regulatory penalties. The system continues operating.
  • SCADA attack: A pipeline valve is opened at the wrong time, a chemical is dosed at 65Γ— the normal concentration, an electrical grid is destabilized, a manufacturing robot operates outside its safety envelope. The consequence is physical: equipment destruction, worker injuries, environmental contamination, or disruption of critical public services.

Why this changes the security model: For data systems, acceptable controls include firewalls and monitoring that detect and respond. For SCADA, the control must prevent the attack entirely β€” there may be no opportunity to detect and respond before physical harm occurs. This is why a firewall between corporate IT and SCADA is insufficient β€” the acceptable risk level demands a physical air gap.

Exam question pattern: "A manufacturing company's SCADA system is connected to the corporate network through a firewall. What is the MOST appropriate security improvement?" β†’ Physical segmentation / air gap between SCADA and corporate IT. Not "upgrade the firewall" β€” not "add IDS." Physical separation.

SCADA attack = physical consequence. Required control = physical air gap from corporate IT, not just a logical firewall boundary.
Trick 3
Redundancy β‰  High Availability β€” the difference is manual vs. automatic failover

Students conflate redundancy and high availability because both involve having multiple systems. The exam distinguishes them based on the failover mechanism:

  • Redundancy: There is a spare. If the primary fails, the spare can be used β€” but someone (or some process) must activate it. A cold spare server in a closet is redundant. Recovery time: potentially hours.
  • High Availability (HA): The system is designed to remain operational without manual intervention when a component fails. Failover is automatic. The passive standby is always synchronized and ready. Recovery time: seconds.

Active/Active vs. Active/Passive:

  • Active/Passive: Primary + synchronized standby. Brief interruption possible during failover (seconds). Standby is "wasted" capacity in normal operation.
  • Active/Active: Both systems handle traffic simultaneously. If one fails, the other absorbs full load seamlessly β€” zero interruption. Both must each be sized for full load. More expensive, zero downtime on failure.

Cost relationship: Redundancy < Active/Passive HA < Active/Active HA. Each level adds cost at every layer (network, power, hardware). The business decision is whether the cost of downtime justifies the cost of additional availability.

Redundancy = spare available (manual activation). HA = automatic failover always operational. Active/Active = zero interruption + scalability, highest cost.
Trick 4
RTOS and embedded systems are secured through isolation, not endpoint tools

The exam frequently presents scenarios where a standard IT security recommendation (install EDR, apply patches, enable logging) conflicts with the technical reality of specialized infrastructure. The key insight:

  • RTOS: Deterministic timing requirements mean that any software introducing latency (background scanning, memory inspection, telemetry uploads) violates the real-time guarantee. You cannot install antivirus on an ABS computer or a pacemaker. Security must be implemented through network isolation, physical access controls, and compensating controls at the boundary.
  • Embedded systems: Closed, purpose-built firmware β€” cannot load arbitrary software. No OS interface, no agent installation possible. Long lifecycles mean firmware may be years out of date with no patch available. Security is implemented through network isolation and boundary controls.

The exam trap: A question describes a medical device, industrial robot, or traffic controller with a known vulnerability and asks which security control should be applied. Wrong answers: "install EDR," "apply OS patches," "deploy endpoint monitoring." Correct answer: "segment the device onto an isolated network" or "apply compensating controls at the network boundary" or "replace the device when end-of-support is reached."

Additional IoT pattern: IoT devices with weak default credentials β†’ correct first action is always changing default credentials and placing the device on a dedicated VLAN, not deploying an agent or patching (which may not be possible).

RTOS/embedded = cannot run endpoint security tools. Solution = network isolation + boundary controls. IoT = change defaults + dedicated VLAN.
Performance Task Practice
Three Scenarios β€” Apply the Concepts

Scenario A: A retail company's IT team discovers that 40 Wi-Fi-enabled smart TVs in employee break rooms are on the same network as the point-of-sale (POS) systems processing payment card data. A vulnerability scanner shows the TVs are running firmware that is 3 years old with 7 known CVEs, and all are using the default factory password. The IT director says "they're just TVs, not a real risk." How should the security team respond, and what specific controls should be implemented?

Show Answer

The IT director is wrong β€” IoT devices on the same network as PCI-scope systems are a critical risk.

IoT devices (including smart TVs) are designed by consumer electronics manufacturers, not security engineers. The combination of 3-year-old firmware with 7 known CVEs and factory default passwords means these TVs are trivially exploitable. A smart TV on the same network as POS systems gives an attacker who compromises a TV a direct Layer 2 path to payment card data β€” a PCI-DSS violation with significant regulatory and financial consequences.

Immediate controls:

  1. Network isolation (highest priority): Move all 40 TVs to a dedicated IoT VLAN with ACLs blocking all communication to the POS VLAN and all other corporate systems. The TVs should only be able to reach internet streaming services, not internal systems.
  2. Default credential change: Change factory default passwords on all TVs immediately. Disable remote management interfaces if not required.
  3. Firmware updates: Check the manufacturer's support page for available firmware updates and apply them. If firmware updates are not available (end-of-support), plan for device replacement.
  4. Inventory: Add all IoT devices to the asset inventory with manufacturer, model, firmware version, and end-of-support date. Establish a process for tracking manufacturer security advisories.

Why this matters for PCI-DSS: The Cardholder Data Environment (CDE) must be isolated from all other systems. An IoT device on the same network as POS systems may bring the TVs into PCI audit scope β€” a significant compliance problem. Network isolation reduces PCI scope to only the CDE VLAN.

Scenario B: A hospital is migrating its electronic health record (EHR) application from VMs to containers to improve deployment speed. The security team raises a concern. The CTO argues that containers provide the same security isolation as VMs. The security team disagrees. What is the specific technical reason the security team is correct, and what compensating controls should be implemented if the migration proceeds?

Show Answer

The security team is correct β€” container isolation is fundamentally different from VM isolation.

The technical reason: VMs run a complete guest OS, and VM isolation is enforced at the hypervisor (hardware abstraction) level. Compromising one VM does not affect neighboring VMs unless a hypervisor vulnerability is exploited. Containers share the host OS kernel β€” all containers on the same host run on the same kernel. A host kernel vulnerability is a shared attack surface for all containers simultaneously. A container escape to the host OS gives an attacker access to all containers on that host, including their filesystems and processes.

For a healthcare environment with PHI, this is a meaningful risk: if a web application container is compromised via a code injection vulnerability, and the attacker then exploits a container escape, they can access the EHR data in neighboring containers β€” something that would require a separate hypervisor exploit in the VM model.

Compensating controls if the migration proceeds:

  1. Keep host kernel patched aggressively: The shared kernel means kernel CVEs must be patched immediately β€” a vulnerability in the host kernel is a vulnerability in every container.
  2. Run containers as non-root: Container processes should run as a non-privileged user, not root. If a container is compromised, the attacker should not have root privileges on the host.
  3. Apply seccomp and AppArmor profiles: Restrict the system calls available to containers, limiting what a compromised container can do even if it attempts a kernel exploit.
  4. Container image scanning: Scan all container images for known vulnerabilities before deployment. Do not run containers with unpatched base images.
  5. Separate sensitive workloads on separate hosts: Place EHR containers on hosts dedicated to EHR workloads β€” do not co-locate with lower-trust applications. This limits the blast radius of a container escape.

Scenario C: A financial services firm's primary authentication server fails at 9 AM on a Monday. The server was configured with a "redundant" cold spare β€” an identical server stored in a locked cabinet. It takes the IT team 4 hours to rack the spare, restore the last backup (from 11 PM Sunday), and bring authentication services back online. During those 4 hours, no employees can log in. Management asks the security team to redesign the authentication infrastructure to prevent this from happening again. What should the team recommend, and what is the cost tradeoff?

Show Answer

Recommendation: Active/Passive High Availability configuration for the authentication server.

What changed and why: The current cold spare provides redundancy but not high availability. "Redundancy" means a spare exists β€” it does not mean the spare is always ready to serve requests. The 4-hour recovery time is the cost of manual activation: physical deployment, configuration, backup restoration, and testing before the service resumes.

Active/Passive HA configuration:

  • A second authentication server (the passive node) is always powered on, configured, and continuously synchronized with the primary in real time
  • A heartbeat mechanism monitors the primary's health every few seconds
  • When the primary fails, the passive node detects the failure and automatically promotes itself to active within seconds
  • Authentication services resume automatically β€” no manual intervention required
  • Failover time: 10–30 seconds vs. 4 hours for the cold spare

Cost tradeoff:

  • Active/Passive HA requires: second server hardware (same spec as primary), HA clustering software license, network infrastructure for heartbeat and synchronization link, additional management overhead for monitoring two nodes
  • The business case: 4 hours of authentication outage Γ— number of employees who cannot work Γ— average hourly cost per employee = the cost of the outage. If that cost exceeds the HA infrastructure cost, the investment is justified β€” a straightforward business decision
  • If zero-interruption failover is required (e.g., during active authentication sessions), Active/Active HA should be evaluated β€” both servers handle authentication requests simultaneously; failure of either is absorbed with no service interruption