3.1

Question 1

When using a cloud responsibility matrix, how do you know who is responsible for security?

Answer 1

Each CSP has their own policies
Contractual agreements

Question 2

5 security considerations when using a hybrid cloud (more than one CSP for additional clouds)

Answer 2

Authentication across platforms
Firewall configurations
Server settings
^These 3 things need to match between clouds

Log monitoring - each CSP might have different types of logs using different terminology

Data leakage - data is constantly transferred from one cloud to another across the public internet

Question 3

Enables the management and maintenance of security for third-party technologies/applications implemented in your organization’s private cloud

Answer 3

Vendor risk management policy

Question 4

True/False

You must perform a third-party impact assessment for incident response

Answer 4

True

Question 5

True/False

You can trust third party process to have robust security practices, so you don’t need to constantly monitor them for unusual activity or changes in availability

Answer 5

False

You cannot trust that third parties have not been compromised, so you always need to be monitoring them.

Question 6

A method of defining cloud infrastructure (servers, networks, application instances, databases) as code, rather than as hardware.

This allows the administrator to quickly build, modify, and create versions of the infrastructure

Answer 6

Infrastructure as code

Question 7

True/False

IaC allows an administrator to build out code and then copy/paste this layout to other CSPs. This way, the administrator can create their perfect layout and use it again and again.

Answer 7

True

Question 8

FaaS stands for

Answer 8

Function as a Service

Question 9

A cloud computing service where an application instance is serverless.

Instead of accessing the application, you are accessing only the individual, autonomous functions of the application. The microservices.

This method removes the emphasis on the OS. These microservices can run on any OS needed.

Answer 9

FaaS

Question 10

How does serverless FaaS work?

Answer 10

Developers separate applications into individual, autonomous functions that are stored in the cloud server

Once the function is no longer needed, it is removed from the cloud

Question 11

Why is it called serverless?

Answer 11

Because the developers do not need to worry about server infrastructure or server space.

Backend computing is provided on an as-used basis.

Question 12

Difference between IaaS, PaaS, and serverless

Answer 12

IaaS is paid for as pre-purchased units of capacity. The client can set up a data collection system, etc.

PaaS charges the client for the resources used. However, the client must request the provider for more resources. The client does not have to set up the OS or anything about the underlying infrastructure. It is used for building apps.

Serverless is paid for as an as-used basis. Resources are automatically scaled. There is no backend/resource management at all. Serverless microservices are much more lightweight than PaaS applications, so it is faster.

Question 13

True/False

In serverless architecture, ALL security concerns are the responsibility of the third party

Answer 13

True

Question 14

True/False

In serverless architecture, microservices can be triggered and ephemeral

Answer 14

True

Question 15

An application that is built as a single unified unit. It does everything, and all code needs to be present for the application to execute correctly. Takes care of user interface, business logic, I/O, etc.

It is self-contained and independent from other application. It is made from ONE code base.

Answer 15

Monolithic application

Question 16

What enables the use of microservices in cloud architecture? It acts as the “glue” between microservices.

It allows you to programmatically control the way that an application works

Answer 16

APIs

Question 17

True/False

In comparison to a monolithic architecture, microservice architecture is more secure, more resilient, and more scalable.

Answer 17

True

Question 18

A physical or digital separation that prevents a system from being reached by anyone or anything.

This means that this device also cannot connect to other computers or networks either wirelessly or physically.

Answer 18

Air gap

Question 19

Why would an organization utilize airgapping?

Answer 19

Separate database servers and web servers

A managed service provider might use it to put one customer on one switch, and a different customer on another, physically isolated switch

It prevents attackers from gaining access

Question 20

Describe physical segmentation

Answer 20

Each segment has its separate physical devices and infrastructure. Not easily scalable, since more segments means more hardware needed.

Question 21

Describe logical segmentation

Answer 21

VLANs are used. You can configure one switch to have a group of interfaces belong to VLAN A, and the other group of interfaces to belong to VLAN B. This saves on hardware costs and is more scalable than physical segmentation.

Question 22

True/False

Because logical segments are connected by the same physical switch, the VLANs have an inherent ability to communicate with each other.

Answer 22

False

The segmented VLANs need a Layer 3 device/router to communicate.

Question 23

SDN stands for

Answer 23

Software-Defined Networking

Question 24

The 3 functional planes involved in SDN

Answer 24

Data plane
Control plane
Management plane

Question 25

The functional plane that:
Processes network frames and packets
Forwards packets
Enables trunking, encrypting, and NAT

Answer 25

Data plane

Question 26

The functional plane that:
Manages routing tables, session tables, NAT tables
Executes dynamic routing protocol updates
Tells the data plane how to get data from point A to point B

Answer 26

Control plane

Question 27

The functional plane that:
Enables configuration changes for the device through SSH, a browser, or an API

Answer 27

Management plane

Question 28

True/False

Logically separating networking devices into multiple control planes allows you to extend the functionality and management of a single device, as well as use the device for the cloud.

Answer 28

True

Question 29

A network architecture created by separating network devices into logical functional planes.

Answer 29

SDN

Question 30

True/False

It is easier to secure a decentralized network than a centralized network

Answer 30

False

It’s difficult to manage diverse systems, especially when they’re in separate physical locations

Question 31

True/False

Using a centralized management console to control the security of decentralized/diverse devices can introduce a single point of failure and potential performance issues due to lack of scalability.

Answer 31

True

Question 32

What is the main challenge with virtualization/VMs?

Answer 32

Each VM needs to have its own OS, even if every VM is identical.

This adds overhead and complexity, and causes virtualization to be expensive.

Question 33

VMs can sometimes be inefficient–especially when the organizations runs multiple identical VMs. What solves this problem?

Answer 33

Using containers instead of VMs

Question 34

How do containers solve the VM inefficiency problem?

Answer 34

Multiple applications can run simultaneously on one OS/hardware.

Each container has only the application–no OS. It uses the OS on the host machine.

Question 35

True/False

Containers are self-contained and cannot interact with each other, even if they are operating on the same machine. Just like VMs.

Answer 35

True

Question 36

SCADA stands for

Answer 36

Supervisory Control and Data Acquisition System

Question 37

SCADA is AKA

Answer 37

ICS

Question 38

ICS stands for

Answer 38

Industrial Control System

Question 39

How do you secure SCADA/ICS?

Answer 39

Extensive segmentation

NO access should come from outside! Compromise can affect the system severely.

Question 40

RTOS stands for

Answer 40

Real-Time Operating System

Question 41

An OS where no one process can take complete control over the device’s resources

Answer 41

Non-deterministic OS

Question 42

Does industrial/manufacturing/automobile/military equipment commonly use deterministic or non-deterministic OSs?

Answer 42

Deterministic

Question 43

An OS that may allow one process to take complete control over the device’s resources.

Answer 43

Deterministic OS

Question 44

Why can deterministic OSs be helpful in some situations?

Answer 44

Some processes MUST take priority for safety. For example, when you press your brake while driving your car, that will take priority over everything else.

Question 45

True/False

Security is critical in RTOSs because the operations they perform are extremely necessary

Answer 45

True

Question 46

A small device that’s part of a larger device, machine, or system, and is designed to control a specific function within it. They are less complex than computers and only exist inside other systems.

They normally only have a limited amount of tasks they can perform, but advanced ones can control entire OSs.

Answer 46

Embedded system

Question 47

True/False

Embedded systems are often created/built for ONE sole purpose, and to do that thing very well and efficiently.

Answer 47

True

Question 48

Examples of embedded systems

Answer 48

Traffic light controllers
Digital watches
Medical imaging systems

Question 49

HA means that something is ____ available.

Answer 49

ALWAYS

Question 50

MTTR stands for

Answer 50

Mean Time to Repair

Question 51

The average time it takes to fix a system/piece of equipment after it has failed

Answer 51

Mean Time to Repair

Question 52

A metric that measures how quickly a system delivers responses after having been given a request

Answer 52

Responsiveness

Question 53

A metric measuring the ease with which you can increase or decrease capacity for use.

Answer 53

Scalability

Question 53

The ability to automatically acquire and release resources as needed to meet changing demands

Answer 53

Elasticity

Question 54

Difference between scalability and elasticity

Answer 54

Scalability deals with long-term changes

Elasticity deals with short-term, daily changes

Question 55

True/False

When scaling your network infrastructure according to demand, it is important to also extend the security functions of your network

Answer 55

True

Question 56

The acting of transferring risk to a third party

Answer 56

Risk transference

Question 57

Cybersecurity insurance is a method of

Answer 57

Risk transference

Question 58

True/False

An organization that rarely patches is a significant security concern.

Answer 58

True

Question 59

What types of systems often do not have patches released for them?

Answer 59

Embedded systems

ex. HVAC controls, time clocks

Question 60

True/False

Because embedded systems almost never have patches available, it is recommended to implement additional security measures around them. ex. Firewalls

Answer 60

True

Question 61

UPS stands for

Answer 61

Uninterruptable Power Supply

Question 62

The component that provides the heavy lifting in processing

Answer 62

Compute component

Question 63

True/False

The compute component is AKA a CPU

Answer 63

False

The compute component is more than just a single CPU.

Question 64

In a cloud architecture, the component that does the actual thinking and processing of the data.

It may be a single processor in a datacenter, or it may be multiple CPUs across multiple clouds.

Using this in a multi-cloud architecture (as referenced above) enhances scalability with the cost of some additional complexity.

Answer 64

Compute engine