5. Cloud Platform, Infrastructure, and Operational Security Flashcards

1
Q

Charles is working with internal auditors to review his organization’s cloud infrastructure. Which of the following is not a common goal of internal audits?

A. Testing operational integrity
B. Improving practices
C. Providing attestation of compliance to a standard to a 3rd party
D. Validating practices against an industry standard

A

Answer: C. Providing attestation of compliance to a standard to a 3rd party

Internal audits typically attempt to test operational integrity and identify areas for improvement. They may also validate practices against an industry standard. They are not typically done to provide attestations to third parties.

2
Q

Maria’s organization wants to ensure that logins by most malicious actors would be prohibited if a system administrator’s credentials were compromised. What technology is commonly used to check for potential malicious logins from international attacks?

A. Geofencing
B. IPOrigin
C. Multifactor
D. Biometric authentication

A

Answer: A. Geofencing

Geofencing is often used as part of a set of controls to prevent unauthorized logins. Auditing logins that occur from new or unapproved locations, and even preventing logins from unauthorized locations, can be a useful preventative control. IPOrigin was made up for this question, and both multifactor and biometric logins are used to prevent unauthorized access, not to check for potential malicious logins.

3
Q

Alaina wants to ensure that her system instances for a web application hosted in her cloud data center have proper security for data at rest. What solution should she select to help ensure this?

A. Disk or volume hashing
B. Use only ephemeral disks or volumes
C. Use read-only disks or volumes
D. Disk or volume encryption

A

Answer: D. Disk or volume encryption

Alaina’s best option to secure data at rest in the cloud for virtualized systems is to use disk or volume encryption. Hashing is one-way, so it doesn’t make sense for data storage. Ephemeral disks or volumes may be associated with instances that have a short life span, but they should still be encrypted, and read-only disks could still be exposed.

4
Q

Jason wants to validate that the open-source software package he has downloaded matches the official release. What technique is commonly used to validate packages?

A. Encryption
B. Rainbow tables
C. Decryption
D. Hashing

A

Answer: D. Hashing

MD5 or SHA1 hashing is often used to check the hash of downloaded software against a published official hash for the package or software. Encryption and decryption are not used for validation, and rainbow tables are used for password cracking.

5
Q

Naomi’s organization has adopted the CIS security controls for Windows. What type of solution have they adopted?

A. A SOC template
B. An ISO standard
C. A security baseline
D. A NIST standard

A

Answer: C. A security baseline

The CIS security controls are a security baseline adopted by many organizations. Naomi’s organization should still review and modify the controls to match its needs. SOC is an auditing report type, and both ISO and NIST provide standards, but the CIS security controls aren’t ISO or NIST standards.

6
Q

Yarif’s organization wants to process sensitive information in a cloud environment. The organization is concerned about data throughout its lifecycle. What protection should it select for its compute elements if security is a priority and cost is less important?

A. Memory encryption.
B. Dedicated hardware instances.
C. Shared hardware instances.
D. Avoid installing virtualization tools.

A

Answer: B. Dedicated hardware instances.

Using dedicated hardware instances, while expensive, is the most secure option for protecting compute from potential side-channel attacks or attacks against the underlying hypervisor layer for cloud-hosted systems. Memory encryption may exist at the hypervisor level, but cloud providers do not typically make this an accessible option, and virtualization tools are not a major security benefit or detractor in this scenario.

7
Q

Valerie’s organization uses a security baseline as part of its systems configuration process. Which of the following is not a typical part of a baselining process?

A. Limiting administrator access
B. Removing anti-malware agents
C. Closing unused ports
D. Removing unnecessary services and libraries

A

Answer: B. Removing anti-malware agents

Removing anti-malware agents is not a typical part of a baselining process. Installing one might be! Limiting administrator access, closing unused ports, and disabling unneeded services are all common baselining activities.

8
Q

Hrant wants to ensure that traffic inside his organization’s Azure Virtual Network (VNet), Azure’s basic building block for customer IaaS instances, is protected. What should he do to protect it?

A. VNet traffic is already secure; he does not need to do anything.
B. Set up VPN tunnels between each system.
C. Set up and use a bastion host for all secure traffic.
D. Use end-to-end encryption for all communications.

A

Answer: D. Use end-to-end encryption for all communications.

While virtual networks in cloud environments are typically well isolated, Hrant’s best choice is to use end-to-end encryption for all communications. A VPN for each system is impractical, and bastion hosts are used to provide access from less secure to more secure zones or networks.

9
Q

Asha is configuring a virtualized environment and wants to back up a virtualized server, including its memory state. What type of backup should she perform?

A. A full backup
B. A snapshot
C. An incremental backup
D. A differential backup

A

Answer: B. A snapshot

Snapshots in virtual environments not only capture the current state of the machine, they also allow point-in-time restoration. Full, incremental, and differential backups back up the drive of a system but not the memory state.

10
Q

Felix is planning for his organization’s third-party audit process after recently switching to a cloud SaaS provider. What information will Felix most likely be unable to provide?

A. Access logs
B. Operating system logs
C. Activity logs
D. User and account privilege information

A

Answer: B. Operating system logs

A Software as a Service (SaaS) environment will not be able to provide operating system logs to third-party auditors, since the service provider is unlikely to provide them to customers. Access and activity logs, as well as user and account privilege information, are all likely to be available.

11
Q

Mark has set up a series of tasks that make up a workflow to ensure that his cloud-hosted web application environment scales, updates, and maintains itself. What cloud management plane feature is he leveraging?

A. Maintenance
B. Scheduling
C. Orchestration
D. Virtualization

A

Answer: C. Orchestration

Orchestration describes the broad set of capabilities that allow automated task-based control of services, processes, or workflows. It can handle maintenance and uses scheduling, but its uses are broader than both. Virtualization is a key component of the cloud but does not describe this specific use appropriately.

12
Q

Amanda downloads VeraCrypt, a free, open-source disk encryption software package. When she downloads the software, she sees the following information on the downloads page:

What will she need to validate the signature and ensure that the software is legitimate?

A. VeraCrypt’s private key
B. Her private key
C. VeraCrypt’s public key
D. Her public key

A

Answer: C. VeraCrypt’s public key

To validate the software, she’ll need VeraCrypt’s public key. Fortunately, VeraCrypt provides the key and the signatures on the same page for easy access.

13
Q

Ting sets a system up in her Amazon VPC that exists in a low-security, public internet–facing zone, and also has an interface connected to a high-security subnet that is used to house application servers so that she can administer those systems. What type of security solution has she configured?

A. A firewall hopper
B. A bastion host
C. A bridge
D. A bailey system

A

Answer: B. A bastion host

Bastion hosts are used to connect from a lower-security zone to a higher-security zone.

Ting has configured one to allow inbound access and will need to pay particular attention to the security and monitoring of the system.

The remainder of the answers were made up for this question, although network bridges do exist.

14
Q

Lisa’s organization installs virtualization tools on each virtual machine it sets up. Which of the following is not a common function of virtualization tools?

A. Access to sound and video cards
B. Mapping storage
C. Improved networking
D. Control of the underlying host operating system

A

Answer: D. Control of the underlying host operating system

Common functionality of guest OS tools includes mapping storage; supporting improved networking; and video output, sound, or input capabilities. They don’t usually allow control of the underlying host operating system.

15
Q

Susan’s organization is a cloud service provider that runs its hypervisor directly on the underlying hardware for its systems. What type of hypervisor is Susan running?

A. Type 1
B. Type 2
C. Type 3
D. Type 4

A

Answer: A. Type 1

Type 1 hypervisors run directly on the underlying hardware or the “bare metal,” and Type 2 hypervisors run inside of another operating system, like Windows or Linux. There are no Type 3 or 4 hypervisors.

16
Q

The CIO of Gurvinder’s company wants him to have its audit company perform an audit of its cloud infrastructure provider. Why are cloud infrastructure vendors unlikely to allow audits of their systems and infrastructure by customer-sponsored third parties?

A. They do not want to have problems with their service identified.
B. Audits may disrupt their other customers or lead to risks of data exposure for those customers.
C. It is required for compliance with industry-standard best practices.
D. It would have to be reported as a potential data breach.

A

Answer: B. Audits may disrupt their other customers or lead to risks of data exposure for those customers.

Allowing auditors access to their environments has the potential to disrupt service for the wide range of customers they support. If they allowed audits for their multitude of customers, they’d also be in a perpetual audit process, which is costly and time-consuming. Organizations typically do want to identify problems with their service. Not allowing auditors access is not required by best practices and would not be reported as a data breach.

17
Q

Michelle wants to securely store her organization’s secrets using a cloud service. What tool should she select?

A. TPM as a service
B. GPG as a service
C. HSM as a service
D. SSD as a service

A

Answer: C. HSM as a service

A hardware security module (HSM) service will provide the functionality Michelle is looking for. A TPM, or trusted platform module, is associated with local system security rather than for organization-wide secrets storage and management. GPG is an encryption package and won’t do what she needs, and SSDs are storage devices, not encryption management tools.

18
Q

Helen wants to apply rules to traffic in her cloud-hosted environment. What cloud tool allows rules permitting traffic to pass or be blocked to be set based on information like the destination or source host or IP address, port, and protocol?

A. Security groups
B. Stateless IDS
C. VPC boundaries
D. Stateful IPS

A

Answer: A. Security groups

Security groups act like firewalls in cloud environments, allowing rules that control traffic by host, port, and protocol to be set to allow or disallow traffic. Stateless and stateful IDSs and IPSs were made up for this question, and VPC boundaries are not a technical solution or tool.

19
Q

Jaime wants to set up a tool that will allow him to capture and analyze attacker behavior, including command-line activity and uploaded toolkits targeted at systems in his environment. What type of tool should he deploy?

A. A dark web
B. A honeypot
C. A network IPS
D. A network IDS

A

Answer: B. A honeypot

Honeypots are intentionally vulnerable systems set up to capture attacker behavior and include tools to allow analysis. The phrase “the dark web” is used to describe Tor-accessible, nonpublic internet sites. Network intrusion detection and prevention (IDS and IPS) systems can be used to detect attacks, and while they may capture information like uploaded toolkits, they won’t capture command-line activities in most scenarios, since attackers encrypt the traffic containing the commands.

20
Q

Chris is using a third-party vulnerability scanning application in his cloud-hosted environment. Which of the following issues is he unlikely to be able to detect with a vulnerability scanner?

A. Malware
B. Defined vulnerabilities
C. Zero-day exploits
D. Programming flaws

A

Answer: C. Zero-day exploits

Vulnerability scanners can’t detect zero-day exploits because they won’t have detection rules or definitions for them. Zero-day exploits haven’t been announced or detected and thus won’t be part of their library. Malware, known vulnerabilities, and programming flaws may all be detected by vulnerability scanners.