Cloud Processes Flashcards

1
Q

What are the steps to Cloud Hardening Practices?

A
  1. Isolate (4)
    Networks
    Cloud Mgmt Networks ie PROD/ DEV
    IP storage network
    Subscriber data network - SP isolates custom data
    networks from mgmt networks
  2. Secure (2)
    Subscriber Access to Resources – supply w/ mgmt
    console encrypted use SSL
    Restoration of Svc - opt secure restoration of Svcs
  3. Strong Authentic / Authorize – use least privilege
  4. Lib of secure templates – misconfiguration is sec risk,
    stored in Repos or LIB of templates, Keep templates
    patched and updated
  5. Resource Mgmt = used to prevent DoS
2
Q

What are the (4) Cloud Hardening Isolate steps?

What do we isolate?

A
  1. Networks
  2. Cloud Mgmt Networks ie PROD/ DEV
  3. IP storage network
  4. Subscriber data network - SP isolates custom data
    networks from mgmt networks
3
Q

What are the (2) Cloud Hardening Secure steps?

What do we Secure?

A
  1. Subscriber Access to Resources – supply w/ mgmt
    console encrypted use SSL
  2. Restoration of Svc - opt secure restoration of Svcs
4
Q

What is Due Diligence with Cloud? (4)

A
  1. EULA/SLAs – good to meet operational rqmts.
  2. ISO 27001: method to demonstrate implem of good
    SEC practices. (FISMA)
  3. SSAE 16: These reports required by customers w/
    Sarbanes-Oxley (SOX)
  4. SOC 2/3: Svc org relevant to Security, Availability,
    processing, Integrity, Confidentiality, or Privacy.
    Report beyond traditional FIN audit scope.
5
Q

Which of the following is the BEST way to mitigate the security and privacy issues associated with cloud computing?

A. Allowing only cloud administrators to have access to cloud resources
B. Removing firewalls and access control routers from the network
C. Implementation and enforcement of a comprehensive security policy
D. Removing virtualized hardware from the organization

A

C. Implementation and enforcement of a comprehensive security policy

6
Q

Purpose of FEDRAMP CONOPS? (3)

A
  1. (FISMA) Ensure cloud-based svcs have adequate info Sec
  2. (DeDupe) Eliminate duplication of effort and reduce
    risk mgmt costs
  3. (Elasticity/On Demand) Enable rapid and cost-effective
    procurement of info sys/svcs for federal agencies
  • FEDRAMP CONOPS: *Exam
7
Q

Which of the following is a definition of virtualization?

A. Virtualization is a method to organize servers in a more efficient manner to double the number of
accessible users
B. Virtualization is a set of techniques for hiding software resources behind hardware abstractions.
C. Virtualization is a set of techniques for hiding hardware resources behind software abstractions.
D. Virtualization is a method to structure data in a more efficient manner with less cost to the user.

A

C. Virtualization is a set of techniques for hiding hardware resources behind software abstractions.

8
Q

How does scalability work with cloud computing?

A. Servers and storage can be added quickly.
B. Servers and storage can be released quickly.
C. Users can be added and removed quickly.
D. All of the above is correct.

A

D. All of the above is correct.

9
Q

Which of the following can be deployed by a cloud provider to reduce storage costs?

A. Journaling file systems
B. Two-factor authentication
C. Data de-duplication
D. Data encryption

A

C. Data de-duplication

10
Q

What are Cloud Service Subscribers leading practices for Hardening (5)?

A
  1. Secure OS *same in cloud as data center
  2. Encrypt Critical data *Adds layer protection
  3. Security Compute profile *Patches, AV status, File level
    access restrictions same as internal corporate network
  4. OS Mgmt *Virtual machines patches incl DMZ
  5. Security Authentication/Authorization * i.e.: multi-factor
    in user instances, AC & failures through portal or
    via method to pull data back to Enterprise
11
Q

Top SLA Factors (14)?

A
  1. Change Cntl, CM, CR
  2. Data Asset Mgmt
  3. DR/ BCP
  4. Secure Config/Server Hardening
  5. Malware / IPS
  6. Network Vuln / PEN Testing
  7. SW Lifecycle / Patch Mgmt
  8. Security Incident Handling
  9. Secure Network Protocols / Data Transport
  10. Security Event Logging
  11. Secure Application / Program Interfaces
  12. Data Protection/Portability/Retention/Destruction
  13. Encryption / Key Mgmt
  14. Application / Db Logging
12
Q

Key Attribute of Cloud Networking (5)?

A
  1. Scalability
  2. Low Latency
  3. Reliable APIs * REST, SOAP, JavaScript
  4. Program Mgmt *Reduce long term costs, Pkt
    prioritizing, SDN, OpenFlow
  5. Self Heal Resiliency *Containers
13
Q

Which of the following can cause user response times to deteriorate?

A. High CPU usage and low network bandwidth
B. High network latency and high volume of data stored
C. Low network bandwidth and high network latency
D. Low network bandwidth and high volume of data stored

A

B. High network latency and high volume of data stored

14
Q

What is SDN?

A

Software Defined Networking

15
Q

What Protocol does SDN use?

A

OpenFlow Protocol

16
Q

How does SDN work?

Why is it popular?

A

Control is decoupled from hardware (where traffic destination occurs) and given to SW application called controller

  1. Dynamic, manageable, cost-effective, adaptable, ideal
    for high-bandwidth
  2. Could improve automated Malware Quarantine AMQ
    & Security zones across layers
17
Q

Leading practices SDN?

A
  1. SSL/TLS btw controller / Switch
  2. Develop threat strategy to avoid certain malware
    attacks
18
Q

Warnings or issues with SDN?

A
  • Defense in Depth – security must be implemented at all
    layers of SDN
  • Single point failure
19
Q

Security Advantages of Virtualization? (3)

A
  1. Better Forensics, faster recovery after attack
  2. Patch safer/more effective i.e.: rollbacks
  3. More cost effective sec devices: i.e.: IDS, Vulnerability scanner, appliances, uses VMs…
20
Q

Virtual Infrastructure (Best Practices)?

A

Use basic principles like:

  1. Hardening / lock-down
  2. Defense in Depth
  3. Authorization/ Authentication/ Accounting
  4. Sep of Duties & Least Privilege
  5. Admin Controls
21
Q

What are the (6) Greatest Virtualization Attack Vectors?

A
  1. Hyper V
  2. VM Escape
  3. VLAN Attacks
  4. VM Theft
  5. Hyper Jacking
  6. VM Hopping
22
Q

How does Hyper-V occur?

A

Vulnerability: Escalation of Privilege function parameter in hypercall from existing running VM to hypervisor

23
Q

How does VM Escape occur?

A

Breaking out of VM w/ host OS

24
Q

How do VLAN Attacks occur?

A

Attacking Network resources on VLAN (VLAN hopping) by Switch Spoofing / Double Tagging. Fix Switch port config.

25
Q

How does VM Theft occur?

A

Ability to steal VM file electronically. Mount and run later.

26
Q

How does Hyper Jacking occur?

A

(Physical) Insert Rogue hypervisor. Hacker can control any VM running on physical server

27
Q

How does VM Hopping occur?

A

Hacker jumps from one Virtual Server to other on same physical HW

28
Q

MelStar has BU policy to take complete BU of their IT system and move that offsite using portable HDD. Org uses snapshot BU for their VMs. Which security threat is this BU most prone to?

A. VM Escape
B. Hyper Jacking
C. VM Hopping
D. VM Theft

A

D. VM Theft

29
Q

ABC Co has bus requirement for creating multi Sec zones btw data and transport layer. Choose one.

A. SDN
B. Controller
C. SDN Service Mgr
D. AMQ

A

A. SDN

30
Q

An attacker subscribes to cloud svc as consumer. From the VM that has been allocated, it tries to get access to VMs of other consumers and manages to get access to VMs on same physical server. What kind of attack was generated?

A. VM Hopping
B. VM Escape
C. VM Theft
D. VM Jacking

A

A. VM Hopping