ENISA Cloud Security - Benefits, Risks, and Recommendations for Information Security Flashcards
According to ENISA, is cloud computing a benefit or a risk to security?
A. benefit
B. risk
C. neither
D. both
Answer: D
According to the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security (page 4), cloud computing’s economies of scale and flexibility are “both a friend and a foe from a security point of view.”
According to ENISA, which of the following is not one of the top security benefits of cloud computing?
A. benefits of scale
B. market differentiation
C. training opportunities
D. standardized interfaces
Answer: C
According to the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security (pages 7-8), all the answers except for D are top security benefits of the cloud.
According to ENISA, which of the following is not one of the top security risks associated with cloud computing?
A. insecure or incomplete data deletion
B. wide potential for human error
C. data protection
D. compliance risks
Answer: B
According to the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security (pages 9-10), all of the answers except for B are top security risks associated with cloud computing. This is a nuanced question, because “malicious insiders” is one of the top security risks listed in the ENISA document. The crucial difference between the answer listed and the element listed in the ENISA guidance is malice versus error, that is, the intent of the person involved.
According to ENISA, vendor lock-in is rated as a __________ level of risk in the cloud.
A. high
B. medium
C. low
D. not applicable
Answer: A
See page 25 of the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security.
Which of the following standards is not mentioned by ENISA in the context of secure software assurance?
A. HIPAA
B. OWASP
C. SANS
D. SAFECode
Answer: A
HIPAA is a US federal law that applies to medical providers and their business associates; all the other answers are software security standards mentioned in the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security (see page 73).
According to ENISA, which is more difficult and less common: attacking the resource isolation mechanisms in a cloud environment (such as the hypervisor), or attacking the operating systems (OSs) in a traditional computing environment?
A. cloud resource isolation mechanisms
B. traditional OSs
C. they are equally difficult and common
D. neither type of attack ever occurs
Answer: A
According to the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security, attacks on cloud resource isolation mechanisms are more difficult and less common than attacks on traditional OSs (see page 9 of that document). Therefore, A is correct, and B and C are incorrect.
Attacks on both occur constantly, so D is incorrect.
Which of the following is not an example of an economic denial of service attack against a cloud environment, according to ENISA?
A. identity theft
B. cache poisoning
C. unexpected resource consumption
D. attacker consuming the customer’s metered service
Answer: B
Cache poisoning is not one of the types of attacks listed in the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security entry on economic denial of service (see page 41). All the other answers are listed in that entry.
Which of the following is not a cloud customer asset that might be affected by the risks associated with licensing, according to ENISA?
A. company reputation
B. software
C. service delivery
D. certification
Answer: B
Typically, the software is the asset being licensed, not something affected by failure to properly license it. All the other answers are assets affected by licensing risks. See page 47 of the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security.
What is “VM hopping”?
A. the attacker exceeds the resources of the target VM (such as CPU or RAM)
B. the attacker makes multiple copies of the target’s VM
C. the attacker deletes the target’s VM
D. the attacker exploits a vulnerability in the hypervisor and can access other VMs
Answer: D
This is the definition of VM hopping, from the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security, page 54.
Which of the following is not one of the fundamental legal issues associated with all cloud scenarios?
A. data protection
B. user training
C. intellectual property
D. professional negligence
Answer: B
User training is a security issue, but not necessarily a legal issue associated with cloud computing. See page 97 of the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security.
__________ is one way to enhance portability, and avoid vendor lock-in.
A. use only a single cloud vendor for all cloud computing needs
B. adopt an open standard, such as OVF (the Open Virtualization Format)
C. use only private clouds
D. use cloud providers only in a single geographic region
Answer: B
The ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security (page 27) recommends using standards such as OVF to ease cloud migrations.
None of the other answers helps with portability, and each may, in fact, make migration more difficult.
Which party is typically the data controller, in most cloud service arrangements?
A. the cloud provider
B. the cloud customer
C. the regulator
D. the data subject
Answer: B
The cloud customer is typically the data controller. See page 66 of the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security.
Which party is typically the data processor, in most cloud service arrangements?
A. the cloud provider
B. the cloud customer
C. the regulator
D. the data subject
Answer: A
The cloud provider is typically the data processor. See page 66 of the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security.
In an IaaS cloud service model, who is responsible for monitoring guest systems?
A. the auditor
B. the regulator
C. the cloud provider
D. the cloud customer
Answer: D
See page 68 of the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security.
Which of the following is one of the underlying vulnerabilities associated with malicious probes and scans of the cloud environment?
A. increase in shadow IT
B. social engineering
C. the possibility that internal network probing will occur
D. governmental overreach
Answer: C
According to the ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security (page 42), internal probes are one of the underlying vulnerabilities related to malicious probes/scans.
All the other answers are not included in the list of underlying vulnerabilities for that risk in that document.