Lesson 9: Understanding Cloud Security Concepts Flashcards

1
Q

An organization has received formal notice that it must not allow any modifications to specific information within the organization. What kind of process is this?

A. File integrity monitoring
B. Role-based access control
C. Network segmentation
D. Legal hold

A

D. Legal hold

Legal hold is a formal process that prevents the modification of specific data in the expectation of legal proceedings.

2
Q

What cloud records management feature or solution would be most beneficial in a use case where lawyers may want to go through years of data to convict a person suspected of money laundering? (Select all that apply.)

A. Retention
B. Versioning
C. Destruction
D. Write once read many

A

A. Retention
D. Write once read many

Data retention is managed on a schedule that defines how long specific types of data must be kept. This data may contain personal information or financial records.

Write once read many (WORM) solutions store data in a way that cannot be legitimately changed. This makes long-term storage of essential and immutable information possible. Legal and financial data benefit from WORM storage.

3
Q

An HR supervisor has asked the cloud administrator to check the log files to find out when a particular employee logged off the system on the previous day. Which goal of IAM does this satisfy?

A. Authentication
B. Authorization
C. Auditing
D. Confidentiality

A

C. Auditing

Recording all user actions in log files, or keeping a record of what an identity did and when it occurred, satisfies the IAM (Identity and Access Management) goal of auditing.

4
Q

What term describes policies that are set to control the entire lifecycle of data, from creation through destruction?

A. Versioning
B. Retention
C. Records management
D. WORM

A

C. Records management

Records management refers to the policies that control data throughout its lifecycle and includes the creation of data, the use of data, the modification of data, and the deletion of data.

5
Q

The helpdesk receives a call from a frustrated user. The system has required the user to change their password and the user has tried several different ones, but the system will not accept them. Why won’t the system accept the user’s passwords?

A. The user is not on the application allow listing.
B. The passwords do not meet the password policy requirements.
C. The system has locked out the user’s account.
D. The administrator hasn’t assigned the user any permissions.

A

B. The passwords do not meet the password policy requirements.

The system won’t accept the user’s passwords since the passwords that the user is attempting to use do not meet the password policy requirements.

6
Q

A systems technician is enabling drive encryption for devices in the enterprise. What are the tools available for the technician to achieve this? (Select all that apply.)

A. Encrypting File System
B. LUKS
C. gzip
D. BitLocker

A

B. LUKS
D. BitLocker

Linux Unified Key Setup (LUKS) is another tool for drive encryption. With drive encryption, the data is protected while the server is offline. If the drive is stolen, the contents are encrypted.

BitLocker is a tool for drive encryption. With drive encryption, the entire drive (or partition) is encrypted during the shutdown process and decrypted during startup.

7
Q

An administrator is reviewing the roles and features installed on the organization’s servers, comparing them to what each server’s purpose is, and removing the roles and features that are unnecessary. What practice is the administrator engaged in?

A. Baselining
B. Hardening
C. Endpoint detection and response
D. Configuration management

A

B. Hardening

The administrator is engaged in the practice of hardening. Hardening is removing everything unnecessary on the server and using the most current version of everything necessary for the server.

8
Q

An employee sent a digitally signed resignation email to the HR department. Which goal of encryption proves that the employee sent the email?

A. Confidentiality
B. Digital signatures
C. Integrity
D. Non-repudiation

A

D. Non-repudiation

The goal of encryption that proves the employee sent the email is non-repudiation. In non-repudiation, the author encrypts the message using a method that nobody else could have used.

9
Q

On the most fundamental level, every network allows access to system resources based on what?

A. Permissions
B. Passwords
C. Active Directory
D. Identity

A

D. Identity

On the most fundamental level, every network allows access to system resources based on identity. Organizations apply permissions and passwords to identities.

10
Q

An administrator created a build and tested it extensively to correct the bugs and other issues, and then released it for use. What kind of build did the administrator create?

A. Stable
B. Long-term support
C. Beta
D. Deprecated

A

A. Stable

The administrator has released a stable build. A stable build is the final release of the build after testing, but before the build enters the long-term support lifecycle phase.

11
Q

A cloud administrator receives an email alert. The alert only indicates suspicious activity and no action was taken. What type of software sent the alert?

A. HIDS
B. IPS
C. Antivirus
D. Firewall

A

A. HIDS

The administrator received the alert from a Host-Based Intrusion Detection System (HIDS). HIDS detects behavior that is different from standard behavior and alerts administrators.

12
Q

The finance director recently learned how easy it is to intercept data and has concerns about someone tapping into the network to get the financial data. The cloud administrator assures the director that the financial data is encrypted before it leaves the program and that it stays encrypted unless being used by the program. What kind of encryption is the financial data using?

A. API endpoint
B. Operating system
C. Application
D. Filesystem

A

C. Application

The financial data is using application encryption, which encrypts the data before it leaves the application and protects the data on the network, in storage, and in databases.

13
Q

An organization was unable to relocate all on-premises resources to the cloud and now has concerns about the potential for data loss between the on-premises and cloud networks. What solution can the cloud administrator implement to mitigate this risk?

A. RBAC
B. FIM
C. WORM
D. CASB

A

D. CASB

The administrator can implement Cloud Access Security Broker (CASB) software. This software monitors the data flow between the cloud and on-premises networks, specifically searching for potential data loss incidents.

14
Q

A cloud administrator can manage permissions for users or groups to access cloud resources using which of the following?

A. Multifactor Authentication (MFA)
B. Identity and Access Management (IAM)
C. Single Sign-on (SSO)
D. Security Assertion Markup Language (SAML)

A

B. Identity and Access Management (IAM)

Identity and Access Management (IAM) begins with policies to govern user access to data and cloud resources. Those policies are enforced by technical methods such as centralized user management and non-technical means such as physical security.

15
Q

A cloud server administrator is configuring NetIQ eDirectory for directory services. Given the system’s design, which protocol would be most suitable to ensure seamless operation and standard compliance?

A. LDAP
B. HTTPS
C. Secure Shell
D. X.500

A

D. X.500

X.500 is a set of protocols that define how global directories should be structured. Enabling it would ensure the seamless operation of NetIQ eDirectory with compliant systems.

16
Q

What type of operating system (OS) build is due for retirement and may no longer have active support?

A. Beta
B. Deprecated
C. Stable
D. Long-term support

A

B. Deprecated

A deprecated operating system (OS) is due for retirement and may no longer be actively supported. It may contain unaddressed bugs or vulnerabilities. Microsoft stops selling older operating systems, but it is easy to obtain old Linux versions.

17
Q

A security technician is setting up multi-factor authentication to cloud solutions. Which of the following are authentication factors that could be used? (Select all that apply.)

A. Location
B. Current time
C. Security Assertion Markup Language
D. One-time passwords

A

A. Location
B. Current time
D. One-time passwords

Location is an additional authentication factor available. Examples include an IP address, network segment, or geographical location.

The current time is an additional authentication factor available. For instance, it could be authorization only during assigned business hours.

One-time passwords (OTPs) are additional authentication factors available. These could be things such as one-time password generators that send passwords to your phone.

18
Q

A security architect is setting up solutions for a medium-sized company. The company wants security products that will actively block. Which of the following solutions should the architect recommend? (Select all that apply.)

A. Event viewer
B. Endpoint detection and response (EDR) systems
C. Software firewall
D. Host-based intrusion detection systems

A

B. Endpoint detection and response (EDR) systems
C. Software firewall

Endpoint detection and response (EDR) systems take a somewhat different approach. EDRs continually monitor the system for changes that indicate threats or exploits. Data is centralized for more accuracy.

There are two kinds of firewalls: Network (perimeter) and host-based (local). Network firewalls filter traffic in and out of a network segment or between two independent networks.

19
Q

A cloud architect establishes a Data Loss Prevention (DLP) program for their company’s cloud infrastructure. Which of the following are goals the architect should work towards? (Select all that apply.)

A. Segment networks into logical data areas
B. Identify confidential data in use
C. Apply protection automatically
D. Monitor for exfiltration

A

B. Identify confidential data in use
C. Apply protection automatically
D. Monitor for exfiltration

The first goal of Data Loss Prevention (DLP) is to identify confidential data in use, in storage, and in transit, and then understand how that data is used.

Another goal of DLP is to apply protection automatically to data by using technology. In some cases, a DLP system is required by industry or government regulations. In other cases, companies focus on it to mitigate legal threats in the event of a breach.

The last goal of DLP is to conduct exfiltration monitoring, detection, and response.

20
Q

A security architect wants to set up permissions dynamically based on assigned functions within the company. What type of permissions structure would best suit their objective?

A. Rule-based Access Control
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Role-based Access Control (RBAC)

A

D. Role-based Access Control (RBAC)

User groups are associated with Role-based Access Control (RBAC), which manages access based on a user’s assigned role or job function within the organization.

21
Q

An administrator has configured access permissions for the organization’s cloud network such that users can only log in between 6 a.m. and 6 p.m., and only if they are in the headquarters building. What security mechanism is this an example of?

A. Authentication
B. Authorization
C. Multifactor authentication
D. Auditing

A

B. Authorization

Authorization is a goal of identity and access management in which an identity has specific access to resources based on permissions.

22
Q

An organization is planning to implement Multifactor Authentication (MFA). Currently, users must enter a password to access resources. What other valid forms of authentication can the organization implement to successfully achieve MFA? (Select all that apply.)

A. Smart cards and PINs
B. Fingerprint scanners
C. Windows PIN
D. Security questions

A

A. Smart cards and PINs
B. Fingerprint scanners

If the organization required users to use smart cards with corresponding PINs (something users have), along with passwords (something users know), this would successfully achieve MFA.

If the organization required users to use fingerprint scanners (who users are), along with passwords (something users know), this would successfully achieve MFA.

23
Q

An administrator is using Active Directory (AD) to manage permissions for users, permitting file and folder owners to manage other users’ access to those resources. What kind of access control is this?

A. Mandatory access control
B. Discretionary access control
C. Role-based access control
D. Rule-based access control

A

B. Discretionary access control

Windows New Technology File System (NTFS) permissions allow users to manage access levels for other users on resources they own. This is an example of discretionary access control.

24
Q

An employee saved a file to the cloud network and then made a hash of the file. Two weeks later, the employee ran another hash on the same file. When the employee compared the values of the two hashes, they were exactly the same. Which goal of encryption has the employee demonstrated?

A. Confidentiality
B. Integrity
C. Non-repudiation
D. File integrity monitoring

A

B. Integrity

By comparing the two hashes of the file taken at different times, the employee has verified that the file did not change and demonstrated the encryption goal of integrity.