Module 19 - Cloud Computing ( EC Mode Part 01 ) Flashcards

1
Q

Which of the following cloud services provides features such as single sign-on, multi-factor authentication, identity governance and administration, access management, and intelligence collection?

A. IDaaS
B. PaaS
C. IaaS
D. SaaS

A

Answer: A. IDaaS (Identity as a Service)

Explanation:

A. IDaaS (Identity as a Service):
IDaaS is a cloud-based service that provides secure and seamless access to applications, services, and resources. It includes features such as single sign-on (SSO), multi-factor authentication (MFA), identity governance and administration, access management, and intelligence collection.

B. PaaS (Platform as a Service):
PaaS provides a platform for developers to build and deploy applications without having to manage the underlying infrastructure. It typically includes tools and frameworks for developing, testing, and deploying applications.

C. IaaS (Infrastructure as a Service):
IaaS provides access to virtualized computing resources over the internet. It includes features such as virtual machines, storage, and networking, and allows users to manage and scale their own infrastructure.

D. SaaS (Software as a Service):
SaaS provides access to software applications over the internet, typically through a web browser. Users do not need to install or maintain the software themselves, as it is hosted and managed by the SaaS provider.

2
Q

Which of the following cloud deployment models is a combination of two or more clouds that remain unique entities but are bound together, where an organization makes available and manages some resources in-house and provides other resources externally?

A. Hybrid cloud
B. Public cloud
C. Community cloud
D. Multi-cloud

A

Answer: A. Hybrid cloud

Public Cloud:
In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet. The provider is responsible for creating and continuously maintaining the public cloud and its IT resources. Public cloud services may be free or based on a pay-per-usage model (e.g., Amazon Elastic Compute Cloud (EC2), Google App Engine, Windows Azure Services Platform, IBM Bluemix).

Multi Cloud:
A multi cloud is a dynamic, heterogeneous environment that combines workloads across multiple cloud vendors, managed through a single interface, to meet long-term business goals. It uses computing and storage services from several vendors and distributes cloud assets, software, and applications across those hosting environments. Unlike a hybrid cloud, the clouds in a multi cloud are not bound together; they are used in parallel.

Community Cloud:
It is a multi-tenant infrastructure shared among organizations from a specific community with common computing concerns, such as security, regulatory compliance, performance requirements, and jurisdiction. The community cloud can be either on- or off-premises and is governed by the participating organizations or by a third-party managed service provider (e.g., Optum Health Cloud, Salesforce Health Cloud).

Hybrid Cloud:
It is a cloud environment composed of two or more clouds (private, public, or community) that remain unique entities but are bound together to offer the benefits of multiple deployment models. In this model, the organization manages some resources in-house and obtains other resources externally (e.g., Microsoft Azure, Zymr, Parangat, Logicalis).

3
Q

Which of the following is the layer in the cloud storage architecture that performs several functions such as data de-duplication and data replication?

A. Back-end layer
B. Middleware layer
C. Application layer
D. Front-end layer

A

Answer: B. Middleware layer

Explanation:

Front-end layer:
The Front-end layer is accessed by the end user where it provides APIs for the management of data storage.

Middleware layer:
The Middleware layer performs several functions such as data de-duplication and replication of data.

Back-end layer:
The Back-end layer is where the hardware is implemented.

Application Layer:
The Application layer is not part of the three-layer cloud storage architecture at all; it comes from the cloud security control layers, where it covers the software development lifecycle, binary analysis, scanners, web application firewalls, transactional security, and other mechanisms that protect applications and their data from external threats. It appears here only as a distractor.
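The middleware layer's two jobs, de-duplication and replication, are easier to reason about in code. The following is an added illustration written for this page, not code from the flashcard source or from any storage product; the chunk size, replication factor, node names and sample objects are constructed assumptions. It also shows why the digest that de-duplicates a chunk doubles as its integrity check on the way back out:

```python
"""Toy model of the cloud-storage middleware layer: content-addressed
de-duplication plus N-way replication over back-end nodes.
Added illustration for this page, not the flashcard's material; the
chunk size, replication factor, node names and sample data are assumed."""
import hashlib

CHUNK_SIZE = 4          # assumed, deliberately tiny so the sample data repeats
REPLICATION_FACTOR = 2  # assumed: each unique chunk lives on two distinct nodes


class BackEnd:
    """Back-end layer: plain blob stores, one dict per storage node."""

    def __init__(self, node_names):
        self.nodes = {name: {} for name in node_names}

    def put(self, node, digest, chunk):
        self.nodes[node][digest] = chunk

    def get(self, node, digest):
        return self.nodes[node].get(digest)   # None when the replica is missing


class Middleware:
    """Middleware layer: chunking, SHA-256 de-duplication, N-way replication,
    and integrity-checked reads."""

    def __init__(self, backend):
        if REPLICATION_FACTOR > len(backend.nodes):
            raise ValueError("replication factor exceeds node count")
        self.backend = backend
        self.node_names = sorted(backend.nodes)
        self.manifests = {}      # object name -> ordered list of chunk digests
        self.placement = {}      # digest -> nodes holding that chunk
        self.logical_bytes = 0   # bytes the clients wrote
        self.physical_bytes = 0  # bytes actually pushed to the back end

    def _place(self, digest):
        # Deterministic placement: start at a node derived from the digest,
        # then take the next REPLICATION_FACTOR nodes in ring order.
        start = int(digest[:8], 16) % len(self.node_names)
        return [self.node_names[(start + i) % len(self.node_names)]
                for i in range(REPLICATION_FACTOR)]

    def put_object(self, name, data):
        digests = []
        for off in range(0, len(data), CHUNK_SIZE):
            chunk = data[off:off + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.placement:        # de-duplication: store once
                nodes = self._place(digest)
                for node in nodes:                  # replication: N copies
                    self.backend.put(node, digest, chunk)
                    self.physical_bytes += len(chunk)
                self.placement[digest] = nodes
            digests.append(digest)
        self.manifests[name] = digests
        self.logical_bytes += len(data)

    def get_object(self, name):
        out = bytearray()
        for digest in self.manifests[name]:
            for node in self.placement[digest]:
                chunk = self.backend.get(node, digest)
                # Skip missing or tampered replicas; the digest is the contract.
                if chunk is not None and hashlib.sha256(chunk).hexdigest() == digest:
                    out += chunk
                    break
            else:
                raise IOError(f"no intact replica of chunk {digest[:12]} for {name}")
        return bytes(out)

    def dedup_ratio(self):
        return self.logical_bytes / self.physical_bytes if self.physical_bytes else 0.0


def demo():
    """Constructed sample: two objects sharing a chunk, then a node outage.
    Returns (logical bytes, physical bytes, reads still intact)."""
    backend = BackEnd(["node-a", "node-b", "node-c"])
    mw = Middleware(backend)
    mw.put_object("claims.csv", b"ABCDABCDABCD")   # three identical chunks
    mw.put_object("notes.txt", b"ABCDXYZ")         # one shared + one new chunk
    backend.nodes["node-a"].clear()                # simulate losing a node
    intact = (mw.get_object("claims.csv") == b"ABCDABCDABCD"
              and mw.get_object("notes.txt") == b"ABCDXYZ")
    return mw.logical_bytes, mw.physical_bytes, intact


if __name__ == "__main__":
    print(demo())   # 19 logical bytes stored as 14 physical, reads survive a node loss
```

Two things worth noticing. De-duplication is why 19 logical bytes cost 14 physical bytes even with every chunk stored twice, and it is also why one corrupted chunk can silently damage every object that references it; the per-replica digest check on read is what turns replication into something you can trust, because a replica that disagrees with the manifest is skipped rather than returned, so a tampered or failed back-end node costs availability, not integrity.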

4
Q

Which characteristic of cloud computing is described by the “pay-per-use” metering method, where subscribers pay for cloud services by monthly subscription or according to their usage of resources such as storage levels, processing power, and bandwidth?

A. Measured service
B. Distributed storage
C. Virtualization technology
D. Automated management

A

Answer: A. Measured service

Explanation:

Distributed storage:
Distributed storage in the cloud offers better scalability, availability, and reliability of data. However, cloud distributed storage can potentially raise security and compliance concerns.

Automated management:
By minimizing user involvement, cloud automation speeds up the process and reduces labor costs and the possibility of human error.

Measured service:
Cloud systems employ the “pay-per-use” metering method. Subscribers pay for cloud services by monthly subscription or according to the usage of resources such as storage levels, processing power, and bandwidth. Cloud service providers monitor, control, report, and charge consumption of resources by customers with complete transparency.

Virtualization technology:
Virtualization technology in the cloud enables the rapid scaling of resources in a way that non-virtualized environments cannot achieve.

5
Q

In which of the following characteristics of cloud computing does cloud automation expedite the process, reduce labor costs, and minimize the possibility of human error by minimizing user involvement?

A. Resource pooling
B. Automated management
C. Broad network access
D. Rapid elasticity

A

Answer: B. Automated management

Broad network access:
Cloud resources are available over the network and accessed through standard mechanisms from a wide variety of client platforms, including laptops, mobile phones, and personal digital assistants (PDAs).

Rapid elasticity:
The cloud offers instant provisioning of capabilities to rapidly scale up or down, according to demand. To the consumers, the resources available for provisioning seem to be unlimited and can be purchased in any quantity at any point of time.

Resource pooling:
The cloud service provider pools its resources to serve multiple customers in a multi-tenant environment, with physical and virtual resources dynamically assigned and reassigned according to consumer demand.

Automated management:
By minimizing user involvement, cloud automation speeds up the process and reduces labor costs and the possibility of human error.

6
Q

Which of the following actors in the NIST cloud deployment reference architecture acts as an intermediary for providing connectivity and transport services between cloud consumers and providers?

A. Cloud auditor
B. Cloud carrier
C. Cloud consumer
D. Cloud provider

A

Answer: B. Cloud carrier

Explanation:

Cloud Carrier:
A cloud carrier acts as an intermediary that provides connectivity and transport services between CSPs and cloud consumers. The cloud carrier provides access to consumers via a network, telecommunication, or other access devices.

Cloud Auditor:
A cloud auditor is a party that performs an independent examination of cloud service controls to express an opinion thereon. Audits verify adherence to standards through a review of the objective evidence.

Cloud Consumer:
A cloud consumer is a person or organization that maintains a business relationship with the cloud service providers (CSPs) and utilizes the cloud computing services.

Cloud Provider:
A cloud provider is a person or organization who acquires and manages the computing infrastructure intended for providing services (directly or via a cloud broker) to interested parties via network access.

7
Q

Highlander, Incorporated, is a medical insurance company with several regional company offices in North America. There are various types of employees working in the company, including technical teams, sales teams, and work-from-home employees. Highlander takes care of the security patches and updates of official computers and laptops; however, the computers or laptops of the work-from-home employees are to be managed by the employees or their ISPs. Highlander employs various group policies to restrict the installation of any third-party applications.

As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company email in order to respond to requests for updates. Employees are responsible for keeping their phones up to date with the latest patches. The phones are not used to directly connect to any other resources in the Highlander, Incorporated, network.

The database that hosts the information collected from the insurance application is hosted on a cloud-based file server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-based file server, and the company uses work folders to synchronize offline copies back to their devices. Apart from Highlander employees, no one can access the cloud service.

Quiz: What type of cloud service is Highlander using?

A. Public cloud
B. Hybrid cloud
C. Private cloud
D. Community cloud

A

Answer: C. Private cloud

Explanation:

Private Cloud:
A private cloud, also known as an internal or corporate cloud, is a cloud infrastructure operated solely for a single organization. The organization can implement the private cloud within a corporate firewall. Organizations deploy private cloud infrastructures to retain full control over corporate data. The deciding clue in the scenario is the last sentence: apart from Highlander employees, no one can access the cloud service, which is the single-tenant property that defines a private cloud in this material. (Office 365 itself is a public SaaS offering, so a strict reading of the scenario is a mix; the quiz keys on the restricted-access file service.)

Public Cloud:
In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet. In this model, the cloud provider is liable for the creation and constant maintenance of the public cloud and its IT resources.

Community Cloud:
It is a multi-tenant infrastructure shared among organizations from a specific community with common computing concerns such as security, regulatory compliance, performance requirements, and jurisdiction.

Hybrid Cloud:
It is a cloud environment composed of two or more clouds (private, public, or community) that remain unique entities but are bound together to offer the benefits of multiple deployment models.

8
Q

Which of the following three service models are the standard cloud service models?

A. SaaS, IaaS, and hybrid
B. SaaS, PaaS, and IaaS
C. XaaS, private, and public
D. Private, public, and community

A

Answer: B. SaaS, PaaS, and IaaS

Explanation:

Option (b) is the only selection that contains all three standard cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Options (a), (c), and (d) each mix one or two service models (or the umbrella term XaaS) with cloud deployment models such as private, public, community, or hybrid. Deployment models describe who operates and shares the infrastructure; service models describe what is delivered as a service.

9
Q

What type of cloud service model will the new e-mail system be running on if XYZ Corp. migrates its legacy on-premise e-mail system to a cloud-based e-mail provider?

A. IaaS
B. XaaS
C. PaaS
D. SaaS

A

Answer: D. SaaS

Explanation:

SaaS is correct: a hosted e-mail provider sells the use of a finished application (mailboxes, web and mobile clients, spam filtering) that XYZ reaches over the Internet, while the provider runs the servers and handles patching and backups.

IaaS and PaaS are real cloud service models but do not fit the scenario. With IaaS, XYZ would be renting virtual machines and installing and operating its own mail server; with PaaS, it would be deploying its own application onto a managed runtime. Neither is what “migrating to a cloud-based e-mail provider” describes.

XaaS is not a specific cloud service model but an umbrella term for “anything as a service” that covers the whole family of offerings, so it cannot be the answer to a question asking which model the system runs on.

10
Q

Which of the following services and deployment models would meet the requirements of XYZ Partners LLC, a cloud-based startup that needs to run their Windows server VMs and directory services from the cloud and must be SOC 2 compliant while storing sensitive PII?

A. XaaS and community
B. PaaS and public
C. IaaS and private
D. SaaS and hybrid

A

Answer: C. IaaS and private

Explanation:

IaaS and private is the expected answer. Running Windows Server VMs and directory services (a domain controller) means XYZ needs operating-system level control of the machines, which only IaaS provides: SaaS exposes a finished application and PaaS exposes a runtime, and neither lets you stand up your own VMs and join them to a directory. The private deployment model is paired with it because this material treats single-tenant, organization-controlled infrastructure as the appropriate place for sensitive PII under a SOC 2 obligation.

Why the other pairs fail: PaaS and public gives no VMs. SaaS and hybrid gives no VMs either, and hybrid alone does not answer where the PII is stored. XaaS is an umbrella term (“anything as a service”), not a specific model that can be selected, and a community cloud is shared with other organizations.

Caveat for practitioners: a public cloud is not inherently less secure than a private one, and SOC 2 reports are routinely issued for workloads that run on public IaaS. What the audit examines is the controls the organization applies (access control, encryption, logging, change management), so the deployment model is one way to satisfy those controls, not a substitute for them.

11
Q

In which of the following cloud deployment models does the provider make services such as applications, servers, and data storage available to the public over the Internet?

A. Community cloud
B. Public cloud
C. Private cloud
D. Hybrid cloud

A

Answer: B. Public cloud

Explanation:

Public Cloud:
In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet. The cloud provider is responsible for creating and maintaining the public cloud and its IT resources.

Private Cloud:
A private cloud, also known as internal or corporate cloud, is a cloud infrastructure that a single organization operates solely.

Community Cloud:
It is a multi-tenant infrastructure shared among organizations from a specific community with common computing concerns such as security, regulatory compliance, performance requirements, and jurisdiction.

Hybrid Cloud:
It is a cloud environment comprised of two or more clouds (private, public, or community) that remain unique entities but are bound together to offer the benefits of multiple deployment models.

12
Q

Which of the following actors in the NIST cloud reference architecture manages cloud services in terms of use, performance, and delivery, and maintains the relationship between cloud providers and consumers?

A. Cloud consumer
B. Cloud provider
C. Cloud broker
D. Cloud carrier

A

Answer: C. Cloud broker

Explanation:

Cloud Consumer:
A cloud consumer is a person or organization that maintains a business relationship with cloud service providers and uses cloud computing services. The cloud consumer browses the CSP’s service catalog, requests the desired services, sets up service contracts with the CSP (either directly or via a cloud broker), and uses the service.

Cloud Provider:
A cloud provider is a person or organization who acquires and manages the computing infrastructure intended for providing services (directly or via a cloud broker) to interested parties via network access.

Cloud Broker:
Integration of cloud services is becoming too complicated for cloud consumers to manage. Thus, a cloud consumer may request cloud services from a cloud broker, rather than directly contacting a CSP. The cloud broker is an entity that manages cloud services regarding use, performance, and delivery, and maintains the relationship between CSPs and cloud consumers.

Cloud Carrier:
A cloud carrier acts as an intermediary that provides connectivity and transport services between CSPs and cloud consumers. The cloud carrier provides access to consumers via a network, telecommunication, and other access devices.

13
Q

Which of the following is a cloud-computing and remote-access service that offers anything as a service over the Internet based on the user’s demand?

A. DaaS
B. FWaaS
C. MBaaS
D. XaaS

A

Answer: D. XaaS

Explanation:

Anything-as-a-Service (XaaS):
Anything as a service or everything as a service (XaaS) is a cloud-computing and remote-access service that offers anything as a service over the Internet based on the user’s demand. XaaS offers secure services such as customer relationship management (CRM), cloud computing, and directory services (e.g., NetApp, AWS Elastic Beanstalk, Heroku, and Apache Stratos).

Firewalls-as-a-Service (FWaaS):
This cloud computing service protects users and organizations from both internal and external threats by filtering the network traffic. FWaaS includes enhanced data analysis capabilities, including the ability to detect malware attacks, in addition to security functionality such as packet filtering, network analyzing, and IPsec (e.g., Zscaler Cloud Firewall, SecurityHQ, Secucloud, Fortinet, Cisco, and Sophos).

Desktop-as-a-Service (DaaS):
This cloud computing service offers on-demand virtual desktops and apps to subscribers. Cloud service providers are responsible for providing infrastructure, computing power, data storage, backup, patching, and maintenance. Cloud providers deliver DaaS as a multi-tenancy subscription. The provider charges for the service with a predictable pay-as-you-need model (e.g., Amazon WorkSpaces, Citrix Managed Desktops, and Azure Windows Virtual Desktop).

Mobile Backend-as-a-Service (MBaaS):
This cloud computing service allows app developers to integrate their front-end applications with backend infrastructure through an application programming interface (API) and software development kit (SDK). This service reduces the time developers spend on developing backend functionality. It provides user management, push notifications, cloud storage, database management, and geolocation to develop applications (e.g., Google’s Firebase, AWS Amplify, Kinvey, Apple’s CloudKit, and Backendless Cloud).

14
Q

Identify the cloud computing service that protects users and organizations from both internal and external threats by filtering network traffic and includes the ability to detect malware attacks, in addition to security functionalities such as packet filtering, network analyzing, and IPsec.

A. IDaaS
B. CaaS
C. FWaaS
D. FaaS

A

Answer: C. FWaaS

Explanation:

Identity-as-a-Service (IDaaS):
This cloud computing service offers authentication services to the subscribed enterprises and is managed by a third-party vendor to provide identity and access management services. It provides services such as Single-Sign-On (SSO), Multi-Factor-Authentication (MFA), Identity Governance and Administration (IGA), access management, and intelligence collection. These services allow subscribers to access sensitive data more securely both on and off-premises (e.g., OneLogin, Centrify Identity Service, Microsoft Azure Active Directory, Okta).

Firewalls-as-a-Service (FWaaS):
This cloud computing service protects users and organizations from both internal and external threats by filtering the network traffic. FWaaS includes enhanced data analysis capabilities, including the ability to detect malware attacks, in addition to security functionality such as packet filtering, network analyzing, and IPsec (e.g., Zscaler Cloud Firewall, SecurityHQ, Secucloud, Fortinet, Cisco, and Sophos).

Container-as-a-Service (CaaS):
This cloud computing model provides containers and clusters as a service to its subscribers. It provides services such as virtualization of container engines and management of containers, applications, and clusters through a web portal or an API. Using these services, subscribers can develop rich, scalable containerized applications in the cloud or in on-site data centers. CaaS inherits features of both IaaS and PaaS (e.g., Amazon Elastic Container Service (ECS), Google Kubernetes Engine (GKE)).

Function-as-a-Service (FaaS):
This cloud computing service provides a platform for developing, running, and managing application functionalities without the complexity of building and maintaining necessary infrastructure (serverless architecture). This model is mostly used while developing applications for microservices. It provides on-demand functionality to the subscribers that powers off the supporting infrastructure and incurs no charges when not in use. It provides data processing services, such as Internet of Things (IoT) services for connected devices, mobile and web applications, and batch-and-stream processing (e.g., AWS Lambda, Google Cloud Functions, Microsoft Azure Functions, Oracle Functions).
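The packet-filtering half of the FWaaS description above, as an added example that is not part of the flashcard text or any vendor's product: a first-match rule engine with a default deny, a constructed policy that covers both the internal side (lateral movement between tenant hosts) and the external side, and a shadowed-rule check, because a rule that can never fire is the most common way a cloud firewall policy silently stops doing what its author thinks. All address ranges, rules and sample flows are assumptions.

```python
"""First-match packet-filter policy of the kind a FWaaS applies in front of a
tenant. Added example for this page, not the flashcard material or any
vendor's code: the address ranges, rules and sample flows are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 when the protocol has no port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = ()          # empty tuple means any destination port
    log: bool = False

    def matches(self, flow):
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and (not self.dports or flow.dport in self.dports))

    def covers(self, other):
        """True when every flow matching `other` would already match self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (not self.dports or (bool(other.dports) and set(other.dports) <= set(self.dports))))


INTERNAL = "10.0.0.0/8"   # assumed tenant address space (the "internal" side)

POLICY = [
    # Internal threat: stop lateral SMB between tenant hosts and log the attempt.
    Rule("deny", src=INTERNAL, dst=INTERNAL, proto="tcp", dports=(445,), log=True),
    # External traffic may reach only the published HTTPS front end.
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dports=(443,)),
    # Internal hosts may resolve names and browse outbound.
    Rule("allow", src=INTERNAL, proto="udp", dports=(53,)),
    Rule("allow", src=INTERNAL, proto="tcp", dports=(80, 443)),
]


def evaluate(flow, policy=POLICY):
    """Return (action, index of the matching rule). Unmatched flows fall to an
    implicit default deny, which is the safe failure mode for a filter."""
    for idx, rule in enumerate(policy):
        if rule.matches(flow):
            return rule.action, idx
    return "deny", None


def shadowed_rules(policy):
    """(shadowed index, shadowing index) pairs: rules that can never fire
    because an earlier rule already covers every flow they match. A shadowed
    rule with the opposite action is a policy bug, not just dead config."""
    found = []
    for j, later in enumerate(policy):
        for i in range(j):
            if policy[i].covers(later):
                found.append((j, i))
                break
    return found


SAMPLE_FLOWS = [   # constructed traffic, not captured data
    Flow("198.51.100.7", "10.0.1.10", "tcp", 443),   # Internet -> web front end
    Flow("198.51.100.7", "10.0.1.10", "tcp", 22),    # Internet -> SSH, unlisted
    Flow("10.0.2.5", "10.0.3.9", "tcp", 445),        # workstation -> server SMB
    Flow("10.0.2.5", "203.0.113.1", "udp", 53),      # internal DNS lookup
    Flow("10.0.2.5", "203.0.113.1", "tcp", 443),     # internal HTTPS egress
    Flow("10.0.2.5", "10.0.3.9", "tcp", 3389),       # lateral RDP, unlisted
]


def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    return [evaluate(f, policy) for f in flows]


if __name__ == "__main__":
    for flow, (action, idx) in zip(SAMPLE_FLOWS, audit()):
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.proto}/{flow.dport:<5} {action} (rule {idx})")
    dead = Rule("allow", src="10.0.2.0/24", proto="tcp", dports=(443,))
    print("shadowed:", shadowed_rules(POLICY + [dead]))   # [(4, 3)]
```

The order of the first two rules is the whole point of a first-match engine: the lateral-SMB deny sits before any allow so that no later, broader rule can let it through, and everything not explicitly listed (SSH from the Internet, RDP between workstations) is dropped by the default rather than passed. The `shadowed_rules` check is the review a practitioner should run on every policy change; in the constructed case, the appended allow for a /24 is fully covered by the earlier tenant-wide allow on 80/443 and would never be consulted.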

15
Q

Which of the following cloud computing models allows manufacturers to sell or lease equipment to clients and receive a percentage of profits generated by that equipment?

A. PaaS
B. SECaaS
C. MaaS
D. FWaaS

A

Answer: C. MaaS

Explanation:

Machines-as-a-Service (MaaS) Business Model:
This cloud computing model, also known as Equipment-as-a-Service (EaaS), allows manufacturers to sell or lease machines to clients and receive a percentage of the profits those machines generate. Both parties benefit: the client avoids the capital outlay, and the manufacturer keeps a revenue stream tied to the machine's output, which the cloud connection lets both sides track in real time.

Firewalls-as-a-Service (FWaaS):
This cloud computing service protects users and organizations from both internal and external threats by filtering the network traffic. FWaaS includes enhanced data analysis capabilities, including the ability to detect malware attacks, in addition to security functionality such as packet filtering, network analyzing, and IPsec (e.g., Zscaler Cloud Firewall, SecurityHQ, Secucloud, Fortinet, Cisco, and Sophos).

Platform-as-a-Service (PaaS):
This type of cloud computing service allows for the development of applications and services. Subscribers need not buy and manage the software and infrastructure underneath it but have authority over deployed applications and perhaps application hosting environment configurations. This offers development tools, configuration management, and deployment platforms on-demand, which can be used by subscribers to develop custom applications (e.g., Google App Engine, Salesforce, Microsoft Azure).

Security-as-a-Service (SECaaS):
This cloud computing model integrates security services into corporate infrastructure in a cost-effective way. It is developed based on SaaS and does not require any physical hardware or equipment. Therefore, it drastically reduces the cost compared to that spent when organizations establish their own security capabilities. It provides services such as penetration testing, authentication, intrusion detection, anti-malware, security incident and event management (e.g., eSentire MDR, Switchfast Technologies, OneNeck IT Solutions, Foundstone Managed Security Services).

16
Q

Which of the following types of cloud platforms is most secure?

A. Internal
B. Hybrid
C. Public
D. Private

A

Answer: D. Private

Explanation for (d):
A private cloud is the expected answer: it is owned and operated for a single organization, so the organization keeps the control it would have hosting on-premises while still getting cloud-style provisioning.

Explanation for (c):
A public cloud is multi-tenant and run by the provider; the customer controls only what the shared-responsibility split leaves to it and has no say over the underlying platform.

Explanation for (b):
A hybrid cloud combines private and public clouds, so its overall security is bounded by its public component and by the links between the two.

Explanation for (a):
“Internal cloud” is the name this material uses elsewhere (cards 7 and 11) as a synonym for a private cloud, so it is a distractor by wording rather than by meaning; the term the question expects is “Private”.

Caveat: single tenancy by itself does not make a platform secure. A well-run public cloud can be more secure than a poorly run private one; what decides it is how identity, encryption, patching, and logging are actually configured.

17
Q

You are a security engineer for XYZ Corp. You are looking for a cloud-based e-mail provider to migrate the company’s legacy on-premise e-mail system to. What type of cloud service model will the new e-mail system be running on?

A. SaaS
B. PaaS
C. IaaS
D. XaaS

A

Answer: A. SaaS

Explanation:

SaaS is correct because XYZ is buying the use of a finished application hosted in the cloud; the provider runs and patches the mail servers.
IaaS and PaaS are wrong because they would leave XYZ operating its own mail server on rented VMs or a managed runtime, and XaaS is wrong because it is an umbrella term for “anything as a service” rather than a specific service model.

18
Q

Which of the following cloud deployment models is a highly flexible model that holds several types of cloud services which can be supplied to other clouds, helping users choose a specific feature required from each cloud?

A. Private cloud
B. Poly cloud
C. Distributed cloud
D. Public cloud

A

Answer: B. Poly cloud

Explanation:

Public Cloud: In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet. The provider is responsible for creating and continuously maintaining the public cloud and its IT resources. Public cloud services may be free or based on a pay-per-usage model (e.g., Amazon Elastic Compute Cloud (EC2), Google App Engine, Windows Azure Services Platform, IBM Bluemix).

Private Cloud: A private cloud, also known as an internal or corporate cloud, is a cloud infrastructure operated by a single organization and implemented within a corporate firewall. Organizations deploy private cloud infrastructures to retain full control over corporate data (e.g., BMC Software, VMware vRealize Suite, SAP Cloud Platform).

Distributed Cloud: It is a centrally managed cloud environment composed of geographically distributed public or private clouds controlled from a single control plane, providing services to end users located on or off site. In this model, the end user can access data anywhere, with a local data center providing edge computing capability that improves data privacy and meets local governance policies.

Poly Cloud: This type of cloud technology holds several types of cloud services, which can be supplied to other clouds. Unlike a multi cloud, it presents the features of various clouds on a single platform, giving users features from different cloud services according to their requirements. This model also helps users choose a specific feature required from each cloud to perform different tasks in their business environment. It provides specialized automation applications such as AI and ML services (e.g., Google Cloud Platform (GCP) and Amazon Web Services (AWS)).

19
Q

Which of the following cloud broker services improves a given function by a specific capability and provides value-added services to cloud consumers?

A. Service arbitrage
B. Service aggregation
C. Distributed storage
D. Service intermediation

A

Answer: D. Service intermediation

Explanation:

Service Intermediation:
Improves a given function by a specific capability and provides value-added services to cloud consumers.

Service Aggregation:
Combines and integrates multiple services into one or more new services.

Service Arbitrage:
It is like service aggregation but without the fixing of the aggregated services (the cloud broker can choose services from multiple agencies).

Distributed Storage:
Distributed storage is a characteristic of cloud computing that offers better scalability, availability, and reliability of data. However, cloud distributed storage can potentially raise security and compliance concerns.

20
Q

Highlander, Incorporated, is a medical insurance company with several regional company offices in North America. There are various types of employees working in the company, including technical teams, sales teams, and work-from-home employees. Highlander takes care of the security patches and updates of official computers and laptops; however, the computers or laptops of the work-from-home employees are to be managed by the employees or their ISPs. Highlander employs various group policies to restrict the installation of any third-party applications.

As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company email in order to respond to requests for updates. Employees are responsible for keeping their phones up to date with the latest patches. The phones are not used to directly connect to any other resources in the Highlander, Incorporated, network.

The database that hosts the information collected from the insurance application is hosted on a cloud-based file server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-based file server, and the company uses work folders to synchronize offline copies back to their devices. Apart from Highlander employees, no one can access the cloud service.

Quiz: What type of cloud service is Highlander, Incorporated, using?

A. Private cloud
B. Public cloud
C. Community cloud
D. Hybrid cloud

A

Answer: A. Private cloud

Explanation:

Private Cloud:
A private cloud, also known as internal or corporate cloud, is a cloud infrastructure that a single organization operates solely. The organization can implement the private cloud within a corporate firewall. Organizations deploy private cloud infrastructures to retain full control over corporate data.

Public Cloud:
In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet. In this model, the cloud provider is liable for the creation and constant maintenance of the public cloud and its IT resources.

Community Cloud:
It is a multi-tenant infrastructure shared among organizations from a specific community with common computing concerns such as security, regulatory compliance, performance requirements, and jurisdiction.

Hybrid Cloud:
It is a cloud environment comprised of two or more clouds (private, public, or community) that remain unique entities but are bound together to offer the benefits of multiple deployment models.

21
Q

Which of the following types of cloud computing services provides virtual machines and other abstracted hardware and operating systems (OSs) which may be controlled through a service API?

A. XaaS
B. PaaS
C. SaaS
D. IaaS

A

Answer: D. IaaS

Explanation:
Infrastructure-as-a-Service (IaaS): This cloud computing service enables subscribers to use fundamental IT resources such as computing power, virtualization, data storage, and networking on demand. This service provides virtual machines and other abstracted hardware and operating systems (OSs), which may be controlled through a service API. As cloud service providers are responsible for managing the underlying cloud computing infrastructure, subscribers can avoid the costs of human capital, hardware, and so on (e.g., Amazon EC2, GoGrid, Sungrid, Windows SkyDrive, Rackspace.com).
Platform-as-a-Service (PaaS): This type of cloud computing service offers a platform for the development of applications and services. Subscribers need not buy and manage the software and infrastructure underneath it but have authority over the deployed applications and perhaps the application hosting environment configuration. It offers development tools, configuration management, and deployment platforms on demand that subscribers can use to develop custom applications (e.g., Intel MashMaker, Google App Engine, Force.com, Microsoft Azure).
Software-as-a-Service (SaaS): This cloud computing service offers application software to subscribers on demand over the Internet; the provider charges for it on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users (e.g., web-based office applications such as Google Docs or Calendar, Salesforce CRM, FreshBooks, Basecamp).
Anything-as-a-Service (XaaS): Also known as everything-as-a-service, it encompasses all the other types of cloud services.

22
Q

Which of the following cloud computing services allows app developers to integrate their frontend applications with backend infrastructure through an application programming interface (API) and software development kit (SDK)?

A. MBaaS
B. FWaaS
C. DaaS
D. IDaaS

A

Answer: A. MBaaS

Explanation:
Identity-as-a-Service (IDaaS): This cloud computing service offers authentication services to the subscribed enterprises and is managed by a third-party vendor to provide identity and access management services. It provides services such as single sign-on (SSO), multi-factor authentication (MFA), identity governance and administration (IGA), access management, and intelligence collection. These services allow subscribers to access sensitive data more securely both on- and off-premises (e.g., OneLogin, Centrify Identity Service, Microsoft Azure Active Directory, Okta).
Firewalls-as-a-Service (FWaaS): This cloud computing service protects users and organizations from both internal and external threats by filtering the network traffic. FWaaS includes enhanced data analysis capabilities, including the ability to detect malware attacks, in addition to security functionality such as packet filtering, network analysis, and IPsec (e.g., Zscaler Cloud Firewall, SecurityHQ, Secucloud, Fortinet, Cisco, and Sophos).
Desktop-as-a-Service (DaaS): This cloud computing service offers on-demand virtual desktops and apps to subscribers. Cloud service providers are responsible for providing infrastructure, computing power, data storage, backup, patching, and maintenance. Cloud providers deliver DaaS as a multi-tenancy subscription. The provider charges for the service with a predictable pay-as-you-need model (e.g., Amazon WorkSpaces, Citrix Managed Desktops, and Azure Windows Virtual Desktop).
Mobile Backend-as-a-Service (MBaaS): This cloud computing service allows app developers to integrate their front-end applications with backend infrastructure through an application programming interface (API) and software development kit (SDK). This service reduces the time developers spend on developing backend functionality. It provides user management, push notifications, cloud storage, database management, and geolocation to develop applications (e.g., Google’s Firebase, AWS Amplify, Kinvey, Apple’s CloudKit, and Backendless Cloud).

23
Q

Which of the following cloud deployment models is a highly flexible model that holds several types of cloud services that can be supplied to different other clouds to help users choose a specific feature required from each cloud?

A. Distributed cloud
B. Public cloud
C. Private cloud
D. Poly cloud

A

Answer: D. Poly cloud

Explanation:
Public Cloud: In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet. Therefore, the provider is liable for the creation and constant maintenance of the public cloud and its IT resources. Public cloud services may be free or based on a pay-per-usage model (e.g., Amazon Elastic Compute Cloud (EC2), Google App Engine, Windows Azure Services Platform, IBM Bluemix).

Private Cloud: A private cloud, also known as the internal or corporate cloud, is a cloud infrastructure operated by a single organization and implemented within a corporate firewall. Organizations deploy private cloud infrastructures to retain full control over corporate data (e.g., BMC Software, VMware vRealize Suite, SAP Cloud Platform).

Distributed Cloud: It is a centralized cloud environment comprised of geographically distributed public or private clouds controlled through a single control plane, providing services to end users located on or off site. In this model, the end user can access data anywhere, as a local data center provides edge computing capability that improves data privacy and meets local governance policies.

Poly Cloud: This type of cloud technology holds several types of cloud services, which can be supplied to different other clouds. Unlike a multi-cloud, it provides the features of various clouds on a single platform, giving users features from different cloud services based on their requirements. This model also helps users choose the specific feature required from each cloud to perform different tasks in their business environment. It provides specialized automation applications such as AI and ML services (e.g., Google Cloud Platform (GCP) and Amazon Web Services (AWS)).

24
Q

Which of the following cloud platforms is most secure?

A. Internal
B. Hybrid
C. Public
D. Private

A

Answer: D. Private

Explanation:
A private cloud platform is the most secure, as it is owned and maintained by a single entity that has the flexibility of the cloud but the security and control of hosting on-premises.

Public/hybrid/internal cloud platforms are not correct answers because they are not as secure.

25
Q

Which of the following tiers in the container technology architecture transforms images into containers and deploys containers to hosts?

A. Tier 1: Developer machines
B. Tier 2: Testing and accreditation systems
C. Tier 3: Registries
D. Tier 4: Orchestrators

A

Answer: D. Tier 4: Orchestrators

Tier-1: Developer machines - image creation, testing and accreditation

Tier-2: Testing and accreditation systems - verification and validation of image contents, signing images and sending them to the registries

Tier-3: Registries - storing images and disseminating images to the orchestrators based on requests

Tier-4: Orchestrators - transforming images into containers and deploying containers to hosts

26
Q

Which of the following is a docker remote driver that is a network plugin used to build a virtual network for connecting docker containers spread across multiple clouds?

A. Kuryr
B. Weave
C. Contiv
D. MACVLAN

A

Answer: B. Weave

Explanation:
Contiv: Contiv is an open-source network plugin introduced by Cisco for building security and infrastructure policies for multi-tenant microservices deployments.

Weave: Weave is a network plugin that is used to build a virtual network for connecting Docker containers spread across multiple clouds.

Kuryr: Kuryr is a network plugin that implements the Docker libnetwork remote driver by using Neutron, an OpenStack networking service, and also includes an IPAM driver.

MACVLAN: The macvlan driver is used to create a network connection between container interfaces and the parent host interface or sub-interfaces using the Linux MACVLAN bridge mode. It is a native network driver of the Docker engine.

27
Q

Which of the following tiers in the container technology architecture operates and manages containers as instructed by the orchestrator?

A. Tier 5: Hosts
B. Tier 3: Registries
C. Tier 1: Developer machines
D. Tier 2: Testing and accreditation systems

A

Answer: A. Tier 5: Hosts

Tier-1: Developer machines - image creation, testing and accreditation

Tier-2: Testing and accreditation systems - verification and validation of image contents, signing images and sending them to the registries

Tier-3: Registries - storing images and disseminating images to the orchestrators based on requests

Tier-4: Orchestrators - transforming images into containers and deploying containers to hosts

Tier-5: Hosts - operating and managing containers as instructed by the orchestrator

28
Q

Which of the following docker objects are read-only binary templates with instructions for container creation and are used to store and deploy containers?

A. Services
B. Networking
C. Images
D. Volumes

A

Answer: C. Images

Images:
Images are used to store and deploy containers. They are read-only binary templates with instructions for container creation.

Services:
Services enable users to extend the number of containers across daemons, and together they serve as a swarm with several managers and workers. Each swarm member is a daemon, and all these daemons can interact with each other using the Docker API.

Networking:
It is a channel through which all isolated containers communicate.

Volumes:
Volumes are the storage where persistent data created by Docker and used by Docker containers is stored.

29
Q

Which of the following is the docker native network driver that implements its own networking stack and is isolated completely from the host networking stack?

Answer Options:

A. None
B. MACVLAN
C. Overlay
D. Host

A

Answer:

A. None

Host:
By using a host driver, a container implements the host networking stack.

Overlay:
An overlay driver is used to enable container communication over the physical network infrastructure.

MACVLAN:
A macvlan driver is used to create a network connection between container interfaces and the parent host interface or sub-interfaces using the Linux MACVLAN bridge mode.

None:
A none driver implements its own networking stack and is isolated completely from the host networking stack.

30
Q

Which of the following constructs of the container network model comprises the container network stack configuration for the management of container interfaces, routing tables, and DNS settings?

Answer Options:

A. Bridge
B. Endpoint
C. Network
D. Sandbox

A

Answer:

D. Sandbox

Endpoint: An endpoint is a connection point for applications to access a network. It is abstracted away from the application to maintain portability and allows services to implement different network drivers.

Network: A network is a collection of interconnected endpoints. Endpoints without a network connection cannot communicate over the network.

Sandbox: A sandbox is a container’s network stack configuration that manages container interfaces, routing tables, and DNS settings.

Bridge: A bridge is a component of Docker’s native network drivers. The bridge driver creates a Linux bridge on the host that is managed by Docker.

31
Q

Which of the following node components of the Kubernetes cluster architecture is an important service agent that runs on each node and ensures that containers run in a pod?

Answer Options:

A. Etcd cluster
B. Kubelet
C. Kube-proxy
D. Container runtime

A

Answer:

The correct answer is B. Kubelet

Explanation:
Kube-proxy: It is a network proxy service that also runs on every worker node. This service maintains the network rules that enable network connection to the pods.

Etcd cluster: It is a distributed and consistent key-value storage where Kubernetes cluster data, service discovery details, API objects, etc. are stored. It is a master node component.

Container Runtime: The container runtime is the software designed to run the containers. Kubernetes supports various container runtimes, such as Docker, rktlet, containerd, and CRI-O.

Kubelet: The kubelet is an important service agent that runs on each node and ensures that containers are running in a pod. It also ensures that pods and containers are healthy and running as expected. The kubelet does not handle containers that were not created by Kubernetes.

32
Q

Which of the following is the property of container technology that makes it less secure than virtual machines?

Answer Options:

A. Created and launched in minutes
B. Process-level isolation
C. Heavyweight
D. Complete isolation

A

Answer:

The correct answer is B. Process-level isolation

Explanation:

Virtual Machines:

Heavyweight
Run on independent operating systems
Hardware-based virtualization
Slower provisioning
Limited performance
Completely isolated making it more secure
Created and launched in minutes

Containers:

Lightweight and portable
Share a single host operating system
OS-based virtualization
Scalable and real-time provisioning
Native performance
Process-level isolation, partially secured
Created and launched in seconds

33
Q

Which of the following serverless computing platforms allows users to run code without provisioning and managing servers?

Answer Options:

A. Portainer
B. Microsoft Azure Functions
C. Knative
D. Red Hat OpenShift

A

Answer:

The correct answer is B. Microsoft Azure Functions

Portainer and Red Hat OpenShift Container Platform are container management platforms.

Microsoft Azure Functions is a serverless computing platform that allows users to run code without provisioning and managing servers.

Knative is a Kubernetes-based platform to build, deploy, and manage modern serverless workloads.

34
Q

Which of the following components in the container network model assigns default subnet and IP addresses to the endpoints and networks if they are not assigned?

Answer Options:

A. IPAM drivers
B. Network drivers
C. Sandbox
D. Endpoint

A

Answer:

The correct answer is A. IPAM drivers

Sandbox: Sandbox comprises the container network stack configuration for the management of container interfaces, routing tables, and domain name system (DNS) settings.

Endpoint: To maintain application portability, an endpoint is connected to a network and is abstracted away from the application, so that services can implement different network drivers.

Network Drivers: The network functions through the implementation of Docker network drivers. These drivers are pluggable, so multiple network drivers can be used concurrently on the same network. There are two types of CNM network drivers, namely native and remote network drivers.

IPAM Drivers: IP address management (IPAM) drivers assign default subnet and IP addresses to the endpoints and networks if they are not assigned.

35
Q

Which of the following processes manages the lifecycles of software containers and schedules and distributes the work of individual containers for microservices-based applications?

Answer Options:

A. Microservices
B. Domain snipping
C. Sandbox
D. Container orchestration

A

Answer:

The correct answer is D. Container orchestration

Explanation:

Container Orchestration: Container orchestration is an automated process of managing the lifecycles of software containers and their dynamic environments. It is used for scheduling and distributing the work of individual containers for microservices-based applications spread across multiple clusters.

Sandbox: A sandbox comprises the container network stack configuration for the management of container interfaces, routing tables, and domain name system (DNS) settings.

Domain Snipping: Domain snipping involves registering an expired domain name. It allows multiple microservices to work together within a specific domain.

Microservices: Monolithic applications are broken down into cloud-hosted sub-applications called microservices that work together, each performing a unique task. As each microservice is packaged into the Docker container along with the required libraries, frameworks, and configuration files, microservices belonging to a single application can be developed and managed using multiple platforms.

36
Q

Which of the following docker components processes API requests and handles various docker objects, such as containers, volumes, images, and networks?

Answer Options:

A. Docker registries
B. Docker images
C. Docker client
D. Docker daemon

A

Answer:

The correct answer is D. Docker daemon

Explanation:

Docker Client: The Docker client is the primary interface that users use to communicate with Docker. When users enter Docker commands such as “docker run”, the client passes the commands to the Docker daemon for execution via the Docker API.

Docker Daemon: The Docker daemon (dockerd) is responsible for handling various Docker objects such as containers, images, volumes, and networks. It listens for Docker API requests and processes them accordingly.

Docker Images: Docker images are read-only templates that contain instructions for creating Docker containers. Images are used to store and distribute containerized applications and can be shared between multiple hosts. Docker images are built using a Dockerfile, which is a script that contains a set of instructions for building an image.

Docker Registries: Docker registries are locations where Docker images are stored and retrieved. Docker Hub is a public registry that allows developers to share and distribute their Docker images. Private registries can also be used for internal distribution of Docker images within an organization.

37
Q

Which of the following components of the container network model is connected to a network and is abstracted away from an application so that services can implement different network drivers?

Answer Options:

A. Bridge
B. Endpoint
C. Network
D. Sandbox

A

Answer:

The correct answer is B. Endpoint

Explanation:

Endpoint: An endpoint is a virtual object in Kubernetes that abstracts the details of a Kubernetes service. It allows the service to be easily changed without affecting the endpoint, which provides stability to the service’s consumers.

Network: In Kubernetes, a network is a set of nodes and their associated resources that are used to communicate with each other. It allows the containers and services running in the cluster to communicate with each other.

Sandbox: A sandbox is a container used by Kubernetes to isolate the network resources of a pod. It includes the network stack, IP address, and routing table for the pod.

Bridge: A bridge is a component of the Docker native network drivers that creates a virtual network interface on the host machine. It allows containers to communicate with each other and with the outside world.

38
Q

Which of the following technologies is a function as a service (FaaS) and a cloud-based application architecture that simplifies the process of application deployment and eliminates the need for developers to manage the server and hardware?

Answer Options:

A. Docker
B. Container
C. Serverless computing
D. Kubernetes

A

Answer:

The correct answer is C. Serverless computing

Container:
A container is a self-contained package of software and all its dependencies, designed to run independently of other processes in the cloud environment. Container-as-a-Service (CaaS) is a service that includes the virtualization of containers and container management through orchestrators, enabling subscribers to develop rich, scalable containerized applications on the cloud or on-site data centers.

Serverless computing:
Serverless computing, also known as serverless architecture or Function-as-a-Service (FaaS), is a cloud-based application architecture in which the cloud vendor provides the application infrastructure and supporting services as they are needed. This simplifies the process of application deployment and eliminates the need for developers to manage the server and hardware.

Kubernetes:
Kubernetes, or K8s, is an open-source, portable, extensible orchestration platform developed by Google for managing containerized applications and microservices. Kubernetes provides a resilient framework for managing distributed containers, generating deployment patterns, and performing failover and redundancy for applications.

Docker:
Docker is an open-source technology used for developing, packaging, and running applications and all their dependencies in the form of containers, ensuring seamless application execution in any environment. Docker provides a Platform-as-a-Service (PaaS) through OS-level virtualization and delivers containerized software packages.

39
Q

Which of the following components of the docker engine allows the communication and assignment of tasks to the daemon?

Answer Options:

A. Server
B. Rest API
C. Docker swarm
D. Client CLI

A

Answer:

The correct answer is B. Rest API

Client CLI: It is the command-line interface used to communicate with the daemon and where various Docker commands are initiated.

Rest API: This API allows the communication and assignment of tasks to the daemon.

Server: It is a persistent back-end process, also known as a daemon process (dockerd command).

Docker Swarm: The Docker engine supports the swarm mode that allows managing multiple Docker engines within the Docker platform. Docker CLI is used for creating a swarm, deploying an application to the swarm, and handling its activity or behavior.

40
Q

Which of the following types of DNS attack involves conducting phishing scams by registering a domain name that is similar to a CSP?

Answer Options:

A. Domain snipping
B. Cybersquatting
C. Domain hijacking
D. DNS poisoning

A

Answer:

The correct answer is B. Cybersquatting

Explanation:

DNS Poisoning: Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user’s system.

Cybersquatting: Involves conducting phishing scams by registering a domain name that is similar to a CSP.

Domain Hijacking: Involves stealing a CSP domain name.

Domain Snipping: Involves registering an expired domain name.

41
Q

In which of the following attacks does an attacker abuse cloud file synchronization services, such as Google Drive and Dropbox, for data compromise, command and control, data exfiltration, and remote access?

Answer Options:

A. Man-in-the-cloud attack
B. Cloud cryptojacking
C. Cloud hopper attack
D. Cloudborne attack

A

Answer:

The correct answer is A. Man-in-the-cloud attack

Man-in-the-Cloud (MITC) Attack: MITC attacks are carried out by abusing cloud file synchronization services, such as Google Drive or Dropbox, for data compromise, command and control (C&C), data exfiltration, and remote access. Synchronization tokens are used for application authentication in the cloud but cannot distinguish malicious traffic from normal traffic. Attackers abuse this weakness in cloud accounts to perform MITC attacks.

Cloud Hopper Attack: Cloud hopper attacks are triggered at managed service providers (MSPs) and their customers. Once the attack is successfully implemented, attackers can gain remote access to the intellectual property and critical information of the target MSP and its global users/customers. Attackers also move laterally in the network from one system to another in the cloud environment to gain further access to sensitive data pertaining to the industrial entities, such as manufacturing, government bodies, healthcare, and finance.

Cloud Cryptojacking: Cryptojacking is the unauthorized use of the victim’s computer to stealthily mine digital currency. Cryptojacking attacks are highly lucrative, involving both external attackers and internal rogue insiders. To perform this attack, attackers leverage attack vectors like cloud misconfigurations, compromised websites, and client or server-side vulnerabilities.

Cloudborne Attack: Cloudborne is a vulnerability residing in a bare-metal cloud server that enables attackers to implant a malicious backdoor in its firmware. The installed backdoor can persist even if the server is reallocated to new clients or businesses that use it as IaaS. Physical servers are not confined to one client and can be moved from one client to another.

42
Q

Which of the following cloud computing threats is caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate CSP selection, and lack of supplier redundancy?

Answer Options:

A. Hardware failure
B. Supply chain failure
C. Isolation failure
D. Subpoena and e-discovery

A

Answer:

The correct answer is B. Supply chain failure

Explanation:
Supply Chain Failure: A supply chain failure can be caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate CSP selection, lack of supplier redundancy, etc. Cloud providers outsource certain tasks to third parties. Thus, the security of the cloud is directly proportional to the security of each link and the extent of dependency on third parties.

Hardware Failure: Failures of hardware such as switches, servers, routers, access points, hard disks, network cards, and processors in data centers can make cloud data inaccessible. The majority of hardware failures are due to hard disk problems.

Isolation Failure: Multi-tenancy and shared resources are the characteristics of cloud computing. Strong isolation or compartmentalization of storage, memory, routing, and reputation among different tenants is lacking.

Subpoena and E-Discovery: Customer data and services may be subject to a cease request from authorities or third parties. This threat arises owing to improper resource isolation, data storage in multiple jurisdictions, and lack of insight into jurisdictions.

43
Q

In which of the following attacks does an attacker exploit the vulnerability residing in a bare-metal cloud server and use it to implant a malicious backdoor in its firmware?

Answer Options:

A. Cryptanalysis attack
B. Cloudborne attack
C. Cross-site scripting attack
D. Wrapping attack

A

Answer:

The correct answer is B. Cloudborne attack

Explanation:

Wrapping Attack: A wrapping attack occurs during the translation of the SOAP message in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

Cloudborne Attack: Cloudborne is a vulnerability residing in a bare-metal cloud server that enables attackers to implant a malicious backdoor in its firmware.

Cryptanalysis Attacks: Insecure or obsolete encryption makes cloud services susceptible to cryptanalysis. Data present in the cloud may be encrypted to prevent unauthorized access, but critical flaws in cryptographic algorithm implementations (e.g., weak random number generation) may weaken or break the encryption.

Cross-Site Scripting (XSS) Attack: Attackers use XSS to steal cookies used in the user authentication process by injecting a website with malicious code that is executed by the victim’s browser.

44
Q

Which of the following types of DNS attack involves registering an elapsed domain name?

Answer Options:

A. DNS poisoning
B. Cybersquatting
C. Domain snipping
D. Domain hijacking

A

Answer:

The correct answer is C. Domain snipping

Domain Hijacking: Involves stealing a CSP domain name.

Cybersquatting: Involves conducting phishing scams by registering a domain name that is similar to a CSP.

DNS Poisoning: Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user’s system.

Domain Snipping: Involves registering an expired domain name.

45
Q

Which of the following practices is NOT a countermeasure for defending against cryptojacking attacks?

Answer Options:

A. Never review third-party components used by the company’s websites
B. Use encrypted SSH key pairs instead of passwords
C. Implement browser extensions for scanning and terminating scripts
D. Implement CoinBlocker URL and IP blacklist/blackholing in the firewall

A

Answer:

The correct answer is A. Never review third-party components used by the company’s websites

Countermeasures for Cryptojacking attacks:

Implement a strong password policy.

Always preserve three different copies of the data in different places and one copy off-site.

Patch web servers and devices regularly.

Use encrypted SSH key pairs instead of passwords for securing access to cloud servers.

Implement CoinBlocker URL and IP blacklist/blackholing in the firewall.

Employ real-time monitoring of the web page document object model (DOM) and JavaScript environments for detecting and mitigating malicious activities at an early stage.

Use the latest antivirus, anti-malware, and adblocker tools in the cloud.

Implement browser extensions for scanning and terminating scripts similar to the CoinHive miner script.

Use endpoint security management technology to detect any rogue applications in the devices.

Review all third-party components used by the company’s websites.

46
Q

Which of the following is not a legitimate cloud computing attack?

Answer Options:

A. Privilege escalation
B. Man-in-the-middle (MiTM)
C. Denial-of-service (DoS)
D. Port scanning

A

Answer:

D. Port scanning

Explanation:

Port scanning is correct because it is not an attack. It is used in information gathering.

DoS/privilege escalation/MiTM are legitimate attacks because they are generally performed with malice so as to cause damage or steal information from an organization.

47
Q

A privilege escalation threat is caused due to which of the following weaknesses?

Answer Options:

A. A mistake in the access allocation system causes a customer, third party, or employee to get more access rights than needed.
B. Due to flaws while provisioning or de-provisioning networks or vulnerabilities in communication encryption.
C. Due to isolation failure, cloud customers can gain illegal access to the data.
D. Weak authentication and authorization controls could lead to illegal access thereby compromising confidential and critical data stored in the cloud.

A

Answer:

A. A mistake in the access allocation system causes a customer, third party, or employee to get more access rights than needed.

Explanation:
Privilege escalation: A mistake in the access allocation system such as coding errors, design flaws, and others can result in a customer, third party, or employee obtaining more access rights than required. This threat arises because of AAA (authentication, authorization, and accountability) vulnerabilities, user-provisioning and de-provisioning vulnerabilities, hypervisor vulnerabilities, unclear roles and responsibilities, misconfiguration, and others.

Illegal Access to the Cloud: Weak authentication and authorization controls could lead to illegal access thereby compromising confidential and critical data stored in the cloud.

Isolation Failure: Because of isolation failure, cloud customers can gain illegal access to other tenants’ data.

Modifying Network Traffic: This threat arises from flaws in provisioning or de-provisioning networks, or from vulnerabilities in communication encryption.

48
Q

In which of the following attacks does an attacker steal a CSP’s or client’s credentials by methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilities?

Answer Options:

A. DNS attack
B. Wrapping attack
C. Service hijacking using social engineering attacks
D. Side-channel attack

A

Answer:

The correct answer is C. Service hijacking using social engineering attacks

Explanation:
Service Hijacking Using Social Engineering Attacks: In account or service hijacking, an attacker steals a CSP’s or client’s credentials by methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilities. Using the stolen credentials, the attacker gains access to the cloud computing services and compromises data confidentiality, integrity, and availability.

Wrapping Attack: It is performed during the translation of SOAP messages in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

DNS Attack: The attacker performs DNS attacks to obtain authentication credentials from Internet users.

Side Channel Attack: The attacker compromises the cloud by placing a malicious virtual machine near a target cloud server and then launches a side channel attack.

49
Q

In which of the following attacks does an attacker ride an active computer session by sending an email or tricking the user into visiting a malicious web page while they are logged into the targeted site?

Answer Options:

A. Session hijacking using session riding
B. Side-channel attack
C. DNS attack
D. Wrapping attack

A

Answer:

A. Session hijacking using session riding

Explanation:
Service Hijacking Using Social Engineering Attacks: In account or service hijacking, an attacker steals a CSP’s or client’s credentials by methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilities. Using the stolen credentials, the attacker gains access to the cloud computing services and compromises data confidentiality, integrity, and availability.

Wrapping Attack: It is performed during the translation of SOAP messages in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

DNS Attack: The attacker performs DNS attacks to obtain authentication credentials from Internet users.

Side Channel Attack: The attacker compromises the cloud by placing a malicious virtual machine near a target cloud server and then launches a side channel attack.

50
Q

Which of the following is not a type of DNS attack?

Answer Options:

A. Domain hijacking
B. Cybersquatting
C. Session hijacking
D. Domain snipping

A

Answer:

C. Session hijacking

Explanation:

Domain snipping, domain hijacking, and cybersquatting are various types of DNS attacks.

Session hijacking is not a type of DNS attack.

51
Q

Out of the following, which is not a type of side-channel attack?

Answer Options:

A. Cybersquatting
B. Data remanence
C. Acoustic cryptanalysis
D. Timing attack

A

Answer:

A. Cybersquatting

Explanation:
The attacker compromises the cloud by placing a malicious virtual machine near a target cloud server and then launches a side-channel attack. In a side-channel attack, the attacker runs a virtual machine on the same physical host as the victim’s virtual machine and takes advantage of shared physical resources (such as the processor cache) to steal data (such as a cryptographic key) from the victim. Side-channel attacks can be carried out by any co-resident user and arise mainly from vulnerabilities in shared technology resources.

Timing attack, data remanence, and acoustic cryptanalysis are types of side-channel attacks, whereas cybersquatting is a type of DNS attack.

Cybersquatting involves conducting phishing scams by registering a domain name that is similar to that of a cloud service provider.

52
Q

In which of the following attacks does an attacker divert a user to a spoofed website by poisoning the DNS server or the DNS cache on the user’s system?

Answer Options:

A. DNS poisoning
B. Domain hijacking
C. Cybersquatting
D. Domain snipping

A

Answer:

A. DNS poisoning

Explanation:

Cybersquatting: Involves conducting phishing scams by registering a domain name that is similar to that of a cloud service provider.

Domain hijacking: Involves stealing a cloud service provider’s domain name.

Domain snipping: Involves registering an elapsed domain name.

DNS Poisoning: Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user’s system.

53
Q

Identify the attack in which attackers exploit a zero-day vulnerability on the target application server or use information leaked via a reverse proxy implemented by administrators to gain unauthorized access to network resources by compromising cloud instances.

Answer Options:

A. Cloud snooper attack
B. IMDS attack
C. Cloudborne attack
D. CDN cache poisoning attack

A

Answer:

B. IMDS attack

Explanation:

Cloudborne Attack: Cloudborne is a vulnerability residing in a bare-metal cloud server that enables attackers to implant a malicious backdoor in its firmware. The installed backdoor can persist even if the server is reallocated to new clients or businesses that use it as an IaaS.

Instance Metadata Service (IMDS) Attack: In this attack, the attacker exploits a zero-day vulnerability or a reverse proxy implemented on the target application server. The attacker then compromises the cloud instance running on the server and acquires metadata of the instance. Next, the attacker uses the obtained credentials to gain access to the cloud resources.

Cache Poisoned Denial of Service (CPDoS)/Content Delivery Network (CDN) Cache Poisoning Attack: In a CPDoS or CDN cache poisoning attack, attackers create malformed or oversized HTTP requests to trick the origin web server into responding with malicious or error content, which can be cached at the content delivery network (CDN) servers. Therefore, the malicious or error-based content is cached in the CDN server, which delivers it to legitimate users, resulting in a DoS attack on the target network.

Cloud Snooper Attack: Cloud snooper attacks are triggered at AWS security groups (SGs) to compromise the target server and extract sensitive data stealthily. Attackers perform this attack by leveraging a weakly configured firewall or any underlying vulnerabilities. Attackers use various techniques to bypass security controls such as firewalls and gain remote control over the target server.

54
Q

In which of the following attacks do attackers gain access to federated services by hacking an administrative identity provider’s user profile and further exploiting token signing certificates to generate forged tokens to access the targeted services?

A. Cloud snooper attack
B. Fragmentation attack
C. Golden SAML attack
D. Slowloris attack

A

Answer: C. Golden SAML attack

Explanation:
Fragmentation Attack: In fragmentation attacks, the attacker sends a large number of fragmented (1500+ byte) packets to a target web server with a relatively small packet rate. Since the protocol allows fragmentation, these packets are usually uninspected as they pass through network equipment such as routers, firewalls, and the intrusion detection system (IDS)/intrusion prevention system (IPS). The reassembly and inspection of these large, fragmented packets consume excessive resources.

Slowloris Attack: In Slowloris attacks, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial requests, the target server opens multiple connections and waits for the requests to complete. However, these requests remain incomplete, causing the target server’s maximum concurrent connection pool to be filled up and additional connection attempts to be denied.

Golden SAML Attack: Golden Security Assertion Markup Language (SAML) attacks are implemented to target identity providers on cloud networks such as the Active Directory Federation Service (ADFS) that utilize the SAML protocol for the authentication and authorization of users. Attackers initially gain administrative access to the identity provider’s user profile and exploit token signing certificates to generate forged SAML tokens or responses by manipulating the SAML assertions. This access can be achieved through session hijacking, privilege escalation, or lateral movement via previously exploited vulnerabilities or attacks.

Cloud Snooper Attack: Cloud snooper attacks are triggered at AWS security groups (SGs) to compromise the target server and extract sensitive data stealthily. Attackers perform this attack by leveraging a weakly configured firewall or any underlying vulnerabilities. Attackers use various techniques to bypass security controls such as firewalls and gain remote control over the target server.

55
Q

Which OWASP cloud security risk involves unsecured data in transit being susceptible to eavesdropping and interception attacks?

A) Multi-tenancy and physical security
B) Business continuity and resiliency
C) Incident analysis and forensic support
D) Service and data integration

A

Answer: D) Service and data integration

Explanation:

The table below lists the entries from the OWASP top 10 cloud security risks that are relevant here.

R4 - Business Continuity and Resiliency: Performing business continuity in an IT organization ensures that the business can be conducted in a disaster situation. When organizations use cloud services, there is a risk of monetary loss if the cloud provider handles business continuity improperly.

R6 - Service and Data Integration: Organizations must ensure proper protection when proprietary data are transferred from the end user to the cloud data center. Unsecured data in transit are susceptible to eavesdropping and interception attacks.

R7 - Multi-Tenancy and Physical Security: Cloud technology uses the concept of multi-tenancy to share resources and services, such as networking and databases, among multiple clients. Inadequate logical segregation may lead to tenants interfering with each other’s security features.

R8 - Incident Analysis and Forensic Support: When a security incident occurs, investigating applications and services hosted at a cloud provider can be challenging because event logs are distributed across multiple hosts and data centers located in several countries and governed by different laws and policies. Owing to the distributed storage of logs across the cloud, law enforcement agencies may face problems in forensic recovery.

56
Q

Which cloud computing threat involves authorized individuals such as disgruntled employees, contractors, or business partners misusing their access to compromise the information available in the cloud?

A) Cloud provider acquisition
B) Malicious insiders
C) Supply chain failure
D) Isolation failure

A

Answer: B) Malicious insiders

Explanation:
Supply Chain Failure: A supply chain failure can be caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate CSP selection, lack of supplier redundancy.

Cloud Provider Acquisition: CSP acquisition may increase the probability of a tactical shift and put non-binding agreements at risk. This could pose a challenge in handling security requirements.

Insufficient Due Diligence: Ignorance of the CSP’s cloud environment poses risks in operational responsibilities such as security, encryption, and incident response, and raises further problems such as contractual, design, and architectural issues.

Malicious Insiders: Malicious insiders are disgruntled current/former employees, contractors, or other business partners who have/had authorized access to cloud resources and could intentionally exceed or misuse that access to compromise the confidentiality, integrity, or availability of the organization’s information. Malicious insiders who have authorized access to cloud resources can abuse their access to compromise the information available in the cloud. Resulting harms include loss of reputation and productivity, and financial theft.

57
Q

Which Kubernetes vulnerability allows an attacker to exploit the kube-apiserver, which has debug mode disabled, to directly interact with it and perform malicious activities?

A) No non-repudiation
B) Log rotation is not atomic
C) No back-off process for scheduling
D) Exposed bearer tokens in logs

A

Answer: A) No non-repudiation

Exposed Bearer Tokens in Logs
Kubernetes requires an authentication mechanism for enforcing user privileges; e.g., bearer tokens are logged in hyperkube kube-apiserver system logs.
Attackers with access to the system logs can exploit bearer tokens to impersonate a previously logged-in legitimate user.

Log Rotation is not Atomic
Kubelet, the primary node agent, uses logs for storing the metadata about the container. During log rotation, if the kubelet is restarted, all logs may be erased.
Attackers monitor log rotation and when it occurs attempt to remove all logs.

No Back-off Process for Scheduling
The Kubernetes pod is an execution unit that requires careful coordination for scheduling and has no back-off process.
This causes a tight loop as the scheduler continuously schedules pods that are rejected by the other processes.

No Non-repudiation
Kube-apiserver performs all user transactions, such as creation, modification, and deletion, through its handlers without using a central auditing service.
If debug mode is disabled, kube-apiserver does not record user actions.
Attackers can directly interact with kube-apiserver and perform various malicious activities.

58
Q

Which cloud computing threat is caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate CSP selection, and lack of supplier redundancy?

A) Hardware failure
B) Isolation failure
C) Supply chain failure
D) Subpoena and e-discovery

A

Answer: C) Supply chain failure

Supply Chain Failure: A supply chain failure can be caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate CSP selection, lack of supplier redundancy, etc. Cloud providers outsource certain tasks to third parties. Thus, the security of the cloud is directly proportional to the security of each link and the extent of dependency on third parties.

Hardware Failure: Hardware failures, such as switches, servers, routers, access points, hard disks, network cards, and processors in data centers, can make cloud data inaccessible. The majority of hardware failures occur because of hard disk problems.

Isolation Failure: Multi-tenancy and shared resources are the characteristics of cloud computing. Strong isolation or compartmentalization of storage, memory, routing, and reputation among different tenants is lacking.

Subpoena and E-Discovery: Customer data and services are subject to a cease request from authorities or third parties. This threat occurs owing to improper resource isolation, data storage in multiple jurisdictions, and lack of insight into jurisdictions.

59
Q

In which attack does an attacker exploit a vulnerability in a bare-metal cloud server to implant a malicious backdoor in its firmware?

A) Cloudborne attack
B) Wrapping attack
C) Cryptanalysis attack
D) Cross-site scripting attack

A

Answer: A) Cloudborne attack

Wrapping Attack: A wrapping attack is performed during the translation of the SOAP message in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

Cloudborne Attack: Cloudborne is a vulnerability residing in a bare-metal cloud server that enables the attackers to implant a malicious backdoor in its firmware.

Cryptanalysis Attacks: Insecure or obsolete encryption makes cloud services susceptible to cryptanalysis. Data present in the cloud may be encrypted to prevent them from being read if accessed by malicious users. However, critical flaws in cryptographic algorithm implementations (e.g., weak random number generation) may turn strong encryption to weak or broken.

Cross-Site Scripting (XSS) Attack: Attackers implement XSS to steal cookies used in the user authentication process; this involves injecting a website with malicious code, which is subsequently executed by the browser.

60
Q

An attacker creates anonymous access to cloud services to carry out various attacks, such as password and key cracking, hosting malicious data, and DDoS attacks. Which cloud threat is the attacker posing?

A) Data breach/loss
B) Insecure interface and APIs
C) Insufficient due diligence
D) Abuse and nefarious use of cloud services

A

Answer: D) Abuse and nefarious use of cloud services

Abuse and Nefarious Use of Cloud Services: The presence of weak registration systems in the cloud computing environment gives rise to this threat. Attackers create anonymous access to cloud services and perpetrate various attacks such as password and key cracking, building rainbow tables, CAPTCHA-solving farms, launching dynamic attack points, hosting exploits on cloud platforms, hosting malicious data, botnet command and control, DDoS, etc.

Insecure Interface and APIs: Attackers exploit user-defined policies, reusable passwords/tokens, and insufficient input-data validation.

Data Breach/Loss: Attackers gain illegal access to the data and misuse or modify the data.

Insufficient Due Diligence: Ignorance of the CSP’s cloud environment poses risks in operational responsibilities such as security, encryption, and incident response, and raises further issues such as contractual, design, and architectural problems.

61
Q

In which attack does an attacker steal a cloud service provider’s or client’s credentials using methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilities?

A) Side-channel attack
B) Wrapping attack
C) DNS attack
D) Service hijacking using social engineering attacks

A

Answer: D) Service hijacking using social engineering attacks

Service Hijacking Using Social Engineering Attacks: In account or service hijacking, an attacker steals a CSP’s or client’s credentials by methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilities. Using the stolen credentials, the attacker gains access to the cloud computing services and compromises data confidentiality, integrity, and availability.

Wrapping Attack: It is performed during the translation of SOAP messages in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

DNS Attack: The attacker performs DNS attacks to obtain authentication credentials from Internet users.

Side Channel Attack: The attacker compromises the cloud by placing a malicious virtual machine near a target cloud server and then launches a side channel attack.

62
Q

In which attack does an attacker take control of an active computer session by sending an email or tricking the user into visiting a malicious web page while they are logged into the targeted site?

A) Wrapping attack
B) Session hijacking using session riding
C) Side-channel attack
D) DNS attack

A

Answer: B) Session hijacking using session riding

Session Hijacking Using Session Riding: Attackers exploit websites by engaging in cross-site request forgery to transmit unauthorized commands. In session riding, attackers “ride” an active computer session by sending an email or tricking users into visiting a malicious web page while they are logged in to the actual target site. When users click the malicious link, the website executes the request as if the user had authorized it. Commands used include modifying or deleting user data, performing online transactions, resetting passwords, and others.

Wrapping Attack: It is performed during the translation of SOAP messages in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

DNS Attack: The attacker performs DNS attacks to obtain authentication credentials from Internet users.

Side Channel Attack: The attacker compromises the cloud by placing a malicious virtual machine near a target cloud server and then launches a side channel attack.

63
Q

Which attack is triggered at AWS security groups (SGs) to compromise the target server and extract sensitive data stealthily?

A) Cloud snooper attack
B) SYN flood attack
C) Cloud hopper attack
D) Man-in-the-cloud attack

A

Answer: A) Cloud snooper attack

Man-in-the-Cloud (MITC) Attack: MITC attacks are an advanced version of MITM attacks. In MITM attacks, an attacker uses an exploit that intercepts and manipulates the communication between two parties, while MITC attacks are carried out by abusing cloud file synchronization services, such as Google Drive or Dropbox, for data compromise, command and control (C&C), data exfiltration, and remote access.

Cloud Hopper Attack: Cloud hopper attacks are triggered at managed service providers (MSPs) and their customers. Once the attack is successfully implemented, attackers can gain remote access to the intellectual property and critical information of the target MSP and its global users/customers. Attackers also move laterally in the network from one system to another in the cloud environment to gain further access to sensitive data pertaining to the industrial entities, such as manufacturing, government bodies, healthcare, and finance.

SYN Flood Attack: In a SYN attack, the attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources.

Cloud Snooper Attack: Cloud snooper attacks are triggered at AWS security groups (SGs) to compromise the target server and extract sensitive data stealthily. Attackers perform this attack by leveraging a weakly configured firewall or any underlying vulnerabilities. Attackers use various techniques to bypass security controls such as firewalls and gain remote control over the target server.

64
Q

Which cloud malware is designed to exploit misconfigured kubelets in a Kubernetes cluster for infecting all the containers in the Kubernetes environment?

A) Hildegard
B) Dreambot
C) njRAT
D) Necurs

A

Answer: A) Hildegard

Explanation:

njRAT: njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it can access a victim’s camera, steal credentials stored in browsers, upload and download files, manipulate processes and files, and view the victim’s desktop.

Necurs: The Necurs botnet is a distributor of many pieces of malware, most notably Dridex and Locky. It delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and it keeps reinventing itself.

Hildegard: Hildegard is cloud malware designed to exploit misconfigured kubelets in a Kubernetes cluster and infect all the containers present in the Kubernetes environment. Hildegard helps attackers in bypassing security solutions and altering system configurations to hide their presence.

Dreambot: Dreambot banking Trojans are also known as updated versions of Ursnif or Gozi. Dreambot Trojans have long been used by hackers, and they have been regularly updated with more sophisticated capabilities.

65
Q

Which cloud computing threat reflects the inability of a client to migrate from one cloud service provider to another or in-house systems due to the lack of tools, procedures, standard data formats, applications, and service portability?

A) Theft of computer equipment
B) Lock-in
C) Licensing risks
D) Cloud provider acquisition

A

Answer: B) Lock-in

Licensing Risks: The organization may incur a substantial licensing fee if the CSP charges for the software deployed in the cloud on a per-instance basis. Therefore, the organization should always retain ownership of its software assets located in the cloud provider environment. Licensing risks occur because of incomplete and non-transparent terms of use.

Cloud Provider Acquisition: CSP acquisition may increase the probability of a tactical shift and put non-binding agreements at risk. This could pose a challenge in handling security requirements.

Lock-in: Lock-in reflects the inability of the client to migrate from one CSP to another or in-house systems owing to the lack of tools, procedures, standard data formats, applications, and service portability. This threat is related to the inappropriate selection of a CSP, incomplete and non-transparent terms of use, lack of standard mechanisms, etc.

Theft of Computer Equipment: The theft of equipment may occur owing to inadequate controls at the physical perimeter, such as smart card access at entry, which may lead to loss of physical equipment and sensitive data.

66
Q

Which cloud attack is triggered at Managed Service Providers (MSPs) and their customers and involves compromising staff accounts by initiating spear-phishing emails with custom-made malware?

A) Wrapping attack
B) Cross-guest VM breaches
C) Man-in-the-cloud attack
D) Cloud hopper attack

A

Answer: D) Cloud hopper attack

Man-in-the-Cloud (MITC) Attack: MITC attacks are an advanced version of MITM attacks. In MITM attacks, an attacker uses an exploit that intercepts and manipulates the communication between two parties, while MITC attacks are carried out by abusing cloud file synchronization services, such as Google Drive or Dropbox, for data compromise, command and control (C&C), data exfiltration, and remote access.

Side-Channel Attacks or Cross-guest VM Breaches: Attackers can compromise the cloud by placing a malicious virtual machine near a target cloud server and then launch a side-channel attack.

Wrapping Attack: A wrapping attack is performed during the translation of the SOAP message in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

Cloud Hopper Attack: Cloud Hopper attacks are triggered at the managed service providers (MSPs) and their users. Attackers initiate spear-phishing emails with custom-made malware to compromise the accounts of staff or cloud service firms to obtain confidential information.

67
Q

Which type of DNS attack involves conducting phishing scams by registering a domain name that is similar to a Cloud Service Provider (CSP)?

A) Domain snipping
B) Domain hijacking
C) Cybersquatting
D) DNS poisoning

A

Answer: C) Cybersquatting

DNS Poisoning: Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user’s system.
Cybersquatting: Involves conducting phishing scams by registering a domain name that is similar to a CSP.
Domain Hijacking: Involves stealing a CSP domain name.
Domain Snipping: Involves registering an elapsed domain name.

68
Q

Which cloud computing threat arises from the ignorance of the Cloud Service Provider’s (CSP) cloud environment and poses risks in operational responsibilities such as security, encryption, and incident response?

A) Loss of operational and security logs
B) Insecure interfaces and APIs
C) Unsynchronized system clocks
D) Insufficient due diligence

A

Answer: D) Insufficient due diligence

Insecure Interfaces and APIs: Interfaces or APIs enable customers to manage and interact with cloud services. Cloud service models must be security integrated, and users must be aware of security risks in the use, implementation, and monitoring of such services.

Insufficient Due Diligence: Ignorance of the CSP’s cloud environment poses risks in operational responsibilities such as security, encryption, and incident response, and raises further problems such as contractual, design, and architectural issues.

Unsynchronized System Clocks: Failure to synchronize clocks on end systems can affect the operation of automated tasks.

Loss of Operational and Security Logs: The loss of operational logs makes it challenging to evaluate operational variables. The options for solving issues are limited when no data is available for analysis. The loss of security logs poses a risk for managing the implementation of the information security management program. Loss of security logs may occur in case of storage under-provisioning.

69
Q

Which cloud computing threat is caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate Cloud Service Provider (CSP) selection, and lack of supplier redundancy?

A) Isolation failure
B) Hardware failure
C) Subpoena and e-discovery
D) Supply chain failure

A

Answer: D) Supply chain failure

Supply Chain Failure: A supply chain failure can be caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate CSP selection, lack of supplier redundancy, etc. Cloud providers outsource certain tasks to third parties. Thus, the security of the cloud is directly proportional to the security of each link and the extent of dependency on third parties.

Hardware Failure: Hardware failures, such as switches, servers, routers, access points, hard disks, network cards, and processors in data centers, can make cloud data inaccessible. The majority of hardware failures occur because of hard disk problems.

Isolation Failure: Multi-tenancy and shared resources are the characteristics of cloud computing. Strong isolation or compartmentalization of storage, memory, routing, and reputation among different tenants is lacking.

Subpoena and E-Discovery: Customer data and services are subject to a cease request from authorities or third parties. This threat occurs owing to improper resource isolation, data storage in multiple jurisdictions, and lack of insight into jurisdictions.

70
Q

In which attack does an attacker exploit the vulnerability residing in a bare-metal cloud server and use it to implant a malicious backdoor in its firmware?

A) Cross-site scripting attack
B) Wrapping attack
C) Cryptanalysis attack
D) Cloudborne attack

A

Answer: D) Cloudborne attack

Wrapping Attack: A wrapping attack is performed during the translation of the SOAP message in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.
Cloudborne Attack: Cloudborne is a vulnerability residing in a bare-metal cloud server that enables the attackers to implant a malicious backdoor in its firmware.
Cryptanalysis Attacks: Insecure or obsolete encryption makes cloud services susceptible to cryptanalysis. Data present in the cloud may be encrypted to prevent them from being read if accessed by malicious users. However, critical flaws in cryptographic algorithm implementations (e.g., weak random number generation) may turn strong encryption to weak or broken.
Cross-Site Scripting (XSS) Attack: Attackers implement XSS to steal cookies used in the user authentication process; this involves injecting a website with malicious code, which is subsequently executed by the browser.

71
Q

In which cloud computing threat does an attacker attempt to control operations of other cloud customers to gain illegal access to their data?

A) Isolation failure
B) Illegal access to the cloud
C) Privilege escalation
D) Supply chain failure

A

Answer: A) Isolation failure

Isolation Failure: Multi-tenancy and shared resources are the characteristics of cloud computing. Strong isolation or compartmentalization of storage, memory, routing, and reputation among different tenants is lacking. Because of isolation failure, attackers try to control operations of other cloud customers to gain illegal access to the data.

Privilege Escalation: A mistake in the access allocation system causes a customer, third party, or employee to get more access rights than needed.

Illegal Access to the cloud: Attackers can exploit weak authentication and authorization to get illegal access, thereby compromising confidential and critical data stored in the cloud.

Supply Chain Failure: A disruption in the chain may lead to loss of data privacy and integrity, unavailability of services, violation of SLA, economic and reputational losses resulting in failure to meet customer demand, and cascading failure.

72
Q

Which attack involves the manipulation of the CDN server to store an error page instead of the genuine one to trick users and prevent them from accessing cloud resources?

A) Mask attack
B) Brute-force attack
C) Zero-day DDoS attack
D) CPDoS attack

A

Answer: D) CPDoS attack

Brute-Force Attack: In a brute-force attack, attackers try every combination of characters until the password is broken.

Mask Attack: A mask attack is similar to a brute-force attack but recovers passwords from hashes using a more specific set of characters based on information known to the attacker. Brute-force attacks are time-consuming because the attacker tries all possible combinations of characters to crack the password. In contrast, in a mask attack, the attacker uses a pattern of the password to narrow down the list of possible passwords and reduce the cracking time.

Cache Poisoned Denial of Service (CPDoS)/Content Delivery Network (CDN) Cache Poisoning Attack: In a CPDoS or CDN cache poisoning attack, attackers create malformed or oversized HTTP requests to trick the origin web server into responding with malicious or error content, which can be cached at the content delivery network (CDN) servers. Therefore, the malicious or error-based content is cached in the CDN server, which delivers it to legitimate users, resulting in a DoS attack on the target network.

Zero-Day DDoS Attack: Zero-day DDoS attacks exploit DDoS vulnerabilities for which no patches or effective defensive mechanisms yet exist. Until the victim identifies the threat actor’s attack strategy and deploys a patch for the exploited DDoS vulnerability, the attacker actively blocks all the victim’s resources and steals the victim’s data.

73
Q

What information can an attacker enumerate when running the command “# ps -ef | grep apiserver” in Kubernetes etcd?

A) Secrets stored in the Kubernetes cluster
B) Retrieve a key and convert it into the YAML format
C) Location of the etcd server and PKI information
D) Decoding keys

A

Answer: C) Location of the etcd server and PKI information

Attackers can use the following command to enumerate the location of the etcd server and PKI information:

ps -ef | grep apiserver

Attackers can run the following command to enumerate secrets stored in the Kubernetes cluster:

ETCDCTL_API=3 ./etcdctl --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt --key=/etc/kubernetes/pki/apiserver-etcd-client.key --endpoints=https://127.0.0.1:2379 get /registry/ --prefix | grep -a '/registry/secrets/'

Furthermore, attackers can use the following command to retrieve a key and convert it into YAML format:

ETCDCTL_API=3 ./etcdctl --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt --key=/etc/kubernetes/pki/apiserver-etcd-client.key --endpoints=https://127.0.0.1:2379 get /registry/secrets/kube-system/weave-net-token-nmb26 | ./auger decode -o yaml

By decoding keys, attackers can identify endpoints from the kube config file. Attackers can further use the information enumerated from etcd to perform privilege escalation attacks and gain access to node information.

74
Q

Which Nimbostratus command is used by an attacker to dump all the permissions for provided credentials?

A) $ nimbostratus dump-ec2-metadata
B) $ nimbostratus dump-credentials
C) $ nimbostratus create-iam-user --access-key=… --secret-key=…
D) $ nimbostratus dump-permissions --access-key=… --secret-key=…

A

Answer: D) $ nimbostratus dump-permissions --access-key=… --secret-key=…

Explanation:
Dump credentials: Extracts the credentials available with this host and prints them out to the console.

$ nimbostratus dump-credentials

Dump permissions: Dumps all the permissions for the provided credentials.

$ nimbostratus dump-permissions --access-key=… --secret-key=…

Dump instance metadata: Retrieves important information metadata of EC2 instances.

$ nimbostratus dump-ec2-metadata

Create new user: Create a new IAM user using existing credentials:

$ nimbostratus create-iam-user --access-key=… --secret-key=…

75
Q

An attacker is using DumpsterDiver, an automated tool, to identify potential secret leaks and hardcoded passwords in target cloud services. Which flag is set by the attacker to analyze the files in search of hardcoded passwords?

A) -o OUTFILE
B) -r, --remove
C) -a, --advance
D) -s, --secret

A

Answer: D) -s, --secret

Explanation:
DumpsterDiver flags:

-r, --remove: Set this flag to remove files that do not contain secret keys.
-a, --advance: Set this flag to analyze files using rules specified in 'rules.yaml'.
-s, --secret: Set this flag to analyze files in search of hardcoded passwords.
-o OUTFILE: Generate output in JSON format.

76
Q

What docker command is used by an attacker to create a container from an image to exploit the docker remote API?

A) $ docker -H exec modest_goldstine ls
B) $ docker -H run --network=host --rm marsmensch/nmap -ox
C) $ docker -H pull alpine
D) $ docker -H run -t -d alpine

A

Answer: D) $ docker -H run -t -d alpine

Explanation:
Run the following command to get an image of Alpine Linux:
$ docker -H pull alpine

Create a container from the image using the following command:
$ docker -H run -t -d alpine

Run the ls command inside the container to retrieve files stored on the Docker host:
$ docker -H exec modest_goldstine ls

Use Nmap to scan the host’s internal network to identify running services:
$ docker -H run --network=host --rm marsmensch/nmap -ox

77
Q

In which technique does an attacker use lambda functions such as rabbit_lambda, cli_lambda, and backdoor_created_users_lambda to install a backdoor to AWS infrastructure?

A) Inserting a backdoor
B) Manipulating access keys
C) Manipulating user data
D) Creating new EC2 instances

A

Answer: B) Manipulating access keys

Explanation:

Attackers install backdoors to the AWS infrastructure using the following techniques:

Manipulating user data associated with an EC2 instance with privileged access rights.

Creating new EC2 instances depending on the Amazon Machine Images (AMI) by assigning a privileged role.

Inserting a backdoor to the existing Lambda function.

Manipulating access keys using Lambda functions such as rabbit_lambda, cli_lambda, and backdoor_created_users_lambda.

78
Q

Which of the following is a security vulnerability that arises mostly from business associates and current or former employees who already have trusted access to an environment and do not need to compromise AWS credentials separately for performing malicious activities?

A) Reading local file
B) Password reuse
C) Insider threat
D) Social engineering

A

Answer: C) Insider threat

Insider Threat: Insider threat arises mostly from business associates and current or former employees who already have trusted access to the environment and do not need to compromise the credentials separately for performing malicious activities. These types of insiders pose a serious threat to the organization and the AWS environment.

Reading Local File: Generally, AWS keys are stored in various locations, such as configuration and log files, in an operating system. For example, if a user uses the AWS command-line interface aws-cli, his credentials are stored in the home directory, and the keys are stored in the environment variable file. If an attacker has already gained access to the operating system, he can read the credentials and keys stored in the operating system to perform further exploitation.

Social Engineering: Attackers use social engineering techniques, such as fake emails, calls, and SMSs, to trick users into revealing their AWS IAM credentials. For example, if a user enters only the API keys to authenticate the AWS, then an attacker can employ a simple phishing technique to steal the API keys and compromise the user account.

Password Reuse: Password reuse is a very common fault that can cause serious vulnerabilities. Most users reuse the same password for multiple services. If the attacker is able to compromise one password, he can gain access to other cloud services with the same credentials. In some scenarios, if a website is compromised, the attacker can gain access to the back-end database and retrieve password hashes or cleartext passwords stored in the database.

79
Q

Given below are the steps involved in exploiting AWS docker containers. What is the correct sequence of steps involved in exploiting AWS docker containers?

  1. Pull the target docker image
  2. Push the backdoor docker image
  3. Create a backdoor image
  4. Abuse AWS credentials

A) 1 -> 2 -> 3 -> 4
B) 4 -> 1 -> 3 -> 2
C) 2 -> 1 -> 3 -> 4
D) 3 -> 4 -> 2 -> 1

A

Answer: B) 4 -> 1 -> 3 -> 2

The following steps are involved in exploiting AWS Docker containers:

Step 1: Abuse AWS credentials
Step 2: Pull the target Docker image
Step 3: Create a backdoor image
Step 4: Push the backdoor Docker image

80
Q

Which of the following scripts is an example of a lambda function that responds to user-delete events by creating more copies of the deleted user?

A) rabbit_lambda
B) cli_lambda
C) backdoor_created_roles_lambda
D) backdoor_created_users_lambda

A

Answer: A) rabbit_lambda

Explanation:

cli_lambda: A Lambda function that acts as an AWS CLI proxy and does not require credentials.
rabbit_lambda: An example Lambda function that responds to user-delete events by creating more copies of the deleted user.
backdoor_created_roles_lambda: A Lambda function that adds a trust relationship to each newly created role.
backdoor_created_users_lambda: A Lambda function that adds an access key to each newly created user.

81
Q

Which of the following tools allows an attacker to perform account enumeration on an Azure Active Directory (AD) environment and assess the overall security of the target Azure environment?

A) bettercap
B) OWASP ZAP
C) Azucar
D) Hetty

A

Answer: C) Azucar

Explanation:
Hetty: Hetty is an HTTP toolkit for security research. It provides the following features:

Machine-in-the-middle (MITM) HTTP proxy with logs and advanced search
HTTP client for manually creating/editing requests and replaying proxied requests
Intercepting requests and responses for a manual review (edit, send/receive, and cancel)

Azucar: The Azucar tool allows users to assess the overall security of an Azure environment. It is a multi-threaded plug-in-based security tool that can be used in Windows. Moreover, the script used in the tool does not affect the assets that are implemented in the Azure subscription.

bettercap: bettercap is a portable framework written in Go that allows security researchers, red teamers, and reverse engineers to perform reconnaissance and various attacks on Wi-Fi networks, Bluetooth low energy devices, wireless HID devices, and IPv4/IPv6 networks.

OWASP ZAP: Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow users to find security vulnerabilities manually.

82
Q

Which of the following tools contains two main scanning modules, AWStealth and AzureStealth, which attackers can use to discover users, groups, and roles that have the most sensitive and risky permissions?

A) DroidSheep
B) Fiddler
C) CxSAST
D) SkyArk

A

Answer: D) SkyArk

DroidSheep: The DroidSheep tool is used for session hijacking on Android devices connected to a common wireless network.

CxSAST: Checkmarx CxSAST is a unique source-code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code, such as security vulnerabilities, compliance issues, and business logic problems.

SkyArk: SkyArk contains two main scanning modules, AWStealth and AzureStealth. With the scanning results from SkyArk, attackers can discover the entities (users, groups, and roles) that have the most sensitive and risky permissions.

Fiddler: Fiddler is used for performing web-application security tests such as the decryption of HTTPS traffic and manipulation of requests using an MITM decryption technique. Fiddler is a web debugging proxy that logs all HTTP(S) traffic between a computer and the Internet.

83
Q

In which of the following techniques does an attacker use lambda functions such as rabbit_lambda, cli_lambda, and backdoor_created_users_lambda to install a backdoor to AWS infrastructure?

A) Manipulating user data
B) Inserting a backdoor
C) Manipulating access keys
D) Creating new EC2 instances

A

Answer: C) Manipulating access keys

Explanation:
Attackers install backdoors to the AWS infrastructure using the following techniques:

Manipulating user data associated with an EC2 instance with privileged access rights
Creating new EC2 instances depending on the Amazon Machine Images (AMI) by assigning a privileged role
Inserting a backdoor to the existing Lambda function
Manipulating access keys using Lambda functions such as rabbit_lambda, cli_lambda, and backdoor_created_users_lambda

84
Q

Given below are the different steps to exploit misconfigured AWS S3 buckets. What is the correct sequence of steps involved in exploiting misconfigured AWS S3 buckets?

  1. Set up the AWS command-line interface
  2. Identify S3 buckets
  3. Configure aws-cli
  4. Exploit S3 buckets
  5. Extract access keys
  6. Identify vulnerable S3 buckets

A) 1 -> 2 -> 3 -> 4 -> 5 -> 6
B) 2 -> 1 -> 5 -> 3 -> 6 -> 4
C) 3 -> 1 -> 4 -> 5 -> 6 -> 2
D) 3 -> 2 -> 4 -> 6 -> 5 -> 1

A

Answer: B) 2 -> 1 -> 5 -> 3 -> 6 -> 4

Explanation:

Follow the steps discussed below to exploit the misconfigured AWS S3 buckets.

Step 1: Identify S3 buckets

Step 2: Set up the AWS command-line interface

Step 3: Extract access keys

Step 4: Configure aws-cli

Step 5: Identify vulnerable S3 buckets

Step 6: Exploit S3 buckets

85
Q

Which of the following docker commands is used by an attacker to retrieve MySQL database credentials?

A. $ docker -H [docker host] exec -i some-mysql mysql -u root -p -e "show databases"
B. $ docker -H run --network=host --rm marsmensch/nmap -ox
C. $ docker -H [docker remote host] exec -i some-mysql env
D. $ docker -H [docker remote host] ps | grep mysql

A

Answer: C. $ docker -H [docker remote host] exec -i some-mysql env

Explanation:
Querying databases:

Run the following command to find the MySQL containers on the target Docker host:
$ docker -H [docker remote host] ps | grep mysql

Now, run the following command to retrieve the MySQL credentials:
$ docker -H [docker remote host] exec -i some-mysql env

Use the retrieved credentials to find databases under the MySQL container:
$ docker -H [docker host] exec -i some-mysql mysql -u root -p -e "show databases"

To scan the host’s internal network and identify running services [Nmap scan]:
$ docker -H run --network=host --rm marsmensch/nmap -ox

86
Q

Given below are the various steps involved in abusing AWS Lambda functions using a white-box scenario. What is the correct sequence of steps involved?

Steps:

  1. The attacker obtains information about the roles and other policies associated with that compromised cloud account. Here, the attacker strictly focuses on the specific misconfigured S3 bucket.
  2. The attacker can now list the Lambda functions and obtain additional information about any function.
  3. With the additional information and obtained user credentials, the attacker downloads the associated Lambda code for detecting and exploiting potential vulnerabilities.
  4. The Lambda function can now be exploited by the attacker to launch further attacks.
  5. An attacker obtains sensitive information such as user credentials through phishing or other social engineering methods.

Choose the correct sequence of steps:

A) 5 -> 2 -> 3 -> 4 -> 1
B) 3 -> 1 -> 2 -> 5 -> 4
C) 2 -> 3 -> 4 -> 1 -> 5
D) 5 -> 1 -> 2 -> 3 -> 4

A

Answer: D) 5 -> 1 -> 2 -> 3 -> 4

Serverless-Based Attacks on AWS Lambda

White-Box Scenario

In this scenario, attackers hold prior information about the environment, which helps them in achieving their goals.

The steps to perform an attack using the white-box scenario approach are as follows:

Step 1: An attacker obtains sensitive information such as user credentials through phishing or other social engineering methods.

Step 2: The attacker obtains information about the roles and other policies associated with that compromised cloud account. Here, the attacker strictly focuses on the specific misconfigured S3 bucket.

Step 3: The attacker can now list the Lambda functions and obtain additional information about any function.

Step 4: With the additional information and obtained user credentials, the attacker downloads the associated Lambda code for the detection and exploitation of potential vulnerabilities.

Step 5: The Lambda function can now be exploited by the attacker to launch further attacks.

87
Q

An attacker is using DumpsterDiver, an automated tool, to identify potential secret leaks and hardcoded passwords in target cloud services.

Which of the following flags is set by the attacker to analyze the files in search of hardcoded passwords?

A) -s, --secret
B) -a, --advance
C) -r, --remove
D) -o OUTFILE

A

Answer: A) -s, --secret

Explanation:

DumpsterDiver is a tool used to search for sensitive information or secret keys in source code and configuration files. It offers several flags to customize the search process:

-r, --remove: This flag is used to remove the files that do not contain any secret keys from the search results. This can help to narrow down the search and focus only on the relevant files.

-a, --advance: This flag is used to analyze the files using the rules specified in the 'rules.yaml' file. These rules are used to detect specific patterns or formats of sensitive information or secret keys.

-s, --secret: This flag is used to search for hardcoded passwords in the source code and configuration files. This can help to identify any passwords that may be stored in plaintext, which is a security risk.

-o OUTFILE: This flag is used to generate the output in JSON format. This can help to process the search results programmatically or to integrate the output with other tools.

88
Q

Given below are the steps involved in exploiting AWS docker containers.

  1. Pull the target docker image
  2. Push the backdoor docker image
  3. Create a backdoor image
  4. Abuse AWS credentials

What is the correct sequence of steps involved in exploiting AWS docker containers?

a) 3 -> 4 -> 2 -> 1
b) 4 -> 1 -> 3 -> 2
c) 1 -> 2 -> 3 -> 4
d) 2 -> 1 -> 3 -> 4

A

Answer: b) 4 -> 1 -> 3 -> 2

89
Q

Given below are the various steps involved in abusing AWS Lambda functions using a black-box scenario.

  1. Once the files are uploaded, the tags of the individual files can be calculated using a Lambda function.
  2. The attacker uploads files to S3 and then rechecks their configurations.
  3. The attacker exfiltrates the cloud credentials of an account and starts enumeration for higher privileges with the acquired AWS credentials.
  4. An attacker accesses a misconfigured S3 bucket that was not implemented with any credentials. The misconfigured buckets that the attacker gains access to may contain various organizational files.

What is the correct sequence of steps involved in abusing AWS Lambda functions using a black-box scenario?

A) 1 -> 4 -> 2 -> 3

B) 4 -> 2 -> 1 -> 3

C) 4 -> 3 -> 2 -> 1

D) 3 -> 1 -> 2 -> 4

A

Answer: B) 4 -> 2 -> 1 -> 3

90
Q

Which of the following cloud security control layers includes security controls such as governance-risk-compliance, IAM, VA/VM, patch management, configuration management, and monitoring?

A. Management layer
B. Application layer
C. Network layer
D. Information layer

A

Answer: A. Management layer

Explanation: When it comes to securing a cloud infrastructure, it’s essential to establish security measures at various layers of the infrastructure. These layers include the application layer, information layer, management layer, and network layer. Each layer requires different security controls to ensure the safety and protection of the cloud environment.

Application Layer: The application layer is responsible for providing access to cloud applications and services. To harden this layer, cloud consumers need to establish policies that align with industry-adopted security standards such as the Open Web Application Security Project (OWASP) for web applications. These policies should comply with regulatory and business requirements. Application layer controls include software development lifecycle, binary analysis, scanners, web application firewalls, transactional security, and more.

Information Layer: The information layer deals with the protection of data stored in the cloud. To secure this layer, cloud consumers should develop and document an information security management program that includes administrative, technical, and physical safeguards to protect information against unauthorized access, modification, or deletion. Some of the security controls for the information layer include data loss prevention (DLP), content monitoring and filtering, database activity monitoring, encryption, and more.

Management Layer: The management layer covers the administrative tasks related to cloud security. It’s responsible for facilitating continuous, uninterrupted, and effective services in the cloud. To ensure the safety of this layer, cloud consumers should look for policies that align with industry-adopted security standards. Management layer security controls include governance-risk-compliance (GRC), identity and access management (IAM), vulnerability assessment/vulnerability management (VA/VM), patch management, configuration management, monitoring, and more.

Network Layer: The network layer is responsible for managing and monitoring access to network resources. To secure this layer, network administrators need to implement various measures and policies to prevent unauthorized access, misuse, modification, or denial of network resources. Network layer security controls include network intrusion prevention/detection services, firewalls, deep packet inspection, anti-DDoS, quality of service (QoS), DNSSEC, OAuth, and more.

91
Q

Which of the following best practices should be followed for securing a cloud environment?

A. Do not disclose applicable logs and data to customers
B. Verify one’s own cloud in public domain blacklists
C. Allow unauthorized server access using security checkpoints
D. Do not enforce legal contracts in employee behavior policy

A

Answer: B. Verify one’s own cloud in public domain blacklists

Here are some best practices for securing a cloud environment:

Disclose applicable logs and data to customers: Cloud providers should be transparent with their customers and provide access to relevant logs and data to allow them to monitor their environment.

Prevent unauthorized server access using security checkpoints: Cloud providers should implement security checkpoints to prevent unauthorized access to servers and ensure that only authorized personnel can access them.

Enforce legal contracts in employee behavior policy: Cloud providers should enforce legal contracts in their employee behavior policy to ensure that employees are aware of their responsibilities and obligations concerning data protection.

Verify one’s cloud in public domain blacklists: Cloud providers should regularly check public domain blacklists to ensure that their environment is not listed as a malicious source.

Enforce data protection, backup, and retention mechanisms: Cloud providers should implement data protection, backup, and retention mechanisms to ensure that data is protected, backed up, and can be recovered in case of data loss.

Enforce SLAs for patching and vulnerability remediation: Cloud providers should enforce service level agreements (SLAs) for patching and vulnerability remediation to ensure that vulnerabilities are addressed in a timely and effective manner.

Vendors should regularly undergo AICPA SAS 70 Type II audits: Cloud providers should regularly undergo AICPA SAS 70 Type II audits to ensure that their security controls and processes are adequate and effective.

Apply a baseline security breach notification process: Cloud providers should implement a baseline security breach notification process to notify customers in case of a security breach.

Analyze API dependency chain software modules: Cloud providers should analyze their API dependency chain software modules to ensure that they are secure and do not introduce vulnerabilities into the cloud environment.

92
Q

Which of the following vulnerabilities in serverless security can be resolved by using the cloud provider’s built-in services, such as AWS Trusted Advisor, to identify public resources and by setting functions with a minimum required timeout?

A. Security misconfiguration
B. Broken access control
C. XML external entities
D. Cross-site scripting

A

Answer: A. Security misconfiguration

Explanation: When it comes to securing a cloud environment, it’s important to be aware of the risks and vulnerabilities that exist. It’s equally important to implement solutions to minimize these risks and prevent potential security breaches.

Here are some risks and solutions related to cloud security:

Risk A4 - XML External Entities (XXE):

XXE vulnerabilities can be exploited to launch denial of service attacks or steal sensitive data. To minimize this risk, cloud consumers should implement the following solutions:

Use only the CSP’s software development kits, whenever possible.
Perform vulnerability scanning on supply chain libraries.
Test API calls for XXE vulnerabilities.
Always disable entity resolution.

Risk A5 - Broken Access Control:

Broken access control can lead to unauthorized access to sensitive data and applications. To minimize this risk, cloud consumers should implement the following solutions:

Follow the least-privilege principle while granting permissions to functions.
Review each function to detect excess privileges.
Follow the cloud service provider’s best practices, such as AWS IAM and Azure Identity Management best practices.

Risk A6 - Security Misconfiguration:

Security misconfiguration can occur due to incorrect configuration of cloud resources, leading to potential security breaches. To minimize this risk, cloud consumers should implement the following solutions:

Use the cloud provider’s built-in services, such as AWS Trusted Advisor, to identify public resources.
Enforce strong access control on cloud resources.
Identify functions with unlinked triggers.
Set the functions with a minimum timeout required.
Employ automated tools to detect security misconfigurations in serverless applications.

Risk A7 - Cross-Site Scripting (XSS):

XSS vulnerabilities can be exploited to steal sensitive data or launch malicious attacks. To minimize this risk, cloud consumers should implement the following solutions:

Encode all untrusted data before transmitting it to the client.
Use only well-known frameworks and headers.

93
Q

Which of the following technologies is a security implementation that assumes every user attempting to access a network is not a trusted entity by default and verifies every incoming connection before allowing access to the network?

A. Zero-trust network
B. Container technology
C. Trusted computing
D. Serverless computing

A

Answer: A. Zero-trust network

Explanation: Cloud computing has brought numerous benefits to organizations, including cost savings, scalability, and flexibility. However, it has also brought unique security challenges that need to be addressed. Here are some important security concepts related to cloud computing:

Zero Trust Network: The Zero Trust model is a security implementation that assumes that every user trying to access the network is not a trusted entity by default and verifies every incoming connection before allowing access to the network. It’s a holistic approach to security that involves verifying identity, device, and context before granting access to resources.

Container Technology: Containers are a popular solution for deploying and running applications in the cloud. A container is a package of an application/software that includes all its dependencies, such as library and configuration files, binaries, and other resources that run independently from other processes in the cloud environment. Containers provide isolation and portability, making it easier to move applications between different environments.

Trusted Computing: Trusted computing defines a secured computational environment that implements internal control, auditability, and maintenance to ensure the availability and integrity of cloud operations. Hardware and software Root of Trust (RoT) and API are a few security controls for trusted computing. RoT refers to a secure, tamper-proof hardware component that ensures the integrity of the system, while API provides an interface for secure communication between components.

Serverless Computing: Serverless computing, also known as serverless architecture or Function-as-a-Service (FaaS), is a cloud-based application architecture where application infrastructure and supporting services are provided by the cloud vendor as they are needed. Serverless computing eliminates the need for server infrastructure, reducing costs and complexity. However, it also requires additional security measures to ensure the protection of data and resources.

94
Q

Which of the following tools helps security professionals secure a Kubernetes environment?

A. CloudGoat AWS
B. Alcide Advisor
C. Pacu
D. DumpsterDiver

A

Answer: B. Alcide Advisor

Explanation: As cloud computing continues to grow, so does the need for effective cloud security tools and techniques. Here are some popular tools used for cloud security:

Pacu: Pacu is an open source AWS exploitation framework used for enumerating and hijacking IAM roles. It’s a powerful tool for identifying security vulnerabilities in AWS environments and testing them for exploits.

DumpsterDiver: DumpsterDiver is a tool used by attackers to scan for hardcoded secret keys such as AWS access keys, SSL keys, and Microsoft’s Azure keys. It can examine a large volume of file types, making it an effective tool for identifying security vulnerabilities in cloud environments.

Alcide Advisor: Kubernetes is a popular container deployment and management tool, but it also presents unique security challenges. Alcide Advisor is a tool used by security professionals to monitor and secure Kubernetes workloads. Other popular tools for securing Kubernetes environments include Kube-bench and StackRox.

CloudGoat AWS: CloudGoat is a “Vulnerable by Design” AWS deployment tool created by Rhino Security Labs. It allows cloud security professionals to test and hone their cybersecurity skills by creating and completing several “capture-the-flag” style scenarios.

95
Q

Which of the following measures is NOT a best practice for securing a container environment?

A. Perform regular scanning of the images in the repository
B. Configure orchestrators to deploy a set of hosts separately based on their sensitivity level
C. Store sensitive data externally and allow dynamic access at runtime
D. Use a single database for all applications

A

Answer: D. Use a single database for all applications

Explanation: Containers have become a popular solution for deploying and running applications in the cloud. However, securing container environments requires additional measures to ensure the protection of data and resources. Here are some best practices for securing container environments:

Perform regular scanning of the images in the repository to identify vulnerabilities or misconfigurations. Scanning images before deployment reduces the risk that a known flaw is exploited once the container is running.

Configure orchestrators to deploy a set of hosts separately based on their sensitivity level. Separating hosts based on their sensitivity level can help to minimize the impact of potential security breaches.

Use a separate database for each application for greater visibility of individual applications and enhanced data management. Isolating each application's data also limits the blast radius if one application is compromised.

Store sensitive data externally and allow dynamic access at runtime. Keeping secrets out of the image and injecting them at runtime reduces the risk of their disclosure and allows access to be controlled dynamically.

Regularly monitor the CVEs of the container runtime and remediate if vulnerabilities are detected. Monitoring CVEs of the container runtime and applying necessary patches is essential to reduce the risk of security breaches.

Employ app-aware tools to monitor container network interfaces, network traffic, and network anomalies. App-aware tools can provide insights into network traffic and detect anomalies, making it easier to identify and address security issues.

96
Q

Which of the following measures is NOT a best practice for securing a Kubernetes environment?

A. Use the copy-then-rename method for log rotation
B. Use a separate encoding format for each configuration task
C. Use OCSP stapling
D. Use kube-apiserver instances that maintain CRLs

A

Answer: B. Use a separate encoding format for each configuration task

97
Q

Identify the services provided by the application layer of the cloud security control model.

A. SDLC, binary analysis, scanners, web app firewalls, transactional sec
B. Hardware and software RoT and APIs
C. Physical plant security, CCTV, guards
D. DLP, CMF, database activity monitoring, encryption

A

Answer: A. SDLC, binary analysis, scanners, web app firewalls, transactional security

Explanation: Cloud security control layers are essential for ensuring the protection and confidentiality of data stored in the cloud. Here are some control layers and their security measures:

Information Layer: The information layer involves developing and documenting an information security management program (ISMP) that includes administrative, technical, and physical safeguards to protect information against unauthorized access, modification, or deletion. Security controls for this layer include data loss prevention (DLP), content monitoring and filtering (CMF), database activity monitoring, encryption, and more.

Trusted Computing: Trusted computing defines a secured computational environment that implements internal control, auditability, and maintenance to ensure the availability and integrity of cloud operations. Security controls for this layer include hardware and software Root of Trust (RoT) and APIs.

Physical Layer: The physical layer includes security measures for cloud infrastructure, data centers, and physical resources. Security controls for this layer include physical plant security, fences, walls, barriers, guards, gates, electronic surveillance, CCTV, physical authentication mechanisms, security patrols, and more.

Application Layer: To harden the application layer, it is important to establish policies that follow industry-adopted security standards, such as OWASP for a web application, and that meet the applicable regulatory and business requirements. Security controls for this layer include the software development lifecycle (SDLC), binary analysis, scanners, web application firewalls, transactional security, and more.

98
Q

Which of the following mechanisms should be incorporated into cloud services so that networks and resources improve the response time of a job while maintaining maximum throughput?

A. Lockout mechanism
B. Encryption mechanism
C. Two-factor authentication
D. Load balancing

A

Answer: D. Load balancing

Explanation:
Cloud load balancing is the process of distributing workloads and computing resources in a cloud computing environment. Load balancing allows enterprises to manage application or workload demands by allocating resources among multiple computers, networks, or servers. In the cloud, the load balancer is itself hosted by the provider and distributes the workload traffic and demand that arrive over the Internet.

99
Q

In which of the following cloud security control layers do the security controls DNSSEC and OAuth operate?

A. Computation and storage layer
B. Management layer
C. Information layer
D. Network layer

A

Answer: D. Network layer

Explanation:
The network layer deals with the measures and policies adopted by a network administrator to monitor and prevent unauthorized access, misuse, modification, or denial of network-accessible resources. Additional network layer security controls include NIDS/NIPS, firewalls, DPI, anti-DDoS, QoS, DNSSEC, OAuth, and so on.