Practice Exam 9 Flashcards

1
Q

PE9.1 Which of the following statements is true regarding cloud computing?

A. In IaaS, applications, data, middleware, virtualization, and servers are part of the service provision.
B. In PaaS, applications, data, middleware, virtualization, and servers are part of the service provision.
C. In SaaS, applications, data, middleware, virtualization, and servers are part of the service provision.
D. None of the above.

A

C
C. So there are several things EC-Council is very concerned that you know regarding cloud computing, but two in particular are right at the top of the list. The concepts of separation of duties and separation of responsibility—both of which are key aims and benefits of cloud computing—keep popping up over and over again in study materials and will be key to your success. Separation of duties is a provision of all cloud computing types, but only one of the three takes care of everything. In Software as a Service (SaaS), the service provider delivers the entirety of the span of responsibility. Everything from applications and data through middleware and OS, all the way down to the networking itself, is provided by the service provisioner. For comparison's sake, in Platform as a Service (PaaS), the service provider takes care of everything except the applications and data. In Infrastructure as a Service (IaaS), the client holds the applications, data, runtime, middleware, and OS, while the provider takes care of everything else—virtualization, servers, storage, and networking.

A, B, and D are incorrect because these are not true statements. In IaaS, the subscriber holds applications, data, and middleware but not virtualization and servers. In PaaS, the client only holds the applications and data.

2
Q

PE9.2 Which of the following is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services?

A. NIST Cloud Architecture
B. FedRAMP
C. PCI-DSS Cloud Special Interest Group
D. Cloud Security Alliance

A

B
B. EC-Council, at least as of this writing, doesn’t mention one single regulatory effort in cloud computing at all, outside of NIST’s reference architecture, in their official courseware. This does not mean you will not see any cloud computing regulatory efforts on your exam. I’m willing to bet you’ll see more and more of them as time goes on, and FedRAMP is the 800-pound gorilla of cloud computing regulatory efforts you absolutely need to know about. The Federal Risk and Authorization Management Program (FedRAMP; www.fedramp.gov/) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It not only provides an auditable framework for ensuring basic security controls for any government cloud effort, but FedRAMP also offers weekly tips for security and configuration and even has free training available on the site. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.

A is incorrect because the definition provided does not match the NIST Cloud Computing Reference Architecture. NIST (National Institute of Standards and Technology) released Special Publication 500-292, “NIST Cloud Computing Reference Architecture,” in 2011 to provide a “fundamental reference point to describe an overall framework that can be used government wide” (www.nist.gov/customcf/get_pdf.cfm?pub_id=909505).

C is incorrect because the definition provided does not match the PCI Data Security Standard (PCI-DSS) Cloud Special Interest Group. PCI is not a federal government regulatory body.

D is incorrect because the definition provided does not match the Cloud Security Alliance (CSA). CSA is the leading professional organization devoted to promoting cloud security best practices and organizing cloud security professionals.

3
Q

PE9.3 A business owner is advised that inventory, storage, sales, and backup online services can be provided less expensively and more securely via a cloud service. After investigating the options, the business owner determines the best cloud service provider for his needs also happens to be the provider for several of his competitors. Should he decide to engage the same provider, which cloud service deployment model will be used?

A. Private
B. IaaS
C. Community
D. Public

A

C. In most circumstances, it doesn’t matter who else uses the cloud provider you want to use—what matters is the services provided, the costs, and the available security. A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require. Or, in this case, even adversarial competitors may make use of the same services from the same cloud provider.

A is incorrect because a private cloud model is, not surprisingly, private in nature. The cloud is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not a pay-as-you-go type of operation.

B is incorrect because Infrastructure as a Service is a type of cloud computing, not a deployment model.

D is incorrect because a public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren’t a major issue.

4
Q
PE9.4 In “NIST Cloud Computing Reference Architecture,” which of the following is the intermediary for providing connectivity between the cloud and the subscriber?

A. Cloud provider
B. Cloud carrier
C. Cloud broker
D. Cloud auditor

A

B. I can guarantee you’ll see several questions from the cloud world on your exam, and many of those questions will be simply identifying portions of “NIST Cloud Computing Reference Architecture.” The cloud carrier is defined in the architecture as the organization with the responsibility of transferring the data—akin to the power distributor for the electric grid. The cloud carrier is the intermediary for connectivity and transport between the subscriber and provider.

A is incorrect because the cloud provider is the purveyor of products and services.

C is incorrect because the cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.”

D is incorrect because the cloud auditor is the independent assessor of cloud service and security controls.

5
Q

PE9.5 A company relies on a private cloud solution for most of its internal computing needs. After expanding into more online retailing, it relies on a portion of a public cloud for external sales and e-commerce offerings. Which of the following best describes the cloud deployment type in use?

A. Private
B. Public
C. Hybrid
D. Community

A

C. A hybrid cloud deployment is exactly what it sounds like—a combination of two or more deployment types together.

A is incorrect because a private cloud deployment is operated solely for a single organization (a.k.a. single-tenant environment).

B is incorrect because a public cloud deployment model is one where services are provided over a network that is open for public use (like the Internet).

D is incorrect because a community cloud deployment model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.

6
Q

PE9.6 Cloud computing would be best suited for which of the following businesses?
A. A medical practice
B. An established rural general sales store
C. A law enforcement agency
D. A Christmas supply store

A

D. Scenario questions like this will be peppered throughout your exam on multiple topics, and cloud computing is no different. In this case, the Christmas supply store is, by its very nature, seasonal. This means instead of a steady flow of business and computing resources, it will need much more support during the last couple months of the year than it would in, say, July. Cloud computing provides the elasticity (another term you may see pop up) of adding or removing computing resources as you need them, which could very well save the company money.

A is incorrect. Of the choices provided, a medical practice would not be the best choice because of the sensitive data it holds (not to mention the federally mandated protections the practice would have to have in place for those records).

B is incorrect because an established storefront with steady sales and employee staff doesn’t necessarily need cloud services.

C is incorrect because law enforcement agencies also deal with highly sensitive information. Therefore, of the choices provided, this is not the best one.

7
Q
PE9.7 A software company has decided to build and test web applications in a cloud computing environment. Which of the following cloud computing types best describes this effort?

A. IaaS
B. PaaS
C. SaaS
D. Community

A

B. This scenario is tailor-made for Platform as a Service (PaaS). Despite also being a name brand recognized mostly during Easter for coloring eggs, PaaS is geared toward software development, as it provides a platform that allows subscribers to create applications without building the infrastructure it would normally take to develop and launch software. Hardware and software are hosted by the provider on its own infrastructure, so customers do not have to install or build homegrown hardware and software for development work. PaaS doesn’t usually replace an organization’s actual infrastructure; instead, it just offers key services the organization may not have onsite.

A is incorrect because this does not describe Infrastructure as a Service. IaaS provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM) running the virtual machines as guests.

C is incorrect because this does not describe Software as a Service. SaaS is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.

D is incorrect because community refers to the cloud deployment model, not the type.

8
Q

PE9.8 Which of the following statements is not true?

A. Private cloud is operated solely for a single organization.
B. Public cloud makes use of virtualized servers.
C. Public cloud is operated over an intranet.
D. Private cloud makes use of virtualized servers.

A

C. Most of the time I deplore the “not” questions—they seem designed to trip candidates up more than to test their knowledge—but EC-Council (and, not surprisingly, virtually every other certification provider) makes use of them often. In this case, a private cloud is, of course, operated solely for one organization, and virtualization is used in all cloud deployment models. A public cloud, however, explicitly provides services on a network that is open for public use (like the Internet). A, B, and D are incorrect because these are true statements.

9
Q

PE9.9 A company relies solely on Google Docs, Google Sheets, and other cloud-based provisions for its office documentation software needs. Which of the following cloud computing types best describes this?

A. SaaS
B. PaaS
C. IaaS
D. Public

A

A. This scenario aptly describes Software as a Service. SaaS is a software distribution model—the provider offers on-demand applications to subscribers over the Internet. Google Docs and Google Sheets, where word processing and spreadsheet software actions are provided online, are perfect examples. Microsoft is also big in the SaaS game, and Office 365 is seemingly taking over for the traditional Microsoft Office suite. Instead of installing it on your system or buying it preinstalled at Best Buy (or whatever vendor you use), you can “rent” Office 365—get what you need for as long as you need. Given that Office is the world’s leading office productivity software, it shouldn’t come as a surprise that Office 365 is a big hit. The U.S. Air Force, for one example, moved over half a million e-mail accounts to Office 365 in January of 2019.

B is incorrect because Platform as a Service is a great…

10
Q
PE9.10 A subscriber purchases machine virtualization and hosting through Amazon EC2. Which of the following cloud computing types does this describe?

A. IaaS
B. PaaS
C. SaaS
D. Hybrid

A

A. There are three types of cloud computing implementation: IaaS, PaaS, and SaaS. In the case of Amazon EC2, Infrastructure as a Service best matches the description. IaaS basically provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM) running the virtual machines as guests. Collections of hypervisors within the cloud provider exponentially increase the virtualized resources available and provide scalability of service to subscribers. As a result, IaaS is a good choice, not just for day-to-day infrastructure service, but also for temporary or experimental workloads that may change unexpectedly. IaaS subscribers typically pay on a per-use basis (within a certain timeframe, for instance) or sometimes by the amount of virtual machine space used.

B is incorrect because Platform as a Service does not best match this description. PaaS is geared toward software development, as it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.

C is incorrect because Software as a Service does not best match this description. SaaS is probably the simplest and easiest…

11
Q

PE9.11 Cloud computing faces many of the same security concerns as traditional network implementations. Which of the following are considered threats to cloud computing?

A. Data breach or loss
B. Abuse of services
C. Insecure interfaces
D. Shared technology issues
E. All of the above

A

E. EC-Council dedicated a lot of real estate in their past official courseware to cloud threats, even though much of it is the same as it would be in traditional networking, and in this version, it’s more of the same. In a blast from the past (as this comes straight out of the Cloud Security Alliance’s “The Notorious Nine: Cloud Computing Top Threats in 2013” publication, https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf, which is no longer referenced in the course material but obviously still used as a reference), the top three listed are data breach and loss, abuse of cloud services, and insecure interfaces/APIs.

Lastly, I must point out the original Cloud Security Alliance publication (“The Notorious Nine: Cloud Computing Top Threats in 2013”) has been updated. It’s now “The Dirty Dozen: 12 Top Cloud Security Threats,” also referred to as “The Treacherous 12” (https://www.csoonline.com/article/3043030/12-top-cloud-security-threats-for-2018.html), and while it’s very, very similar to the original, there are a few differences. For example, perusing the list you may notice “Abuse of Cloud Services” is now listed as “Abuse of Cloud Resources.” Because you may see questions from both lists on your exam, I’ve left the original noted, but what I’ve listed should provide all you need for memorization purposes. Just use your common sense on these questions and you should be fine.

A, B, C, and D are incorrect because they’re all cloud computing threats.

12
Q
PE9.12 Which of the following attacks occurs during the translation of SOAP messages?

A. Wrapping attack
B. Cross-guest VM
C. Side channel
D. Session riding

A

A. Attacks aren’t necessarily specific to cloud computing, but EC-Council covers wrapping attacks here, so we’ll follow suit. In a wrapping attack, the user sends a request to the server, but the SOAP response is intercepted by the attacker. He then duplicates the original message and sends it as if he is the user. In short, to pull this off, you just intercept the response, change the data in the SOAP envelope, and replay.

B and C are incorrect because this does not describe cross-guest VM attacks, which are also known as side channel attacks and deal with virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of malicious activities.

D is incorrect because this does not describe a session riding attack. Session riding is, in effect, simply CSRF under a different name and deals with cloud services instead of traditional data centers.

13
Q
PE9.13 Which of the following is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network?

A. API
B. SOA
C. EC2
D. IaaS

A

B. In Service-Oriented Architecture (SOA), software is designed so that each of its individual components works and communicates with components on different systems across the network. Each computer can run any of the services in the software, and each individual component is built so that it can exchange information with any other service in the network, without interaction or the need to make changes to the software. For example, someone might create an API that provides access to a database, which then allows third-party vendors to create their own applications to take advantage of it.

A is incorrect because this does not define an…

14
Q

PE9.14 In “NIST Cloud Computing Reference Architecture,” which entity manages cloud services and maintains the relationship between cloud providers and subscribers?

A. Cloud broker
B. Cloud auditor
C. Cloud carrier
D. Cloud consumer

A

A. “NIST Cloud Computing Reference Architecture” defines the cloud broker as the entity that acts to manage the use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.”

B is incorrect because the cloud auditor is the independent assessor of the cloud service provider’s security controls.

C is incorrect because the cloud carrier is the…

15
Q

PE9.15 Which of the following is not a benefit of virtualization?

A. It allows for more efficient backup, data protection, and disaster recovery.
B. It reduces system administration work.
C. It improves operational efficiency.
D. It locks individual hardware to each individual virtual machine.

A

D. Some of you may actually work with and in a cloud, and you may disagree with at least one of the benefits listed here. However, while there may be differences between the real world and your CEH exam, for your test you really need to know virtualization’s benefits. The idea itself is great—run one or more operating systems simultaneously on the same physical box by virtualizing the hardware to each OS. Multiple companies (such as VMware, Oracle VirtualBox, and Xen) provide the hypervisor (a.k.a. virtual machine monitor, or VMM, which is an application or hardware that creates and runs virtual machines) that allows multiple OSs to share the same physical machine hardware. Virtualizing your server can improve operational efficiency, provide for more efficient backups, offer disaster recovery and data…

16
Q

PE9.16 A company acquires a cloud environment for much of its business IT needs. The environment is used and operated solely for the single organization. Which of the following represents the cloud deployment model in question?

A. Public
B. IaaS
C. Sole-source
D. Private

A

D. In a private cloud model, the cloud is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not a type of pay-as-you-go operation. Private clouds are usually preferred by larger organizations, because the hardware is dedicated and security and compliance requirements can be more easily met.

A is incorrect because a public cloud is for use by anyone and everyone.

B is incorrect because IaaS is a cloud type providing virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor running the virtual machines as guests. IaaS is a good choice for day-to-day infrastructure service and temporary…

17
Q

PE9.17 Which of the following statements is true regarding cloud computing?

A. Security in the cloud is the responsibility of the provider only.
B. Security in the cloud is the responsibility of the consumer only.
C. Security in the cloud is the responsibility of both the consumer and the provider.
D. None of the above.

A

C. One of the biggest misconceptions about cloud computing seems to be where the lines of responsibility are drawn. However, it should come as no surprise that security is everyone’s responsibility, and that absolutely extends to the cloud. The provider must protect the hardware, virtualization, VMs, and network connectivity. The consumer must protect their virtual systems (OSs, applications, and data). Sometimes this is a challenge in the real world. Where does your testing start and end? If your entire system relies on a cloud provider to remain up and secure, can you test all of it? And what happens if your resources are commingled somewhere inside all that cloud secret sauce? Can you really trust they’re on top of things, security-wise? Should you? Can you?

A, B, and D are all incorrect statements.

18
Q

PE9.18 Which tool offers penetration-test-like services for Amazon EC2 customers?

A. CloudPassage Halo
B. Core Cloud
C. CloudInspect
D. Panda Cloud Office Protection

A

C. CloudInspect (www.coresecurity.com/corelabs-research/projects/core-cloudinspect) is “a tool that profits from the Core Impact & Core Insight technologies to offer penetration-testing as a service from Amazon Web Services for EC2 users.” It’s obviously designed for AWS cloud subscribers and runs as an automated, all-in-one testing suite specifically for your cloud subscription.

A is incorrect because CloudPassage Halo (www.cloudpassage.com) “provides instant visibility and continuous protection for servers in any combination of data centers, private clouds and public clouds. The Halo platform is delivered as a service, so it deploys in minutes and scales on-demand. Halo uses minimal system resources, so layered security can be deployed where it counts, right at every workload—servers, instances and containers.” Other tools for cloud pen testing you should know for your exam include Dell Cloud Manager and Parasoft SOAtest.

B is incorrect because there is no such tool.

D is incorrect because Panda Cloud Office Protection is not an automated pen test tool suite.

19
Q

PE9.19 An attacker sets up a VM on the same physical cloud host as the target’s VM. He then takes advantage of the shared physical resources to steal data. Which of the following describes this attack?

A. Side channel
B. VM flood
C. Session riding
D. Cybersquatting

A

A. The side-channel attack, also known as a cross-guest VM breach, occurs when a bad guy gets a virtual machine on the same host as the target. Through a variety of means for taking advantage of vulnerabilities in some shared technologies, the attacker then uses the shared physical resources to pilfer data. Providers can mitigate these attacks by using an up-to-date hypervisor provision, implementing strong virtual firewalls between guest OSs, and enforcing the use of encryption. Subscribers can help by locking down (hardening) their OSs and using good coding in their applications (especially when it comes to accessing resources such as memory). As a fun aside, these types of attacks are categorized by people who actually pen test for a living as a unicorn attack—since you’ll have as good a chance seeing a unicorn as you will actually performing this attack.

B is incorrect because, although VM flood may sound cool, it is not a legitimate attack term.

C is incorrect because session riding is a CSRF attack inside the cloud.

D is incorrect because cybersquatting has nothing to do with this attack.

20
Q

PE9.20 In the trusted computing model, what is a set of functions called that’s always trusted by the computer’s operating system?

A. SOA
B. RoT
C. TCG
D. VM

A

B. Trusted computing is a simple idea: resolve a lot of computing problems through hardware enhancements and software modifications. Several vendors got together, calling themselves the Trusted Computing Group (TCG), and worked out specifications, proposals, and technologies to help protect system resources. Within all this work is the idea of Roots of Trust (RoT), which is a set of functions always trusted by the operating system. It provides a lot of the functionality the rest of the model is built on, such as real-time encryption, rootkit detection, memory curtailing, digital rights management (DRM) through hardware, and more.

A is incorrect because this does not describe Service-Oriented Architecture. SOA is an architectural design effort in computer software where…