Security + 10 / Virtualization and Cloud Security
Which capabilities are offered by Next-generation Secure Web Gateways? (Choose two.) A. Content filtering B. Proxy server C. Infrastructure as code D. CI/CD
A. Content filtering B. Proxy server
Which strategy involves using network edge devices to process and move data into and out of the cloud? A. Quantum computing B. Fog computing C. Hybrid cloud D. Private cloud
B. Fog computing --- Fog computing, also referred to as edge computing, places data processing capabilities on network edge devices between data sources and a public cloud environment, such as a corporate on-premises network. The benefit is that decentralizing processing and placing it nearest where it is needed can speed up data transfers and thus reduce overall processing time.
You have replicated on-premises application servers and data to the cloud in the event of an on-premises network disruption. The servers are kept in sync through replication. Which term best describes the role of the cloud in this configuration? A. Warm site B. Hot site C. Cold site D. Glacier site
B. Hot site
Which type of replication does not wait for data to be committed to the primary replica before synchronizing additional replicas? A. Asynchronous B. Synchronous C. Symmetric D. Asymmetric
B. Synchronous
What type of hypervisor would be required if you wanted to use an existing server with an existing operating system? A. Type 1 B. Type 2 C. Type 3 D. Type 4
B. Type 2
Adrian is working on a project in a refinery. He must deploy IoT devices that will alert the central control system when pressure increases in the petrol pipes. What is the best computing location for this project? Fog Cloud Edge Off-premises
Edge (not close but nearby). Notes: off-premises = third-party cloud; remote/fog = automated guided vehicles.
An enterprise's application server and web server are hosted by a cloud service provider, and the database server is in the enterprise's own cloud establishment. Which type of cloud is used by the enterprise? Community cloud Private cloud Hybrid cloud Public cloud
Hybrid cloud
Max's email client allows him to organize email into folders on the mail server, read email on different devices, and work with email while offline. Which of the following protocols is used in Max's email client for incoming mail? POP SMTP IMAP LDAP
IMAP --- IMAP (Internet Mail Access Protocol) is a more recent and advanced electronic mail protocol for incoming mail. IMAP is "remote" email storage: email remains on the email server (in folders). Post Office Protocol (POP) is a "store-and-forward" service for incoming mail that downloads the messages onto the local computer.
Which of the following provides the underlying components to run a data center on a public cloud? PaaS SaaS IaaS Private Cloud
IaaS
Your enterprise ran out of computing resources due to the increasingly high rate of stored data. You are asked to choose a cloud model in which your enterprise can have the most control over the hardware. Which model should you choose? Infrastructure as a Service Security as a Service Software as a Service Platform as a Service
Infrastructure as a Service
Which of the following vulnerabilities of FTP can be prevented using SFTP? ARP spoofing MAC spoofing Man-in-the-middle DNS poisoning
Man-in-the-middle
Which of the following entities is contracted to manage the network, servers, and systems and provide active support in the IT functions? Managed Security Service Provider (MSSP) Cloud Service Provider Managed Service Provider (MSP) Cloud Access Service Broker (CASB)
Managed Service Provider (MSP)
Which of the following are examples of Platform as a Service (PaaS)? [Choose all that apply] Intel Mash Maker Cisco Metapod Google Compute Engine (GCE) Google App Engine Microsoft Azure Amazon EC2
Microsoft Azure Google App Engine Intel Mash Maker
In Edge computing, where is the data processed? On a central server On the device and central server On the device where it originated Only in the cloud
On the device where it originated
Database-as-a-service solution is an example of which of the following? IaaS PaaS Private Cloud SaaS
PaaS
Which of the following is deployed on premises and intended only for the organization? Hybrid Cloud Native Cloud Public Cloud Private Cloud
Private Cloud
In which of the following cloud type resources are shared amongst customers, although customers are segmented from each other? Hybrid Cloud Private Cloud Public Cloud Native Cloud
Public Cloud
Which protocol do the thin clients use to connect to a central server? File Transfer Protocol (FTP) Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Secure Shell (SSH)
Remote Desktop Protocol (RDP)
While attending a cybersecurity training program, Peter raised a question to the trainer: "How does sandboxing protect a system from malicious activities?" How should the trainer answer Peter's question? Sandboxing integrates different security appliances virtually so that malware can be easily detected. Sandboxing allows rolling back to the previous state if a security breach occurs. Sandboxing forms a barrier between the physical computing device and guest OS to prevent malicious applications from spreading. Sandboxing allows isolating potential malicious programs using a virtual machine (VM) to impact only the VM.
Sandboxing allows isolating potential malicious programs using a virtual machine (VM) to impact only the VM.
What separates the control plane from the data plane to virtualize a physical network? Software-defined network Hypervisor Virtual LAN Software-defined visibility
Software-defined network
A private medical practice hires you to determine the feasibility of cloud computing, whereby storage of e-mail and medical applications, as well as patient information, would be hosted by a public cloud provider. You are asked to identify potential problems related to sensitive data regulatory compliance. (Choose two.) A. Data is stored on the cloud provider's infrastructure, which is shared by other cloud tenants. B. HTTPS will be used to access remote services. C. Should the provider be served a subpoena, the possibility of full data disclosure exists. D. Data will be encrypted in transit as well as when stored.
A. Data is stored on the cloud provider's infrastructure, which is shared by other cloud tenants. C. Should the provider be served a subpoena, the possibility of full data disclosure exists. --- A and C. Sharing the same cloud computing services with other customers could be forbidden by sensitive data regulations, although cloud tenant data is not accessible by other cloud tenants. Depending on the provider's geographic location, different laws may apply to whether data hosted by the provider can legally be disclosed. However, that's not a risk many organizations are willing to take.
Which of the following are true regarding virtualization? (Choose two.) A. Each virtual machine has one or more unique MAC addresses. B. Virtual machine operating systems do not need to be patched. C. Virtual machines running on the same physical host can belong to different VLANs. D. A security compromise of one virtual machine means all virtual machines on the physical host are compromised.
A. Each virtual machine has one or more unique MAC addresses. C. Virtual machines running on the same physical host can belong to different VLANs.
Your software developers use security keys to access cloud services. What should you do to harden the use of security keys? A. Rotate cloud keys. B. Use symmetric instead of asymmetric keys. C. Reduce the key length. D. Send copies of keys to all developers via SMTP.
A. Rotate cloud keys. --- A. Rotating keys is a standard security practice. Past compromised keys will no longer provide resource access. Software developers must be provided with newly rotated keys for continued cloud resource access.
You are configuring cloud-based virtual networks without having to connect directly to the cloud provider hardware routers to configure VLANs. What enables this capability? A. Software-defined networking B. Transit gateway C. Software-defined visibility D. Serverless architecture
A. Software-defined networking --- A. Software-defined networking (SDN) adds a configuration layer above the network infrastructure hardware that enables a simplified and consistent management experience, such as through a web GUI or command-line tools. SDN removes the need for cloud customers to have detailed technical knowledge of the configuration of the underlying network hardware.
You have deployed a database in an AWS virtual private cloud. You need to limit database access to other AWS resources while ensuring that network traffic does not leave the Amazon network. What should you configure? A. VPC endpoint B. Transit gateway C. Elastic IP address D. Security group
A. VPC endpoint --- A. A virtual private cloud (VPC) is a virtual network defined in the cloud, such as AWS, Google Cloud, or IBM Cloud. A VPC endpoint enables a private connection to resources in a VPC using only internal private IP addresses. B, C, and D are incorrect. In the cloud, transit gateways enable cloud virtual network and on-premises network interconnectivity through network-linking mechanisms such as VPNs.
In a security review meeting, Nathan proposed using a software-defined network for easy reconfiguration and enhanced security. How will an SDN enhance the security of Nathan's enterprise network? An SDN has a built-in intrusion prevention system. An SDN can ensure that all network traffic is free of malware. An SDN alerts when a suspect event is happening. An SDN can ensure that all network traffic is routed through a firewall.
An SDN can ensure that all network traffic is routed through a firewall.
Which type of hypervisor runs directly on the computer's hardware? a. Type I b. Type II c. Type IV d. Type III
a. Type I
A cloud firewall solution examines packet headers to allow or deny traffic based on IP addresses and port numbers. To which layer of the OSI model does the type of firewall apply? A. 2 B. 3 C. 4 D. 7
C. 4 --- C. Layer 4, the transport layer of the seven-layer conceptual OSI model, focuses on transporting data either reliably (TCP) or unreliably but more quickly (UDP). Network service port numbers are also called layer 4 addresses; IP addresses are layer 3 (the network layer) addresses. A packet-filtering firewall can examine packet headers containing addressing information, but not the packet payload containing the data being transmitted.
You need to deploy virtual machines in the cloud to support big data processing. The virtual machines must not be reachable from the Internet. Data processing summaries will be uploaded from the virtual machines to an on-premises database server. The on-premises network is already configured to allow incoming connections from the Internet. What should you do to allow the required functionality while maximizing security? A. Deploy a public subnet in the cloud with firewall rules. B. Deploy a private subnet in the cloud with an on-premises Internet gateway. C. Deploy a private subnet in the cloud with an Internet gateway. D. Deploy a client-to-site VPN.
C. Deploy a private subnet in the cloud with an Internet gateway.
Your company hosts an on-premises Microsoft Active Directory server to authenticate network users. Mailboxes and productivity applications for users are hosted in a public cloud. You have configured identity federation to enable locally authenticated users to connect to their mailboxes and productivity applications seamlessly. What type of cloud deployment model is in use? A. Public B. Private C. Hybrid D. Community
C. Hybrid
Private cloud technicians have configured policies that will shut down and remove virtual machines with no activity for 30 days or more. What are technicians attempting to prevent? A. VM escaping B. VM resource policy exploitation C. VM sprawl D. VM services integration
C. VM sprawl --- In VM sprawl, you may not be aware of the existence of numerous virtual machines that are not used or that have been forgotten, yet they still exist and could remain running, thus incurring cloud computing charges.
Which of the following provides services, maintains the infrastructure, and provides security in a cloud environment? Cloud Access Service Broker (CASB) Cloud consumer Cloud user Cloud Service Provider
Cloud Service Provider --- A CASB is a set of software tools or services that resides between an enterprise's on-prem infrastructure and the cloud provider's infrastructure. Acting as the gatekeeper, a CASB ensures that the security policies of the enterprise extend to its data in the cloud.
Which of the following is considered a hybrid form of private clouds built and operated specifically for a targeted group? Hybrid Cloud Community Cloud Public Cloud Private Cloud
Community Cloud
Which of these is NOT created and managed by a microservices API? a. User experience (UX) b. Authentication c. Database d. Logs
a. User experience (UX)
You have configured a content-filtering firewall for traffic leaving a cloud virtual network. To which layer of the OSI model does this type of firewall apply? A. 2 B. 3 C. 4 D. 7
D. 7 --- D. Layer 7 (the application layer) of the OSI model relates to high-level protocols, meaning all packet headers and packet payloads can be examined, as opposed to a layer 4 packet filtering firewall, which can base decisions only on the fields present in packet headers. As a result, layer 7 firewall solutions tend to be more expensive than layer 4 firewall solutions. A, B, and C are incorrect. Layer 2 is the OSI data link layer, which is concerned with how transmissions are placed on the network medium. Layer 3 focuses on IP addressing and routing, and layer 4 is responsible for packet transport and delivery.
Your manager wants to run every application securely in its own virtualized environment while minimizing application startup time. What should be used for each application? A. Virtual machine B. Cloud access security broker C. VM escape protection D. Application container
D. Application container
You must ensure that cloud storage is available in the event of a regional disruption. What should you configure? A. Cloud storage encryption B. Cloud storage permissions C. Cloud storage replication within a data center D. Cloud storage replication across zones
D. Cloud storage replication across zones --- D. Replication of cloud-stored data to alternative physical locations, or geographical zones, provides data redundancy in the event of a disruption in one region.
You are responsible for three IaaS payroll servers that store data in the cloud. The chief financial officer (CFO) requests observation of access to a group of budget files by a particular user. What should you do? A. Create file hashes for each budget file. B. Encrypt the budget files. C. Configure a HIDS to monitor the budget files. D. Configure file system auditing for cloud storage.
D. Configure file system auditing for cloud storage. --- D. You should configure file system auditing for budget file access by the employee in question. This enables you to track who accessed budget files at any given time. A, B, and C are incorrect. File hashing is useful only in determining whether a file has changed, not whether anybody in particular accessed the file. Encryption is used for data confidentiality. A host-based intrusion detection system (HIDS) looks for and reports on abnormal host activity; users who access files with appropriate permissions are generally not considered abnormal.
Which strategy increases the security of cloud-based containerized applications? A. Use a private cloud to host containerized applications. B. Run the containers only on physical servers. C. Create containers only from anonymous public repositories. D. Create containers only from private repositories.
D. Create containers only from private repositories. --- A containerized application decouples an application or application component (microservice) from other components or operating system dependencies. A container is a runtime version of a container image and consists of application files and configuration settings but not the OS; the underlying host OS that is already running is used instead. Hosting images in a private repository provides the ability to control which images are used to launch containers, thus enhancing security.
Over time, you have noticed unauthorized configuration changes made to virtual machine cloud settings. You need a way to track who made these changes and when. What should you do? A. Enable virtual machine API integration. B. Rotate the cloud access keys. C. Deploy an OSI layer 7 firewall. D. Enable cloud resource activity auditing.
D. Enable cloud resource activity auditing.
You are a server virtualization consultant. During a planning meeting with a client, the issue of virtual machine point-in-time snapshots comes up. You recommend careful use of snapshots because of the security ramifications. Which security problem is the most likely to occur when using snapshots? A. Snapshots can consume a large amount of disk space. B. Snapshots could expose sensitive data. C. Invoked snapshots will mean that the virtual machine is temporarily unavailable. D. Invoked snapshots will have fewer patch updates than the currently running virtual machine.
D. Invoked snapshots will have fewer patch updates than the currently running virtual machine. --- D. Reverting a running virtual machine to an older snapshot could mean going back to a point in time before critical patches or virus scanning updates were applied, thus rendering your virtual machine vulnerable.
You must control network traffic flow to specific Amazon Web Services (AWS) virtual machines. What should you configure? A. Network ACL B. Amazon machine image C. Elastic IP address D. Security group
D. Security group --- An AWS security group contains a list of rules that allow traffic into or out of specific virtual machines (called EC2 instances in AWS).
Which protocol has the data origin authentication and data integrity protection feature? SMTP DNSSEC IMAP FTP
DNSSEC --- DNS attacks can be thwarted by using Domain Name System Security Extensions (DNSSEC). DNSSEC adds additional resource records (these records define the data types being used) and message header information, which can be used to verify that the requested data has not been altered in transmission. DNSSEC essentially adds two important features to the DNS protocol: data origin authentication allows a resolver to verify that the data it received actually came from the zone from which it claims to have originated, and data integrity protection proves the data has not been modified in transit since it was originally signed by the zone owner with the zone's private key.
In an interview, you are provided the following statements regarding secure protocols. Which of the following should you identify as correct? X.500 Lite is an open protocol, so applications don't need to worry about the type of server hosting the directory. POP3 is a remote email storage service responsible for incoming email, while IMAP is a store-and-forward service for incoming email. SNMPv1 uses community strings that support authentication, while SNMPv3 uses community strings that support encryption. Secure FTP (SFTP) uses SSL or TLS to encrypt commands, while FTP Secure (FTPS) is an entire protocol itself.
X.500 Lite is an open protocol, so applications don't need to worry about the type of server hosting the directory.
Which of the following is NOT a cloud computing security issue? a. Bandwidth utilization b. Compliance regulations c. Insecure APIs d. System vulnerabilities
a. Bandwidth utilization
Which of the following is NOT correct about containers? a. Containers require a full OS whenever APIs cannot be used. b. Containers include components like binary files and libraries. c. Containers reduce the necessary hard drive storage space to function. d. Containers start more quickly.
a. Containers require a full OS whenever APIs cannot be used. --- A container holds only the necessary OS components (such as binary files and libraries) that are needed for that specific application to run. In some instances, containers can even share binary files and libraries. This not only reduces the necessary hard drive storage space and random access memory (RAM) needed but also allows containers to start more quickly, because the entire operating system does not have to be started. Containers can be easily moved from one computer to another.
Which of the following will NOT protect a container? a. Eliminate APIs. b. Use reduced-visibility images to limit the risk of a compromise. c. Use a hardened OS. d. Only use containers in a protected cloud environment.
a. Eliminate APIs.
Zuzana is creating a report for her supervisor about the cost savings associated with cloud computing. Which of the following would she NOT include on her report on the cost savings? a. Reduction in broadband costs b. Resiliency c. Pay-per-use d. Scalability
a. Reduction in broadband costs
Which of the following is NOT a feature of a next-generation SWG? a. Send alerts to virtual firewalls b. Can be placed on endpoints, at the edge, or in the cloud c. DLP d. Analyze traffic encrypted by SSL
a. Send alerts to virtual firewalls (it sends alerts to a SIEM) --- A next-generation secure web gateway (SWG) combines several features into a single product. It examines both incoming and outgoing traffic and performs basic URL filtering and monitoring of web applications. A next-generation SWG also analyzes received traffic (even traffic encrypted by SSL), performs DLP, and provides alerts to a monitoring device such as a security information and event management (SIEM) appliance. An SWG can be placed on endpoints, at the edge, or in the cloud.
What does the term "serverless" mean in cloud computing? a. Server resources of the cloud are inconspicuous to the end user. b. The cloud network configuration does not require any servers. c. All appliances are virtual and do not interact with physical servers. d. Servers are run as VMs.
a. Server resources of the cloud are inconspicuous to the end user.
Which of the following is NOT correct about high availability across zones? a. They require that specific security appliances be located on-prem so that the local data center can be considered as a qualified Zone. b. In a cloud computing environment, reliability and resiliency are achieved through duplicating processes across one or more geographical areas. c. They are more highly available, fault tolerant, and scalable than would be possible with a single data center. d. An Availability Zone (AZ) is one or more data centers within a Region—each with redundant power, networking, and connectivity.
a. They require that specific security appliances be located on-prem so that the local data center can be considered as a qualified Zone. --- In a cloud computing environment, reliability and resiliency are achieved by duplicating processes across one or more geographical areas. This is called high availability across zones.
The CEO is frustrated by the high costs associated with security at the organization and wants to look at a third party assuming part of their cybersecurity defenses. Nikola has been asked to look into acquiring requests for proposal (RFPs) from different third parties. What are these third-party organizations called? a. MPSs b. MSSPs c. MHerrs d. MSecs
b. MSSPs
Aleksandra, the company HR manager, is completing a requisition form for the IT staff to create a type of cloud that would only be accessible to other HR managers like Aleksandra who are employed at manufacturing plants. The form asks for the type of cloud that is needed. Which type of cloud would best fit Aleksandra's need? a. Group cloud b. Hybrid cloud c. Community cloud d. Public cloud
c. Community cloud
Nadia has been asked to perform dynamic resource allocation on specific cloud computing resources. What action is Nadia taking? a. Creating security groups to segment computing resources into logical groupings that form network perimeters b. Decreasing the network bandwidth to the cloud c. Deprovisioning resources that are no longer necessary d. Expanding the visibility of intrusion prevention devices
c. Deprovisioning resources that are no longer necessary
Alicja is working on a project to deploy automated guided vehicles on the industrial shop floor of the manufacturing plant in which she works. What location of computing would be best for this project? a. Edge b. Off-premises c. Fog d. Remote
c. Fog
Which cloud model requires the highest level of IT responsibilities? a. SaaS b. PaaS c. IaaS d. Hybrid cloud
c. IaaS
Which of the following is true about secrets management? a. It can only be used on-prem for security but has a connection to the cloud. b. It requires AES-512. c. It provides a central repository. d. It cannot be audited for security purposes.
c. It provides a central repository. --- A secrets manager provides a central repository: a single source to manage, access, and audit secrets across a cloud infrastructure.
Which of the following is NOT a characteristic of cloud computing? a. Immediate elasticity b. Universal client support c. Visible resource pooling d. Metered services
c. Visible resource pooling
Oliwia has been given a project to manage the development of a new company app. She wants to use a cloud model to facilitate the development and deployment. Which cloud model will she choose? a. IaaS b. SaaS c. XaaS d. PaaS
d. PaaS
Which of the following virtualizes parts of a physical network? a. SDV b. SDA c. SDX d. SDN
d. SDN --- A software-defined network (SDN) virtualizes parts of the physical network so that it can be more quickly and easily reconfigured. This is accomplished by separating the control plane from the data plane. Software-defined visibility (SDV) is a framework that allows users to create programs in which critical security functions that previously required manual intervention can now be automated.
Which of the following provides the highest level of security? a. FTPS b. XFTP c. FTP d. SFTP
d. SFTP
Wiktoria is frustrated that her company is using so many different cloud services that span multiple cloud provider accounts and even different cloud providers. She wants to implement a technology to give full control and visibility over all the cloud resources, including network routing and security. What product does Wiktoria need? a. Thin virtual visibility appliance (TVVA) b. CASB c. SWG d. Transit gateway
d. Transit gateway --- A transit gateway is an Amazon Web Services (AWS) technology that allows organizations to connect all existing virtual private clouds (VPCs), physical data centers, remote offices, and remote gateways into a single managed source. A cloud access security broker (CASB) is a set of software tools or services that resides between an enterprise's on-prem infrastructure and the cloud provider's infrastructure. Acting as the gatekeeper, a CASB ensures that the security policies of the enterprise extend to its data in the cloud.
Which of the following combines one or more private clouds with one or more public clouds? Public Cloud Hybrid Cloud Private Cloud Native Cloud
Hybrid Cloud