Security cloud exam
An organization uses cloud-based VMs to support its manufacturing process. To ensure that outages are minimized, operating system updates are first installed on VMs that manage non-critical processes. Which method is the organization using?
A canary deployment process rolls out virtual machine (VM) changes in a controlled manner. This process deploys updated VMs to a limited group of users. Once functionality is verified, VMs can be deployed throughout the enterprise. The purpose of this approach is to allow limited, in-production testing without causing outages for critical processes. If issues are detected, the upgraded systems can be brought offline while non-upgraded systems continue to operate normally.
A CSP uses several public platforms to deliver firmware updates to its IaaS customers. The CSP is concerned that the malware could be injected into the updates, depending on where they are hosted. Which option is MOST likely to mitigate this risk?
Among other uses, digital signatures can be used to ensure that firmware, drivers, and software updates have not been modified by malicious parties. Modified files will have invalid signatures and can be discarded. Digital signatures use Public Key Infrastructure (PKI) to ensure data integrity. Ensuring data integrity is critical when transferring files across untrusted networks because file contents may be modified in transit. The signature is created by the file's signer using the private key that is created when a certificate request is generated. The signature can be verified using the signer's public key, which is stored in the signer's X.509 certificate.
A cloud-based application is composed of containers and VMs. The systems are frequently the target of brute force password attacks. What should the administrator do to identify and alert on these attacks without taking any corrective action?
An Intrusion Detection System (IDS) should be deployed on the network. An IDS can be host-based or network-based and is used to monitor systems and network connections. Typically, an IDS is configured to alert when suspicious activity is detected. However, an IDS is designed to be passive, which means that it will not actively stop intrusions. This feature is provided by an Intrusion Prevention System (IPS).
An organization stores sensitive data on a cloud-based network and is concerned that employees may email this information outside the network. What is the BEST option for mitigating this risk?
Deploying a Data Loss Prevention (DLP) system on the email server is the best option for preventing the sharing of the organization's data. DLP is designed to prevent exfiltration of an organization's sensitive or proprietary data. DLP is usually configured on email and file servers, firewalls, and other locations where data enters or leaves a network or system. DLP uses powerful search algorithms to locate data such as credit card numbers in emails, files, and network sessions. Depending on how the DLP system is configured, it may simply alert when sensitive data is found, or extract the data before it is sent.
An attacker uploads a rootkit to a critical server. The rootkit evades detection by hiding itself within core system DLLs. Which solution is MOST likely to mitigate this risk in the future?
Deploying file integrity monitoring (FIM) software on sensitive systems is the best solution for addressing this risk. FIM is used to monitor and detect changes to sensitive files. This is done by creating file hashes or signatures and then storing these for future comparison. If a file's signature has changed, this indicates the file's content has changed. Depending on how the FIM software is configured, this change can generate alerts or even lock a server down to prevent further changes.
What occurs during the detection phase of the incident response process?
During the detection phase of the incident response process, logged events are correlated based on time. Log correlation is the process of collecting and analyzing logs from various sources. The correlation is typically done using timestamps to identify the time and sequence of malicious activities. For this reason, accurate time keeping is critical in a networked environment.
What is the BEST method for ensuring that a cloud-based application's keys are stored securely?
Enrolling in an Application Programming Interface (API) secret management service is the best method for ensuring that a cloud-based application's keys are stored securely. Many cloud-based applications require keys as part of authenticating programs or services that access the application. Keys are like user account passwords and must be stored securely. Many cloud providers offer secret management services for their clients.
A server admin evaluates how an incident was handled to determine if the outcome was acceptable. Which phase or procedure in the incident response process does this describe?
Evaluating how an incident was handled is done as a part of the lessons learned phase of incident response. The purpose of this phase is to improve an organization's security stance and its incident response procedures. Depending on outcomes, the organization may decide to increase spending on security controls or modify its incident response procedures.
An organization's web page is defaced. Who should be contacted first?
If an organization's web page is defaced, an incident response team member should be contacted first. The purpose of creating an incident response plan is to determine how an incident should be handled, and this plan should be thoroughly understood by the members of the incident response team. This team may include a single member as the first point of contact, or an on-call rotation schedule may be shared by all members. The incident response team will know what steps to take next when an incident is discovered.
A government contractor must deploy MAC for all project-related assets. What is the organization MOST likely to do?
In a Mandatory Access Control (MAC) environment, the organization will most likely define a data classification policy. A data classification policy defines the process for classifying an organization's data based on the type of data and its sensitivity level. This exercise is required to properly manage and secure data throughout its lifecycle. In a MAC environment, data cannot be properly labeled until it has been classified. This label in turn drives requirements for encryption, data access, etc.
A cloud admin must ensure that traffic can be captured, and session statistics can be analyzed and stored over time. Additionally, the admin must use the information to identify performance anomalies. Which solution is the admin MOST LIKELY to implement?
Network flows can be captured using a network flow collector. Once captured, the flows can be analyzed to identify traffic trends. In most implementations, network devices are configured with the Internet Protocol (IP) address of a flow collector, a dedicated system that collects network flow data. The collector may have advanced analytical, reporting, and alerting functionality.
A cloud administrator has been instructed to apply digital signatures to all files stored on a cloud-based server. What BEST describes the purpose of this approach?
One of the primary uses of digital signatures is to verify that data has not been altered. This is also known as ensuring file data integrity. When a piece of data is created, a digital signature can also be generated. For file or email data, most digital signatures begin as a hash of the original data. This hash is then encrypted using Public Key Infrastructure (PKI) keys. The receiver can use the associated PKI key to validate the signature. Modified files will have invalid signatures and can be discarded. Signatures can also be used to authenticate the file's creator.
A cloud admin performs a scan and discovers several vulnerabilities of concern. What should the admin do to ensure that they are addressed using security best practices?
The admin should add the vulnerabilities to a risk register. A risk register is used to track an organization's risks in a single location. This allows the organization to evaluate the impact each risk may present and the methods and costs associated with mitigating the risks. Based on this analysis, the organization can prioritize control acquisition and deployment.
A cloud admin discovers a long list of missing updates and patches on cloud servers. The admin's biggest concern is recently discovered OS exploits. What should the admin do FIRST?
The admin should first install missing hotfixes. A hotfix is a critical fix released by a vendor. Hotfixes usually address severe bugs that affect a system's stability or security. Hotfixes should be prioritized over other system updates, patches, or service packs.
An admin is concerned about the impact of lateral movement if a user's credentials are compromised. Which is the BEST option the admin can choose to better assess this risk?
The admin should perform a credentialed scan. Lateral movement occurs when an attacker compromises a system and uses the privileges on that system to move to other systems on the network. A credentialed scan uses an authenticated account to detect vulnerabilities and can be used to mimic this lateral movement. The credentialed scan will expose any vulnerabilities accessible by an authenticated account.
A cloud administrator has been told that all resource access must be managed using MAC. What should the administrator do to meet this requirement?
The administrator should apply security labels to all resources. Access control is used to limit what a user can do and is commonly associated with file or folder access. Mandatory access control (MAC) is considered the most secure access control method and is primarily used in government systems. The basis of the MAC model is the application of security labels like top secret or secret. These labels are applied to all users and system resources, such as files. Users are only allowed to access resources that match their security label or lower. For example, a user with the label top secret could access files labeled top secret or secret.
A cloud administrator is concerned that an attacker might eavesdrop on name resolution requests performed by clients in a VPC. What should the administrator do to mitigate this risk?
The administrator should deploy DNS over HTTPS (DoH) on all internal Domain Name System (DNS) servers. By default, DNS queries are sent in clear text, which means that an eavesdropper can capture query traffic and read its contents. However, by using Hypertext Transfer Protocol Secure (HTTPS), communications between clients and DNS servers in the virtual private cloud (VPC) can be encrypted. Many modern browsers now offer built-in DoH features.
A cloud engineer migrates an organization's HR and financial management apps to cloud-based VMs. What is the BEST option for isolating the VMs from one another without creating new subnets?
The best option for isolating the VMs from one another is to implement micro-segmentation. Micro-segmentation can be used to create boundaries between cloud servers and applications. This enhances security without requiring the creation of new subnets.
Following a brute-force attack, a cloud server has been compromised. What are the two BEST options for mitigating this risk in the future? (Choose TWO.)
The best options for mitigating brute-force password attacks would be to implement account lockout and deploy Multifactor Authentication (MFA).
Following the implementation of a hybrid cloud, the credentials for a cloud server are compromised. What are the BEST two options for preventing this in the future? (Choose TWO.)
The best options for preventing credential compromise in this scenario would be to configure a site-to-site Virtual Private Network (VPN) for all cloud communications and to install certificates on cloud servers and require Transport Layer Security (TLS).
A cloud engineer plans to deploy server VMs that will store and process PII. The engineer must ensure that servers can communicate with one another, but any suspicious activity detected on a server should trigger an alert to the security team. The suspicious activity should not be blocked. What is the BEST solution that meets these requirements?
The best solution for detecting and alerting on suspicious server activity is to install and configure a Host-Based Intrusion Detection System (HIDS) on each server. An IDS can be host-based (HIDS) or network-based (NIDS) and is used to monitor systems and network connections. Typically, a HIDS is configured to alert when suspicious activity is detected. However, an IDS is designed to be passive, which means that it will not actively stop intrusions.
A cloud engineer must ensure that an organization's PHI destruction process and methods meet compliance regulations. What is the BEST solution to meet this requirement?
The best solution for ensuring that an organization's Personal Health Information (PHI) destruction process and methods meet compliance regulations is to define a data retention policy. A data retention policy is designed to outline how long and by what means data is stored, and when and how data is destroyed when it reaches the end of its usefulness. For example, corporate financial data may be stored off-premises, on magnetic tape, for seven years. Once the data expires, the policy may dictate that the tapes be shredded.
A cloud admin implements an aggressive patch management program. The admin is concerned about misconfigurations that may put servers at risk. What is the BEST tool for addressing this concern?
The best tool for addressing concerns about misconfigurations is a vulnerability scanner. The cloud admin is already patching aggressively, which should address system and application vulnerabilities. However, this will not remediate misconfigurations. The best way to locate misconfigured systems or apps is to use a vulnerability scanner.
A cloud admin deploys web service containers using a public repository. Almost immediately following deployment, the containers are breached by attackers. What should the admin do FIRST before deploying more containers?
The cloud admin should deactivate default service accounts. Many applications and devices come with default accounts that have been configured with well-known published passwords. This can also be true for VM and container appliances stored in repositories. In this scenario, the admin downloaded the preconfigured container but failed to deactivate default service accounts.
A cloud admin is having trouble managing permissions that have been assigned to individual users. The admin needs to implement an access control model that allows users to be grouped and permissions assigned based on job type. Which solution BEST addresses this requirement?
The cloud admin should deploy Role-Based Access Control (RBAC). RBAC is designed to enhance security by streamlining the assignment of permissions and system privileges to users. Roles are typically defined based on job descriptions and are then assigned to users with that job. For example, the Accountant role could be created and then granted privileges to files and applications that accountants in an organization need to access. The Accountant role can then be assigned to users in the Accounting department.
An organization has deployed cloud-based VMs for its mobile workers. Because mobile workers access data from a variety of potentially insecure sources, a cloud admin must be able to quickly investigate threats detected on these VMs. What is the BEST option for meeting this requirement?
The cloud admin should require all systems to run Endpoint Detection and Response (EDR) software. This is the best option for allowing a cloud admin to quickly investigate threats detected on mobile worker VMs. EDR tools are designed to perform elements of intrusion detection, but also provide investigation and remediation capabilities. Once a threat is detected, containment prevents the threat from causing further damage. The final stage in the EDR process is elimination.
After a successful phishing campaign, an attacker can log on to a cloud server. What should a cloud administrator do to mitigate this risk in the future?
The cloud administrator should configure the authentication server to require multi-factor authentication (MFA). MFA can help reduce the impact from successful phishing attacks. MFA requires at least two different authentication factors for successful authentication. Authentication factors can be something you know, something you have, or something you are. MFA mitigates phishing and other social engineering attacks that successfully compromise a user's password because the attacker will be unable to provide a second factor.
A cloud administrator is concerned that an attacker could use a packet analyzer to extract API keys. What is the BEST option for mitigating this risk?
The cloud administrator should deploy Transport Layer Security (TLS) on the Application Programming Interface (API) endpoint. Many APIs use keys as a type of password when authenticating requests. In this scenario, the administrator is concerned that an attacker will capture network traffic and extract passwords using a packet analyzer. Cloud APIs are web services and can be protected using the same techniques that would be used to secure a website, such as using TLS. If the API endpoint requires TLS, the data in the packets will be encrypted, and therefore unreadable to an attacker.
A well-known vulnerability was used to compromise a server VM and steal locally stored passwords. What should a cloud engineer do FIRST to mitigate this risk in the future?
The cloud engineer should implement a patch management process. Attackers commonly use well-known vulnerabilities to compromise systems. In many cases, system vendors create security patches to mitigate these risks, and one of the best methods for mitigating system vulnerabilities is to eliminate the vulnerability. This can often be done by keeping a system patched and up to date.
To enhance security, a cloud admin needs to ensure that URLs are scanned for common web server attacks. Which solution BEST meets this requirement?
The admin should configure a web application firewall (WAF) to handle all inbound requests to the app. A WAF supports complex rules that can evaluate parameters in a Uniform Resource Locator (URL) and other information included in Hypertext Transfer Protocol (HTTP) requests. In addition to other uses, such as load balancing, a WAF can protect web applications from common exploits.
As part of a hardening exercise, a cloud engineer performs a port scan against an application server. What should the engineer do next?
The engineer should disable unnecessary services. A port scanner is a tool that scans network nodes and attempts to identify which ports are responding. For example, if a web service is running on a server, a port scanner will likely detect that ports 80 and 443 are open. Nmap is the most popular and widely used port scanner available today. Other tools, such as vulnerability scanners, also use port scanning techniques. If unrecognized or unnecessary ports are discovered, their associated applications or services can be disabled. This enhances endpoint security.
A cloud engineer is tasked with ensuring that traffic sent from employee laptops to a newly deployed cloud-based web server is secure from eavesdropping attacks. What should the engineer do FIRST?
The engineer should first generate a Public Key Infrastructure (PKI) certificate for the server. PKI can be used to generate the certificates required to use Secure Sockets Layer (SSL) and Transport Layer Security (TLS). In this scenario, once a certificate is generated, it can be installed and SSL/TLS can be required for all connections. This will encrypt all traffic between employee laptops and the web server, protecting the traffic from eavesdropping (or sniffing) attacks.
After organizing an incident response team, the team's leader wants to guide the team through a mock incident. What should the team leader do?
The incident response team leader should schedule a tabletop exercise for all team members. A tabletop exercise allows an incident response team to convene and review each member's role. Additionally, the team can work through a scenario and talk about how they would respond and the actions that would be taken at each step. During this exercise, no changes are made to production systems.
An organization has moved most of its applications and services to cloud-based platforms. The organization wants to ensure that the security for these diverse environments can be managed centrally. Which solution BEST meets this requirement?
The organization should configure a Cloud Access Security Broker (CASB) to enforce organizational security policies. This is the best solution for centrally managing and securing diverse cloud systems. CASBs are designed to provide data, app, and identity security for cloud-based services and platforms. Among other features, a CASB can identify compromised accounts and mitigate the risk of data exfiltration.
An organization uses a SaaS email platform. Management suspects that an employee is complicit in a financial crime. What should the organization do to ensure that data stored in the employee's mailbox cannot be permanently deleted by the employee?
The organization should configure a legal hold on the employee's mailbox. A legal or litigation hold is a process whereby an organization preserves electronically stored information. Legal holds are typically implemented when suspicious or criminal activity has been detected. On email servers, a legal hold stores a copy of all mailbox data deleted by a user.
During the final phase of the incident response process, an organization plans to take legal action against the attacker. What is the MOST important consideration during this process?
The organization should consider its data retention policy and process. Data retention is the process of storing data for a specified amount of time in such a way that it will always be available during that period. Well-defined data retention policies and processes are particularly important if an organization plans to take legal action against an attacker. This ensures that the organization adheres to proper chain of custody procedures.
An organization deploys servers using an IaaS platform. Management is concerned that the risk of a stolen server is higher now that physical security is managed by a third party. What should the organization use to address this risk?
The organization should use storage encryption. This can be done in most operating systems by enabling whole disk encryption. Whole disk encryption secures data at rest and mitigates the risks presented by a lost or stolen hard drive. Technologies like BitLocker can be used to provide this protection.
A cloud engineer has been tasked with creating hardened OS security baselines. These will be used when new servers are deployed in a public cloud. What activity will the engineer MOST likely perform as part of this process?
Uninstalling unused applications and services is the best option for closing non-standard ports and reducing a system's attack surface. Among other sources, vulnerabilities are introduced by each application and service installed on a computer. Uninstalling these applications and services is known as systems hardening.
Which activity is MOST likely to occur as a part of containment, eradication, and recovery during incident response?
Validating the attacker's IP address is likely to occur as a part of containment, eradication, and recovery during incident response. This may or may not be important during incident response because IP addresses are easily spoofed. However, the IP address can be used as a part of event correlation to determine if other network nodes may have been compromised.