Chapter 6 - Quiz
What is the cloud service model in which the customer is responsible for administration of the OS? A. IaaS B. PaaS C. SaaS D. QaaS
A. In IaaS, the cloud provider only owns the hardware and supplies the utilities. The customer is responsible for the OS, programs, and data. In PaaS and SaaS, the provider also owns the OS. There is no QaaS. That is a red herring.
Why will cloud providers be unlikely to allow physical access to their data centers? A. They want to enhance security by keeping information about physical layout and controls confidential. B. They want to enhance exclusivity for their customers, so only an elite tier of higherpaying clientele will be allowed physical access. C. They want to minimize traffic in those areas to maximize efficiency of operational personnel. D. Most data centers are inhospitable to human life, so minimizing physical access also minimizes safety concerns.
A. Knowledge of the physical layout and site controls could be of great use to an attacker, so they are kept extremely confidential. The other options are all red herrings.
In all cloud models, the customer will be given access and ability to modify which of the following? A. Data B. Security controls C. User permissions D. OS
A. The customer always owns the data and will therefore always have access to it. The customer will never have administrative access to the provider's security controls, regardless of the model. The customer may or may not have administrative control over user permissions. The customer only has administrative power over the OS in an IaaS model.
Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives? A. Database management software B. Open-source software C. Secure software D. Proprietary software
B. Open-source software is available to the public, and often draws inspection from numerous, disparate reviewers. DBMS is not reviewed more or less than other software. All software in a production environment should be secure. That is not a valid discriminator for answering this question, so option C is not optimum. Proprietary software reviews are limited to the personnel in the employ/under contract of the software developer, which narrows the perspective and necessarily reduces the amount of potential reviewers.
Hardening the operating system refers to all of the following except _____________. A. Limiting administrator access B. Removing anti-malware agents C. Closing unused ports D. Removing unnecessary services and libraries
B. Removing anti-malware agents. Hardening the operating system means making it more secure. Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure. But removing antimalware agents would actually make the system less secure. If anything, anti-malware agents should be added, not removed, as part of the hardening process.
Which kind of SSAE audit reviews the organization's controls for assuring the confidentiality, integrity, and availability of data? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
B. SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.
Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it without additional protections? A. SOC 1 Type 1 B. SOC 2 Type 2 C. SOC 1 Type 2 D. SOC 3
B. The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider.
In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties? A. Statutes B. The contract C. Security control matrix D. HIPAA
B. The contract between the provider and customer enhances the customer's trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures). Statutes, however, largely leave customers liable. The security control matrix is a tool for ensuring compliance with regulations. HIPAA is a statute.
In all cloud models, the will retain ultimate liability and responsibility for any data loss or disclosure. A. Vendor B. Customer C. State D. Administrator
B. The customer currently always retains legal liability for data loss, even if the provider was negligent or malicious.
User access to the cloud environment can be administered in all of the following ways except: _________________________. A. Customer directly administers access B. Customer provides administration on behalf of the provider C. Provider provides administration on behalf the customer D. Third party provides administration on behalf of the customer
B. The customer does not administer on behalf of the provider. All the rest are possible options.
A honeypot should contain ______________________ data. A. Raw B. Production C. Useless D. Sensitive
C. A honeypot is meant to draw in attackers but not divulge anything of value. It should not use raw, production, or sensitive data.
The cloud customer's trust in the cloud provider can be enhanced by all of the following except ___________________. A. Audits B. Shared administration C. Real-time environmental controls D. SLAs
C. Real-time environmental controls will not provide meaningful information and will not enhance trust. All the others will and do.
Which kind of SSAE report provides only an attestation by a certified auditor? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
C. SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.
Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer's trust in the provider? A. Site visit access B. Financial reports to shareholders C. Audit and performance log data D. Backend administrative access
C. The provider may share audit and performance log data with the customer. The provider will most likely not share A and D since they reveal too much information about the provider's security program. B is already public information and does not enhance trust.
Vulnerability assessments cannot detect which of the following? A. Malware B. Defined vulnerabilities C. Zero-day exploits D. Programming flaws
C. Vulnerability assessments can only detect known vulnerabilities, using definitions. Some malware is known, as are programming flaws. Zero-day exploits, on the other hand, are necessarily unknown until discovered and exercised by an attacker and will therefore not be detected by vulnerability assessments.
A firewall can use all of the following techniques for controlling traffic except _____________________. A. Rule sets B. Behavior analysis C. Content filtering D. Randomization
D. Firewalls do use rules, behavior analytics, and/or content filtering in order to determine which traffic is allowable. Firewalls ought not use random criteria, because any such limitations would be just as likely to damage protection efforts as enhance them.
In all cloud models, security controls are driven by which of the following? A. Virtualization engine B. Hypervisor C. SLAs D. Business requirements
D. Security is always contingent on business drivers and beholden to operational needs. The virtualization engine does not dictate security controls, and the hypervisor may vary (depending on its type and implementation). The SLAs do not drive security controls; they drive performance goals.
Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider? A. SOC 1 Type 1 B. SOC 2 Type 2 C. SOC 1 Type 2 D. SOC 3
D. The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting, and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider.
The auditor should not _____________ . A. Review documents B. Physically visit the business location C. Perform system scans D. Deliver consulting services
D. The auditor should be impartial to the success of the target organization; consulting creates a conflict of interest.
To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except ________________________ . A. Access to audit logs and performance data B. SIM, SIEM, and SEM logs C. DLP solution results D. Security control administration
D. While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer.