1. Home
  2. Flashcards
  3. Preview

DAT605 Web & Cloud Computing

  1. What is the textbook definition of cloud computing?
    Cloud computing is the concept of providing services over the Internet whereby shared resources (infrastructure and platform), software and information are provided to users on demand.
  2. What are the 5 characteristics of cloud computing?
    There are 5 characteristics;

    • 1) Broad network access
    • 2) Rapid elasticity (scalability)
    • 3) Measured services (pay as you go)
    • 4) On-Demand self-service
    • 5) Resource pooling
  3. What does the NIST acronym stand for?
    National Institute of Standard and Technology
  4. What is NIST SP 800-145 (September 2011)?
    "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.  This cloud model is composed of five essential characteristics, three services models, and four deployment models."
  5. How many characteristics of cloud computing are included in the NIST SP 800-145 standard?
    5 characteristics are outlined;

    • 1) Broad network access
    • 2) Rapid elasticity (scalability)
    • 3) Measured services (pay as you go)
    • 4) On-Demand self-service
    • 5) Resource pooling
  6. How many service models of cloud computing are included in the NIST SP 800-145 standard?
    3 service models are outlined;

    • 1) (Exploiting) Software as a Service (SaaS)
    • 2) (Delivering) Platform as a Service (Paas)
    • 3) (Deploying) Infrastructure as a Service (IaaS)
  7. How many cloud service delivery models for cloud computing are included in the NIST SP 800-145 standard?
    4 Cloud Service Delivery Models

    PPHC

    • 1) Public Cloud
    • 2) Private Cloud
    • 3) Hybrid Cloud
    • 4) Community Cloud
  8. Describe characteristic 1 of the NIST SP 800-145 standard, 'Broad Network Access';
    "Capabilities are available over the network and accessed through standard mechanism that promote use by heterogenous thin or thick client platforms (e.g., mobile phones, tablets, laptops and workstations)."   This is important for anytime/any device access.
  9. Describe characteristic 2 of the NIST SP 800-145 standard, 'Rapid Elasticity';
    "Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.  To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity of time."  Scale up, scale out, easy up, easy down, easy in and easy out.
  10. In regards to characteristic 2 of the NIST SP 800-145 standard, 'Rapid Elasticity', what is the summary catchphrase used by the professor in class to define this characteristic?
    Scale up, scale out, easy up, easy down, easy in and easy out.
  11. Why is rapid elasticity an important characteristic to be included in the NIST SP 800-145 standard?
    Rapid elasticity is important to compensate for;

    • 1) Peaks due to periodic increased demand
    • 2) IT complexity and poor capacity planning
    • 3) Installed capacity is wasted when not being used, but lack of sufficient capacity at key moments could discourage or kill business
    • 4) Without rapid elasticity innovation can be discouraged until a time when installed capacity can be upgraded
    • 5) Sudden and unexpected demand can discourage end-users or sales if it is not possible to gain access to a site due to sudden and unexpected demand
  12. How does rapid elasticity help with business growth in the NIST SP 800-145 standard?
    • 1) Successful services need to grow/scale
    • 2) Keeping up with growth is a large IT challenge with local dedicated server farms
    • 3) Deployment of local resources requires complex lead time
    • 4) Capital is necessary for software development and/or expanding data centers
    • 5) Scaling lags can stunt growth at key critical moments
  13. What key aspects describe Measured Service as defined in the NIST SP 800-145 standard definition of Cloud Computing?
    • 1) Cloud systems automatically control and optimize resource use
    • 2) Resource use is leveraged allowing a metering capability at some level of abstraction
    • 3) Resource use can be monitored, controlled and reported providing transparency for both the provider and the consumer of the utilized service
  14. What key aspects describe On-Demand Self-Service as defined in the NIST SP 800-145 standard definition of Cloud Computing?
    A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
  15. What key aspects describe Resource Pooling as defined in the NIST SP 800-145 standard definition of Cloud Computing?
    • 1) The providers computing resources are pooled to serve multiple consumers using a multi-tenant model
    • 2) Different physical and virtual resources are dynamically assigned and reassigned according to consumer demand
    • 3) There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction
    • 4) Examples of resources include; storage, processing, memory and network bandwidth
  16. Describe Multi-Tenancy;
    • *  A single instance of a software is designed to virtually partition its resources to run on a server, serving multiple clients as opposed to multi-instance architectures where separate software instances (or hardware systems) operate on behalf of different clients.
    • *  Each client works with a customized virtual application.
    • *  The ability to isolate customer-specific traffic, data and configuration of resources using the same software and interfaces.
  17. What are the benefits of cloud computing?
    • 1) Lower upfront costs
    • 2) Agility
    • 3) Scalability and Elasticity
    • 4) Reliability
    • 5) Performance that is automatically adjusted for need
    • 6) Ease of maintenance
    • 7) Security and compliance
  18. What are the 7 layers underneath cloud computing?
    • 1) Application Layer
    • 2) Infrastructure Layer
    • 3) Operating System Layer
    • 4) Virtualization Layer
    • 5) Physical Servers
    • 6) Networking and Storage
    • 7) Mechanical and Electrical
  19. Which is the lower tier in the SPI Stack?
    • IaaS = Upper Tier
    • PaaS = Middle Tier
    • SaaS = Lower Tier

    SPI = SaaS, PaaS, IaaS
  20. Which is the upper tier in the SPI Stack?
    • IaaS = Upper Tier
    • PaaS = Middle Tier
    • SaaS = Lower Tier

    SPI = SaaS, PaaS, IaaS
  21. Which level in the SPI Stack is also known as the IT Level?
    IaaS = Infrastructure as a Service

    Customers pay for the usage of processing, storage, network bandwidth and other IT resources.
  22. Which level in the SPI Stack is also known as the User Level?
    SaaS = Software as a Service

    Customer uses a service providers application over a network.  Companies host applications in the cloud that many users access through Internet connections.  The service being sold is offered as a complete end-user application.
  23. Which level in the SPI Stack is also known as the Developer Level?
    PaaS = Platform as a Service

    Developers can design, build, and test applications that run on the cloud providers infrastructure and then deliver those applications to end-users from the providers servers.
  24. Dropbox is an example of what kind of service model?
    SaaS = Software as a Product

    Dropbox runs on Amazon S3 which is a IaaS.
  25. Amazon EC2 is an example of what kind of service model?
    IaaS = Infrastructure as a Service
  26. Amazon S3 is an example of what kind of service model?
    IaaS = Infrastructure as a Service
  27. Windows Azure is an example of what kind of service model?
    PaaS = Platform as a Service
  28. Google App Engine is an example of what kind of service model?
    PaaS = Platform as a Service
  29. Google Compute Engine is an example of what kind of service model?
    IaaS = Infrastructure as a Service
  30. Rackspace is an example of what kind of service model?
    IaaS = Infrastructure as a Service
  31. Heroku is an example of what kind of service model?
    PaaS = Platform as a Service
  32. MS Outlook is an example of what kind of service model?
    SaaS = Software as a Product
  33. Google Docs is an example of what kind of service model?
    SaaS = Software as a Product
  34. MS 365 is an example of what kind of cloud service model?
    SaaS = Software as a Product
  35. Name some examples of lower level (SaaS) cloud vendors;
    • MS Outlook
    • Google Docs
    • MS 365
    • Salesforce
    • Dropbox
    • Quickbooks Online
    • Expensify
    • Netdocuments
    • Zoho
  36. Name some examples of infrastructure software from the cloud layer;
    • MS SQL Server
    • Java
    • Microsoft.net
  37. Name some examples of hypervisor software for the cloud virtualization layer;
    • Xen
    • MS Hyper-V
    • KVM
  38. Is virtualization required for cloud computing?
    No.  Virtualization is not synonymous with cloud computing and not required when building a cloud environment but it is used in a majority of cloud implementation.  Virtualization can increase the ability to deliver the characteristics required in a cloud environment.  Virtualization enables resource pooling and shared storage.
  39. What are the two types of hypervisors?
    • Type-1: Bare Metal
    • Type-2: Hosted
  40. Describe the bare-metal hypervisor;
    Type-1:  Sits directly on top of the bare-bone hardware.  It acts as it's own operating system and has complete control over the hardware.  It doesn't have to fight the OS and it allows more efficient use of physical resources.
  41. Describe the hosted hypervisor;
    Type-2: Sits on top of another operating system which controls access to hardware resources and acts as a control system between the host OS and the guest OS.  Is installed, for example, on your regular desktop (an advantage) and avoids duplicate code since there is no need to code a process scheduler or memory management system since the OS already does that.  It can run native processes alongside virtual machines (VMs).
  42. Amazon Web Services is an example of which cloud deployment model?

    A) Public
    B) Private
    C) Community
    A) Public
  43. T/F   Amazon Web Services could be used as a part of a hybrid cloud?
    True
  44. A cloud provider that provides the capability for the consumer to use the provider’s applications running on a cloud infrastructure is an example of which service model?

    A. SAAS 
    B. PAAS 
    C. IAAS
    A. SAAS 
  45. A cloud provider that provides the capability to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications, is an example of which service model?

    A. SAAS 
    B. PAAS 
    C. IAAS
    C. IAAS
  46. T/F  Parallel computing and distributed computing have clearly defined differences and it is easy to differentiate between the two.
    False.  The terms "Parallel Computing" and "Distributed Computing" have a lot of overlap and no clear distinction exists between them.  Parallel computing may be seen as a particularly tightly-coupled form of distributed computing and distributed computing may be seen as a loosely-coupled form of parallel computing.
  47. What type of cloud delivery model is Amazon Web Service (AWS)?
    Public Cloud
  48. What type of cloud delivery model is operated solely for an organization and may be managed by the organization or a 3rd party and may exist on or off premise?
    Private Cloud
  49. What type of cloud delivery model has an infrastructure that is shared by several organizations and supports a specific community that has shared concerns?
    Community Cloud
  50. What type of cloud delivery model can be a composition of two or more delivery models that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)?
    Hybrid Cloud

    Any combination of two or more delivery models; Private, Community or Public clouds.
  51. The professor's catch phrase for Broad Network Access is;

    Clue: AAA
    Any time, Any where, Any device
  52. The professor's catch phrase for Rapid Elasticity is;

    Clue: S E E
    • Scale up, scale out
    • Easy up, easy down
    • Easy in, easy out
  53. Resource pooling uses the _______-_______ model.
    Multi-Tenant
  54. What characteristic of cloud computing encompasses 'pay as you go' and transparency for usage patterns?
    Measured Services
  55. T/F   Some cloud vendors may not be able to offer guaranteed services under SLAs.
    True
  56. T/F    As technology migrates from the traditional on-premise model to the new cloud model, service offerings evolve almost daily.
    True
  57. T/F    Rather than purchasing data center space, servers, software, network equipment, etc., IaaS customers essentially rent the resources as a fully outsourced service.
    True
  58. Provider-owned implementations typically include the following layered components:

    1) Para-virtualization on the network layer, non-utility computing billing.  

    2) Computer Hardware, network, internet connectivity, virtualization environment.  

    3) Computer Hardware, electricity generation, service level agreements.  

    4) Software installations, software distribution channels, no network connectivity.
    2) Computer Hardware, network, internet connectivity, virtualization environment.  
  59. T/F    Virtualization is required for cloud computing.
    False
  60. T/F    Your organization could be a good candidate for cloud computing if your organization has an in-house data center.
    True
  61. T/F    IaaS is the on ramp for corporate IT to cloud computing.
    True

    IaaS is also known as the "IT Layer".
  62. T/F    Virtualization decreases system density.
    False.  With multi-tenancy and virtual instances, system density is increased.
  63. T/F   Virtualization increases system utilization.
    True
  64. T/F    Type-1 hypervisor makes less efficient use of system resources than type-2 hypervisor.
    False    Type 1 Hypervisor, also known as "bare metal" sits on top of the hardware and therefore makes direct and better use of system resources than Type 2 since Type 2 sits on top of the operating system.
  65. T/F     Type-2 hypervisor has direct control and access to the underlying hardware resources.
    False  Type-2: (Hosted) Sits on top of another operating system which controls access to hardware resources and acts as a control system between the host OS and the guest OS. Since it has to go through the OS to access hardware resources, it has indirect access and control.
  66. T/F    AWS and Windows Azure can be used as a part of a hybrid cloud.
    True.   AWS and Windows Azure are examples of Public Clouds.  A hybrid cloud is any combination of the 3 other deployment models; Public, Private or Community clouds.
  67. A cloud provider that provides the capability for application developers to use the provider’s applications running on a cloudinfrastructure is an example of which service model?

    A) SaaS  
    B) PaaS  
    C) IaaS
    A) SaaS    The Software as a Service model includes the application layer meaning that the subscriber does not need to provide their own applications.  Outlook.com was given as an example of this.  Outlook is a proprietary application that is already installed in the cloud service.  Googles Docs and Dropbox are other examples.  You do not upload applications to use them although you could use them to distribute applications to other subscribers.
  68. Describe multi-tenancy.
    • • A single instance of a software is designed virtually partition its resources to run on a server, serving multiple clients as opposed to multi-instance architectures where separate software instances (or hardware systems) operate on behalf of different clients. 
    • • Each client works with a customized virtual application. 
    • • “The ability to isolate customer-specific traffic, data, and configuration of resources using the same software and interfaces. “
  69. List TEN benefits/advantages of cloud computing with brief descriptions;
    • • Lower upfront cost; Staff, Training, Hardware, Space, license 
    • • Agility 
    • • Scalability and elasticity 
    • • Reliability 
    • • Performance (automatically adjusted to provide more capacity if falls below a certain level) 
    • • Ease of maintenance 
    • • Security and compliance 
    • • All you need is an Internet connection
    • • Quicker implementations and deployment
    • • Easily expand
    • • Easy customization
    • • Painless Upgrades
  70. List FIVE potential issues/disadvantages of cloud computing.
    • •Ambiguity/lack of understanding 
    • •Concerns over maturity (does not meet needs, does not offer the right level of services and support, etc.) 
    • •Not robust enough 
    • •SLAs (many cloud providers cannot provide truly substantive SLAs, SLAs are not suitable, etc.) 
    • •Integration between on premise and cloud-based systems (application and data integration) 
    • •Security 
    • –Multi-tenancy 
    • •Ownership of data 
    • –Data reside on cloud-based system 
    • –what happens if the service provider goes out of business? 
    • •The ability to perform audit (do you have direct access to the systems and applications?) 
    • •Privacy, legal, and compliance 
    • –Cloud provider has direct access to your data 
    • –Located in U.S. but cloud providers in Europe. Which regulations/laws apply? 
    • •Lack of customization 
    • •Compatibility issues 
    • •Corporate policies need to be changed
  71. What are essential characteristics of cloud computing as defined by NIST?  Briefly describe what each characteristic means.
    • 1. Broad Network Access - Any time, Anywhere, Any Device. Access is available 24 hours a day, globally and from laptops, tablets, mobile devices or workstations.
    • 2. Rapid Elasticity - Scalable instantly; scale up, scale out, easy up, easy down, easy in, easy out. As a companies needs expand or contract the cloud service adapts instantly to meet those needs.
    • 3. Measured Service - Pay as you go. Instead of paying for a 24-hour service that is under utilized, companies pay for only what they use as in the example of electrical suppliers and transparency is included to understand usage billing.
    • 4. On-Demand Self-Service - Services can be increased or decreased as customer demands change. Services can be expanded or contracted as needed by the subscriber.
    • 5. Resource Pooling - Allows for multi-tenant service so that system resources can be immediately allocated and moved from tenant to tenant as demands change for each tenant. Processing power, network activity and storage capability can be instantly increased across multiple hardware resources for each tenant depending on their needs at any given moment.
  72. What do we mean by 'computer security'?
    Computer security refers to the methods used to ensure a system is secure, including both hardware and software.  Includes authentication, access control and network security.
  73. What is the difference between computer security and information security?
    Information security focuses on the data stored on computer hardware and in software rather then the hardware and software itself.
  74. What is information assurance?
    The availability of the systems and information when needed.
  75. What is spoofing?
    Spoofing makes data look like it is coming from a different source than where you think.  Destination and source IPs are included in packets however source information can be altered.  Also known as 'IP Spoofing' and 'Email spoofing'.
  76. Describe man-in-the-middle attacks;
    Attacker intercepts communication and views or modifies it before sending it on to it's destination.
  77. What is a replay attack?
    A replay attack is when an attacker captures a transaction and retransmits it.  According to Microsoft, "A replay attack occurs when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Unless mitigated, the computers subject to the attack process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item."
  78. Describe session hijacking;
    Session hijacking attacks are attacks on encryption.  Weak or poor keys are intercepted and the attacker seizes and takes control of a session by using an exhaustive search of key space.  Key length becomes important as longer keys take longer to hack.
  79. What are 4 kinds of 'Password guessing' security attacks?
    • 1) Poor password choices, easy to guess
    • 2) Dictionary attack where scripts try combinations of words and numbers in order to find the right password
    • 3) Brute-Force attack:  a simple brute-force attack may have a dictionary of all words or commonly used passwords and cycle through those words until it gains access to the account. A more complex brute-force attack involves trying every key combination in an effort to find the correct password that will unlock the encryption. Due to the number of possible combinations of letters, numbers, and symbols, a brute force attack can take a long time to complete. The higher the type of encryption used (64-bit, 128-bit or 256-bit encryption), the longer it can take.
    • 4) Birthday attacks:  Among a group of 23 people, the probability that 2 people having the same birthday is about 50%; the same for a password.  With a list of known passwords they test other accounts for access.
  80. Which of the following best describes a replay attack?




    D) The computers subject to the attack process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item.
  81. Which of the following best describes session hijacking?




    C) Weak or poor keys are intercepted and the attacker seizes and takes control by using an exhaustive search of key space.  Key length becomes important as longer keys take longer to hack.
  82. Which type of common security attack is this? 
    Software and hardware device used to observe traffic as it passes through.



    A) Sniffing
  83. Which type of common security attack is this? A deliberately installed piece of software that remains dormant until triggered when certain conditions are met.




    B) Logic bombs
  84. Which type of common security attack is this?
    Buffer overflow –a program is provided with more input data than designed to handle. If not checked, the extra characters will fill memory and overwriting portions of program.




    D) Software exploitation;

    • •Taking advantages of bugs, design flaws, special features (e.g., debugging features)
    • •Example: buffer overflow –a program is provided with more input data than designed to handle. If not checked, the extra characters will fill memory and overwriting portions of program
    • –System crashing
    • –Commands supplied by attackers will be executed
  85. Describe a SQL injection security attack?
    A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application, such as the entering of a password or login. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
  86. What kind of common security attack takes advantage of bugs, design flaws and debugging features?




    D) Software exploitation

    • •Taking advantages of bugs, design flaws, special features (e.g., debugging features)
    • •Example: buffer overflow –a program is provided with more input data than designed to handle. If not checked, the extra characters will fill memory and overwriting portions of program
    • –System crashing
    • –Commands supplied by attackers will be executed
  87. What type of common security attack is this?  Using lies and misrepresentation to trick someone to give away sensitive information.




    A) Social engineering

    • •Lies and misrepresentation to trick someone to give away sensitive information
    • –Pretending to be someone else
  88. What type of common security attack is this?  Code is communicated from one device to another and executed.  An example are Java Applets.




    C) Mobile code
  89. Every piece of information needs to have an _________.
    Owner.    An owner is required for accountability, to ensure appropriate protection is maintained and is not personally responsible for implementing these security measures, only insuring that protection is maintained.
  90. Who is responsible for security?
    • •Everyone who uses information technology is responsible for maintaining the security and confidentiality of information resources and must comply with security policies and procedures
    • –Chief information security officer (CISO), information resources manager, information resources security officer, owners of information resources, custodians of information resources, technical managers (network
  91. Describe the CIA of security;
    • •Confidentiality
    • –ensure only those individuals who have authority to view a piece of information may do so
    • –Prevent unauthorized disclosure of sensitive information
    • •Integrity:
    • –only authorized individuals can create or change information
    • –keep data pure and trustworthy by protecting system data from intentional and accidental changes
    • –the message received is the message sent and the message is not intentionally or unintentionally altered
    • •Availability: system and data are available when needed by authorized individuals.
  92. Name the 5 A's of the security framework;
    • Accountability/Auditing
    • Assurance
    • Availability
    • Authentication
    • Authorization
  93. Which of the 5 A's promises processes, policies and controls used to develop confidence that security measures are working as intended?





    D) Assurance
  94. Which of the 5 A's grants users and systems predetermined levels of access to computer/information resources?





    E) Authorization
  95. Which of the 5 A's insures that systems and data are there when needed by authorized individuals?






    A) Availability
  96. Which of the 5 A's insures that you are who you claim to be?





    B) Authentication
  97. Name the 5 pillars of security;

    (Hint:  CIAAN)
    • 1) Confidentiality
    • 2) Integrity
    • 3) Availability
    • 4) Authorization and Authentication
    • 5) Non-repudiation
  98. Describe non-repudiation;
    –Non-repudiation of origin: provides the data sender with proof of delivery and it ensures the sender’s identity to the recipient. Neither party can later deny that the data was legitimately sent and received.  Commonly done with keys and also known as e-signing.
  99. What is the first security principle?





    • D)    #1 There Is No Such Thing as Absolute Security
    • •Given enough time, tools, skills, and inclination, a hacker can break through any security measure
  100. #3 Security Principle = Defense in Depth as strategy.  Which of these describes this principle?




    D) The weaknesses of one security layer are offset by the strengths of two or more layers

    –Security implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
  101. How many security principles are there in total?
    12
  102. In the Information Security Framework, what are the A's and how many of them are there?
    The 5 A's;

    • •Accountability/Auditing: the ability to trace actions to their sources
    • •Assurance: processes, policies, and controls used to develop confidence that security measures are working as intended
    • •Availability: system and data are available when needed by authorized individuals
    • •Authentication: you are who you claim to be
    • •Authorization: granting users and systems a predetermined level of access to computer/information resources
  103. Which of the 12 Security Principles is this?

    • Protect the confidentiality of data
    – ensure only those individuals who have authority to view a piece of information may do so.
    #2 -Three Security Goals (The "CIA" of Security)

    Confidentiality, Integrity and Availability

    • • Protect the confidentiality of data
    • – ensure only those individuals who have authority to view a piece of information may do so.
  104. Describe the 'A' in the CIA of security;
    • •Promote the availability of data for authorized use
    • –system and data are available when needed by authorized individuals (network and system reliability and stability)
  105. Describe the 'I' in the CIA of security;
    • •Preserve the integrity of data
    • –keep data pure and trustworthy by protecting system data from intentional and accidental changes
    • –the message received is the message sent and the message is not intentionally or unintentionally altered
  106. Describe the 'C' in the CIA of security;
    • • Protect the confidentiality of data
    • – ensure only those individuals who have authority to view a piece of information may do so.
  107. Security Principle #5: Computer Security Depends on Two Types of Requirements;
    Functional and Assurance Requirements
  108. What are the differences between functional and assurance requirements?
    Functional requirements –Describe what a system should do

    Assurance requirements –Describe how functional requirements should be implemented and tested
  109. Which Security Principle does this describe?

    Many people believe that if hackers don’t know how software is secured, security is better
    • Security Principle #6 Security Through Obscurity Is Not an Answer.
    • – Although this seems logical, it’s actually untrue
    • • Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all
  110. Which Security Principle does this describe?

    Protection = Prevention was the model
    • Security Principles #8 –The Operation Model of Security
    • •Security measures used to focus only on prevention: if we prevented someone from gaining access to computer systems and networks, then we assume that we have obtained security
    • •Protection = Prevention was the model
    • •However, no matter how well we seem to do in prevention technology, someone always finds a way to break in
    • •Therefore, Protection = Prevention + (Detection + Response)
  111. Security Principle #10 is about FUD.  What does FUD stand for and what is this principle?
    • Security Principles #10 Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security
    • •Information security managers must justify all investments in security using techniques of the trade
    • •When spending resources can be justified with good, solid business rationale, security requests are rarely denied
  112. According to Security Principle #9 what approach to security works best; Simple or Complex?
    • •Guidelines –Keep It Simple –Security and complexity are often at odds with each other
    • –many variables involved, various types of attacks and vulnerabilities, many types of resources to secure, etc
    • –If it’s too simple, may not be effective
    • –On the other hand, if it’s too complicated, then;
    • »it is harder to understand and therefore to implement correctly
    • »prone to errors
    • »troubleshooting is more difficult when something went wrong
    • –Therefore, security measurements and tools should be as simple yet elegant as possible.
    • –Simple to troubleshoot, simple to use, and simple to administer
  113. According to Security Principle #11, what 3 elements are essential elements of security practices?
    • #11 People, Process and Technology Are All Needed
    • • People, process, and technology controls are essential elements of security practices including operations security, applications
    • development security, physical
    • security, and cryptography
    • • Principle #3 – defense in depth
  114. According to ISO IEC 27002 Recommended InformationSecurity Practices, how many domains/areas are covered?
    •Latest recommendations cover 14 domains/areas
  115. Which of the following is not an information asset?






    C) 3rd party software applications

    • What is an information asset?
    • –Is a definable piece of information
    • –Stored in any manner
    • –Valuable to the organization
    • –Examples
    • •Database
    • •Data files
    • •Intellectual properties
    • •Operational and support procedures
    • •Research documentation
    • •Archived information
    • •Business plans
    • •Basically, the terminformationincludes all forms of data, documents, communications,conversations, messages, recordings, and photographs. It includeseverything from digital data and email to faxes and telephoneconversations (ISO IEC 27002)
    • •Information systems provide a way and a place to process, store, transit, and communicate information
    • –People
    • –Physical environment
  116. Who is responsible for security?
    • • Everyone who uses information technology is responsible for maintaining the security and confidentiality of information resources and must comply with security policies and procedures 
    • –Chief information security officer (CISO), information resources manager, information resources security officer, owners of information resources, custodians of information resources, technical managers (network and system administrators, internal auditors, and users
  117. Which one of the five pillars of security framework provides the data sender with proof of delivery and ensures the sender's identity to the recipient?
    • Non-repudiation
    • –Non-repudiation of origin: provides the data sender with proof of delivery and it ensures the sender’s identity to the recipient. Neither party can later deny that the data was legitimately sent and received.
  118. Describe the 'C' in the CIA of Security;
    • Confidentiality
    • –ensure only those individuals who have authority to view a piece of information may do so
    • –Prevent unauthorized disclosure of sensitive information
  119. Security Principle #5 Computer Security Depends on Two Types of Requirements: Functional and Assurance Requirements

    Describe Functional Requirements;
    • Functional requirements
    • –Describe what a system should do
    • –Security test to verify that the functions designed to meet a security requirement operate as expected 
    • •Similar to software testing –functionality testing
  120. According to Security Principle #8 (The Operation Model of Security), Protection =;
    Protection = Prevention + (Detection + Response)
  121. Security Principle #11 includes Principle #3, (Defense in Depth) and involves what 3 essential elements?

    Clue: PPT
    People, Process and Technology
  122. What does the acronym ISO stand for?
    International Standards Organization or the International Organization of Standards.
  123. What does the acronym IEC stand for?
    International Electrotechnical Commission
  124. According to ISO IEC 27002 Recommended Information Security Practices, how are 'Policies' defined?
    • Policies are:
    • •High-level, broad statements of what to accomplish.
    • •Made by the management when laying out the position on some issues.
  125. According to ISO IEC 27002 Recommended Information Security Practices, 3 kinds of documents are considered companion documents or "policy implementation" to policies.  What are these 3 documents?
    Standards, guidelines and procedures
  126. There are 4 types of policies according to ISO IEC 27002 (Recommended Information Security Practices). What are these 4 types of policies?

    Clue:  PPIS
    • Program-Level Policy
    • Program-Framework Policy
    • Issue-Specific Policy
    • System-Specific Policy
  127. When will cloud computing provide the most value?




    C) A company has to process their payroll actives at the end of each pay period in batch mode.
  128. Which statement is true about the public cloud model?

    A) It meets security and auditing requirements for highly regulated industries.   

    B)Resources and infrastructure are managed and maintained by the enterprise IT operations staff  

    C) It shifts the bulk of the costs from capital expenditures to creating a virtualized and elastic infrastructure within the enterprise data center.  

    D) It shifts the bulk of the costs from capital expenditures and IT infrastructure investment to an utility operating expense model.
    D) It shifts the bulk of the costs from capital expenditures and IT infrastructure investment to an utility operating expense model.
  129. A company has decided to leverage the web conferencing services provided by a cloud provider and to pay for those services as they are used. The cloud provider manages the infrastructure and any application upgrades. This is an example of what type of cloud delivery model? 




    B) Saas
  130. T/F    ASP and Cloud Computing are the same.
    False

    Active Server Pages or Classic ASP, as it is more commonly known, is Microsoft's first server side scripting engine that enables you to make dynamic and interactive web pages.Classic ASP uses server-side scripting to dynamically produce web pages that are not affected by the type of browser the website visitor is using.
  131. What is true about grid computing?

    A) Cloud computing is an example of grid computing.  

    B) Grid computing can run in a cloud computing environment.   

    C) Cluster computing is an example of grid computing.   

    D) Grid computing is a type of infrastructure as a service.
    B) Grid computing can run in a cloud computing environment.
  132. Which statement is true about cloud computing and cluster computing?  

    A) A cluster computing environment can be deployed in a cloud computing environment.   

    B) A cloud computing environment can be deployed in a cluster computing environment   

    C) A cluster computing environment cannot be deployed without a cloud computing environment.  

    D) A cloud computing environment cannot be deployed without a cluster computing environment.
    A) A cluster computing environment can be deployed in a cloud computing environment.
  133. Multitenancy enables sharing of resources and costs among a large pool of users. Chief benefits to a multitenancy approach include: (Choose all that apply);








    F) All of the above
  134. What are two common concerns in a cloud environment? (Choose two.)  







    A) B, C
  135. What is an important benefit of Cloud computing? 




    C) reduced cost
  136. What is a benefit of Cloud computing for IT staff?  

    A) higher pay of IT staff involved in Cloud computing  
    B) lower stress levels: less worry about normal daily activities like making back-ups   C) less knowledge needed: Cloud computing does not require special skills  
    D) All of the above.
    B) lower stress levels: less worry about normal daily activities like making back-ups
  137. How does Cloud computing change the relationship between provider and customer?  




    B) increased focus on service level agreements (SLAs)
  138. Which resources are typically provided by an Infrastructure as a Service cloud computing delivery model?




    B)  virtual machines
  139. T/F   The term cloud has been used historically as a metaphor for the Internet. This usage was originally derived from its common depiction in network diagrams as an outline of a cloud, used to represent the transport of data across carrier backbones.
    A) True
  140. A company that originally planned its web based IT system to support 10,000 users suddenly notices that there is a four times increase in demand. Assuming that the company has deployed its system in a true cloud environment, what are the incremental maintenance costs to adding new resources to this environment?  




    A) Negligible
  141. What is one benefit of a cloud computing environment?  




    B) It maximizes server utilization.
  142. What are the components of a cloud computing environment?  




    C) client, application, platform, infrastructure, server

    CAPIS
  143. Which statement is true about a bare metal hypervisor?




    A) It runs directly on server hardware to provide virtual machines with timesharing resources.
  144. Which two options are cloud computing architectural layers? (Choose two.)  








    E) D,E

    Platform and Application are cloud computing architectural layers.
  145. Which statement is true about the maintenance of a cloud computing environment?  




    D) In a SaaS environment, customers do not need to worry about installing patches in the virtual instances.
  146. What is an important concern for the customer in multi-tenant environments?




    D) Security
  147. Platform virtualization is performed on a given hardware platform by ______ software (a control program), which creates a simulated computer environment, a virtual machine, for its _____ software. 




    A) host, guest
  148. An enterprise needs highly controlled storage and access to their databases as well as managing the infrastructure for web front ends and other applications. They have a large existing IT infrastructure and they are continually expanding the capabilities. Which cloud computing model will satisfy all their current needs and enable them to reduce cost?  




    B) Hybrid Cloud.
  149. What is true about the tasks running on grid computing?  




    C) The tasks are divided among the computers.
  150. A company is considering a cloud environment to improve the operating efficiency for their data and applications. The company is part of an industry where strict security and data privacy issues are of the highest importance. Which type of cloud would be a good choice?  




    A) private cloud
  151. What are two important benefits of using cloud computing? (Choose two.) 

    A) Optimizes IT investments. 
    B) Lower total cost of ownership and improved asset utilization. 
    C) Enhanced Web V2.0 interfaces for user interactions.  
    D) Provides better availability than a standard computing environment. 
    E) Provides better security.
    A and B

    • A) Optimizes IT investments. 
    • B) Lower total cost of ownership and improved asset utilization.
  152. What is used to logically assign and separate physical resources such as memory and CPU in a cloud computing model? 




    B) a hypervisor
  153. Which delivery model is an example of a cloud computing environment that provides users access to virtual machines?  



    A) IaaS
  154. What is true about utility computing and cloud computing?  



    D) Cloud computing can be delivered as utility computing.
  155. What is utility computing?




    C) It delivers computing resource as a metered service.
  156. Which statement best describes the Software as a Service cloud delivery model? 



    C) An application delivered to the client from the cloud which eliminates the need to install and run the application on the customer's own computers and simplifying maintenance and support.
  157. Which statement is true about cluster computing and cloud computing?  




    B) In cloud computing, resources are treated independently; in cluster computing, the resources are seen as a single system.
  158. Which service model allows the customer to choose more layers in the computing architecture?  




    C) IaaS
  159. How can a company leverage the Platform as a Service cloud computing delivery model? 




    C) A company obtains an environment with a software stack from a cloud provider, develops a custom application, and makes that application available to its customers on the Internet.
  160. T/F   Rather than purchasing servers, data center space for them, and network equipment, IaaS customers rent those resources.
    True
  161. Why is virtualization important to Cloud computing?




    C) Virtualization made it easier and cheaper to share resources between users.
  162. What is one benefit of cloud computing?  




    D) Computer resources can be quickly provisioned.
  163. How does traditional IT different from Cloud Computing?
    There is no real difference but, In a traditional computing environment, great expense is involved with building and maintaining a centralized server room, farm and network infrastructure. Cabling has to be involved to connect client computers to the server infrastructure and expensive IT staff is hired and trained to maintain this infrastructure. This is very expensive even for small to mid-sized companies. Modern companies find it difficult to keep up with the fast pace of technological evolution for financial reasons as well as the ability of existing IT staff in regards to training and knowledge. Servers must be continually upgraded and emerging technological advances such as the inception of 'bring your own device', (BYOB), require continual upgrades to the existing traditional IT Infrastructure. As a company grows, IT infrastructure is expensive to expand both from a hardware perspective and from a training perspective for IT staff. Modern companies are finding it difficult to keep up with the pace of these challenges and this can cause financial loss when a company fails to quickly evolve to emerging technologies. With cloud computing these costs are greatly reduced. Server rooms, farms and network infrastructure are moved to the cloud and can be acquired as a utility with metered service that enables cloud customers to pay only for what they use. It staff do not have to worry as much about learning ways to incorporate newer technologies into existing architecture as cloud vendors strive to stay competitive by offering the latest and greatest capabilities. As a companies computing demands continue to grow, cloud computing allows a company to increase their computing needs on the fly. Broad network access allows a company to be more mobile in it's computing environment making it easier to reach out to it's customers with more robust and capable web presence and company employees can access the companies cloud from any location on any device.
  164. Discuss the advantages and disadvantages of virtualization.
    Traditional file servers in a company's server room sit idle most of the time. Even during the busy work day companies with physical file servers, work stations and software find their infrastructure mostly unused. The expense of owning and maintaining this infrastructure and associated software licensing as well as staff training is very high. With emerging technologies companies cannot afford to change-up software and file servers or to incorporate the latest and greatest emerging technologies on the fly. Virtualization enables cloud computing and shared resources. The multi-tenant model is ecologically greener and allows infrastructure to be shared and used more fully than traditional on-site server farms/rooms. Fewer file servers serve a larger number of customers reducing the number of idle file servers in the world. The servers that are used by cloud providers are used more efficiently and serve a larger number of clients than private individual file servers. Less energy is lost maintaining idle file servers as well. The disadvantages are in terms of security and sharing resources. Companies are always concerned that their data is secure and not exposed to hackers. SLA agreements are very critical as well. Companies using cloud services worry about availability and network speed. What if there is a power outage at the cloud service end? Will the cloud service provider be capable of maintaining service levels at peak times? Will data be protected and backed up regularly to ensure no data loss? Will the cloud provider chosen keep up with new and emerging technologies to continue to provide a competitive service model?
  165. Name one thing cloud providers can't provide.
    100% Security. Even in a traditional onsite server/client environment security can never be achieved at 100%. The best a company can do is rely on layered security to try and achieve the highest level of security possible. The same is true of cloud service providers. They cannot guarantee 100% security and there are reports of hackers stealing highly-secured data from companies every day. Even government computers that are required to answer to the highest possible security standards are vulnerable. A layered approach to security is the best thing any computing environment can offer whether it is a cloud computing environment or a traditional physical server/client environment.
  166. What kind of an attack is this;  
    Software and hardware device used to observe traffic as it passes through




    C) Sniffing
  167. What kind of security attack can be sent from one device to another and executed (such as Java Applets)?
    Mobile Code
  168. What is an information asset?
  169. –Is a definable piece of information
    • –Stored in any manner
    • –Valuable to the organization
    • –Examples
    • •Database
    • •Data files
    • •Intellectual properties
    • •Operational and support procedures
    • •Research documentation
    • •Archived information
    • •Business plans
    • •Basically, the terminformationincludes all forms of data, documents, communications,conversations, messages, recordings, and photographs. It includeseverything from digital data and email to faxes and telephoneconversations (ISO IEC 27002)
    • •Information systems provide a way and a place to process, store, transit, and communicate information
    • –People
    • –Physical environment
  170. What is the CIA of security and what does it mean?
    • Confidentiality, Integrity and Availability
    • The ‘CIA” of Security –the Goals of Computer Security
    • •Confidentiality
    • –ensure only those individuals who have authority to view a piece of information may do so
    • –Prevent unauthorized disclosure of sensitive information
    • •Integrity: 
    • –only authorized individuals can create or change information
    • –keep data pure and trustworthy by protecting system data from intentional and accidental changes
    • –the message received is the message sent and the message is not intentionally or unintentionally altered
    • •Availability: system and data are available when needed by authorized individuals.
  171. What are the 5 A's of the Information Security Framework?
    • •Accountability/Auditing: the ability to trace actions to their sources
    • •Assurance: processes, policies, and controls used to develop confidence that security measures are working as intended
    • •Availability: system and data are available when needed by authorized individuals
    • •Authentication: you are who you claim to be
    • •Authorization: granting users and systems a predetermined level of access to computer/information resources
  172. What is the difference between Availability and Assurance?
    Assurance: processes, policies, and controls used to develop confidence that security measures are working as intended

    Availability: system and data are available when needed by authorized individuals
  173. What are the 5 pillars of security?

    Clue: CIAAN
    • Confidentiality
    • Integrity
    • Availability
    • Authorization and Authentication
    • Non-repudiation
    •    –Non-repudiation of origin: provides the data sender with proof of delivery and it ensures the sender’s identity to the recipient. Neither party can later deny that the data was legitimately sent and received.
  174. What is the difference between authorization and authentication?
    Authentication is about making sure a user is who they say they are.

    Authorization is about rights and privileges for users to access data and applications.
  175. What is the first of the 12 Security Principles?
    • #1 There Is No Such Thing as Absolute Security 
    • -- Given enough time, tools, skills, and inclination, a hacker can break through any security measure
  176. The SECOND of the 12 security principles has to do with the CIA of security.  What are they and what do they mean?
    Confidentiality, Integrity and Availability.

    • #2 Three Security Goals (The “CIA” of Security) 
    • Confidentiality: Protect the confidentiality of data – ensure only those individuals who have authority to view a piece of information may do so.
    • Integrity: Preserve the integrity of data –keep data pure and trustworthy by protecting system data from intentional and accidental changes–the message received is the message sent and the message is not intentionally or unintentionally altered
    • Availability: Promote the availabilityof data for authorized use–system and data are available when needed by authorized individuals (network and system reliability and stability)
  177. What is the THIRD of the 12 Security Principles?
    • #3 Defense in Depth as Strategy 
    • •Defense in depth
    • –Security implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
    • –The weaknesses of one security layer are offset by the strengths of two or more layers
  178. What is the 4th of the 12 Security principles?
    • #4 When Left on Their Own, People Tend to Make the Worst Security Decisions 
    • •Takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
    • –Experiment: 75% of people exchanged their office password for a free pen at London’s Waterloo station
    • •Many people are easily convinced to double-click on the attachment
  179. The 5th of the 12 Security Principles reads; #5 Computer Security Depends on Two Types of Requirements: Functional and Assurance Requirements.

    What are Functional and Assurance Requirements?
    • •Functional requirements
    •   –Describe what a system should does
    •   –Security test to verify that the functions  
    •    designed to meet a security requirement
    •    operate as expected 
    • •Similar to software testing –functionality testing
    • •Assurance requirements
    •    –Describe how functional requirements
    •    should be implemented and tested
    •    –Security test to validate that the
    •    implementation of the function is not flawed
    •    or haphazard
    • •In other words, does the system do the right things in the right ways?
    • •Alternatively, the system does not do what it is not supposed to do
    • •How can you prove?
    • –Subject the system to brutal security testing
    • Security Principles
  180. Describe the 8th of the 12 Security Principles; The Operational Model of Security.
    Protection = Prevention + (Detection + Response)

    • Security measures used to focus only on prevention: if we prevented someone from gaining access to computer systems and networks, then we assume that we have obtained security
    • Protection = Prevention was the model
    • However, no matter how well we seem to do in prevention technology, someone always finds a way to break in
  181. Describe Security Principle #10 of 12;

    Clue: FUD
    • #10 Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security
    • •Information security managers must justify all investments in security using techniques of the trade
    • •When spending resources can be justified with good, solid business rationale, security requests are rarely denied
  182. Describe Physical and Environmental Security;
    • –Focuses on designing and maintaining a secure physical environment to prevent unauthorized access, damage, and interference to business premises
    • –Involves controlling the physical security perimeter and physical entry
    • –Involves creating secure offices, rooms, and facilities
    • –Provides physical access control
    • –Provides protection devices to minimize risks ranging from fire to electromagnetic radiation
    • –Provides adequate protection to power supplies and data cables, etc.
  183. Name several of the 14 ISO IEC 27002 Recommended Information Security Practices;
    • 1.Security Policy Management 
    • 2.Corporate Security Management 
    • 3.Human Resources Security Management 
    • 4.Organizational Asset Management 
    • 5.Access Control 
    • 6.Cryptography Policy Management 
    • 7.Physical and Environmental Security 
    • 8.Operations Security Management 
    • 9.Communications (Network) Security Management 
    • 10.System Security Management 
    • 11.Supplier Relationship Management 
    • 12.Security Incident Management 
    • 13.Information Security Aspects of Business Continuity 
    • 14.Security Compliance Management
  184. The 1st of the 14 covered recommendations in the ISO IEC 27002 is Security Policy Management.  What does that entail?
    • Security Policy Management 
    • –Focuses on providing directions and support for the information security program 
    • –stresses the importance of management involvement in establishing policy, the direction of the information security program, and a commitment to protecting both physical and logical information resources. 
    • –Emphasizes the need for visible leadership and involvement of senior management
  185. Corporate Security Management is the 2nd Recommended Information Security Practice from the ISO IEC 27002.  Describe Corporate Security Management;
    • Corporate Security Management 
    • –Focuses on establishing and supporting a management framework to implement and manage information security within, across, and outside the organization 
    • –Provides the structure for information security program 
    • –Establishes a mobile device security risk management policy 
    • –Establishes a teleworking security management policy 
    • –Should be both inward and outward 
    • •Inward – controls and policies concentrate on employees’ relationships to information systems 
    • •Outward – controls and policies concentrate on third-party (vendors, customers, trading
  186. What are the characteristics of Supplier Relationship Management as outlined by the ISO IEC 27002 Recommended Information Security Practices?
    • Supplier Relationship Management 
    • – Establish security agreements with suppliers 
    • •Expect suppliers to comply with risk mitigation agreements 
    • •15.1.2 Expect suppliers to comply with information security agreements 
    • •15.1.3 Expect suppliers to deal with their own supply chain security risks 
    • –Manage supplier security and service delivery 
    • •Manage supplier services and supplier security 
    • •Manage changes to services provided by suppliers
  187. Describe the Information Security Aspects of Business Continuity as outlined as one of the 14 ISO IEC 27002 Recommended Information Security Practices;
    • Information Security Aspects of Business Continuity 
    • –Plans how information security will continue during a disaster 
    • –Protects critical business processes from effects of major failures and disasters 
    • –Minimizes interruptions to business 
    • –Defines response, recovery, and continuity plan
  188. Which of the 14 recommendations from the ISO IEC is described below;

    System development and maintenance 
    •Defines security requirements at the very beginning of software development lifecycle 
    •Involves security requirements and specification for 
    –Data input 
    –Data processing 
    –Data storage and retrieval 
    –Data output 
    •Specifies cryptographic control 
    –Encryption 
    –Digital signature 
    –Digital certificates 
    •Tracks changes with change control procedures and system
    System Security Management
  189. Which of the 14 recommendation from the ISO IEC 27002 includes the following;

    –Ensures that information systems conform to local, national, and international criminal and civil laws, regulatory or contractual obligations, intellectual property rights, and copyrights. 
    –Carry out security compliance reviews
    Security Compliance Management
  190. Describe IaaS Security;
    • •Secure the operating system 
    • •Validate your image 
    • •Plans for disaster recovery and business continuity 
    • •Understand the contract/SLA 
    • •Follow cloud provider security guidance 
    • •Secure your admin panel
  191. Describes PaaS Security;
    • •Understand the Contract/SLA 
    • •PAAS provider using IAAS 
    • •Follow SDLC 
    • •Encrypt Sensitive Data 
    • •Consider portability (Open standards) 
    • •Follow cloud provider security guidance
  192. Describe SaaS Security;
    • •Understand the Contract/SLA, include auditing 
    • •Understand the providers SDLC 
    • •Encrypt Sensitive Data 
    • •Consider portability (Open standards) 
    • •Integrate Identity and access management 
    • •Follow cloud provider security guidance
  193. Which of the following is true;



    C) The lower down the stack that the Cloud provider stops, the more security the consumer is tactically responsible for implementing and managing.
  194. V3.0 by Cloud Security Alliance cover 12 areas of Security Guidance for Critical Areas of Focus in Cloud Computing.  What are these 12 areas?
    • 1. Governance and Enterprise Risk Management
    • 2. Security as a Service
    • 3. Virtualization
    • 4. Identity and Access Management
    • 5. Encryption and Key Management
    • 6. Application Security
    • 7. Data Center Operations
    • 8. Legal Issues: Contracts and Electronic Discovery
    • 9. Compliance and Audit
    • 10. Information Management and Data Security
    • 11. Portability and Interoperability
    • 12.  Traditional Security, Business Continuity and Disaster Recovery
  195. Which of the 12 areas of Security Guidance for Critical Areas of Focus in Cloud Computing (V3.0 Cloud Security Alliance),  Deals with the following;

    “Maintaining and proving compliance when using cloud computing. Issues dealing with evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise) are discussed here. This domain includes some direction on proving compliance during an audit.”
    Compliance and Audit
  196. Which of the 12 areas of Security Guidance for Critical Areas of Focus in Cloud Computing (V3.0 Cloud Security Alliance),  Deals with the following;

    “The ability to move data/services from one provider to another, or bring it entirely back in-house. Together with issues surrounding interoperability between providers.”
    Portability and Interoperability
  197. Which of the 12 areas of Security Guidance for Critical Areas of Focus in Cloud Computing (V3.0 Cloud Security Alliance),  Deals with the following;

    “Proper and adequate incident detection, response, notification, and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the cloud brings to your current incident-handling program.”
    Data Center Operations
  198. In a cloud computing environment, which kind of security attack might cloud service subscribers be less susceptible too?
    • •Denial-of-service 
    • –Cloud base solutions have an advantage in handling denial-of-service attacks due to its ability to scale 
    • –So users may not be impacted 
    • –The increased scaling will alarm the administrators so they can initiate responses
  199. In a cloud computing environment, which kind of security attacks might cloud service subscribers be MORE susceptible too?
    • •Packet Sniffing 
    • –The Broad Network Access nature (anywhere, anytime, any device) of cloud computing increases potential risks; especially with wireless access 
    • –The best defense is to use secured (encrypted) connections 
    • •Man-in-the-Middle attack 
    • –Same situation 
    • •Session Hijacking 
    • –Same situation
  200. What is "Cloud Cartography"?
    • “that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target.” 
    • •“An attacker can place his VM on the same physical machine as a target VM (40% success for a few dollars).” 
    • •“On EC2, VMs can be co-resident only if they have identical creation parameters: Region (US/Europe), Availability zone (data center), and Instance type (machine pool)”
  201. What is "data wiping" and how is it a security concern in cloud computing?
    Data wiping – overwrites a file’s content when it is deleted. 

    • –Clients may share storage devices 
    • –When a file is deleted, the appropriate directory entry is marked as a deleted file 
    • –Area of the disk where the deleted file resides becomes unallocated disk space 
    • –However, data in the file remains on the device 
    • –Available to receive new data from newly created files or other files needing more space 
    • –Someone can claim the space but do not write anything on it 
    • –That person will then have access to your data
  202. What ways can you utilize to protect hypervisors against security attacks?
    • –If the attacker gets the hypervisor he gets everything 
    • –Best Practices 
    • •Restricted access to only authorized admins 
    • •Consider compensating controls for access (2 factor etc.) 
    • –Remote admin is risky 
    • •Use firewall 
    • •Consider dedicated management Network 
    • •FIPS (Federal Information Processing Standards) approved methods for encryption
  203. What is the security concern in regards to hypervisors and cloud security?
    • –Escaping VM 
    • •“Attacker breaks out of a guest OS to gain access to the hypervisor, other guest OSs, or the underlying host OS” - NIST 
    • •Side Channel Attacks 
    • –“Attacker exploits the physical properties of hardware to reveal information about usage patterns for memory access, CPU use and other resources. The attacker typically uses these attacks to reveal cryptographic keys. Typically requires physical access to the host.” - NIST
  204. How does Hypersafe work?
    • 1.Use Non-bypassable memory lockdown to “reliably protect the hypervisor’s code and static data from being compromised.” 
    • 2.Use restricted pointer indexing to “introduce one layer of indirection to convert the control data into pointer indexes. These pointer indexes are restricted such that the corresponding call/return targets strictly follow the hypervisor control flow graph.” 
    • –Prototypes have been developed on BitVisor and Xen.
  205. Describe how Hooksafe works;
    • •Protects against Kernel rootkits in guest OSs 
    • Kernel rootkits – “hijack control flows by modifying control data or hooks in the kernel space.“ 
    • –So need to protect kernel hooks from being hijacked. 
    • •Observation 
    • –“kernel hook, once initialized, may be frequently “read”-accessed, but rarely “write”-accessed.” 
    • –Therefore, “relocate those kernel hooks to a dedicated a page-aligned memory space and then regulate accesses to them with hardware-based page-level protection.” 
    • •A prototype has been developed and used to protect more than 5, 900 kernel hooks in a Linux guest. 
    • –Prevented 9 real world rootkits from different attacks (6% overhead)
  206. How does VMware VMsafe work?
    • •VMsafe is integrated inside the hypervisor 
    • •“Prevents threats and attacks such as viruses, trojans and keyloggers from ever reaching a virtual machine.” www.vmware.com 
    • •Provides APIs to enable segregation, isolation, and protection of VM resources 
    • –Examine VM memory and CPU usages 
    • –Monitor and control process executions 
    • –Network packet filtering 
    • –Virtual machine disk files
  207. Good cloud security practices protect the 4 major aspects of cloud computing.  What are these 4 aspects?

    Clue: AOHH
    • 1. Applications
    • 2. Operating Systems (Host and Guest)
    • 3. Hypervisor
    • 4. Host Computer Storage
  208. How can you protect the Guest OS and Apps in a cloud computing environment?
    • •Hardening 
    • •Patching 
    • •Turn Off File shares 
    • •Turn off unused services
  209. How can you protect the Hypervisor in a cloud computing environment?
    • •Restricted access to only authorized admins 
    • •Consider compensating controls for access (2 factor etc) 
    • •Use a firewall 
    • •Consider dedicated management Network 
    • •FIPS approved methods for encryption for remote access
Author
caldreaming
ID
276092
Card Set
DAT605 Web & Cloud Computing
Description
A survey of the technologies required for software development of current applications, such as internet and client/server with a focus on database applications and software systems that solve a particular real-world problem. Examine application design and external, conceptual and internal levels of databases. Design and develop front-end application using GUI/API, server-side and client-side programming, and multi-threading for modern relational databases in the client/server environment.
Updated

  1. Home
  2. Flashcards
  3. Preview