Cloud Computing

Question 1

What is PaaS?

Answer 1

PaaS stands for Platform-as-a-Service. This type of cloud computing service allows for the development of applications and services. Subscribers need not buy and manage the software and infrastructure underneath it but have authority over deployed applications and perhaps application hosting environment configurations. This offers development tools, configuration management, and deployment platforms on-demand, which can be used by subscribers to develop custom applications (e.g., Google App Engine, Salesforce, Microsoft Azure). Advantages of writing applications in the PaaS environment include dynamic scalability, automated backups, and other platform services, without the need to explicitly code for them.

Question 2

What is IaaS?

Answer 2

IaaS stands for Infrastructure-as-a-Service. This cloud computing service enables subscribers to use on-demand fundamental IT resources, such as computing power, virtualization, data storage, and network. This service provides virtual machines and other abstracted hardware and operating systems (OSs), which may be controlled through a service application programming interface (API). As cloud service providers are responsible for managing the underlying cloud computing infrastructure, subscribers can avoid costs of human capital, hardware, and others (e.g., Amazon EC2, GoGrid, Microsoft OneDrive, Rackspace).

Question 3

Which of the following cloud broker services improves a given function by a specific capability and provides value-added services to cloud consumers?

• Service intermediation
• Distributed storage
• Service arbitrage
• Service aggregation

Answer 3

Service Intermediation

Question 4

Which of the following is the layer in the cloud storage architecture that performs several functions such as data de-duplication and data replication?

• Front-end layer
• Back-end layer
• Application layer
• Middleware layer

Answer 4

Middleware Layer

Question 5

In cloud-storage, what is the front-end layer?

Answer 5

The front-end layer is accessed by the end user where it provides APIs for the management of data storage.

Question 6

In cloud-storage, what is the back-end layer?

Answer 6

The back-end layer is where the storage hardware resides.

Question 7

In cloud-storage, what is the middleware layer?

Answer 7

The middleware layer performs several functions such as data de-duplication and replication of data to the backend.

Question 8

Which of the following actors in the NIST cloud deployment reference architecture acts as an intermediary for providing connectivity and transport services between cloud consumers and providers?

• Cloud carrier
• Cloud consumer
• Cloud provider
• Cloud auditor

Answer 8

Cloud carrier

Question 9

What is a private cloud?

Answer 9

A private cloud, also known as internal or corporate cloud, is a cloud infrastructure that a single organization operates solely. The organization can implement the private cloud within a corporate firewall. Organizations deploy private cloud infrastructures to retain full control over corporate data. Note that this means that someone operating their own Office 365 domain is using a private cloud.

Question 10

What is a community cloud?

Answer 10

A Community Cloud is a multi-tenant infrastructure shared among organizations from a specific community with common computing concerns such as security, regulatory compliance, performance requirements, and jurisdiction.

Question 11

Which of the following three service models are the standard cloud service models?

• SaaS, IaaS, and hybrid
• Private, public, and community
• XaaS, private, and public
• SaaS, PaaS, and IaaS

Answer 11

SaaS, PaaS and IaaS

Question 12

Which of the following is not a characteristic of virtualization in cloud computing technology?

• Isolation
• Storage
• Encapsulation
• Partitioning

Answer 12

Storage is not a characteristic of virtualization in cloud computing as it is its own virtualization (virtualizing storage hardware). Isolation, Encapsulation and Partitionining are the three characteristics of virtualization.

Question 13

What is XaaS?

Answer 13

XaaS is shorthand for anything as a service, used to reference the general computing turn towards turning everything into a service.

Question 14

What are the four tiers of container technology architecture?

Answer 14

• Tier 1: Developer Machines - Image Creation, Testing and Accreditation
• Tier 2: Testing and Accreditation Systems - Verification and Validation of Image Contents, Signing Images and Sending to Registries
• Tier 3: Registries - Storing Images and Disseminating Images to Orchestrators for Distribution
• Tier 4: Orchestrators - Transforming Images into Containers and deploying containers to hosts
• Tier 5: Host - Actual Execution of Container (don’t ask why it’s 5)

Question 15

In containers, what are the IPAM drivers?

Answer 15

IP address management (IPAM) drivers assign default subnet and IP addresses to the endpoints and networks if they are not assigned.

Question 16

In containers, what is the sandbox?

Answer 16

Sandbox comprises the container network stack configuration for the management of container interfaces, routing tables, and domain name system (DNS) settings. Aka high level shit.

Question 17

In containers, what is the endpoint?

Answer 17

To maintain application portability, an endpoint is connected to a network and is abstracted away from the application, so that services can implement different network drivers. In easier terms, the endpoint does the network operations so the container can use a different driver.

Question 18

Which of the following is a docker remote driver that is a network plugin used to build a virtual network for connecting docker containers spread across multiple clouds?

• Weave
• Kuryr
• MACVLAN
• Contiv

Answer 18

Weave

Question 19

Which of the following is the docker native network driver that implements its own networking stack and is isolated completely from the host networking stack?

• Overlay
• Host
• MACVLAN
• None

Answer 19

None

Question 20

Which of the following node components of the Kubernetes cluster architecture is an important service agent that runs on each node and ensures that containers run in a pod?

• Container runtime
• Kubelet
• Kube-proxy
• Etcd cluster

Answer 20

Kubelet

Question 21

In one of the following OWASP cloud security risks, unsecured data in transit are susceptible to eavesdropping and interception attacks. Which is this risk?

• Incident analysis and forensic support
• Service and data integration
• Business continuity and resiliency
• Multi tenancy and physical security

Answer 21

Service and Data integration

Question 22

Through which of the following Kubernetes vulnerabilities can an attacker exploit the kube-apiserver with the disabled debug mode to directly interact with it and perform various malicious activities?

• No back-off process for scheduling
• Exposed bearer tokens in logs
• Log rotation is not atomic
• No non-repudiation

Answer 22

No non-repudiation. If debug mode is disabled, kube-apiserver does not record user actions. Kube-apiserver performs all user transactions, such as creation, modification, and deletion, through its handlers without using a central auditing service. Attackers can directly interact with kube-apiserver and perform various malicious activities.

Question 23

In cloud computing, what is a wrapping attack?

Answer 23

A wrapping attack is performed during the translation of the SOAP message in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

Question 24

What are cloud hopper attacks?

Answer 24

Cloud Hopper attacks are triggered at the managed service providers (MSPs) and their users. Attackers initiate spear-phishing emails with custom-made malware to compromise the accounts of staff or cloud service firms to obtain confidential information.

Question 25

What are man-in-the-cloud attacks?

Answer 25

**MITC attacks are an advanced version of MITM attacks**. In MITM attacks, an attacker uses an exploit that intercepts and manipulates the communication between two parties, while **MITC attacks are carried out by abusing cloud file synchronization services, such as Google Drive or DropBox, for data compromise, command and control (C&C), data exfiltration, and remote access**.

Question 26

Which of the following is not a legitimate cloud computing attack? * Port scanning * Denial-of-service (DoS) * Privilege escalation * Man-in-the-middle (MiTM)

Answer 26

Port scanning, as port scanning is information gathering and not an attack.

Question 27

An attacker creates anonymous access to the cloud services to carry out various attacks such as password and key cracking, hosting malicious data, and DDoS attack. Which of the following threats is he posing to the cloud platform? * Insecure interface and APIs * Data breach/loss * Abuse and nefarious use of cloud services * Insufficient due diligence

Answer 27

**Abuse and nefarious use of cloud services**.

Question 28

Which of the following information can be enumerated when an attacker runs the command ps ef | grep apiserver * Decoding keys * Location of the etcd server and PKI information * Secrets stored in the Kubernetes cluster * Retrieve a key and convert it into the YAML format

Answer 28

**Location of the etcd server and PKI information**

Question 29

In which of the following techniques does an attacker use lambda functions such as rabbit\_lambda, cli\_lambda, and backdoor\_created\_users\_lambda to install a backdoor to AWS infrastructure? * Creating new EC2 instances * Manipulating access keys * Manipulating user data * Inserting a backdoor

Answer 29

Manipulating access keys

Question 30

Which of the following is a security vulnerability that arises mostly from business associates and current or former employees who already have trusted access to an environment and do not need to compromise AWS credentials separately for performing malicious activities? * Insider threat * Password reuse * Reading local file * Social engineering

Answer 30

Insider Threat

Question 31

In AWS, what is rabbit\_lambda?

Answer 31

rabbit\_lambda is an example Lambda function that responds to user-delete events by creating more copies of the deleted user

Question 32

In AWS, what is cli\_lambda?

Answer 32

cli\_lambda is a lambda function that acts as an AWS cli proxy and does not require credentials

Question 33

What do the following nimbostratus commands do? * nimbostratus dump-permissions --access-key=... --secret-key=... * nimbostratus dump-ec2-metadata * nimbostratus create-iam-user --access-key=... --secret-key=... * nimbostratus dump-credentials

Answer 33

* nimbostratus dump-permissions --access-key=... --secret-key=... - **Dumps all the permissions for the provided credentials** * nimbostratus dump-ec2-metadata - **Retrieves important information metadata of EC2 instances** * nimbostratus create-iam-user --access-key=... --secret-key=... - **Create a new IAM user using existing credentials** * nimbostratus dump-credentials - **Extracts the credentials available with this host and prints them out to the console**

Question 34

Given below are the different steps to exploit misconfigured AWS S3 buckets. * Setup the AWS command-line interface * Identify S3 buckets * Configure aws-cli * Exploit S3 buckets * Extract access keys * Identify vulnerable S3 buckets What is the correct order to exploit misconfigured AWS S3 buckets?

Answer 34

1. Identify S3 buckets 2. Setup the AWS command-line interface 3. Extract Access Keys 4. Configure aws-cli 5. Identify vulnerable buckets 6. Exploit S3 buckets

Question 35

What do the following flags for DumpsterDiver do? * -r, --remove * -s, --secret * -a, --advance * -o OUTFILE

Answer 35

* -r, --remove: Remove any files which don't contain any secret. * -s, --secret: all files will be additionally searched for hardcoded passwords. * -a, --advance: all files will be additionally analyzed using rules in the rules.yaml file. * -o OUTFILE: where to store json output file.

Question 36

What is DumpsterDiver?

Answer 36

**DumpsterDiver is a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords**. Additionally, it allows creating a simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses).

Question 37

Which of the following cloud security control layers includes security controls such as governance-risk-compliance, IAM, VA/VM, patch management, configuration management, and monitoring? * Network layer * Management layer * Application layer * Information layer

Answer 37

The management layer.

Question 38

In cloud security, what is the network layer?

Answer 38

**The network layer deals with various measures and policies adopted by a network administrator to monitor and prevent illegal access, misuse, modification, or denial of network-accessible resources. Additional network layer security controls include network intrusion prevention/detection services, firewalls, deep packet inspection, anti-DDoS, quality of service (QoS), DNSSEC, and OAuth**.

Question 39

In cloud security, what is the trusted computing layer?

Answer 39

**Trust computing defines a secured computational environment that implements internal control, auditability, and maintenance to ensure the availability and integrity of cloud operations. Hardware and software RoT & API are a few security controls for trusted computing**

Question 40

In cloud security, what is the physical layer?

Answer 40

**The physical layer includes security measures for cloud infrastructure, data centers, and physical resources. Security entities that come under this perimeter are physical plant security, fences, walls, barriers, guards, gates, electronic surveillance, CCTV, physical authentication mechanisms, security patrols, etc**.

Question 41

In cloud security, what is the computation and storage layer?

Answer 41

**CSPs must establish policies and procedures for data storage and retention and implement appropriate backup mechanisms to ensure availability and continuity of services that meet with statutory, regulatory, contractual, or business requirements and compliance. Host-based firewalls, host-based intrusion detection/prevention systems, integrity and file/log management, encryption, and masking are some security controls in computation and storage.**

Question 42

Which of the following tools helps security professionals secure a Kubernetes environment? * CloudGoat AWS * Pacu * DumpsterDiver * Alcide Advisor

Answer 42

Alcide Advisor

Question 43

The components such as DLP (data loss prevention), CMF (context management framework), database activity monitoring, and encryption are included in which of the following cloud security control layers? * Information layer * Management layer * Computer and storage * Applications layer

Answer 43

Information layer

Question 44

In cloud security, what is the management layer?

Answer 44

**The management layer covers the cloud security administrative tasks, which can facilitate continued, uninterrupted, and effective services of the cloud. Cloud consumers should look for the above-mentioned policies to avail better services. Some of the management layer security controls include GRC, IAM, VA/VM, patch management, configuration management, monitoring, etc**