Virtualization and Cloud Security Flashcards

1
Q

You are a server virtualization consultant. During a planning meeting with a client, the issue of virtual machine point-in-time snapshots comes up. You recommend careful use of snapshots because of the security ramifications. Which security problem is the most likely to occur when using snapshots?

Snapshots can consume a large amount of disk space.

Invoked snapshots will mean that the virtual machine is temporarily unavailable.

Invoked snapshots will have fewer patch updates than the currently running virtual machine.

A

Invoked snapshots will have fewer patch updates than the currently running virtual machine.

Reverting a running virtual machine to an older snapshot could mean going back to a point in time before critical patches or antivirus signature updates were applied, leaving the virtual machine vulnerable. Treat a reverted VM as unpatched: re-run patch management and update security tooling before exposing it to the network again.
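The following added example (not part of the original flashcard set) shows one way to quantify the patch gap the answer describes: it compares an installed-package inventory captured inside a snapshot with the inventory of the running VM and lists every package that would regress on revert. The inventory format, package names and versions are constructed sample data in `dpkg-query -W -f='${Package} ${Version}\n'` style; the version ordering is a simplified Debian-style comparison, not the real `dpkg` algorithm.

```python
"""Report packages that would regress if a VM were reverted to a snapshot.

Inventories are in `dpkg-query -W -f='${Package} ${Version}\n'` style.
Both inventories below are constructed sample data, not real hosts."""
import re

SNAPSHOT_INVENTORY = """\
openssl 3.0.2-0ubuntu1.10
libssl3 3.0.2-0ubuntu1.10
openssh-server 1:8.9p1-3ubuntu0.4
sudo 1.9.9-1ubuntu2.3
clamav 0.103.8+dfsg-0ubuntu0.22.04.1
"""

CURRENT_INVENTORY = """\
openssl 3.0.2-0ubuntu1.15
libssl3 3.0.2-0ubuntu1.15
openssh-server 1:8.9p1-3ubuntu0.6
sudo 1.9.9-1ubuntu2.4
clamav 1.0.3+dfsg-1ubuntu0.1
curl 7.81.0-1ubuntu1.16
"""


def parse_inventory(text):
    """Map package name -> version string from one inventory dump."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version = line.split(None, 1)
        inventory[name] = version
    return inventory


def version_key(version):
    """Simplified Debian-style ordering key: epoch first, then alternating
    non-digit/digit runs with digit runs compared numerically.  Good enough
    to spot regressions; production checks should use python-apt or
    `dpkg --compare-versions` (assumption: this is an approximation)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    key = [int(epoch)]
    for part in re.findall(r"\d+|[^\d]+", rest):
        key.append((1, int(part)) if part.isdigit() else (0, part))
    return key


def revert_regressions(snapshot_text, current_text):
    """Return {package: (snapshot_version, current_version)} for each package
    whose snapshot version is older than the running one, or which exists on
    the running VM but not in the snapshot at all (snapshot_version=None)."""
    snapshot = parse_inventory(snapshot_text)
    current = parse_inventory(current_text)
    regressions = {}
    for name, current_version in current.items():
        snapshot_version = snapshot.get(name)
        if snapshot_version is None or version_key(snapshot_version) < version_key(current_version):
            regressions[name] = (snapshot_version, current_version)
    return regressions


if __name__ == "__main__":
    for name, (old, new) in sorted(revert_regressions(SNAPSHOT_INVENTORY, CURRENT_INVENTORY).items()):
        print(f"{name}: snapshot={old} current={new}")
```

Run the same inventory command inside the snapshot (mount it or boot it on an isolated network) and on the live VM, then feed both outputs in; every package listed is one a reverted VM would be missing until patching re-runs.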

2
Q

A private medical practice hires you to determine the feasibility of cloud computing, whereby storage of e-mail and medical applications, as well as patient information, would be hosted by a public cloud provider. You are asked to identify potential problems related to sensitive data regulatory compliance. (Choose two.)

Data is stored on the cloud provider’s infrastructure, which is shared by other cloud tenants.

HTTPS will be used to access remote services.

Should the provider be served a subpoena, the possibility of full data disclosure exists.

Data will be encrypted in transit as well as when stored.

A

Data is stored on the cloud provider’s infrastructure, which is shared by other cloud tenants.

Should the provider be served a subpoena, the possibility of full data disclosure exists.

Sharing the same cloud computing infrastructure with other customers could be forbidden by sensitive data regulations, even though one cloud tenant's data is not normally accessible to other tenants. Depending on the provider's geographic location, different laws determine whether data hosted by the provider can be compelled to be disclosed, for example under a subpoena; many organizations handling regulated data are not willing to accept that risk. HTTPS and encryption in transit and at rest are controls that reduce risk, not compliance problems.

3
Q

Which of the following are true regarding virtualization? (Choose two.)

Each virtual machine has one or more unique MAC addresses.

Virtual machine operating systems do not need to be patched.

Virtual machines running on the same physical host can belong to different VLANs.

A security compromise of one virtual machine means all virtual machines on the physical host are compromised.

A

Each virtual machine has one or more unique MAC addresses.

Virtual machines running on the same physical host can belong to different VLANs.

Each virtual machine does have one or more unique MAC addresses that are configurable by the virtual machine administrator. Virtual machines running on the same host can connect to different VLANs (physical or internal); this is a virtual network configuration setting

4
Q

Cloud computing offers which benefits? (Choose two.)

Scalability

Fewer hardware purchases

Better encryption

Local data storage

No requirement for on-premises antivirus software

A

Scalability

Fewer hardware purchases

Scalability with cloud computing is possible because a third party (the cloud provider) pools and provides hardware, software, software licensing, and so on. Provisioning additional resources such as more storage on-demand is a characteristic of cloud computing. Because a third party is hosting some (or all) of your IT services, you will require fewer hardware resources on-premises

5
Q

You are responsible for three IaaS payroll servers that store data in the cloud. The chief financial officer (CFO) requests observation of access to a group of budget files by a particular user. What should you do?

Create file hashes for each budget file.

Configure a HIDS to monitor the budget files.

Configure file system auditing for cloud storage.

A

Configure file system auditing for cloud storage.

You should configure file system auditing for budget file access by the employee in question. This enables you to track who accessed budget files at any given time

6
Q

As the database administrator for your company, you are evaluating various public cloud offerings to test customer database app code changes. Which category of cloud service should you research?

Software as a Service

Platform as a Service

Infrastructure as a Service

A

Platform as a Service

Platform as a Service (PaaS) is primarily of interest to software developers and provides IT services over a network such as databases and programming APIs

7
Q

Your company hosts an on-premises Microsoft Active Directory server to authenticate network users. Mailboxes and productivity applications for users are hosted in a public cloud. You have configured identity federation to enable locally authenticated users to connect to their mailboxes and productivity applications seamlessly. What type of cloud deployment model is in use?

Public

Private

Hybrid

A

Hybrid

Hybrid cloud solutions combine on-premises IT services with IT services hosted in the cloud

8
Q

What type of hypervisor would be required if you wanted to use an existing server with an existing operating system?

Type 1

Type 2

Type 3

A

Type 2

Type 2 hypervisors run on top of an existing operating system

9
Q

Your manager wants to run every application securely in its own virtualized environment while minimizing application startup time. What should be used for each application?

Virtual machine

VM escape protection

Application container

A

Application container

Application containers enable the deployment of each app in its own virtualized environment while minimizing app startup time, because the container uses the underlying host operating system that is already running

10
Q

Which cloud computing characteristic relates to how a service can grow in response to workloads?

Scalability

Pulverizing

Templates

A

Scalability

Scalability is a cloud computing characteristic that enables resources to respond to workload changes, such as adding virtual machines (scaling out) when an application becomes busier. Scaling in (removing virtual machines) is also an option when demand declines, and it reduces cloud computing costs

11
Q

You have replicated on-premises application servers and data to the cloud in the event of an on-premises network disruption. The servers are kept in sync through replication. Which term best describes the role of the cloud in this configuration?

Warm site

Hot site

Cold site

A

Hot site

With disaster recovery, hot alternative sites are mirrored with copies of IT systems and data from a primary site. Configurations and data are kept in sync via replication. Hot sites can be alternate facilities many miles away from the primary site. Public clouds are now commonly used as hot sites, which removes the cost of maintaining a separate facility

12
Q

You have configured a cloud-based VDI solution in which client devices run a cloud-based Windows desktop. Which term best describes the connecting user device that may be generally used?

Thick client

Smartphone

Thin client

A

Thin client

A thin client is an end-user device with limited processing power and storage that connects to a powerful remote server to run operating systems and apps over a network

13
Q

You are configuring cloud-based virtual networks without having to connect directly to the cloud provider hardware routers to configure VLANs. What enables this capability?

Software-defined networking

Transit gateway

Software-defined visibility

A

Software-defined networking

Software-defined networking (SDN) adds a configuration layer above the network infrastructure hardware that provides a simplified and consistent management experience, such as through a web GUI, an API, or command-line tools. SDN removes the need for cloud customers to have detailed technical knowledge of the underlying network hardware configuration.

14
Q

Private cloud technicians have configured policies that will shut down and remove virtual machines with no activity for 30 days or more. What are technicians attempting to prevent?

VM escaping

VM resource policy exploitation

VM sprawl

A

VM sprawl

Because of the ease and speed with which virtual machines can be deployed in the cloud, VM sprawl may occur over time. In VM sprawl, numerous virtual machines that are unused or forgotten continue to exist, and may remain running, incurring cloud computing charges and, because nobody is patching or monitoring them, widening the attack surface.

15
Q

You must ensure that cloud storage is available in the event of a regional disruption. What should you configure?

Cloud storage permissions

Cloud storage replication within a data center

Cloud storage replication across zones

A

Cloud storage replication across zones

Replication of cloud-stored data to alternative physical locations, or geographical zones, provides data redundancy in the event of a disruption in one region

16
Q

You must control network traffic flow to specific Amazon Web Services (AWS) virtual machines. What should you configure?

Network ACL

Elastic IP address

Security group

A

Security group

An AWS security group contains a list of rules that allow traffic into or out of specific virtual machines (called EC2 instances in AWS). Security groups are stateful and allow-list only: there are no deny rules, inbound traffic is denied unless a rule permits it, and return traffic for an allowed connection is permitted automatically. Network ACLs, by contrast, are stateless and apply to an entire subnet rather than to individual instances.
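As an added example (not part of the original flashcards), the code below evaluates a security group's inbound rules against a candidate connection and audits the group for administrative ports exposed to the whole Internet, which is the misconfiguration most often found in reviews. The group is a constructed sample in the JSON shape returned by `aws ec2 describe-security-groups`; the group IDs, CIDRs and port list are assumptions. Rules that reference another security group (`UserIdGroupPairs`) match by the source instance's group membership rather than by IP, so the evaluator deliberately skips them.

```python
"""Evaluate and audit an AWS security group's inbound rules.

SAMPLE_GROUP is a constructed example in `describe-security-groups` shape:
a world-open SSH rule, RDP limited to a corporate range, HTTPS from
anywhere on IPv4 and IPv6, and an all-traffic rule from another group."""
import ipaddress

SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",   # assumed ID
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "-1",   # -1 means all protocols and ports; no FromPort/ToPort present
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}

# Ports a reviewer would not expect to see open to the world (assumed list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               1433: "mssql", 6379: "redis"}


def rule_matches(rule, protocol, port, source_ip):
    """True if one IpPermissions entry allows protocol/port from source_ip
    by CIDR.  Source-group references are ignored (membership, not IP)."""
    if rule["IpProtocol"] not in ("-1", protocol):
        return False
    if rule["IpProtocol"] != "-1" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
        return False
    ip = ipaddress.ip_address(source_ip)
    if ip.version == 4:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    else:
        cidrs = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)


def inbound_allowed(group, protocol, port, source_ip):
    """Security groups are allow-list only: permitted if any rule matches,
    denied otherwise.  There is no explicit deny to evaluate."""
    return any(rule_matches(rule, protocol, port, source_ip) for rule in group["IpPermissions"])


def world_open_admin_ports(group):
    """Return [(port, service, cidr)] for admin ports reachable from
    0.0.0.0/0 or ::/0, the usual finding to hunt for in a review."""
    findings = []
    for rule in group["IpPermissions"]:
        cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
        open_cidrs = [c for c in cidrs if c in ("0.0.0.0/0", "::/0")]
        if not open_cidrs:
            continue
        if rule["IpProtocol"] == "-1":
            exposed = ADMIN_PORTS
        else:
            low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            exposed = {p: s for p, s in ADMIN_PORTS.items() if low <= p <= high}
        for port, service in exposed.items():
            for cidr in open_cidrs:
                findings.append((port, service, cidr))
    return findings


if __name__ == "__main__":
    print("ssh from 198.51.100.7 allowed:", inbound_allowed(SAMPLE_GROUP, "tcp", 22, "198.51.100.7"))
    print("findings:", world_open_admin_ports(SAMPLE_GROUP))
```

To run this against a real account, replace `SAMPLE_GROUP` with each element of the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`; the field names used here are the ones that command emits.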

17
Q

You have deployed a database in an AWS virtual private cloud. You need to limit database access to other AWS resources while ensuring that network traffic does not leave the Amazon network. What should you configure?

VPC endpoint

Transit gateway

Elastic IP address

A

VPC endpoint

A virtual private cloud (VPC) is a virtual network defined in the cloud, such as AWS, Google Cloud, or IBM Cloud. A VPC endpoint enables a private connection to resources in a VPC using only internal private IP addresses

18
Q

Which type of provider specializes in providing IT security service offerings?

CASB

MSP

MSSP

A

MSSP

A managed security service provider (MSSP) offers IT security services, such as network DDoS attack mitigation, over a network. MSSP services can be cloud native or offered through third-party providers

19
Q

A cloud firewall solution examines packet headers to allow or deny traffic based on IP addresses and port numbers. To which layer of the OSI model does the type of firewall apply?

2

3

4

A

4

Layer 4, the transport layer of the seven-layer conceptual OSI model, focuses on transporting data either reliably (TCP) or unreliably but more quickly (UDP). Network service port numbers are also called layer 4 addresses; IP addresses are layer 3 (the network layer) addresses. A packet-filtering firewall can examine packet headers containing addressing information, but not the packet payload containing the data being transmitted

20
Q

You have configured a content-filtering firewall for traffic leaving a cloud virtual network. To which layer of the OSI model does this type of firewall apply?

3

4

7

A

7

Layer 7 (the application layer) of the OSI model relates to high-level protocols, meaning all packet headers and packet payloads can be examined, as opposed to a layer 4 packet filtering firewall, which can base decisions only on the fields present in packet headers. As a result, layer 7 firewall solutions tend to be more expensive than layer 4 firewall solutions

21
Q

Which strategy involves using network edge devices to process and move data into and out of the cloud?

Quantum computing

Fog computing

Hybrid cloud

A

Fog computing

Fog computing, closely related to edge computing, places data processing capabilities on network edge devices that sit between the data sources and a public cloud environment, for example on a corporate on-premises network. The benefit is that decentralizing processing and placing it nearest to where the data is produced reduces the volume sent to the cloud and the round-trip latency, and thus the overall processing time

22
Q

Which strategy increases the security of cloud-based containerized applications?

Use a private cloud to host containerized applications.

Run the containers only on physical servers.

Create containers only from private repositories.

A

Create containers only from private repositories.

A containerized application decouples an application or application component (microservice) from other components and from operating system dependencies. A container is a running instance of a container image and consists of application files and configuration settings but not an OS kernel; the underlying host OS that is already running is used instead. Hosting images in a private repository gives you control over which images may be used to launch containers, which enhances security. A private registry alone does not guarantee image integrity, so in practice it is combined with scanning images before they are admitted and pinning deployments to image digests or signed images rather than to mutable tags
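The following added example (written for this page, not taken from any project) shows the kind of admission check that enforces the strategy in the answer: every image reference a workload wants to run must come from an approved private registry and be pinned by digest. The reference grammar is the Docker/OCI convention `[registry[:port]/]repository[:tag][@sha256:<hex>]`; the approved registry list and the sample references are constructed assumptions.

```python
"""Admission-style policy check for container image references.

Allows only images from approved private registries, pinned by digest.
APPROVED_REGISTRIES and SAMPLE_REFS are constructed for this example."""
import re

APPROVED_REGISTRIES = {
    "registry.internal.example:5000",                    # assumed private registry
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",     # assumed ECR registry
}

# Docker treats the first path component as a registry only if it contains
# a dot or a port, or is "localhost"; otherwise the image lives on docker.io.
_REF = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|[^/]+:\d+|localhost)/)?"
    r"(?P<repo>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)


def parse_image_ref(ref):
    """Split an image reference into registry, repo, tag and digest."""
    match = _REF.match(ref)
    if not match:
        raise ValueError(f"malformed image reference: {ref!r}")
    parts = match.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"   # default public registry
    return parts


def check_image_ref(ref, approved=APPROVED_REGISTRIES):
    """Return a list of policy violations; an empty list means the image
    may be admitted."""
    try:
        parts = parse_image_ref(ref)
    except ValueError as err:
        return [str(err)]
    problems = []
    if parts["registry"] not in approved:
        problems.append(f"registry {parts['registry']} is not an approved private registry")
    if not parts["digest"]:
        problems.append("image is not pinned by digest; a tag can be re-pointed at a different image")
    if parts["tag"] == "latest":
        problems.append("'latest' tag gives no control over which build is deployed")
    return problems


SAMPLE_REFS = [   # constructed examples
    "registry.internal.example:5000/payments/api:1.4.2@sha256:" + "a" * 64,
    "registry.internal.example:5000/payments/api:latest",
    "nginx:1.25",
    "docker.io/library/redis@sha256:" + "b" * 64,
]

if __name__ == "__main__":
    for ref in SAMPLE_REFS:
        print(ref, "->", check_image_ref(ref) or "allowed")
```

The same check fits naturally as a validating admission webhook or a CI gate; the digest requirement is what makes "only from our registry" mean "only the exact image we scanned".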

23
Q

Your software developers use security keys to access cloud services. What should you do to harden the use of security keys?

Rotate cloud keys.

Use symmetric instead of asymmetric keys.

Reduce the key length.

A

Rotate cloud keys.

Rotating keys is a standard security practice. Past compromised keys will no longer provide resource access. Software developers must be provided with newly rotated keys for continued cloud resource access

24
Q

You need to deploy virtual machines in the cloud to support big data processing. The virtual machines must not be reachable from the Internet. Data processing summaries will be uploaded from the virtual machines to an on-premises database server. The on-premises network is already configured to allow incoming connections from the Internet. What should you do to allow the required functionality while maximizing security?

Deploy a public subnet in the cloud with firewall rules.

Deploy a private subnet in the cloud with an on-premises Internet gateway.

Deploy a private subnet in the cloud with an Internet gateway.

A

Deploy a private subnet in the cloud with an Internet gateway.

A private cloud subnet does not allow incoming connections from the Internet and does not normally allow outgoing connectivity to the Internet either. Adding an Internet gateway to the virtual network, with the private subnet's outbound traffic routed through a NAT gateway so that the virtual machines keep only private IP addresses, allows them to initiate connections outside the private subnet, such as to on-premises resources, while remaining unreachable from the Internet. Cloud resources are often isolated on segmented networks for exactly this reason
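As an added example for this card (not from the original flashcards or any vendor tool), the code below classifies subnets the way AWS defines the terms: a subnet is public when its route table sends `0.0.0.0/0` to an Internet gateway (`igw-*`), private when that default route goes to a NAT gateway (`nat-*`), and isolated when there is no default route at all. The route tables are constructed in the shape of `aws ec2 describe-route-tables`; the IDs are assumptions.

```python
"""Classify VPC subnets as public, private or isolated from route tables.

SAMPLE_ROUTE_TABLES is constructed in `describe-route-tables` shape with
assumed IDs: a public web subnet, a NAT-backed private subnet for the big
data workers, and a database subnet with no route out at all."""

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-bigdata"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f1e2d3c4b5a"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]


def default_route_target(route_table):
    """The target of the IPv4 default route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or route.get("NatGatewayId")
                    or route.get("TransitGatewayId") or "unknown")
    return None


def classify_subnets(route_tables):
    """Return {subnet_id: 'public' | 'private' | 'isolated'}."""
    result = {}
    for table in route_tables:
        target = default_route_target(table)
        if target is None:
            kind = "isolated"     # no path to the Internet in either direction
        elif target.startswith("igw-"):
            kind = "public"       # instances holding public IPs are reachable from the Internet
        else:
            kind = "private"      # outbound only, via NAT (or another gateway)
        for assoc in table["Associations"]:
            if "SubnetId" in assoc:           # skip the "Main" association, which has no subnet
                result[assoc["SubnetId"]] = kind
    return result


def suitable_for_outbound_only(route_tables, subnet_id):
    """The card's requirement: unreachable from the Internet, but able to
    push results out to an on-premises endpoint."""
    return classify_subnets(route_tables).get(subnet_id) == "private"


if __name__ == "__main__":
    for subnet, kind in classify_subnets(SAMPLE_ROUTE_TABLES).items():
        print(subnet, kind)
```

The NAT gateway itself lives in a public subnet and reaches the Internet through the Internet gateway, which is why the answer's "private subnet with an Internet gateway" resolves to this layout in practice. Note that a private subnet still needs a security group or network ACL rule for the outbound connection, and that the on-premises endpoint should restrict its inbound rule to the NAT gateway's public address.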

25
Q

Over time, you have noticed unauthorized configuration changes made to virtual machine cloud settings. You need a way to track who made these changes and when. What should you do?

Enable virtual machine API integration.

Deploy an OSI layer 7 firewall.

Enable cloud resource activity auditing.

A

Enable cloud resource activity auditing.

Auditing cloud resource activity (for example AWS CloudTrail or Azure Activity Log) provides a log of actions, including which identity made each configuration change to a cloud-based virtual machine, from which source address, and when. Most auditing systems have configurable audit data retention periods and filtering options; send the logs to storage the technicians being audited cannot modify
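The added example below (not part of the original flashcards) shows what answering both this card and card 5 looks like once auditing is on: it reads CloudTrail-style records and reports who changed a given instance's configuration, which of those changes happened outside a change window, and which objects under a "budget" prefix a named user read. The records are constructed in the CloudTrail event JSON shape; the user names, instance ID, bucket, keys and the list of config-changing API calls are assumptions. Object-level reads only appear in CloudTrail if S3 data events are enabled for the bucket.

```python
"""Who changed what, and when: queries over CloudTrail-style audit records.

SAMPLE_EVENTS is constructed in CloudTrail event JSON shape with assumed
identities, instance ID and bucket names."""
import json
from datetime import datetime

SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2024-03-04T09:12:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "userName": "jsmith"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceId": "i-0abc123def456",
                           "groupSet": {"items": [{"groupId": "sg-0123"}]}}},
    {"eventTime": "2024-03-04T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "jsmith"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventTime": "2024-03-04T22:47:19Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceMetadataOptions",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci-runner"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"instanceId": "i-0abc123def456", "HttpTokens": "optional"}},
    {"eventTime": "2024-03-05T08:03:55Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "kchen"},
     "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"bucketName": "finance-payroll", "key": "budget/2024-q2.xlsx"}},
    {"eventTime": "2024-03-05T08:04:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "kchen"},
     "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"bucketName": "finance-payroll", "key": "public/holidays.txt"}},
]})

# EC2 calls that alter an instance's configuration (assumed list);
# read-only Describe* calls are noise for this question.
EC2_CONFIG_CHANGES = {"ModifyInstanceAttribute", "ModifyInstanceMetadataOptions",
                      "RunInstances", "StartInstances", "StopInstances", "TerminateInstances"}


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def actor(record):
    """Human-readable identity: IAM user name, else the role session ARN."""
    identity = record["userIdentity"]
    return identity.get("userName") or identity.get("arn") or identity.get("type")


def instance_config_changes(records, instance_id):
    """[(eventTime, actor, eventName, sourceIP)] for one instance, oldest first."""
    hits = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        if (rec["eventSource"] == "ec2.amazonaws.com"
                and rec["eventName"] in EC2_CONFIG_CHANGES
                and params.get("instanceId") == instance_id):
            hits.append((rec["eventTime"], actor(rec), rec["eventName"], rec["sourceIPAddress"]))
    return sorted(hits)


def outside_change_window(hits, start_hour=8, end_hour=18):
    """Changes whose UTC hour falls outside the normal change window."""
    flagged = []
    for hit in hits:
        hour = datetime.strptime(hit[0], "%Y-%m-%dT%H:%M:%SZ").hour
        if not start_hour <= hour < end_hour:
            flagged.append(hit)
    return flagged


def file_access_by_user(records, user, bucket, prefix):
    """S3 object accesses by one user under a key prefix (card 5's budget files)."""
    hits = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        if (rec["eventSource"] == "s3.amazonaws.com" and actor(rec) == user
                and params.get("bucketName") == bucket
                and params.get("key", "").startswith(prefix)):
            hits.append((rec["eventTime"], rec["eventName"], params["key"], rec["sourceIPAddress"]))
    return sorted(hits)


if __name__ == "__main__":
    records = load_records(SAMPLE_EVENTS)
    changes = instance_config_changes(records, "i-0abc123def456")
    print("config changes:", changes)
    print("outside window:", outside_change_window(changes))
    print("budget reads by kchen:", file_access_by_user(records, "kchen", "finance-payroll", "budget/"))
```

The same functions run unchanged over the gzipped JSON files CloudTrail delivers to its log bucket once each file's `Records` array is loaded; for a Windows file server the equivalent source is the 4663 object-access events produced by file system auditing.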

26
Q

Which capabilities are offered by Next-generation Secure Web Gateways? (Choose two.)

Content filtering

Proxy server

Infrastructure as code

CI/CD

A

Content filtering

Proxy server

A Next-generation Secure Web Gateway (SWG) is an on-premises or cloud-based unified IT security solution that provides services such as malware detection and prevention, network threat detection, forward and reverse proxying, content filtering, data loss prevention, and threat reporting

27
Q

You have linked your on-premises and public cloud networks together with a site-to-site VPN. Which type cloud deployment model does this apply to?

Private

Community

Hybrid

A

Hybrid

Hybrid cloud solutions combine cloud deployment models, such as linking a private cloud to a public cloud or linking conventional on-premises IT services with IT services hosted in the public cloud; a site-to-site VPN between the on-premises network and the public cloud network is a typical way to build that link. A community cloud is instead shared by several organizations with common requirements

28
Q

Which type of replication does not wait for data to be committed to the primary replica before synchronizing additional replicas?

Asynchronous

Synchronous

Symmetric

A

Synchronous

Synchronous replication writes to the primary and replica copies concurrently, and the write is not acknowledged until every replica has it. This is often used for mission-critical applications and requires sufficient network speed and low latency for replicas spread across great distances. Asynchronous replication acknowledges the write once the primary has committed it and catches the replicas up afterward, which tolerates distance better but can lose the most recent writes if the primary fails

29
Q

Which term describes breaking out of a virtual machine and attacking the hypervisor?

VM sprawl

VM escape

CASB

A

VM escape

VM escape occurs when malicious code running inside a virtual machine breaks out of the guest and gains access to the hosting hypervisor or its host operating system, from which every other guest on that host can be attacked. Mitigations include promptly patching the hypervisor and guest operating systems and limiting features that share resources between the hypervisor and guests, such as file sharing, clipboard sharing, and unnecessary virtual devices