CHAPTER 9

Security in Cloud Computing

This chapter includes questions from the following topics:

•   Identify cloud computing concepts

•   Understand basic elements of cloud security

•   Identify cloud security tools

A few years back my television exploded. Not like in a fiery, Michael Bay–type movie scene explosion (although that would have provided a great story and been much more entertaining than the show I was watching), but in a soft whimper of electronic death. I was immediately filled with two separate but equally strong emotional sentiments. First, that I was going to be out a lot of cash and would have a lot of hassle ahead of me. The second, though, was much more exhilarating: I was going to get to buy a new television.

Have you ever seen a perpetually tired, beaten-down parent get to go to an electronics store to actually buy something? It’s like watching a teenage rock fan stepping behind the curtain for backstage access. No minivans, no diapers, no recitals—nothing but pure, unadulterated fun. I couldn’t wait. When I got to the store, the sales staff must have immediately recognized the glow of purchase-ready rapture on my face, because they descended upon me in droves. I was advised about pixels, hues, sound digitalization efforts, something called “true” black, white balance, and refresh rate. Before I knew what was happening, I was standing in front of a $3000 TV that looked so clear and large I could just step into it. It was beyond HD, crystal clear, and according to the salesman not only “smart” but also capable of 3D! For a brief moment, my eyes glazed over and I thought, “Yeah, this makes sense!”

Thankfully my phone rang and woke me from my hypnotic stance. Did I need a TV that big? Where would I even put it? And what 3D programming is actually available to see in the first place? I stepped aside, cleared my head…and wound up buying a smart-enabled, 3D TV. Not because I even had any idea what the technology was, but I knew it was cool and brand new. And I wanted it.

Cloud computing isn’t anywhere near as exciting as televisions (have you seen the QLED screens available now?), but it is simultaneously a big draw to those searching for enterprise growth and largely misunderstood by a lot of people. EC-Council added a brand-new chapter on the subject in their official courseware in its previous version (9) and seemed to put a lot of focus on it. In this particular version, cloud is still important, and an area of study focus for you, but it appears to my reading it simply isn’t as focused a topic as it was before. This chapter captures the exam information you’ll need to know regarding cloud computing and security.


STUDY TIPS    EC-Council tends to focus on lists, categories, and in-the-weeds specificity in other topics, and cloud computing is no different. Know the types and deployment models very well, and completely memorize NIST’s reference architecture on cloud. Most of the attacks and threats in cloud computing are similar to everything else, but a couple are very specific, and those will likely find their way onto your exam. Lastly, there aren’t a whole lot of cloud-specific tools to know, but you will definitely need to be familiar with them.

QUESTIONS

1.   Which of the following statements is true regarding cloud computing?

A.   In IaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

B.   In PaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

C.   In SaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

D.   None of the above.

2.   Which of the following is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services?

A.   NIST Cloud Architecture

B.   FedRAMP

C.   PCI-DSS Cloud Special Interest Group

D.   Cloud Security Alliance

3.   A business owner is advised that inventory, storage, sales, and backup online services can be provided less expensively and more securely via a cloud service. After investigating the options, the business owner determines the best cloud service provider for his needs also happens to be the provider for several of his competitors. Should he decide to engage the same provider, which cloud service deployment model will be used?

A.   Private

B.   IaaS

C.   Community

D.   Public

4.   In “NIST Cloud Computing Reference Architecture,” which of the following is the intermediary for providing connectivity between the cloud and the subscriber?

A.   Cloud provider

B.   Cloud carrier

C.   Cloud broker

D.   Cloud auditor

5.   A company relies on a private cloud solution for most of its internal computing needs. After expanding into more online retailing, it relies on a portion of a public cloud for external sales and e-commerce offerings. Which of the following best describes the cloud deployment type in use?

A.   Private

B.   Public

C.   Hybrid

D.   Community

6.   Cloud computing would be best suited for which of the following businesses?

A.   A medical practice

B.   An established rural general sales store

C.   A law enforcement agency

D.   A Christmas supply store

7.   A software company has decided to build and test web applications in a cloud computing environment. Which of the following cloud computing types best describes this effort?

A.   IaaS

B.   PaaS

C.   SaaS

D.   Community

8.   Which of the following statements is not true?

A.   Private cloud is operated solely for a single organization.

B.   Public cloud makes use of virtualized servers.

C.   Public cloud is operated over an intranet.

D.   Private cloud makes use of virtualized servers.

9.   A company relies solely on Google Docs, Google Sheets, and other cloud-based provisions for its office documentation software needs. Which of the following cloud computing types best describes this?

A.   SaaS

B.   PaaS

C.   IaaS

D.   Public

10.   A subscriber purchases machine virtualization and hosting through Amazon EC2. Which of the following cloud computing types does this describe?

A.   IaaS

B.   PaaS

C.   SaaS

D.   Hybrid

11.   Cloud computing faces many of the same security concerns as traditional network implementations. Which of the following are considered threats to cloud computing?

A.   Data breach or loss

B.   Abuse of services

C.   Insecure interfaces

D.   Shared technology issues

E.   All of the above

12.   Which of the following attacks occurs during the translation of SOAP messages?

A.   Wrapping attack

B.   Cross-guest VM

C.   Side channel

D.   Session riding

13.   Which of the following is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network?

A.   API

B.   SOA

C.   EC2

D.   IaaS

14.   In “NIST Cloud Computing Reference Architecture,” which entity manages cloud services and maintains the relationship between cloud providers and subscribers?

A.   Cloud broker

B.   Cloud auditor

C.   Cloud carrier

D.   Cloud consumer

15.   Which of the following is not a benefit of virtualization?

A.   It allows for more efficient backup, data protection, and disaster recovery.

B.   It reduces system administration work.

C.   It improves operational efficiency.

D.   It locks individual hardware to each individual virtual machine.

16.   A company acquires a cloud environment for much of its business IT needs. The environment is used and operated solely for the single organization. Which of the following represents the cloud deployment model in question?

A.   Public

B.   IaaS

C.   Sole-source

D.   Private

17.   Which of the following statements is true regarding cloud computing?

A.   Security in the cloud is the responsibility of the provider only.

B.   Security in the cloud is the responsibility of the consumer only.

C.   Security in the cloud is the responsibility of both the consumer and the provider.

D.   None of the above.

18.   Which tool offers penetration-test-like services for Amazon EC2 customers?

A.   CloudPassage Halo

B.   Core Cloud

C.   CloudInspect

D.   Panda Cloud Office Protection

19.   An attacker sets up a VM on the same physical cloud host as the target’s VM. He then takes advantage of the shared physical resources to steal data. Which of the following describes this attack?

A.   Side channel

B.   VM flood

C.   Session riding

D.   Cybersquatting

20.   In the trusted computing model, what is a set of functions called that’s always trusted by the computer’s operating system?

A.   SOA

B.   RoT

C.   TCG

D.   VM

QUICK ANSWER KEY

1.   C

2.   B

3.   C

4.   B

5.   C

6.   D

7.   B

8.   C

9.   A

10.   A

11.   E

12.   A

13.   B

14.   A

15.   D

16.   D

17.   C

18.   C

19.   A

20.   B

ANSWERS

1.   Which of the following statements is true regarding cloud computing?

A.   In IaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

B.   In PaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

C.   In SaaS, applications, data, middleware, virtualization, and servers are part of the service provision.

D.   None of the above.

C. So there are several things EC-Council is very concerned that you know regarding cloud computing, but two in particular are right at the top of the list. The concepts of separation of duties and separation of responsibility—both of which are key aims and benefits of cloud computing—keep popping up over and over again in study materials and will be key to your success. Separation of duties is a provision of all cloud computing types, but only one of the three takes care of everything. In Software as a Service (SaaS), the service provider carries the entire span of responsibility. Everything from applications and data through middleware and OS, all the way down to the networking itself, is provided by the service provisioner. For comparison’s sake, in Platform as a Service (PaaS), the service provider takes care of everything except the applications and data. In Infrastructure as a Service (IaaS), the client holds the applications, data, runtime, middleware, and OS, while the provider takes care of everything else—virtualization, servers, storage, and networking.

A, B, and D are incorrect because these are not true statements. In IaaS, the subscriber holds applications, data, and middleware but not virtualization and servers. In PaaS, the client only holds the applications and data.

2.   Which of the following is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services?

A.   NIST Cloud Architecture

B.   FedRAMP

C.   PCI-DSS Cloud Special Interest Group

D.   Cloud Security Alliance

B. EC-Council, at least as of this writing, doesn’t mention one single regulatory effort in cloud computing at all, outside of NIST’s reference architecture, in their official courseware. This does not mean you will not see any cloud computing regulatory efforts on your exam. I’m willing to bet you’ll see more and more of them as time goes on, and FedRAMP is the 800-pound gorilla of cloud computing regulatory efforts you absolutely need to know about.

The Federal Risk and Authorization Management Program (FedRAMP; www.fedramp.gov/) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It not only provides an auditable framework for ensuring basic security controls for any government cloud effort, but FedRAMP also offers weekly tips for security and configuration and even has free training available on the site. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.

A is incorrect because the definition provided does not match the NIST Cloud Computing Reference Architecture. NIST (National Institute of Standards and Technology) released Special Publication 500-292, “NIST Cloud Computing Reference Architecture,” in 2011 to provide a “fundamental reference point to describe an overall framework that can be used government wide” (www.nist.gov/customcf/get_pdf.cfm?pub_id=909505).

C is incorrect because the definition provided does not match the PCI Data Security Standard (PCI-DSS) Cloud Special Interest Group. PCI is not a federal government regulatory body.

D is incorrect because the definition provided does not match the Cloud Security Alliance (CSA). CSA is the leading professional organization devoted to promoting cloud security best practices and organizing cloud security professionals.

3.   A business owner is advised that inventory, storage, sales, and backup online services can be provided less expensively and more securely via a cloud service. After investigating the options, the business owner determines the best cloud service provider for his needs also happens to be the provider for several of his competitors. Should he decide to engage the same provider, which cloud service deployment model will be used?

A.   Private

B.   IaaS

C.   Community

D.   Public

C. In most circumstances, it doesn’t matter who else uses the cloud provider you want to use—what matters is the services provided, the costs, and the available security. A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require. Or, in this case, even adversarial competitors may make use of the same services from the same cloud provider.

A is incorrect because a private cloud model is, not surprisingly, private in nature. The cloud is operated solely for a single organization (a.k.a. single-tenant environment) and is usually not a pay-as-you-go type of operation.

B is incorrect because Infrastructure as a Service is a type of cloud computing, not a deployment model.

D is incorrect because a public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when security and compliance requirements found in large organizations aren’t a major issue.

4.   In “NIST Cloud Computing Reference Architecture,” which of the following is the intermediary for providing connectivity between the cloud and the subscriber?

A.   Cloud provider

B.   Cloud carrier

C.   Cloud broker

D.   Cloud auditor

B. I can guarantee you’ll see several questions from the cloud world on your exam, and many of those questions will be simply identifying portions of “NIST Cloud Computing Reference Architecture.” The cloud carrier is defined in the architecture as the organization with the responsibility of transferring the data—akin to the power distributor for the electric grid. The cloud carrier is the intermediary for connectivity and transport between the subscriber and provider.

A is incorrect because the cloud provider is the purveyor of products and services.

C is incorrect because the cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.”

D is incorrect because the cloud auditor is the independent assessor of cloud service and security controls.

5.   A company relies on a private cloud solution for most of its internal computing needs. After expanding into more online retailing, it relies on a portion of a public cloud for external sales and e-commerce offerings. Which of the following best describes the cloud deployment type in use?

A.   Private

B.   Public

C.   Hybrid

D.   Community

C. A hybrid cloud deployment is exactly what it sounds like—a combination of two or more deployment types together.

A is incorrect because a private cloud deployment is operated solely for a single organization (a.k.a. single-tenant environment).

B is incorrect because a public cloud deployment model is one where services are provided over a network that is open for public use (like the Internet).

D is incorrect because a community cloud deployment model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.

6.   Cloud computing would be best suited for which of the following businesses?

A.   A medical practice

B.   An established rural general sales store

C.   A law enforcement agency

D.   A Christmas supply store

D. Scenario questions like this will be peppered throughout your exam on multiple topics, and cloud computing is no different. In this case, the Christmas supply store is, by its very nature, seasonal. This means instead of a steady flow of business and computing resources, it will need much more support during the last couple months of the year than it would in, say, July. Cloud computing provides the elasticity (another term you may see pop up) of adding or removing computing resources as you need them, which could very well save the company money.

A is incorrect. Of the choices provided, a medical practice would not be the best choice because of the sensitive data it holds (not to mention the federally mandated protections the practice would have to have in place for those records).

B is incorrect because an established storefront with steady sales and employee staff doesn’t necessarily need cloud services.

C is incorrect because law enforcement agencies also deal with highly sensitive information. Therefore, of the choices provided, this is not the best one.

7.   A software company has decided to build and test web applications in a cloud computing environment. Which of the following cloud computing types best describes this effort?

A.   IaaS

B.   PaaS

C.   SaaS

D.   Community

B. This scenario is tailor-made for Platform as a Service (PaaS). Despite also being a name brand recognized mostly during Easter for coloring eggs, PaaS is geared toward software development, as it provides a platform that allows subscribers to create applications without building the infrastructure it would normally take to develop and launch software. Hardware and software are hosted by the provider on its own infrastructure, so customers do not have to install or build homegrown hardware and software for development work. PaaS doesn’t usually replace an organization’s actual infrastructure; instead, it just offers key services the organization may not have onsite.

A is incorrect because this does not describe Infrastructure as a Service. IaaS provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM) running the virtual machines as guests.

C is incorrect because this does not describe Software as a Service. SaaS is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.

D is incorrect because community refers to the cloud deployment model, not the type.

8.   Which of the following statements is not true?

A.   Private cloud is operated solely for a single organization.

B.   Public cloud makes use of virtualized servers.

C.   Public cloud is operated over an intranet.

D.   Private cloud makes use of virtualized servers.

C. Most of the time I deplore the “not” questions—they seem designed to trip candidates up more than to test their knowledge—but EC-Council (and, not surprisingly, virtually every other certification provider) makes use of them often. In this case, a private cloud is, of course, operated solely for one organization, and virtualization is used in all cloud deployment models. A public cloud, however, explicitly provides services on a network that is open for public use (like the Internet).

A, B, and D are incorrect because these are true statements.

9.   A company relies solely on Google Docs, Google Sheets, and other cloud-based provisions for its office documentation software needs. Which of the following cloud computing types best describes this?

A.   SaaS

B.   PaaS

C.   IaaS

D.   Public

A. This scenario aptly describes Software as a Service. SaaS is a software distribution model—the provider offers on-demand applications to subscribers over the Internet. Google Docs and Google Sheets, where word processing and spreadsheet software actions are provided online, are perfect examples. Microsoft is also big in the SaaS game, and Office 365 is seemingly taking over for the traditional Microsoft Office suite. Instead of installing it on your system or buying it preinstalled at Best Buy (or whatever vendor you use), you can “rent” Office 365—get what you need for as long as you need. Given that Office is the world’s leading office productivity software, it shouldn’t come as a surprise that Office 365 is a big hit. The U.S. Air Force, for one example, moved over half a million e-mail accounts to Office 365 in January of 2019.

B is incorrect because Platform as a Service is a great choice for software development, but is not designed to provide software services in this manner.

C is incorrect because Infrastructure as a Service is not designed to provide software services like those described.

D is incorrect because public refers to the deployment model.

10.   A subscriber purchases machine virtualization and hosting through Amazon EC2. Which of the following cloud computing types does this describe?

A.   IaaS

B.   PaaS

C.   SaaS

D.   Hybrid

A. There are three types of cloud computing implementation: IaaS, PaaS, and SaaS. In the case of Amazon EC2, Infrastructure as a Service best matches the description. IaaS basically provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications, and services on behalf of its subscribers, with a hypervisor (such as VMware, Oracle VirtualBox, Xen, or KVM) running the virtual machines as guests. Collections of hypervisors within the cloud provider exponentially increase the virtualized resources available and provide scalability of service to subscribers. As a result, IaaS is a good choice, not just for day-to-day infrastructure service, but also for temporary or experimental workloads that may change unexpectedly. IaaS subscribers typically pay on a per-use basis (within a certain timeframe, for instance) or sometimes by the amount of virtual machine space used.

B is incorrect because Platform as a Service does not best match this description. PaaS is geared toward software development, as it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.

C is incorrect because Software as a Service does not best match this description. SaaS is probably the simplest and easiest to think about. It is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.

D is incorrect because hybrid does not best match this description. The term “hybrid” deals with the deployment method of the cloud (for example, if you had a cloud environment that was both “public” and “community” in nature, it would be referred to as hybrid).

11.   Cloud computing faces many of the same security concerns as traditional network implementations. Which of the following are considered threats to cloud computing?

A.   Data breach or loss

B.   Abuse of services

C.   Insecure interfaces

D.   Shared technology issues

E.   All of the above

E. EC-Council dedicated a lot of real estate in their past official courseware to cloud threats, even though much of it is the same as it would be in traditional networking, and in this version, it’s more of the same. In a blast from the past (this comes straight out of the Cloud Security Alliance’s “The Notorious Nine: Cloud Computing Top Threats in 2013” publication, https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf, which is no longer referenced in the course material but is obviously still used as a reference), the top three listed are data breach and loss, abuse of cloud services, and insecure interfaces/APIs. Each is exactly what it sounds like and doesn’t require much in the way of explanation. However, the following explanations are for the sake of your exam:

•   Data breach and loss In addition to data erasure, theft, and/or modification, this also deals with loss of encryption keys and misuse of the data by the cloud security provider itself.

•   Abuse of cloud services This occurs when the bad guys create anonymous access to cloud services and use the cloud’s resources to carry out their activities. Why do password cracking, host exploits, or malware on your own machine when you can do it all in the cloud?

•   Insecure interfaces/APIs These allow the bad guys to circumvent user-defined policies and perhaps reuse passwords or tokens.

Pages and pages of cloud computing threats are mentioned in the official courseware—everything from insufficient due diligence, shared technology issues, and inadequate planning, through supply chain failure, management interface compromise, and hardware failures. It’s impossible to cover them all here, but they’re all pretty straightforward. On your exam, you’re probably more likely to have to identify which threats aren’t specific to cloud, and that should be a piece of cake for you.

Here is the full list of cloud threats ECC wants you to know about, as of the date I sit down to write this:

•   Data breach/loss

•   Abuse and nefarious use of cloud services

•   Insecure interfaces and APIs

•   Insufficient due diligence

•   Shared technology issues

•   Unknown risk profiles

•   Unsynchronized system clocks

•   Inadequate infrastructure design and planning

•   Client hardening procedures and cloud environment conflicts

•   Loss of operational and security logs

•   Malicious insiders

•   Illegal access

•   Privilege escalation

•   Natural disasters

•   Hardware failures

•   Supply chain failures

•   Modifying network traffic

•   Isolation failure

•   Cloud provider acquisition

•   Management interface compromise

•   Network management failure

•   Authentication attacks

•   VM-level attacks

•   Licensing

•   Lock-in

•   Loss of governance

•   Loss of encryption keys

•   Changes in jurisdiction

•   Malicious probes/scans

•   Cloud service termination

•   Subpoena

•   Improper data handling

•   Loss of backup data

•   Compliance

•   Economic denial of sustainability (EDoS)

Lastly, I must point out the original Cloud Security Alliance publication (“The Notorious Nine: Cloud Computing Top Threats in 2013”) has been updated. It’s now “The Dirty Dozen: 12 Top Cloud Security Threats,” also referred to as “The Treacherous 12” (https://www.csoonline.com/article/3043030/12-top-cloud-security-threats-for-2018.html), and while it’s very, very similar to the original, there are a few differences. For example, perusing the list you may notice “Abuse of Cloud Services” is now listed as “Abuse of Cloud Resources.” Because you may see questions from both lists on your exam, I’ve left the original noted, but what I’ve listed should provide all you need for memorization purposes. Just use your common sense on these questions and you should be fine.

A, B, C, and D are incorrect because they’re all cloud computing threats.

12.   Which of the following attacks occurs during the translation of SOAP messages?

A.   Wrapping attack

B.   Cross-guest VM

C.   Side channel

D.   Session riding

A. Attacks aren’t necessarily specific to cloud computing, but EC-Council covers wrapping attacks here, so we’ll follow suit. In a wrapping attack, the user sends a request to the server, but the SOAP response is intercepted by the attacker. He then duplicates the original message and sends it as if he is the user. In short, to pull this off, you just intercept the response, change the data in the SOAP envelope, and replay.

B and C are incorrect because this does not describe cross-guest VM attacks, which are also known as side channel attacks and deal with virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of malicious activities.

D is incorrect because this does not describe a session riding attack. Session riding is, in effect, simply CSRF under a different name and deals with cloud services instead of traditional data centers.
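The reason a wrapping attack works is that the signature over the SOAP message still verifies: the originally signed Body is tucked away inside a wrapper element where the signature code can still find it by its Id, while the application logic processes a different, unsigned Body. The defensive fix is therefore structural, not cryptographic. The following is an added example (not from the book or EC-Council’s courseware) of the two checks a receiving SOAP endpoint should make after the cryptographic signature has verified: that the element the signature references is exactly the Body the service will act on, and that a message whose signature value has already been accepted is not processed again. The envelope strings, Ids and signature values are constructed for the example, and the actual XML-DSig verification is assumed to have happened elsewhere.

```python
"""Structural checks against SOAP signature wrapping and message replay.

Added example (not part of the book). The XML below is constructed for the
demonstration; cryptographic verification of the signature is assumed to be
done separately before these checks run.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = "{%s}Id" % WSU_NS                      # expanded attribute name
BODY = "{%s}Body" % SOAP_NS
REFERENCE = ".//{%s}Reference" % DS_NS
SIG_VALUE = ".//{%s}SignatureValue" % DS_NS

_NS_DECL = 'xmlns:soap="%s" xmlns:ds="%s" xmlns:wsu="%s"' % (SOAP_NS, DS_NS, WSU_NS)


def _signature(ref_id, sig_value):
    # Minimal ds:Signature pointing at a same-document Id (constructed sample).
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s">'
            '<ds:DigestValue>dGVzdA==</ds:DigestValue></ds:Reference>'
            '</ds:SignedInfo><ds:SignatureValue>%s</ds:SignatureValue>'
            '</ds:Signature>' % (ref_id, sig_value))


# Constructed legitimate message: the signed element is the Body itself.
LEGIT = ('<soap:Envelope %s><soap:Header>%s</soap:Header>'
         '<soap:Body wsu:Id="body-1"><GetBalance account="1001"/></soap:Body>'
         '</soap:Envelope>' % (_NS_DECL, _signature("body-1", "c2lnLTE=")))

# Constructed wrapped message: the signed Body was moved under a wrapper in
# the Header, and an unsigned Body took its place. Same signature as above.
WRAPPED = ('<soap:Envelope %s><soap:Header>%s<Wrapper>'
           '<soap:Body wsu:Id="body-1"><GetBalance account="1001"/></soap:Body>'
           '</Wrapper></soap:Header>'
           '<soap:Body><Transfer to="9999" amount="5000"/></soap:Body>'
           '</soap:Envelope>' % (_NS_DECL, _signature("body-1", "c2lnLTE=")))


def check_wrapping(envelope_xml):
    """Return (ok, reason). ok is True only when the element the signature
    references is the one and only Body directly under the Envelope."""
    root = ET.fromstring(envelope_xml)
    ref = root.find(REFERENCE)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return False, "no same-document signature reference"
    ref_id = uri[1:]
    bodies = root.findall(BODY)                  # direct children of Envelope only
    if len(bodies) != 1:
        return False, "expected exactly one Body, found %d" % len(bodies)
    # Every element anywhere in the document that carries the referenced Id.
    carriers = [e for e in root.iter() if e.get(WSU_ID) == ref_id]
    if len(carriers) != 1:
        return False, "Id %r carried by %d elements" % (ref_id, len(carriers))
    if carriers[0] is not bodies[0]:             # identity, not equality
        return False, "signed element is not the Body that will be processed"
    return True, "signed element is the processed Body"


class ReplayGuard:
    """Rejects an envelope whose SignatureValue has already been accepted.
    An attacker replaying a captured message cannot mint a fresh signature,
    so an exact replay always reuses the value seen before."""

    def __init__(self):
        self._seen = set()

    def accept(self, envelope_xml):
        sig = ET.fromstring(envelope_xml).find(SIG_VALUE)
        key = (sig.text or "").strip() if sig is not None else ""
        if not key or key in self._seen:
            return False
        self._seen.add(key)
        return True


def validate(envelope_xml, guard):
    """Combined check a service would run before acting on the Body."""
    ok, reason = check_wrapping(envelope_xml)
    if not ok:
        return False, reason
    if not guard.accept(envelope_xml):
        return False, "replayed message (signature value already seen)"
    return True, reason


if __name__ == "__main__":
    guard = ReplayGuard()
    for label, msg in (("legit", LEGIT), ("replay", LEGIT), ("wrapped", WRAPPED)):
        print(label, validate(msg, guard))
```

The identity comparison (`is not`) matters: a wrapped message and a legitimate one can contain textually identical Body elements, so comparing content would pass the attack. Checking that the referenced Id is carried by exactly one element also closes the variant where the attacker copies the Id onto the injected Body.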

13.   Which of the following is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network?

A.   API

B.   SOA

C.   EC2

D.   IaaS

B. In Service-Oriented Architecture (SOA), software is designed so that each of its individual components works and communicates with components on different systems across the network. Each computer can run any of the services in the software, and each individual component is built so that it can exchange information with any other service in the network, without interaction or the need to make changes to the software. For example, someone might create an API that provides access to a database, which then allows third-party vendors to create their own applications to take advantage of it.

A is incorrect because this does not define an application programming interface. APIs are sets of protocols and tools for building applications.

C is incorrect because EC2 is a cloud service offering from Amazon.

D is incorrect because IaaS is a cloud type.

14.   In “NIST Cloud Computing Reference Architecture,” which entity manages cloud services and maintains the relationship between cloud providers and subscribers?

A.   Cloud broker

B.   Cloud auditor

C.   Cloud carrier

D.   Cloud consumer

A. “NIST Cloud Computing Reference Architecture” defines the cloud broker as the entity that acts to manage the use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.”

B is incorrect because the cloud auditor is the independent assessor of the cloud service provider’s security controls.

C is incorrect because the cloud carrier is the organization that has the responsibility of transferring the data between the provider and subscriber.

D is incorrect because the cloud consumer is the individual or organization that acquires and uses cloud products and services.

15.   Which of the following is not a benefit of virtualization?

A.   It allows for more efficient backup, data protection, and disaster recovery.

B.   It reduces system administration work.

C.   It improves operational efficiency.

D.   It locks individual hardware to each individual virtual machine.

D. Some of you may actually work with and in a cloud, and you may disagree with at least one of the benefits listed here. However, while there may be differences between the real world and your CEH exam, for your test you really need to know virtualization's benefits. The idea itself is great: run one or more operating systems simultaneously on the same physical box by presenting each OS with virtualized hardware. Several vendors and projects (VMware, Oracle's VirtualBox, and Xen, among others) provide the hypervisor (a.k.a. virtual machine monitor, or VMM, the software or firmware that creates and runs virtual machines) that lets multiple OSs share one physical machine. Answer D describes the opposite of what a hypervisor does: it abstracts the hardware and shares it among guests, and dedicating a physical resource to each VM would throw away the consolidation that makes virtualization worthwhile. Virtualizing your servers can improve operational efficiency, provide for more efficient backups (a VM is a set of files that can be snapshotted and copied), offer disaster recovery and data protection, and reduce administrative work. Additionally, virtualization may have a positive effect on ensuring control and compliance throughout the network, as well as reduce overall costs. The trade-off a practitioner should keep in mind is that the hypervisor becomes a single, high-value attack surface shared by every guest on the host (see question 19).

A, B, and C are incorrect because these are all benefits of server virtualization.

16.   A company acquires a cloud environment for much of its business IT needs. The environment is used and operated solely for the single organization. Which of the following represents the cloud deployment model in question?

A.   Public

B.   IaaS

C.   Sole-source

D.   Private

D. In a private cloud model, the cloud is operated solely for a single organization (a.k.a. a single-tenant environment), whether it is hosted on-premises or by a third party, and it is usually not a pay-as-you-go arrangement. Private clouds are usually preferred by larger organizations, because the hardware is dedicated and security and compliance requirements can be more easily met. The flip side is that the organization (or its contractor) carries the operational security work a public provider would otherwise absorb.

A is incorrect because a public cloud's infrastructure is provisioned for open use by the general public and is shared among many tenants.

B is incorrect because IaaS is a cloud service model, not a deployment model. In IaaS, a provider delivers virtualized computing resources over the Internet: it hosts the infrastructure components (compute, storage, and networking) on behalf of its subscribers, with a hypervisor running the subscribers' virtual machines as guests. IaaS is a good choice for day-to-day infrastructure and for temporary or experimental workloads that may change unexpectedly. IaaS subscribers typically pay on a metered basis, for example per hour or per second that an instance runs, plus charges for the storage and network traffic consumed.

C is incorrect because sole-source is a procurement term, not one of the cloud deployment models (public, private, community, and hybrid).

17.   Which of the following statements is true regarding cloud computing?

A.   Security in the cloud is the responsibility of the provider only.

B.   Security in the cloud is the responsibility of the consumer only.

C.   Security in the cloud is the responsibility of both the consumer and the provider.

D.   None of the above.

C. One of the biggest misconceptions about cloud computing seems to be where the lines of responsibility are drawn. However, it should come as no surprise that security is everyone's responsibility, and that absolutely extends to the cloud. The provider must protect the physical facilities, the host hardware, the hypervisor, and the underlying network fabric. The consumer must protect what it builds on top: the guest operating systems and their patching, the applications, the data, the identities and access policies, and the configuration of the services it rents. Exactly where the line sits depends on the service model: in IaaS the consumer owns everything from the guest OS upward; in PaaS the provider also runs the OS and the runtime; in SaaS the consumer is left with its data, its users, and the application's settings. Sometimes this is a challenge in the real world. Where does your testing start and end? If your entire system relies on a cloud provider to remain up and secure, can you test all of it? And what happens if your resources are commingled somewhere inside all that cloud secret sauce? Can you really trust they're on top of things, security-wise? Should you? Can you?

A, B, and D are all incorrect statements.
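To make the consumer's side of that line concrete, here is an added example (not from the original text) of the kind of check a tenant, not the provider, is responsible for in IaaS: auditing its own firewall rules for management ports left open to the whole Internet. The input is a constructed JSON document loosely modelled on the shape of `aws ec2 describe-security-groups` output; the group IDs, names and rules are made up for illustration, and the field names are assumptions rather than anything the page specifies.

```python
"""Consumer-side audit of IaaS firewall rules (added example).

The sample below is a constructed document loosely modelled on the shape of
`aws ec2 describe-security-groups` output; its field names, group IDs and
rules are assumptions for illustration. A real audit would pass the live API
response to the same function.
"""
import json
from ipaddress import ip_network

# Ports a tenant should never expose to the whole Internet by accident.
MANAGEMENT_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}

# Constructed sample: "web" leaks SSH to the world, "legacy" opens a port
# range over IPv6 that happens to cover MySQL and RDP, "bastion" is scoped
# to a corporate CIDR and is fine.
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0e5f6a7b", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ]
})


def is_world_open(cidr: str) -> bool:
    """True if the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule: dict):
    """Yield the management ports a rule admits; protocol -1 means all traffic."""
    if rule.get("IpProtocol") == "-1":
        yield from MANAGEMENT_PORTS
        return
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    for port in MANAGEMENT_PORTS:
        if lo <= port <= hi:
            yield port


def find_world_open_management_ports(response_json: str):
    """Return sorted (group id, port, service, cidr) tuples for every finding."""
    findings = []
    for group in json.loads(response_json)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                for port in rule_ports(rule):
                    findings.append(
                        (group["GroupId"], port, MANAGEMENT_PORTS[port], cidr))
    return sorted(findings)


if __name__ == "__main__":
    for gid, port, svc, cidr in find_world_open_management_ports(SAMPLE_RESPONSE):
        print(f"{gid}: {svc}/{port} open to {cidr}")
```

Nothing in this check touches the provider's layer; every finding is a setting the tenant wrote and the tenant must fix. Note the two ways a port gets exposed that a naive "FromPort == 22" grep would miss: a wide port range that happens to include it, and an all-protocols rule.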

18.   Which tool offers penetration-test-like services for Amazon EC2 customers?

A.   CloudPassage Halo

B.   Core Cloud

C.   CloudInspect

D.   Panda Cloud Office Protection

C. CloudInspect (www.coresecurity.com/corelabs-research/projects/core-cloudinspect) is "a tool that profits from the Core Impact & Core Insight technologies to offer penetration-testing as a service from Amazon Web Services for EC2 users." It is designed specifically for AWS subscribers and runs as an automated, all-in-one testing suite against your cloud subscription.

A is incorrect because CloudPassage Halo (www.cloudpassage.com) is a workload protection platform rather than a pen-test service. Its vendor describes it as providing "instant visibility and continuous protection for servers in any combination of data centers, private clouds and public clouds. The Halo platform is delivered as a service, so it deploys in minutes and scales on-demand. Halo uses minimal system resources, so layered security can be deployed where it counts, right at every workload—servers, instances and containers." Other tools for cloud pen testing you should know for your exam include Dell Cloud Manager and Parasoft SOAtest.

B is incorrect because there is no such tool.

D is incorrect because Panda Cloud Office Protection is a cloud-managed endpoint protection (antimalware) product, not an automated pen-test suite.

19.   An attacker sets up a VM on the same physical cloud host as the target’s VM. He then takes advantage of the shared physical resources to steal data. Which of the following describes this attack?

A.   Side channel

B.   VM flood

C.   Session riding

D.   Cybersquatting

A. The side-channel attack, also known as a cross-guest VM breach, occurs when a bad guy gets a virtual machine onto the same physical host as the target. The attacker does not break the hypervisor's isolation directly; instead he exploits physical resources the two guests share (most published variants time accesses to the shared CPU cache) to infer what the victim is doing and, from that, recover data such as cryptographic keys. Providers can mitigate these attacks by keeping the hypervisor patched, implementing strong virtual firewalls between guest OSs, and enforcing the use of encryption. Subscribers can help by locking down (hardening) their OSs and writing their applications carefully, especially code whose memory-access pattern or running time depends on a secret. As a fun aside, these types of attacks are categorized by people who actually pen test for a living as a unicorn attack, since you'll have as good a chance of seeing a unicorn as you will of actually performing this attack.

B is incorrect because, although VM flood may sound cool, it is not a legitimate attack term.

C is incorrect because session riding is another name for cross-site request forgery (CSRF): the attacker rides a victim's already-authenticated session to issue requests, which in the cloud context usually means requests to the management console or API.

D is incorrect because cybersquatting, registering domain names that resemble someone else's brand or trademark in order to profit from them, has nothing to do with this attack.
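The "writing applications carefully" point above is where a subscriber has the most leverage, so here is an added example (not from the original text) of a timing side channel in its simplest form, next to its fix. A secret comparison that exits at the first mismatching byte does work proportional to the length of the correct prefix; an attacker who can measure that work recovers the secret one byte at a time. The code stands `bytes_examined` in for elapsed time so the leak is deterministic and the recovery can be run offline; the sample token and the recovery loop are constructed for this illustration. In production code call `hmac.compare_digest`: a Python-level loop is constant-time only in the algorithmic sense, not at the CPU level.

```python
"""Timing side channel in a secret comparison, and the constant-time fix.

Added example, not from the original text. `bytes_examined` stands in for
elapsed time so the leak can be shown deterministically; the sample token and
the recovery loop are constructed for illustration.
"""
import hmac

# Constructed sample secret, e.g. an API token or a MAC tag.
SAMPLE_SECRET = b"s3cr3t-t0k3n"


def leaky_compare(secret: bytes, guess: bytes):
    """Early-exit comparison: returns (equal, bytes_examined).

    The work done grows with the length of the matching prefix, which is
    exactly what a remote attacker observes as response time.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined   # leaks the position of the first mismatch
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes):
    """Visits every byte and folds all mismatches into one accumulator.

    The work is independent of where (or whether) the bytes differ. A length
    mismatch still exits early; MAC and token lengths are public, so that
    branch reveals nothing secret.
    """
    if len(secret) != len(guess):
        return False, 0
    acc = 0
    for s, g in zip(secret, guess):
        acc |= s ^ g
    return acc == 0, len(secret)


def safe_equal(secret: bytes, guess: bytes) -> bool:
    """What production code should call: the standard library's comparison."""
    return hmac.compare_digest(secret, guess)


def make_oracle(compare, secret=SAMPLE_SECRET):
    """Bind a comparison function to the secret, as a server endpoint would."""
    return lambda guess: compare(secret, guess)


def recover_by_timing(oracle, length, alphabet=range(256)):
    """Attacker loop: learns only (equal, work) from the oracle.

    For each position it tries every byte and keeps the one that made the
    oracle do the most work, i.e. the one that extended the matching prefix.
    Returns the recovered secret, or None when every guess costs the same
    (no signal to exploit).
    """
    known = bytearray()
    for pos in range(length):
        work = {}
        for b in alphabet:
            trial = bytes(known) + bytes([b]) + b"\x00" * (length - pos - 1)
            equal, examined = oracle(trial)
            if equal:
                return trial
            work[b] = examined
        if max(work.values()) == min(work.values()):
            return None
        known.append(max(work, key=work.get))
    return bytes(known)


if __name__ == "__main__":
    n = len(SAMPLE_SECRET)
    print("leaky   :", recover_by_timing(make_oracle(leaky_compare), n))
    print("constant:", recover_by_timing(make_oracle(constant_time_compare), n))
```

Against the leaky oracle the loop needs at most 256 guesses per byte instead of 256 to the power of the length; against the constant-time oracle every guess costs the same and the loop gives up. The same reasoning applies to memory access: code whose cache footprint depends on a key (a table lookup indexed by a key byte, for instance) hands a co-resident VM the equivalent signal.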

20.   In the trusted computing model, what is the name for a set of functions that is always trusted by the computer's operating system?

A.   SOA

B.   RoT

C.   TCG

D.   VM

B. Trusted computing is a simple idea: resolve a lot of computing problems through hardware enhancements and software modifications. Several vendors got together, calling themselves the Trusted Computing Group (TCG), and worked out specifications, proposals, and technologies to help protect system resources. Within all this work is the idea of Roots of Trust (RoT), a set of functions that is always trusted by the operating system. "Always trusted" means nothing beneath them can verify them, so their correctness has to be guaranteed by hardware and manufacturing rather than by a software check; TCG defines roots of trust for measurement, storage, and reporting, typically anchored in a Trusted Platform Module (TPM). They provide much of the functionality the rest of the model is built on, such as real-time encryption, rootkit detection, memory curtaining, digital rights management (DRM) through hardware, and more.

A is incorrect because this does not describe Service-Oriented Architecture. SOA is an architectural pattern in which application components communicate with, and provide services to, other components over a network.

C is incorrect because the Trusted Computing Group is the industry consortium that publishes the specifications, not a set of functions.

D is incorrect because a virtual machine is a guest operating system running on a hypervisor, which is unrelated to the question.
