CNIT 271 EXAM 1 QUESTIONS AND COMPLETE ANSWERS, Exams of Advanced Education

Typology: Exams

2024/2025

Available from 07/06/2025

joyce-williams

CNIT 271 EXAM 1 QUESTIONS AND COMPLETE ANSWERS

Software as a Service (SaaS) - answer A form of cloud computing where a consumer subscribes to third-party software and receives a service that is delivered online. Everything is managed by the provider. Like Google Mail, Office 365.

Platform as a Service (PaaS) - answer A cloud service in which consumers can install and run their own specialized applications on the cloud computing network. This is an operating system in the cloud. Like App Engine, Microsoft Azure.

Infrastructure as a Service (IaaS) - answer The cloud hosting of a bare server computer, data storage, network, and virtualization. Provides virtual machines and other virtualized hardware.

Public Cloud - answer Promotes massive, global, and industrywide applications offered to the general public. Cost-effective, high availability and scalability. Can lack in overall security.

Private Cloud - answer Serves only one customer or organization and can be located on the customer's premises or off the customer's premises. High security and is very customizable.

Community Cloud - answer Serves a specific community with common business models, security requirements, and compliance considerations. Is like a public and private cloud combined. Easy data sharing and collaboration among the organizations.

Hybrid Cloud - answer Includes two or more private, public, or community clouds, but each cloud remains separate and is only linked by technology that enables data and application portability.
Flexible and better security.

Broad network access (cloud computing) - answer All devices can access data and applications.

Container as a Service (CaaS) - answer This cloud computing model provides containers and clusters as a service to its subscribers.

Function as a Service (FaaS) - answer A category of cloud computing services that provides a platform allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

What are cloud users responsible for? - answer Application-level security.

What are cloud vendors responsible for? - answer Physical security and some software security.

Risks of cloud computing - answer Abuse, insecure interfaces, malicious insiders, shared technology, data loss, account or service hijacking, unknown risk profile.

Multi-instance model - answer Provides a unique DBMS running on a virtual machine instance for each cloud subscriber.

Multi-tenant model - answer Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier.

Keystone - answer Security model for OpenStack. Provides identity and token.

IoT (Internet of Things) - answer Continuing development of the Internet that allows everyday objects embedded with electronic devices to send and receive data over the Internet.

Information Technology (IT) - answer The computers and other electronic devices used to store, retrieve, transmit and manipulate data. Primarily using wired connectivity.

Operational Technology (OT) - answer A communications network designed to implement an industrial control system rather than data networking. Like machines embedded with IT.

Actuator - answer Single-purpose devices bought by consumers.

Request Response. Not as reliable as MQTT.

Discretionary Access Control (DAC) - answer A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.

Role-Based Access Control (RBAC) - answer An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.

Mandatory Access Control (MAC) - answer The most restrictive access control model, typically found in military settings in which security is of supreme importance. Uses security labels and clearances to access data.

Attribute-Based Access Control (ABAC) - answer Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions. Strengths: flexibility.

Subject - answer An entity capable of accessing objects. Three classes: owner, group, world.

Object - answer A resource to which access is controlled. Entity used to contain and/or receive information.

Access Rights and Permissions - answer How a user may interact with an object. Like read, write, execute.

Access Control List (ACL) - answer A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource. Sorted by file, then permissions for specific users.

Capability list - answer An access control method that lists every user, the files to which each has access, and the type of access allowed to those files.

Subject attributes - answer Username, ID, age, job title.

Object attributes - answer Describes the object being accessed, like type, security level.

Weaknesses in DAC - answer Copying problem, Trojan horse problem.

Bell-LaPadula Model - answer A combination of DAC and MAC, primarily concerned with the confidentiality of the resource. Two security properties define how information can flow to and from the resource: the simple security property and the * property. Read down and write up.

Biba Model - answer An access control model used to ensure integrity. It uses two primary rules: read up and write down.

Which access control model has more detail? - answer Attribute-based.

Which access control model should you try first? - answer Role-based.

XACML (Extensible Access Control Markup Language) - answer A standard that defines a declarative fine-grained, attribute-based access control policy language; an architecture;

On-demand self-service - answer A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Measured service (cloud computing) - answer Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Resource pooling - answer The ability of a cloud provider to combine resources from multiple physical computers to appear to be one combined resource that is available to clients.

Governance - answer Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services. Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.

Compliance - answer Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.

Trust - answer Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.

Architecture - answer Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.

Identity and Access Management (IAM) - answer Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.

Software isolation - answer Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.

Data protection - answer Evaluate the suitability of the cloud provider's data management solutions for the organizational data concerned and the ability to control access to data; to secure data while at rest, in transit, and in use; and to sanitize data.

Availability - answer Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization's continuity and contingency planning requirements.

Incident Response - answer Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.

Abuse and nefarious use of cloud computing countermeasures - answer
▪ Stricter initial registration and validation processes
▪ Enhanced credit card fraud monitoring and coordination
▪ Comprehensive inspection of customer network traffic
▪ Monitoring public blacklists for one's own network blocks

Account or service hijacking countermeasures - answer
▪ Prohibit the sharing of account credentials between users and services
▪ Leverage strong two-factor authentication techniques where possible
▪ Employ proactive monitoring to detect unauthorized activity
▪ Understand CSP security policies and SLAs

Unknown Risk Profile countermeasures - answer
▪ Disclosure of applicable logs and data
▪ Partial/full disclosure of infrastructure details
▪ Monitoring and alerting on necessary information

IoT security requirements - answer Communication security, data management security, service provision security, integration of security policies and techniques, manual authentication and authorization, security audit.

Gateway security functions - answer
• Support identification of each access to the connected devices.
• Support authentication with devices. Based on application requirements and device capabilities, it is required to support mutual or one-way authentication with devices. With one-way authentication, either the device authenticates itself to the gateway or the gateway authenticates itself to the device, but not both.
• Support mutual authentication with applications.
• Support the security of the data that are stored in devices and the gateway, or transferred between the gateway and devices, or transferred between the gateway and applications. Support the security of these data based on security levels.
• Protect privacy. Self repair, autoconfiguration.

What are the authentication mechanisms? - answer
• Knowledge: Something you know, e.g., password, passphrase, or personal identification number (PIN)
• Ownership: Something you have, e.g., smart card, key, badge, or token
• Characteristics: Some attribute that is unique to you, e.g., biometrics: your fingerprints, retina, or signature
• Other??
• Location: Somewhere you are, e.g., physical location while accessing a resource
• Action: Something you do or how you do it, e.g., typing pattern on a keyboard

Federated Access - answer A single sign-on (SSO) technology that allows users in different networks to access multiple systems after logging on once. The systems can be using different operating systems owned and managed by different organizations.

Identity Federation - answer Term used to describe the technology, standards, policies, and processes that allow an organization to trust digital identities, identity attributes, and credentials created and issued by another organization.

OpenID Connect - answer An open source standard used for identification on the Internet. It is typically used with OAuth and it allows clients to verify the identity of end users without managing their credentials. An open standard that allows users to be authenticated by certain cooperating sites using a third-party service.

Kerberos - answer An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.