Unit 3 - Practice Quiz

The main purpose of a secure cloud network architecture is to implement controls like firewalls, access control lists, and encryption to safeguard assets against cyber threats.

IaaS (Infrastructure as a Service) is a cloud computing model where a provider offers fundamental computing resources like virtual machines, storage, and networking over the internet.

The Zero Trust model assumes that no user or device is inherently trustworthy, regardless of its location. Every access request must be authenticated and authorized before being granted.

Resiliency is a system's capacity to maintain its essential functions during and after a failure, attack, or other adverse event.

An organization cannot protect what it does not know it has. Therefore, identifying and cataloging all assets is the foundational step of any asset management program.

Redundancy involves duplicating critical components (like servers, power supplies, or network links) so that if one fails, a backup can take over, ensuring continuous operation.

Physical security controls are measures designed to physically deter or prevent unauthorized access to facilities, equipment, and resources. Fences, locks, and security guards are prime examples.

Vulnerability management is a proactive and ongoing process of finding and fixing vulnerabilities before they can be exploited by attackers.

Software vendors regularly release patches to fix newly discovered security flaws. Failing to apply these patches leaves the OS vulnerable to known exploits.

SQL Injection is a common web application vulnerability where an attacker can interfere with the queries that an application makes to its database.

Vulnerability scanners are automated tools designed to check computers, networks, or applications for known vulnerabilities and report the findings.

Remediation is the action-oriented phase of the vulnerability management lifecycle where steps are taken to fix the weakness, such as by applying a patch or changing a configuration.

A VPC allows an organization to define and control a virtual network that is logically isolated from all other tenants in the public cloud, providing a layer of security and control.

A hot site is a disaster recovery location that is a mirror image of the primary site, with all necessary hardware, software, and real-time data synchronization, allowing for an immediate failover.

A mantrap uses two interlocking doors to ensure that only one authenticated individual can pass through at a time, preventing unauthorized persons from following them in (tailgating).

A penetration test, or pen test, is an authorized, simulated cyberattack on a computer system, performed to evaluate the security of the system by actively exploiting vulnerabilities.

Failover is a crucial resiliency mechanism that ensures high availability by automatically and seamlessly redirecting operations to a redundant or standby system upon failure of the active one.

Organizations cannot fix everything at once. The analysis phase involves prioritizing the identified vulnerabilities to determine which ones pose the greatest risk and should be fixed first.

An embedded system is a computer system designed for a specific function within a larger device. A smart refrigerator contains embedded systems to control temperature, manage inventory, and connect to the internet.

A security group acts as a stateful virtual firewall for instances (like virtual machines) to control network traffic. You can specify rules that allow or deny traffic based on port, protocol, and source/destination IP address.

VPC Peering allows for direct, private network communication between two VPCs as if they were on the same network. By using restrictive routing rules and security groups, access can be limited to only the required services (the database). This method avoids traversing the public internet, making it more secure and efficient than using a VPN or public IPs. A NAT Gateway is for outbound traffic, not inbound.

In a PaaS model, the cloud provider manages the underlying infrastructure, including the operating system, virtualization layer, servers, and storage. The customer is responsible for the application and data they deploy on the platform. Therefore, patching the OS is the provider's responsibility.

The core of Zero Trust is moving beyond network perimeter security and authenticating/authorizing every single request. While network isolation and encryption are important components, requiring each device to prove its identity for every session (e.g., via a unique certificate) is the most direct application of the 'never trust, always verify' principle at the device level.

Deploying across multiple AZs is the standard cloud architecture pattern for high availability and resilience against the failure of a single data center (AZ). A load balancer will automatically route traffic to the healthy instances in the other AZs, ensuring minimal downtime and automatic failover.

The vulnerability management lifecycle includes Discovery, Scanning/Identification, Triage/Prioritization, Remediation, and Validation. The reappearance of known critical vulnerabilities indicates that the organization is failing to effectively fix (remediate) the issues and/or verify (validate) that the fixes are working, which is a crucial part of the cycle.

When a patch is unavailable for a zero-day vulnerability, compensating controls are necessary. A virtual patch uses security tools like a WAF or IPS to create rules that inspect traffic and block attempts to exploit the vulnerability, effectively shielding the system without modifying its code. Taking servers offline is a last resort, and waiting is not a proactive mitigation strategy.

SSRF vulnerabilities occur when an attacker can coerce a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In a cloud context, this is particularly dangerous as it can be used to pivot to the internal cloud metadata service (like the one at 169.254.169.254) to exfiltrate credentials and other sensitive information.

SAST, or 'white-box' testing, analyzes an application's source code, bytecode, or binary code for security vulnerabilities without executing the application. This makes it ideal for integration into the early stages of a CI/CD pipeline to provide rapid feedback to developers on the code they have just written.

In an auto-scaling cloud environment, servers and containers are created and destroyed frequently based on demand. This ephemeral nature makes traditional, static inventories obsolete. The best solution is to use tools that dynamically discover new assets as they are created and apply consistent, automated tagging for identification, ownership, and purpose.

Cloud providers do not typically allow customers to perform physical tours due to security and privacy concerns for other tenants. The industry-standard way to verify controls is by reviewing independent, third-party audit reports like SOC 2, which specifically attest to the operational effectiveness of security controls (including physical security) over a period of time.

NACLs operate at the subnet level and are stateless, processing rules in order to determine whether to allow or deny traffic. They are ideal for creating broad, overriding rules like blocking a specific IP address for an entire subnet. Security Groups, in contrast, are stateful and operate at the instance level.

Vulnerability prioritization requires combining the technical severity (like CVSS) with business context. An exploitable medium-severity flaw on a critical, internet-exposed asset that processes payments often represents a greater immediate risk to the business than a critical-severity flaw on an isolated, non-critical system. The likelihood of exploitation and potential impact on the business are key factors.

A very low RTO (15 minutes) and RPO (5 minutes) for a region-level disaster necessitates a strategy where a second region is already running (active-active or hot standby) and data is being replicated near-continuously. The other options would result in significant downtime (violating RTO) and/or significant data loss (violating RPO).

The Recovery Point Objective (RPO) is a time-based metric that refers to the maximum acceptable amount of data loss an application can tolerate, measured in time. An RPO of 1 hour means that in the event of a disaster, the business can afford to lose up to one hour's worth of data since the last good backup or replica.

Traditional segmentation creates large, trusted zones. Micro-segmentation breaks this down further, creating secure zones around individual workloads (e.g., a single VM or container). This means that even if one workload is compromised, security policies prevent it from easily communicating with (and attacking) its neighbors, thus containing the breach and limiting lateral movement.

This policy is dangerously permissive. "Action": "s3:*" grants all possible S3 actions (read, write, delete, permissions management), and "Resource": "*" applies these permissions to all S3 resources (all buckets). If the VM is compromised, the attacker gains full control over all company data stored in S3. The principle of least privilege dictates that the VM should only have the s3:GetObject permission for the specific log bucket.

While automated SAST and DAST are excellent for finding common vulnerabilities, they often struggle with complex business logic flaws or chaining multiple lower-risk vulnerabilities into a high-impact attack. Manual penetration testing, conducted by a skilled ethical hacker, excels at simulating real-world attack scenarios and identifying these complex issues that automated tools would miss.

A CASB is a security policy enforcement point that sits between cloud service consumers and cloud service providers. It is designed to provide visibility, compliance, data security, and threat protection for cloud services, making it the ideal tool for managing and securing the use of third-party SaaS applications.

Firmware is software that runs on the hardware device itself. Just like operating systems and applications, firmware can have vulnerabilities that vendors patch through updates. Compromising a core network device like a router or switch gives an attacker a powerful position within the network, enabling man-in-the-middle attacks, data exfiltration, and lateral movement.

Remediation isn't complete until it's been validated. It's essential to perform a follow-up scan or test to verify that the fix was successful and did not introduce any new issues. Simply deploying a patch does not guarantee the vulnerability is gone; the deployment could have failed or been incomplete. This validation step closes the loop in the vulnerability management lifecycle.

While deploying virtual firewalls in each cloud (Option A) is a common pattern, it can lead to management overhead and potential bottlenecks within the cloud provider's network. A SASE solution is specifically designed for this type of distributed, multi-cloud/hybrid environment. It externalizes the security inspection plane to a dedicated, globally distributed network, providing consistent policy enforcement without hairpinning traffic back to a central on-premise location (Option D) or a single cloud VPC. Host-based firewalls (Option C) are a part of a defense-in-depth strategy but are not a substitute for a centralized egress inspection architecture and are difficult to manage consistently for this purpose at scale.

This is the strongest method. A TPM provides a hardware root of trust. The PCRs store measurements of the boot process (firmware, bootloader, OS kernel), ensuring the device's software stack hasn't been tampered with. A 'quote' is a signed statement of these PCR values. The AIK is a unique, non-migratable key that proves the quote came from a specific, genuine TPM. This remote attestation process verifies both the device's identity and its integrity, which is a core tenet of Zero Trust for devices. PSKs (A) are difficult to manage and rotate at scale and don't prove integrity. MAC addresses (B) are easily spoofed. Simple certificates (D) prove identity but not the integrity of the device's boot state; the private key could be exfiltrated from flash memory, whereas a key in a TPM cannot.

This question tests the synthesis of different vulnerability metrics. While CVSS measures the potential severity of a vulnerability, EPSS measures the probability of it being exploited in the wild. A mature vulnerability management program prioritizes actual threat over potential threat. A vulnerability with a 92% chance of being exploited (Vuln B) represents a much more immediate and probable risk to the organization than a theoretically more severe vulnerability (Vuln A) that has a very low probability of being exploited. Therefore, the most effective risk-based approach is to address the most likely threat first.

This is a complex architectural trade-off. While synchronous replication guarantees an RPO of zero, it introduces high latency for write operations and, more importantly, a failover process is still required to promote the passive node. This promotion, DNS changes, and connection switching can take several minutes, violating the sub-1-minute RTO. An Active-Active architecture, even with the slight risk of data loss from asynchronous replication lag, can achieve a near-zero RTO because traffic can be instantly routed by a GSLB to the remaining active regions. The failover is inherent in the design. Modern applications using this pattern often build in logic to handle eventual consistency and data conflicts, accepting a minimal data loss risk for maximum availability.

This option provides the most granular, least-privilege control. Placing the Lambda in a VPC and using security groups (Option D) allows you to define stateful Layer 4 rules that precisely control which other resources (identified by their security groups) the function can communicate with, and on which ports. This is superior to using NACLs with IP addresses (Option C), which are stateless and harder to manage than security group references. A WAF (Option A) is a good defense-in-depth layer but can be bypassed by sophisticated payloads. Denying all network traffic (Option B) would break the function's required functionality. Using VPC endpoints ensures that even calls to other AWS services don't traverse the public internet.

AWS Transit Gateway is specifically designed for this use case. It acts as a central cloud router and simplifies network management at scale. The key to solving this problem is its ability to use multiple route tables. By associating production VPCs with a more restrictive route table, you can programmatically enforce the policy that they cannot route traffic directly to other spoke VPCs, forcing communication through the central inspection VPC if needed, or blocking it entirely. VPC Peering (Option A) does not scale well and becomes complex to manage ('transitive peering' is not supported). Routing traffic on-prem (Option C) is inefficient and costly. SD-WAN (Option D) is a valid but often more complex and costly solution than using the native cloud provider's service designed for this exact purpose.

This is a question about deep OS security controls. While all options are security measures, seccomp-bpf (secure computing mode with Berkeley Packet Filter) is the most direct and effective mitigation for this scenario. Exploits for kernel vulnerabilities often rely on chaining together a sequence of specific and sometimes obscure system calls (syscalls) to achieve their goal. A seccomp filter acts as a fine-grained sandbox at the kernel interface, blocking any syscall that is not explicitly permitted. This can neutralize the exploit chain even if the initial vulnerability is triggered. iptables (A) operates at the network layer and can't stop an attack if the service is meant to be public. SELinux/AppArmor (B) primarily controls access to objects like files and processes, which is useful post-exploitation but may not prevent the initial memory corruption. ASLR (D) is a probabilistic defense that makes exploitation harder but not impossible, and it would already be enabled on any modern system.

This question requires a precise understanding of chaos engineering principles. The goal is to simulate a specific, plausible failure mode. Connection pool exhaustion is a common and subtle cause of cascading failures. Injecting logic to saturate the connection pool (Option D) directly tests the system's ability to handle this specific state—do other services have proper timeouts? Do they fail gracefully? Is there monitoring to detect this? Blackhole (A) and shutdown (B) attacks are too coarse and test a different hypothesis (complete DB failure). Resource exhaustion (C) would also likely cause the database to fail completely, but the specific failure mode of connection starvation is more nuanced and tests the application logic of all dependent services, not just the infrastructure's response to a dead database.

This is the most proactive, accurate, and real-time solution. A Kubernetes admission controller intercepts requests to the API server before an object (like a pod) is created. By integrating it with security tooling, you can enforce policy (e.g., block vulnerable images) and, crucially for asset management, enrich the runtime object with invaluable metadata at the moment of creation. This provides a guaranteed, real-time record of what is running, where, its vulnerability status, and its origin (ownership). A CSPM scanning the registry (B) only knows what's stored, not what's running. Manual processes (A) and batch jobs (D) are slow, error-prone, and cannot keep up with the ephemeral nature of containers.

This option provides the strongest security layers to address the specific threat of a facility insider. It combines multiple factors for access ('something you have' - card, 'something you are' - biometric), which is much stronger than a single factor. Crucially, it links this access event to an independent, company-controlled video record, creating a high-assurance, non-repudiable audit trail. This is far superior to relying on the facility's general access logs (A), easily defeated manual logs (B), or periodic, non-real-time seals (D).

This question targets the discovery of unknown, logic-based flaws. Fuzzing is the ideal technique for this. Specifically, grey-box fuzzing is highly effective because it combines some knowledge of the application's structure (the valid request formats) with the power of automated, random mutation. This allows it to explore edge cases in business logic, such as negative values in transaction amounts, parameter type juggling, or race conditions, that standard DAST scanners and SAST tools would miss. SCA (A) only finds known vulnerabilities in dependencies. SAST (C) is good at finding certain code patterns but often struggles with complex business logic flaws. A WAF (D) is a detective/protective control, not a vulnerability identification method.

This question tests the core formulas of quantitative risk analysis. The Single Loss Expectancy (SLE) represents the total monetary loss expected from a single occurrence of a specific risk. The correct formula is SLE = Asset Value (AV) * Exposure Factor (EF). The Exposure Factor is the percentage of loss that a realized threat event would have on the asset. In this case, AV is 5,000,000 0.40 = $2,000,000. Option A uses the wrong operator (division). Option C is the formula for ALE (`ALE = SLE ARO`), not SLE. Option D incorrectly tries to use the qualitative CVSS score in a quantitative formula.

ZTNA is the modern evolution of remote access and directly embodies Zero Trust principles. Unlike a traditional VPN (Option A), which grants broad network-level access ('connect to the network'), ZTNA grants specific, application-level access ('connect to App_X'). It authenticates the user and device for every session, creating a 1:1 connection between the user and the resource. This eliminates lateral movement risk and removes the need for any inbound ports to be open on the VPC edge, significantly reducing the attack surface. Bastion hosts (B) are cumbersome and still expose an attack surface (the SSH port). Managing IP whitelists (D) is not scalable, secure, or feasible for a remote workforce with dynamic IPs.

This question requires a precise understanding of redundancy models. The requirement is to survive the failure of a single server. N represents the number of components required for the system to function correctly (N=4). N+1 redundancy means providing N components plus one independent backup. If one of the 5 servers fails, there are still 4 remaining, which is the exact number required to handle peak load. Therefore, deploying 5 servers (4+1) is the most cost-effective solution that strictly meets the requirement. N+2 (A) would work but is more expensive than necessary. 2N (B) and N+N (D) provide a much higher level of redundancy (e.g., surviving multiple failures or a full AZ failure) and are significantly more costly than what is specified by the requirement.

A TOCTOU vulnerability is fundamentally a logic flaw in how an application handles resources over time. While the ultimate fix is in the code (e.g., using file handles instead of paths), an infrastructure-level mitigation can be highly effective. An LSM like AppArmor or SELinux can enforce a mandatory access control policy that strictly defines which files and paths a process is allowed to interact with. By creating a tight profile, you can prevent the application from accessing the swapped, malicious file because its path would not be in the allowlist, thus breaking the exploit chain. Network segmentation (A) is irrelevant for a file-based vulnerability within a pod. A read-only filesystem (B) is a great practice but doesn't help if the vulnerability targets a necessarily writable location. Disabling privilege escalation (C) is also good practice but doesn't prevent this specific type of race condition.

This question presents a common real-world cloud migration challenge. While refactoring the application (Option A) is the ideal long-term solution, it is highly disruptive and violates the 'least disruptive' constraint. An SDN overlay network (e.g., from vendors like Aviatrix or Cisco) is specifically designed to overcome the limitations of native cloud networking. It creates a virtual network layer on top of the existing cloud infrastructure that can provide advanced features like multicast, which are not natively available. This allows the legacy application to run without modification. Simulating multicast with unicast (C) is extremely complex and doesn't scale. Tunneling all traffic on-prem (D) would introduce massive latency and negate the benefits of migrating to the cloud.

This question requires matching the DR strategy to the RPO/RTO goals. A Warm Standby approach fits these requirements perfectly. Asynchronous replication can easily achieve an RPO of 15 minutes (and often much less). Because a fully functional (though scaled-down) environment is already running, the process of scaling up and redirecting traffic can comfortably be achieved within the 1-hour RTO. Backup and Restore (A) would have a much higher RPO (up to 24 hours) and RTO (many hours). Active-Active (D) is designed for near-zero RPO/RTO and is far more complex and expensive than required. Pilot Light (B) is close, but the need to restore data and potentially warm up servers from scratch can push the RTO beyond one hour, making Warm Standby a more reliable choice for this specific RTO.

Fileless malware is designed to defeat file-based detection. Therefore, disk forensics (B) would be ineffective. The key to detecting this type of attack is to monitor system behavior. An EDR tool (C) does exactly this. It would capture the suspicious event chain, such as an Office application spawning a PowerShell process (powershell.exe), which then executes a long, obfuscated command-line script to download and run code in memory. This behavioral analysis of process lineage and command-line arguments is the most direct and effective way to uncover fileless malware. Network logs (A) might show the C2 traffic but won't reveal the initial execution vector on the host. API logs (D) are useful for understanding lateral movement within the cloud but won't detect the malware's presence on the server itself.

This scenario requires going beyond standard IP/port-based filtering. True least-privilege in an ICS context means controlling not just who can talk to a device, but what they are allowed to say. A standard firewall (A) cannot understand the content of the ICS protocol. An NGFW with protocol-specific DPI (B) can parse the industrial protocol and enforce Layer 7 rules, effectively creating a command-based whitelist. This is the essence of micro-segmentation and Zero Trust in this environment, as it prevents an authorized user from performing an unauthorized (and potentially dangerous) action. An IDS (C) is a passive, detective control, not a preventative one. A VPN (D) provides secure access to the network but does not enforce least-privilege within it.

Virtual patching is the concept of using an external security device to block an exploit for a known vulnerability, providing protection without modifying the application code itself. In this scenario, a WAF is perfectly suited to inspect HTTP traffic and apply a rule to block the specific exploit pattern (the malformed header). This can be deployed very quickly across all services at the network edge or ingress controller, providing immediate mitigation while the proper, longer-term patching process (rebuilding and deploying) takes place. Rushing a patch (A) is risky. Isolating the services (C) would cause a business outage. Manual code review (D) is slow, error-prone, and unnecessary when a vendor patch exists.