1. Which of these is not an example of an IoT device?
A. Chromebook
B. iDevices light switch
C. Nest thermostat
D. Amazon Echo
A. A Chromebook is a laptop with a traditional user interface, including a screen and a keyboard. The other devices don't have a traditional user interface but are still connected to networks, allowing anyone who has access to those networks to interface with them.
2. Why is REST a common approach to web application design?
A. HTML is stateless.
B. HTTP is stateless.
C. HTML is stateful.
D. HTTP is stateful.
B. HTTP is a stateless protocol, which requires the application to perform some sort of state transfer. REST is Representational State Transfer, which allows the client and server to communicate information about the state of the client and the application between them. HTML is not a protocol but a language, so state doesn't make sense.
3. Which of these cloud offerings relies on the customer having the most responsibility?
A. Software as a service
B. Platform as a service
C. Storage as a service
D. Infrastructure as a service
D. Infrastructure as a service puts everything down to the operating system under the control of the customer. The other services put much more control into the hands of the service provider.
4. Which of these is less likely to be a common element of cloud‐native design?
A. Microservice architecture
B. Automation
C. Virtual machines
D. Containers
C. Cloud‐native design takes advantage of lots of technologies that make for responsive applications. This will commonly include containers, which are a form of application virtualization. A virtual machine is a lot slower to start up than a container is. Automation and microservice architecture are important components of cloud‐native design.
5. Which of these is not an advantage of using automation in a cloud environment?
A. Consistency
B. Fault tolerance
C. Repeatability
D. Testability
B. Automation leads to consistency, because automation is performed by scripts that will always execute the same way every time. This also leads to repeatability. Because they are scripts, you can test them. What you don't necessarily get is fault tolerance.
6. What common element of a general‐purpose computing platform does an IoT device not typically have?
A. Memory
B. Processor
C. External keyboards
D. Programs
C. Computing devices generally follow the Von Neumann architecture: there is memory, storage, and a processor. A general‐purpose computing device will have some sort of input/output to interface with a user. An IoT device will have a special‐purpose input/output device that may not easily allow a user to interact with it in general ways. A smart thermostat, for example, has a simple display that would do things like show the temperature and allow you to adjust the desired temperature.
7. If you wanted to share documents with someone using a cloud provider, which service would you be most likely to use?
A. Software as a service
B. Platform as a service
C. Storage as a service
D. Infrastructure as a service
C. Storage as a service is used to store documents. From there, you can share those documents. While you could also share documents from the other cloud‐based services, storage as a service would be the most common.
8. What tool could you use to identify IoT devices on a network?
A. Cloudscan
B. nmap
C. Samba
D. Postman
B. Cloudscan is used to assess cloud services. Samba is a network sharing application based around the server message block protocol. Postman is an application used to test web application programming interfaces. nmap is a port scanner that could be used to identify any devices on a network as well as the ports open on that device.
9. What might you be most likely to use to develop a web application that used a mobile application for the user interface?
A. NoSQL database
B. Data bus
C. Microservices
D. RESTful API
D. While a NoSQL database, data bus, and microservice architecture could be used to develop a web application with a mobile application for a front end that interacts with the user, the most likely would be a RESTful API. This way, it doesn't matter what is behind the API. The API is the interface between the web application and the mobile device.
10. Which of these might be a concern with moving services to a cloud provider, away from on‐premise services?
A. Multiple accounts per user
B. Lack of transport layer encryption
C. Inability to implement security controls
D. Lack of access to necessary operating systems and hardware
C. Implementing security controls is essential, regardless of where the services are located. Businesses commonly know how to implement these controls in on‐premise systems. They may not know the appropriate way of implementing these controls in a cloud environment. All of the other answers could be a problem in an on‐premise environment and wouldn't be specific to cloud.
11. What modern capability does fog computing support?
A. Cloud‐native design
B. IoT
C. Access management
D. Grid computing
B. Fog computing is a way of providing compute and storage resources closer to the "ground," where IoT devices are likely to be. Cloud‐native design may be used to support IoT devices that use cloud services, but cloud services are not fog computing. Access management is an important element of any good security design, but fog computing does not specifically support access management. Finally, grid computing is a distributed processing model.
12. Which of these is an example of grid computing?
A. SETI@home
B. OWASP Top 10
C. Shodan.io
D. Thingful.net
A. SETI@home is an example of grid computing because it uses distributed processing across a large number of systems. Shodan.io and Thingful are both related to IoT, and the OWASP Top 10 is a list of vulnerabilities to web applications.
13. What is a botnet an example of?
A. Cloud‐native design
B. RESTful processing
C. Grid computing
D. Fog computing
C. A botnet may use a distributed computing model to perform tasks, which is grid computing. Cloud‐native design and RESTful processing are related to web applications. Fog computing is related to control and storage associated with IoT devices.
14. Which of these would be least likely as a vulnerability to serverless web applications?
A. Insecure third‐party components
B. Misconfiguration
C. Access control
D. Command injection
D. Insecure third‐party components, misconfiguration, and access control issues are all possibilities in serverless web applications that may be built primarily using serverless functions. As there is no server associated, and no guarantee of the type of operating system the function is running on, serverless functions are less likely to be vulnerable to command injection attacks.
15. No matter what cloud‐based service model is being used, which of these is the customer always responsible for?
A. Patching
B. Operating system installation
C. Application management
D. Data
D. The shared responsibility model of cloud computing means there is a sliding scale where the customer or the provider will be responsible for different aspects of the service. However, no matter which service is used, the customer is always responsible for data, since the data always belongs to the customer.
16. What devices would you find at the lowest layer of the Purdue model and, as a result, should be the best protected?
A. Sensors and actuators
B. Programmable logic controllers
C. Remote terminal units
D. Human-computer interfaces
A. Sensors and actuators are the physical devices that allow for manufacturing to be automated. As they have the least "intelligence," they are at the lowest level of the Purdue model. The other answers are higher up in the model.
17. What aspect of the Purdue model is considered essential from a security perspective?
A. Human-computer interfaces
B. Segmentation
C. IT and OT interfaces
D. Layered model matches OSI
B. Segmentation is the most important aspect of the Purdue model, since it has the ability to offer better protections for fragile or sensitive devices. None of the other answers here make sense in this context.
18. What is a good mitigation against credential compromise in cloud‐based services?
A. Long passwords
B. Using only software as a service
C. Requiring MFA
D. Using serverless functions
C. Requiring MFA is the best approach to protecting against credential compromise. Long passwords won't help if the password is stolen. Neither of the other two will have an impact on credential compromise.
19. Which of these might be a common problem with a cloud‐based service leading to data exposure?
A. Public buckets
B. Insider threat
C. Selecting the wrong provider
D. Only using software as a service
A. Unfortunately, a common problem with cloud services, as well as on‐premise services, is misconfiguration. This may include inadvertently setting an S3 bucket to be public when sensitive data may be stored there. The provider won't make a difference and software as a service won't impact data exposure directly. Insider threat isn't a problem with cloud‐based services specifically.
20. Which of these would not be used to automate deployment of systems into a cloud environment?
A. Templates
B. Ansible
C. PowerShell
D. Containers
D. Templates, Ansible, and PowerShell are all used to automate deployment of systems into a cloud environment. While containers may be deployed, they are not used to automate the deployment.