Reducing Shadow IT Risk with Cloud Applications

Questions and Answers

What is the primary purpose of deploying a cloud access security broker (CASB) in relation to shadow IT?

To provide visibility and control over cloud applications (correct)

To optimize the performance of cloud applications

To enhance email security within the organization

To increase network bandwidth for cloud services

Which feature of a CASB is essential for enforcing security policies against unauthorized cloud applications?

User training modules

Automated software updates

Real-time performance analytics

Encryption of sensitive data (correct)

In the case of a DDoS attack disrupting access to SaaS resources, which log should be prioritized for review?

User access log

CDN log

Network performance log

DNS log (correct)

What is a major risk associated with shadow IT in organizations?

Exposure to compliance violations

What technology type primarily assists in mitigating risks from shadow IT applications?

Cloud Access Security Brokers (CASB)

Which of the following solutions can specifically block unauthorized cloud applications in an enterprise?

Deploying a Cloud Access Security Broker (CASB)

According to Security Policy 1006, which factor should be prioritized when remediating security vulnerabilities?

The confidentiality of data

A malicious actor uses social engineering to gain access to a network. They then attempt to persist their access and evade detection. Which stage of the Cyber Kill Chain does this represent?

Installation

A threat actor has successfully deployed malware onto a victim's computer. What is the most likely next step the actor would take to maintain persistence and evade detection?

Attempting to disable the victim's antivirus software

A malicious actor uses a social engineering technique to trick a user into clicking on a link that leads to a website designed to steal their credentials. What type of attack is this?

Phishing

Which of the following techniques can help prevent a malicious actor from using obfuscated links in their social engineering attacks?

URL filtering

An organization is concerned about the risk of malicious actors gaining access to their network through social engineering. Which of the following would be the MOST effective strategy to mitigate this risk?

Educating employees about social engineering tactics

A company is conducting a security audit to identify potential vulnerabilities. Which of the following activities is considered a vulnerability scan?

Using automated tools to check for known security flaws

During the reconnaissance phase of an attack, what information is a malicious actor MOST likely trying to gather?

All of the above

A security team is investigating a suspected DDoS attack. Which of the following logs would be MOST helpful in determining the source of the attack traffic?

DNS logs

In a security incident involving a critical server, why is collecting malicious files prioritized over collecting the routing table?

Malicious files provide valuable information about the attack, whereas routing tables are less relevant.

Which of the following is NOT a typical reason for collecting malicious files during an incident response?

To recover the compromised system to its previous state.

What is the significance of isolating a compromised server after collecting malicious files?

Isolation allows for the creation of a safe environment to analyze the malicious files without affecting the original system.

Which of the following statements BEST describes the rationale behind isolating a server in a security incident?

To allow for a thorough analysis of the incident without risking further damage to the system.

What is the primary purpose of collecting malicious files in a security incident?

To understand the attacker's tactics and objectives.

Why is the order of volatility important during incident response?

It prioritizes the collection of evidence that is most likely to be lost or altered.

Which of the following is an example of a security operation task that can be effectively automated?

Analyzing malicious files to identify the type of malware used.

Study Notes

Shadow IT and Cloud Security

• Eliminating shadow IT in an enterprise requires reducing the risk of unauthorized cloud applications and services.
• A Cloud Access Security Broker (CASB) is a tool that provides visibility and control over cloud applications and services.
• CASB enables policy enforcement by:
  • Blocking unauthorized or risky cloud applications
  • Enforcing data loss prevention rules
  • Encrypting sensitive data
  • Detecting anomalous user behavior

Incident Response and DDoS Attacks

• A Distributed Denial-of-Service (DDoS) attack is a type of cyberattack that aims to overwhelm a network or system.
• In the event of a DDoS attack, the incident response team should review the following logs first:
  • DNS logs (to identify the source of the attack and affected domains)
• DNS logs are crucial in investigating DDoS attacks, as they can help identify the source of the attack and affected domains.

On-Path Attack

• An on-path attack is being performed by someone with internal access that forces users into port 80.
• This suggests a potential security threat that should be investigated further due to inconsistent access to the internal portal.

Vulnerability Management

• The Company uses the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
• When choosing between confidentiality and availability, the Company prioritizes confidentiality of data over availability of systems and data.
• Patching of publicly available systems and services takes priority over patching of internally available systems.

Incident Response

• Collecting malicious files is important to gather valuable information about the nature of the attack, malware used, and potentially the threat actor responsible.
• This allows for analysis without altering the system's state.
• Malicious files are prioritized over collecting a routing table in incident response due to their volatility and importance in investigating the incident.

Automation in Security Operations

• DNS logs are ideal for automation in security operations, especially for identifying and mitigating DDoS attacks.
• DNS logs provide detailed information on IP addresses of devices sending traffic to the target, helping to identify attackers.

Cyber Kill Chain

• If a malicious actor has gained access to an internal network through social engineering and wants to maintain access, they are currently operating in the Command and Control stage of the Cyber Kill Chain.

Description

This quiz assesses knowledge on reducing risk from high-risk cloud applications. It involves identifying the best solution to eliminate shadow IT in an enterprise. Options include deploying a CASB, configuring MFA, deploying an API gateway, and enabling SSO to the cloud applications.