Home > Articles

Cloud, Mobile, and IoT Security

In this chapter from CompTIA PenTest+ PT0-002 Cert Guide, 2nd Edition, you will learn about different attacks against cloud, mobile, and IoT implementations.

This chapter is from the book

This chapter covers the following topics related to Objective 3.4 (Given a scenario, research attack vectors and perform attacks on cloud technologies.) and Objective 3.5 (Explain common attacks and vulnerabilities against specialized systems.) of the CompTIA PenTest+ PT0-002 certification exam:

  • Researching attack vectors and performing attacks on cloud technologies

  • Explaining common attacks and vulnerabilities against specialized systems

The adoption of cloud technology and cloud services has revolutionized how organizations develop, host, and deploy applications and store data. In addition, mobile devices and Internet of Things (IoT) devices communicate using a diverse set of protocols and technologies. Mobile and IoT devices also often communicate with applications hosted in the cloud. All these technologies and architectures increase the attack surface and introduce a variety of cybersecurity risks. In this chapter, you will learn about different attacks against cloud, mobile, and IoT implementations.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 7-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 7-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section

Questions

Researching Attack Vectors and Performing Attacks on Cloud Technologies

1–5

Explaining Common Attacks and Vulnerabilities Against Specialized Systems

6–10

  1. Which of the following is the process of gathering and stealing valid usernames, passwords, tokens, PINs, and other types of credentials through infrastructure breaches?

    1. Password cracking

    2. Key reauthentication attack

    3. Crypto downgrade attack

    4. Credential harvesting

  2. You were tasked with performing a penetration assessment of a cloud-hosted application. After compromising the osantos user account, you were then able to access functions or content reserved for another user, ccleveland. Which of the following best describes this type of attack?

    1. Cloud lateral movement

    2. VM escape

    3. Sandbox escape

    4. Horizontal privilege escalation

  3. Which of the following are potential ways to detect account takeover attacks? (Choose all that apply.)

    1. Analyzing failed attempts

    2. Looking for abnormal OAuth, SAML, or OpenID Connect connections

    3. Monitoring for abnormal file sharing and downloading

    4. All of these answers are correct.

  4. When performing a cloud-based penetration test, you noticed that a software developer included sensitive information in user startup scripts. Through which of the following could these user startup scripts be accessed and allow cloud-based instances to be launched with potential malicious configurations?

    1. Block storage

    2. Lambda

    3. Metadata services

    4. None of these answers are correct.

  5. Which of the following is an example of a vulnerability that could allow an attacker to launch a side-channel attack in a cloud infrastructure?

    1. Heartbleed

    2. DNS cache poisoning

    3. Spectre

    4. None of these answers are correct.

  6. Which of the following is a mandatory access control mechanism describing the resources that a mobile app can and can’t access?

    1. Container

    2. IPC

    3. Sandbox

    4. None of these answers are correct.

  7. Which of the following are vulnerabilities that could affect a mobile device? (Choose all that apply.)

    1. Insecure storage vulnerabilities

    2. Vulnerabilities affecting biometrics integrations

    3. Certificate pinning

    4. All of these answers are correct.

  8. Which of the following is a tool that can be used to find vulnerabilities in Android implementations and attack the underlying operating system?

    1. Drozer

    2. Nmap

    3. Nikto

    4. MobSF

  9. Which of the following is an automated mobile application and malware analysis framework?

    1. Postman

    2. Bettercap

    3. MobSF

    4. Ettercap

  10. Which of the following management interface implementations can be leveraged by an attacker to obtain direct access to a system’s motherboard and other hardware?

    1. IPMC implants

    2. UEFI bus

    3. BIOS

    4. IPMI baseboard management controller

sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |