• UID9577
  • Fans6
  • Follows1
  • Posts5

[Share]How to pass ACA Cloud Security Exam, Checkout Study Guide!

More Posted time:Aug 4, 2020 19:58 PM
Hi all,
This post will help you to pass the Alibaba Cloud Associate Cloud Security exam!
Before you start looking at the Study guide, I highly recommend that you first buy this Security Exam Preparation
Course- https://edu.alibabacloud.com/certification/clouder_acaacpsecurity which is available at a discounted price at 0.99 cents
Sample Questions can be found here > https://files.alicdn.com/tpsservice/7c4ca91314609d7a65461a48ac5afa4c.pdf?spm=a3c0i.11600383.4784649250.2.5ba17521FzKgox&file=7c4ca91314609d7a65461a48ac5afa4c.pdf
There were several questions on Server Guard which is the other name for Server Security, so make sure that you fully understand the concepts of Server Guard.

I have posted 126 points in the form of Study Guide which should help you pass the Alibaba Cloud Security exam. I highly recommend you to go through each of these points thoroughly to get a better understanding of ACA Cloud Security Concepts.
1. Understand the difference between RAM-User and RAM role - https://www.alibabacloud.com/help/doc-detail/93689.htm
2. Web SQL injection attack - https://www.alibabacloud.com/help/faq-detail/37450.htm
3. Steps to enable WAF service - Add the domain name that needs to protected > Select the original IP Address
> Add the CNAME record > upload HTTPS CA and private key (HTTPS website only)
4. CC attacks happen on the Application Layer of ISO/OSI layer
5. Anti-DDoS Basic Vs Anti-DDoS Pro Service
6. Command in RHEL to check disk usage is df -h
7. Best Practices for account, authentication, authorization and audit - https://www.alibabacloud.com/help/faq-detail/56346.htm
8. Data Backup and Restore – Cloud Disk Snapshot, RDS backup and DR, Multiple copies and remote backup
9.  Data Encryption – OSS encryption, RDS encryption, EBS Encryption, KMS
10. Secured Data Transmission – SSL certification, VPN
11. Server Guard – Trojan Scan, Brute Force Login Detection, Unusual logon detection
12. Cloud Account Security – Login verification, Account permissions, Authorization distribution
13. Security Plan offered by Alibaba Cloud – Two
factor authentication, Phone number binding, Phone

or email verification for password resetting
14. Increase Account Security - Strong
password policies, Periodically reset the user login passwords, Adhere to the minimum authorization principle
15. Functions provided by RAM - User and Group definition, Policy based authorization, STS(Security Token Service)
16. Identity Management Requirements - Resource Access Management (RAM)
17. Shared responsibilities security model - The user and the cloud service provider will be jointly responsible for
cloud security, with each responsible for different layers of security.
18. Paid Security Services provided by Alibaba Cloud - Web Application Firewall, Anti-DDoS Pro, SSL certificate
19. VPC function – Security isolation, customized network configuration, Support various network connections
20. Anti-DDoS is used for Network Security Protection
21. Web Application Firewall allows websites to protect against common web server plug-in vulnerabilities, XSS attacks
22. Data and Application security risks in IT infrastructure - Data integrity, Data access control, Data encryption
23. Transparent Data Encryption - Once activated, TDE cannot be deactivated, Keys used by TDE are produced and managed
by the Key Management Service (KMS), After activating TDE, CPU usage will significantly increase.
24. Cloud OSS storage Client encryption - User data is encrypted before it is sent to a remote server, It ensures the security of user data, even if data is leaked, others cannot decrypt the original data, The data transmission between local and OSS must use HTTPS

25. Disk data backup is supported by Alibaba Cloud ECS
26. Cross-data
center recovery is a data backup method that can improve data reliability by using Alibaba Cloud ApsaraDB for RDS

disaster recovery instances.
27. Server Load Balancer (SLB)supports HTTPS protocol - SSL certificates need to be uploaded to SLB,
including the public and privatekeys
28. Logical Backup is not a location based data backup strategy.
29. Alibaba Cloud WAF provides HTTPS authentication - It supports HTTP back-to-source (the source station can be an
HTTP website), and requires no configuration modification on the server, The
complete certificate chain includes the server certificate
and CA certificate, HTTPS needs to be selected for services that require HTTP redirect
30. Hot backup belongs to Alibaba Cloud OSS as it can store multiple copies of the same data
31. Key Selection understanding - The
longer the key, the longer time for running the encryption algorithm, The longer the key, the better the encryption effect, Symmetric encryption algorithms only use one key during an encryption process.
32. Hash Algorithms are used when you require OSS to perform data integrity validation to ensure the downloaded data is
consistent with data on the OSS server end.
33. Step required to test data integrity when an OSS storage user downloads data from OSS to local - Compare returned
CRC64 value with locally computed CRC64 value
34. SSL encryption for ApsaraDB forRDS - Setting SSL encryption for RDS is aimed at improving the link security
and integrity
, enable SSL encryption for Internet connections that require encryption. Intranet connections are relatively secure, and generally do not
require link encryption; After activating SSL encryption, you need to configure
the SSL certificate when you connect RDS to an
application or a client.
35. Alibaba Cloud Security digital certificate supports quick ID authentication to efficient and secure HTTPS data transmission
36. Steps to Select the Certificates > Enter the documents > Manage Certificates > Push the cloud product
37. Functions Provided by SSL protocol to network connections - Data encryption, Server authentication, Message
38. Alibaba Cloud Web Application Firewall (WAF)'s support for HTTPS - To meet data transmission security requirements,
WAF provides HTTPS authentication and Requires no configuration modification on the server.
39. SSL encryption for Alibaba Cloud ApsaraDB - Improves data security and integrity, Provides data encryption in
the transmission layer, Increases resource consumption
40. Backup modes for Database level backup - File-level backup and Logical backup
41. For asymmetric encryption algorithms, data encrypted using a private key can only be decrypted using the
corresponding public key.
42. Data processed by hash algorithms cannot be restored to raw data.
43. SSL Certificates and Integrity Validation prevent data hijacking.
44. Products supported by one-click digital certificates deployment function - Server Load Balancer (SLB), CDN and WAF
45. RDS Automatic Backup – Data Backup and Log Backup
46. In order to avoid hackers to exploit vulnerabilities, it is important to install system patches on a timely
basis in daily server security management
47. Daily management of server accounts and passwords - Renaming the Administrator helps to improve security, In
addition to the necessary server account, disable or delete other useless accounts, Still need to set a complex high-strength password
48. Alibaba Server Guard provides a remote login detection function - Set frequent login location, You can detect
the remote login source IP information, Alerts will be shown in Server Guard console if unusual login detected
49. Set an IP whitelist in the Server Guard console if there are many employees and the access requests are
numerous who want to access the cloud server from the corporate office
50. Reason for System Vulnerability - Software logic flaws or errors in writing
51. Common application Vulnerabilities - Web SQL Injection, XSS vulnerability, Upload vulnerability
52. Server Guard's vulnerability management (original patch management) provides ServerGuards self-developed
patches for open source software bug fixes
53. Web Shell Attack - Webshell is a backdoor like vulnerability, Webshell attack need to upload some files to
server side first
, Webshell attack uploaded file needs to have similar type as the web server is using
54. Hot fixes do not require rebooting the physical host
55. Security Challenges that require attention  - Brute-force password
cracking, Trojan virus in the server, Application Vulnerability
has been compromised
56. Server Security Management Best Practice - Timely server system patch installation, Enable the server firewall,
Shut down unneeded server ports
57. Windows update can be set to update the patch and based on this setting, you cannot set update conditions on
your customized rules
58. Server Guard Benefits - Security risks exposure, most updated patches and Users can receive real-time alarm
after intrusion
59. Server Guard's password brute force crack interception supports Cloud server ECS self-built MySQL database
remote connection
60. Alibaba Cloud's Server Guard brute force interception results primarily contain - Attack time, Attack type and Attack origin
61. Vulnerabilities in the cloud platform can lead to the following consequences: May cause sensitive data to be
read from one client to another client and Attackers use vulnerabilities to bypass the virtualization platform and directly access the host
62. The vulnerabilities on the cloud server mainly include following types: Operating system vulnerabilities, App
vulnerabilities And Virtualization vulnerabilities
63. Server Guard Functions: Brute-force password cracking detection and defense, Remote logon checking and alarm and Vulnerability
detection and repair
64. How to close some external service port: Close by way of firewall rules,Close by way of local security policies, Shut down the port

corresponding service
65. Cloud server ECS log contains System logs and Application logs
66. Servers connected to internet will face following security challenges: Brute-force password cracking, Trojan
attacks and Vulnerability attack
67. After WAF was purchased, users need to add one DNS record to map their domain name to WAF provided IP and this
DNS record is called CNAME record
68. Consequence if attacks if your companys official website is tampered - Website is used for some illegal
attempts, Public image or reputation of your company is damaged, Business is impacted

69. Webshell Detection Feature of WAF - cache will be enabled only after you turn on the protection switch, there
is a switch
need to be turned on first, If you changed some page content, youcan use 'cache update' button to manually update the cache
70. Server Side Security Issue: SQL injection, System Command Execution vulnerability and File uploading
71. Web Application Security Protection best practices - enforce security management to any public service, keep
monitoring system processes , performance and status, always scan input by user through web application
72. WAF can provide: SQL injection detection, XSS attack detection and unauthorized resource access blocking
73: After using WAF, if you find there are many user input data in the network traffic, you should apply: Strict protection policy
74. Possible reasons to cause website tampering: Share password between different users, system vulnerability is not
fixed in time, Wrong security configuration
75. WAF provides protection against Web Server vulnerability attack, Core files unauthorized access and HTTP flood
76. WAF - DNS will resolve original domain name to WAF cluster, After scrubbing, traffic will be re-injected to
original server, server response traffic will be scrubbed also
77. WAF protection strategy – Access Control > CC Detection > Web Application attack detection
78. Enterprise Version of WAF will provide advisor customized protection rule
79. Methods to prevent SQL injection attack - Strict input check, Use secured function call and SQL pre-compiling
and variable binding
80. User is responsible to Update Cache on WAF console after turning on website tampering protection when
updating webpage content
81. CC attacks - CC attack will simulate real user requests, Will consume massive sever side resource and The
request generated by CC attack is hard to be distinguished from normal requests
82. Methods used to defend CC attacks - Use WAF, resolve domain name to a disguised IP, change the service providing port
83. WAF Data risk control feature - WAF need to inject JavaScript piece into
all pages under the same protected domain name to decide
if the client side is worth to trust, direct access URL protected by this feature will have  slider verification pop out, this feature is
not suitable for scenario needs to call API directly
84. Traffic Flow if user is using WAF, Anti-DDoS Pro & CDN -   Anti-DDOS Pro > CDN > WAF > Original website
85. Alibaba Cloud WAF modes to defend SQL injection: Protection Mode and Warning Mode
86. Alibaba WAF protection strategy modes available on console: Loose, Strict and Regular
87. Alibaba Cloud WAF modes to defend CC attacks: Normal and Emergency
88. In CC customized protection rule, the following items can be self-defined – URL, How long the detection should
last and How frequently the page is visited by one single source IP
89. CC Attack Examples - One host simulate many IP addresses, Attack through agent and Zombie network
90. Scenarios suitable to use CC Emergency Protection Mode: Web page and HTML 5 page
91. Scenarios considered as business fraud: massive accounts registration for new user benefits gain, post massive
comments with bots to some e-commerce website
92. SQL injection can cause following damages: DB data modified, New user information added, Sensitive data leak
93. Common methods by which the SQL attack is carried out: Adding more search request together with the original
one, adding an absolute true condition to bypass original request, adding ";" or "--" to change the original request purpose with new
request attached
94. SYN Flood Attack - A DoS attack that sends a flood of synchronization (SYN) requests and never sends the final
acknowledgement (ACK)
95. DoS Attack is likely to occur if you see a significant increase in network traffic and users complain that web server is hung up.
96. SYN (Synchronize) Attack misuses TCP's (Transmission Control Protocol) three way handshake to overload servers
and denies access to legitimate users
97. Most common method of accomplishing DDoS (Distributed Denial of Service) attacks - Overwhelming and
shutting down multiple services on a server
98.Three basic target categories for a DoS or DDoS - Networks, systems and applications
99. In Botnet attacks, the attacker pretends to be a legitimate user.
100. Smurf Attack - Attach in which the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so
it seems to have originated at the victim's system, in order to flood it with REPLY packets.
101. DoS  Attack  - Stop a workstation or service from functioning
102. When web server has gone into a loop trying to service a client request, it means that that web server has been
attacked and this attack is called Denial Of Service Attack
103.  Syn Attack exploits the session initiation between the Transport Control Program (TCP) client and server in a network
104. Ping of death attack uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum
Transmission Unit) to crash a target computer
105. In an IP (Internet Protocol) spoofing attack, the attacker manipulates The source address field of an IP
(Internet Protocol) packet
106. DDoS Attacks can bring DNS service down, Military commander system down, Web service down.
107. Anti-DDoS attack cannot defend against
XSS attack. It defend attacks against TCP flood, UDP Flood, ICMP Flood, SYN Flood
108. Valid Steps for using Anti-DDoS pro - Configure to be protected domain name, Add new DNS record, Change source
IP, If original server is using its own firewall, then need to add Anti-DDOS pro IP to its white list
109. Truths about Anti-DDoS Basic and Anti-DDoS Pro - Both can defend DDOS attack, Anti-DDOS pro has more
capabilities to defend against DDOS attacks, Anti-DDOS pro can protect both inside and outside Alibaba Cloud servers
110. DDoS attack - Steal confidential information, If the target server has no vulnerabilities, the remote attack may still succeed.
111.  What happens when you encounter DoS or DDoS attack - Delay of data reception, Slow access web resources
112. Approach for detecting DoS attack that uses system vulnerabilities - Use the Resource Manager to check the
current memory, CPU and other resource usage, Compare system processes and snapshot to identify illegal processes
113. Protocol used for a SYN Flood Attack – TCP
114. Reason for a DDoS attack - Destroying of availability, Destroying of business credit
115. Anti-DDoS Basic Service - No protection upper limit to the rate of attack traffic, Basic anti-DDOS service can protect
any server connect to internet
116. Services that can suffer from DDoS attack - Public DNS service, Any device internet reachable, Government website
117. Anti-DDoS pro advantages comparing to Anti-DDoS basic - Stronger defending attacks capability, Elastic
protection bandwidth, Can protect IDC outside Alibaba Cloud
118. Scenarios handled by Anti-DDoS Service - Server is under syn flood attack, and is not reachable, Online game
service which is suffering with too many empty connections and slow connections,
DNS server is under UDP flood attack
and got no response anymore
119. IPV6 -  IPV6 address length upper limit is 128 bits, IPV6 has more simplified header
120. software logic flaw or mistakes made during software development cycle may lead to system vulnerabilities
121. Hypervisor vulnerability can cause the following damages - One client host can access another client's data,
User service become unavailable, Hacker can access host server directly
122. Web Server Vulnerabilities can be caused by the following: Bugs generated during common component development,
Software used or OS itself contain some logic flaw
123. Encryption Algorithm does not belong to the 5 key elements of network communication
124. OS type cannot be set in ECS security group configuration.
125. EIP cannot bind to different ECS servers at the same time. It can only bind to one ECS server, Different EIP
cant share bandwidth, NAT gateway can support shared bandwidth between several IP’s,
NAT gateway can support multi
servers inside VPC to access public internet through one public IP
126. By utilizing Elastic Public IP/ EIP + SLB / EIP + NAT Gateway, servers can gain the capability to communicate
to the internet
[njagwani edited the post at Aug 4, 2020 21:07 PM]

  • UID10729
  • Fans0
  • Follows0
  • Posts1
1st Reply#
Posted time:Jan 7, 2021 12:42 PM
excellent material. thank you so much

  • UID11563
  • Fans0
  • Follows0
  • Posts1
2nd Reply#
Posted time:Jul 5, 2021 13:25 PM
Item 115 is misleading. Perhaps it is referring to "What is incorrect about anti-ddos basic service".

  • UID12107
  • Fans0
  • Follows0
  • Posts1
3rd Reply#
Posted time:Dec 29, 2021 10:58 AM
thanks so much