1. Architectural Concepts Flashcards

1
Q

Cloud security considerations:

Security and privacy considerations

A

Security and privacy considerations:
1. Confidentiality seeks to protect assets (information and systems) from unauthorized access.
2. Integrity seeks to protect those same assets against unauthorized modification.
3. Availability seeks to ensure that assets are available for authorized use when needed without disruption.
4. Privacy

Cloud computing adds three further concerns: governance, auditability, and regulatory oversight.

2
Q

ISO/IEC 27034

A

ISO/IEC 27034 is the standard for integrating security throughout
the life cycle of applications.

3
Q

ISO/IEC 15408

A

ISO/IEC 15408 (Common Criteria) is the standard for expressing
IT security functional and assurance requirements.

4
Q

ISO/IEC 17789 - Cloud Computing Reference Architecture (CCRA)

A

ISO/IEC 17789, the Cloud Computing Reference Architecture (CCRA), is specific to the cloud. It may be used to organize the components of a cloud architecture into a set of common elements using common terminology.

5
Q

ISO/IEC 27017:2015

A

ISO/IEC 27017 provides guidance on the information security
aspects of cloud computing.

6
Q

ISO/IEC 17788

A
7
Q

ISO/IEC 18788

A

This ISO standard offers a framework and provides the principles and requirements for the establishment, operation and management of security operations.

8
Q

ISO/IEC 19441

A

This standard is about portability and interoperability of data.

9
Q

ISO/IEC 20000-1

A

This ISO standard establishes requirements for implementing, maintaining and continually improving a service management system (SMS).

10
Q

ISO 27002

A
11
Q

ISO/IEC 27001

A

The ISO/IEC 27001 standard covers establishing, implementing, operating, monitoring, reviewing and maintaining an Information Security Management System (ISMS).

12
Q

5 rules of evidence

A

Evidence must be authentic, accurate, complete, convincing and admissible in court.

13
Q

Privacy Level Agreement (PLA)

A

A PLA is similar in concept to an SLA in that it defines roles and responsibilities, as well as clearly defining service commitments for the protection of privacy information between a service provider and a consumer.

14
Q

The Cloud Controls Matrix (CCM)

A

The Cloud Controls Matrix (CCM) by Cloud Security Alliance (CSA)
is an example of a framework that can be used to determine applicable controls and their
effectiveness. This framework’s elements are specific to the cloud.

15
Q

ISO/IEC 12207

A

ISO/IEC 12207 provides a framework for life cycle processes.

16
Q

NIST SP 800-209

A

NIST SP 800-209 provides specific guidance on storage security.

17
Q

NIST SP 800-88

A

NIST SP 800-88 provides guidelines for media sanitization.

18
Q

NIST SP 800-92

A

NIST SP 800-92 is the Guide to Computer Security Log Management.

19
Q

Data stewards

A

Data stewards typically ensure that data is collected correctly.

20
Q

Strategic supplier

A

Strategic suppliers are deemed to be mission critical and cannot
be easily replaced if they become unavailable. While companies typically do business with a
few of these types of partners, they are the most crucial to the success or failure of the
enterprise cloud architecture.

21
Q

Tactical supplier

A

Tactical suppliers supplement strategic and commodity suppliers to manage emerging, unforeseen issues and incidents.

22
Q

Commodity supplier

A

Commodity suppliers, in contrast to strategic suppliers, are
those that provide goods and services that can easily be replaced and sourced from a
variety of suppliers, if necessary.

23
Q

Consensus Assessments Initiative Questionnaire (CAIQ)

A

The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.

24
Q

The CLOUD Act

A

The CLOUD Act gives broad powers to U.S. law enforcement
officials to force U.S.-based technology providers to release data regardless of where the
company stores data.

25
Q

Sarbanes-Oxley Act (SOX)

A

This U.S. legislation was enacted to protect shareholders and the
general public from accounting errors and fraudulent practices in the enterprise.

26
Q

Data sovereignty

A

Data sovereignty refers to the idea that a country or jurisdiction has the authority and right to govern and control the data generated within its borders.

It is the implied or explicit right of a nation or state to determine, by means of its laws, the treatment, care or disposition (embargo or movement) of that data.

27
Q

GAPP (10 Principles)
Generally accepted privacy principles

A

MNCCUADSQM

Management
Notice
Choice and Consent
Collection
Use, Retention, and Disposal
Access
Disclosure to Third Parties
Security for Privacy
Quality
Monitoring and Enforcement

28
Q

Correct order for an audit plan

A

Define audit objectives, define audit scope, refine audit processes
based on lessons learned, fieldwork, analysis, reporting

29
Q

Secure Data lifecycle phases

A

Create, store, use, share, archive and destroy

30
Q

Data dispersion

A

When using the data dispersion technique, each storage block is
fragmented and the storage application writes each bit into different physical storage
containers to achieve greater information assurance, just like the old-fashioned RAID system,
only scattered across different physical devices and/or geographical locations.

31
Q

Consumer DRM, Enterprise DRM

A

Consumer DRM aims at controlling copying, execution and
alteration of media such as audio, video and e-books.

Enterprise DRM focuses on protecting enterprise assets such as documents and email through the implementation of usage rights policies.

32
Q

Data: Static masking

A

In static masking, a new copy of the data is created with the masked values. Static masking is typically efficient when creating clean, nonproduction environments.

33
Q

Data: Dynamic masking

A

This type of masking is efficient when protecting production environments; in other words, dynamic masking can hide the full credit card number from customer service representatives, but the data remains available for processing.

34
Q

SSD versus HDD

A

SSD: faster, more expensive, nonmechanical (flash), shock resistant; best for storing the OS, gaming apps and frequently used files.

HDD: slower, cheaper, mechanical (moving parts), fragile; best for storing extra data, movies, audio, video, photos and backups.

35
Q

Software-Defined Networking (SDN) planes (3)

A

SDN planes are the management plane, control plane and data
plane.

36
Q

The ISO/IEC TS 22237 standard describes 4 availability classes for data centers.

A

Availability Class-1: Basic Site Infrastructure (basic infrastructure required to support an organization that wants to conduct IT operations)

Availability Class-2: Redundant Capacity Component Site Infrastructure (facilities provide more redundancy than Tier 1 facilities)

Availability Class-3: Concurrently Maintainable Site Infrastructure

Availability Class-4: Fault Tolerant Site Infrastructure (highest level described by the Uptime Institute)

37
Q

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
framework

A

The ATT&CK framework provides real-world observations about tactics and techniques used by many advanced persistent threat (APT) operators.

The ATT&CK framework is a database of adversary tactics and
techniques and provides valuable data to incident responders.

38
Q

Security Groups & ACLs

A

While network ACLs operate at the subnet level, security groups
operate at the instance level.

39
Q

FIPS 140-2
Federal Information Processing Standard (FIPS) 140-2

A

FIPS 140-2 describes the process used to approve cryptographic implementations.

40
Q

Cloud management platform (CMP)

A

Cloud orchestration is typically delivered by a cloud management
platform (CMP).

41
Q

Security Assertion Markup Language (SAML)

A

SAML defines an XML-based framework for describing and
exchanging security information between online business relationships.

42
Q

RTO and MTPD (maximum tolerable period of disruption)

A

RTO is less than MTPD.

43
Q

Firmware vulnerabilities

A

In a SaaS deployment, firmware vulnerabilities are the
responsibility of the cloud service provider and are not a concern of the consumer.

44
Q

Five facets of cloud interoperability:

A

Policy, behavioral, transport, syntactic and semantic data.

45
Q

ISO/IEC TS 22237

A

This standard provides availability class ratings and protection class ratings for data centers, based on the following criteria: building construction, power distribution, environmental controls, telecommunication cabling and security systems.

46
Q

Volume Storage

A

Volume storage is most suitable for files that change frequently, like operating system files.

47
Q

Microsegmentation

A

A fundamental design requirement of microsegmentation is
understanding the protection requirements for east-west (traffic within
a data center) and north-south (traffic to and from the internet) traffic
flows.

48
Q

OWASP Cornucopia

A

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle.

49
Q

Application Security Verification Standard (ASVS)

A

The ASVS consists of three levels of security verification, from Level 1's low assurance level, which can be achieved entirely through penetration testing, to Level 3's validation for critical applications, which requires in-depth validation and testing.

Level 1: The baseline level for most web applications. This level is mostly automated and can be assessed through interactions with the application. It aligns with standard penetration testing methodology.

Level 2: This level is recommended for most applications, especially those that store or process sensitive data. It requires a more comprehensive review of the development and security processes than Level 1, and involves a collaborative review.

Level 3: This is the most rigorous level of security requirements, and is intended for the most critical applications. These applications may perform high-value transactions, contain sensitive medical data, or require the highest level of trust.

51
Q

Cloud Security Alliance's report, The Egregious Eleven: the top concerns and threats for cloud computing

A

  • Insufficient identity, credential, access and key management (#4)
  • Insecure interfaces and APIs (#7)
  • Misconfiguration and inadequate change control (#2)
  • Lack of cloud security architecture and strategy (#3)
  • Insecure software development
  • Unsecure third-party resources
  • System vulnerabilities
  • Accidental cloud data disclosure
  • Misconfiguration and exploitation of serverless and container workloads
  • Organized crime/hackers/APT
  • Cloud storage data exfiltration

52
Q

Microsoft SDL

A

The Microsoft Security Development Lifecycle (SDL) consists of a set of 12 processes that follow the product life cycle, intended to help development teams build secure software by introducing security and privacy considerations into every phase of the development process.

53
Q

STRIDE

A

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

54
Q

DREAD

A

Damage
Reproducibility
Exploitability
Affected Users
Discoverability: how easily can the threat be discovered?

55
Q

ATASM

A

ATASM stands for Architecture, Threats, Attack Surfaces, and Mitigations.

56
Q

PASTA

A

PASTA, the Process for Attack Simulation and Threat Analysis, is a seven-stage framework.

57
Q

Change requests (CR)

A

Standard, normal and emergency changes are three types of
change that must be managed differently.

58
Q

Security Content Automation Protocol (SCAP)

A

SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and to humans.

SCAP is a multipurpose framework of specifications that support
automated configuration, vulnerability and patch checking, technical
control compliance activities and security measurement.

59
Q

DNSSEC

A

DNSSEC can validate zone transfers with a digital signature to thwart attackers who falsify responses to DNS queries.

60
Q

DNS Shadowing threat

A

Malicious actors compromise the domain owner's account and create subdomains to host their malicious pages.
