Boot Camp Reference Material Flashcards
Which of the following threat types involves an application that does not validate authorization for portions of
itself after the initial checks?
Missing function-level access control
What does the management plane typically utilize to perform administrative functions on the hypervisors that it
has access to?
APIs
Which of the following standards primarily pertains to cabling designs and setups in a data center?
Building Industry Consulting Service International (BICSI)
What is used for local, physical access to hardware within a data center?
KVM (keyboard, video, mouse) switches.
Which of the following roles is responsible for overseeing customer relationships and the processing of
financial transactions?
Cloud service business manager
Which of the following roles involves the provisioning and delivery of cloud services?
Cloud service manager
How is an object stored within an object storage system?
Key value
What are the two protocols that TLS uses?
Handshake and record
Which of the following roles is responsible for peering with other cloud services and providers?
Inter-cloud provider
The ____________ is responsible for peering with other cloud services and providers, as well as
overseeing and managing federations and federated services.
inter-cloud provider
Which of the following storage types is most closely associated with a traditional file system and tree
structure?
Volume
What must be secured on physical hardware to prevent unauthorized access to systems?
BIOS
If you’re using iSCSI in a cloud environment, what must come from an external protocol or application?
Encryption
Which of the following pertains to a macro level approach to data center design rather than the traditional
tiered approach to data centers?
International Data Center Authority (IDCA)
The standards put out by the_____________ have established the Infinity
Paradigm, which is intended to be a comprehensive data center design and operations framework. The Infinity
Paradigm shifts away from many models that rely on tiered architecture for data centers, where each
successive tier increases redundancy. Instead, it emphasizes data centers being approached at a macro level,
without a specific and isolated focus on certain aspects to achieve tier status.
International Data Center Authority (IDCA)
What is the data encapsulation used with the SOAP protocol referred to?
Envelope
Which of the following threat types involves an application developer leaving references to internal information
and configurations in code that is exposed to the client?
Insecure direct object references
What are the three components of a federated identity system transaction?
Relying party
Identity provider
User
________________________is a measure of the amount of time it would take to recover operations in
the event of a disaster to the point where management’s objectives are met for BCDR.
The recovery time objective (RTO)
________is the measure of data that can be lost in an outage without irreparably damage
Recovery point objective (RPO)
______is how long an organization can suffer an outage before ceasing to be an organization.
Maximum allowable downtime (MAD)
_____is the measure of how long an asset is expected to last
Mean time to failure (MTTF)
What provides the information to an application to make decisions about the authorization level appropriate
when granting access?
Identity Provider
Which entity requires all collection and storing of data on their citizens to be done on hardware that resides
within their borders?
Russia (Russian Law 526-FZ)
The European Union passed the first major regulation declaring data privacy to be a human right. In what year did it go into effect?
1995
Which value refers to the amount of data an organization would need to recover in the event of a BCDR situation in order to reach an acceptable level of operations?
recovery point objective (RPO)
Two very popular tools for maintaining configurations and versioning of software are
Puppet and Chef
___________is used within all clustering systems as the method for clusters to provide high availability, scaling, management, and workload distribution and balancing of jobs and processes. From a physical infrastructure perspective, DRS is used to balance compute loads between physical hosts in a cloud to maintain the desired thresholds and limits on the physical hosts.
Dynamic resource scheduling (DRS)
Unlike SOC Type 1 reports, which are based on a specific point in time, SOC Type 2 reports are done over a period of time. What is the minimum span of time for a SOC Type 2 report?
6 months
Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it?
Confidentiality
Cloud Controls Matrix (CCM) Domains?
Application & Interface Security
Audit and Assurance
Business Continuity Mgmt & Op Resilience
Change Control & Configuration Management
Cryptography, Encryption and Key Management
Data Security & Privacy Lifecycle Management
Datacenter Security
Governance, Risk Management and Compliance
Human Resources Security
Identity & Access Management
Interoperability & Portability
Logging and Monitoring
Security Infrastructure & Virtualization
Security Incident Management, E-Discovery & Cloud Forensics
Supply Chain Management, Transparency & Accountability
Universal EndPoint Management
Threat & Vulnerability Management
Regardless of which cloud-hosting model is used, the cloud provider always has sole responsibility for the
_________ environment.
physical
The SOC Type 2 audits include what five principles:
security, privacy, processing integrity, availability, and
confidentiality.
What is the biggest challenge to data discovery in a cloud environment?
Location
What is the phrase used to describe the optimization of cloud computing and cloud services for a particular vertical (e.g., a specific industry) or specific application use.
A vertical cloud, or vertical cloud computing,
is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices.
ISO/IEC 31000
covers information security management systems, including an overview and vocabulary.
ISO/IEC 27000
covers information security management for inter-sector and inter-organizational communications.
ISO/IEC 27010
covers the requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27006
determines the user’s right to access a certain resource.
Authorization
ensures that users can access relevant resources based on their credentials and characteristics of their identity.
Access management
ensures that a single user authentication process grants access to multiple information technology (IT) systems or even organizations.
Single sign-on (SSO)
provides the policies, processes, and mechanisms that manage identity and trusted access to systems across organizations.
Federated identity management (FIM)
What options are all actions that OWASP recommends for reducing the risk of XSS attacks
-Put untrusted data in only allowed slots of HTML documents.
-HTML escape when including untrusted data in any HTML elements.
-Use the attribute escape when including untrusted data in attribute elements.
What is usually considered the difference between business continuity (BC) efforts and disaster recovery (DR) efforts?
BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.
