Boot Camp Reference Material

Question 1

Which of the following threat types involves an application that does not validate authorization for portions of
itself after the initial checks?

Answer 1

Missing function-level access control

Question 2

What does the management plane typically utilize to perform administrative functions on the hypervisors that it
has access to?

Answer 2

APIs

Question 3

Which of the following standards primarily pertains to cabling designs and setups in a data center?

Answer 3

Building Industry Consulting Service International (BICSI)

Question 4

What is used for local, physical access to hardware within a data center?

Answer 4

KVM (keyboard, video, mouse) switches.

Question 5

Which of the following roles is responsible for overseeing customer relationships and the processing of
financial transactions?

Answer 5

Cloud service business manager

Question 6

Which of the following roles involves the provisioning and delivery of cloud services?

Answer 6

Cloud service manager

Question 7

How is an object stored within an object storage system?

Answer 7

Key value

Question 8

What are the two protocols that TLS uses?

Answer 8

Handshake and record

Question 9

Which of the following roles is responsible for peering with other cloud services and providers?

Answer 9

Inter-cloud provider

Question 10

The ____________ is responsible for peering with other cloud services and providers, as well as
overseeing and managing federations and federated services.

Answer 10

inter-cloud provider

Question 11

Which of the following storage types is most closely associated with a traditional file system and tree
structure?

Answer 11

Volume

Question 12

What must be secured on physical hardware to prevent unauthorized access to systems?

Answer 12

BIOS

Question 13

If you’re using iSCSI in a cloud environment, what must come from an external protocol or application?

Answer 13

Encryption

Question 14

Which of the following pertains to a macro level approach to data center design rather than the traditional
tiered approach to data centers?

Answer 14

International Data Center Authority (IDCA)

Question 15

The standards put out by the_____________ have established the Infinity
Paradigm, which is intended to be a comprehensive data center design and operations framework. The Infinity
Paradigm shifts away from many models that rely on tiered architecture for data centers, where each
successive tier increases redundancy. Instead, it emphasizes data centers being approached at a macro level,
without a specific and isolated focus on certain aspects to achieve tier status.

Answer 15

International Data Center Authority (IDCA)

Question 16

What is the data encapsulation used with the SOAP protocol referred to?

Answer 16

Envelope

Question 17

Which of the following threat types involves an application developer leaving references to internal information
and configurations in code that is exposed to the client?

Answer 17

Insecure direct object references

Question 18

What are the three components of a federated identity system transaction?

Answer 18

Relying party
Identity provider
User

Question 19

________________________is a measure of the amount of time it would take to recover operations in
the event of a disaster to the point where management’s objectives are met for BCDR.

Answer 19

The recovery time objective (RTO)

Question 20

________is the measure of data that can be lost in an outage without irreparably damage

Answer 20

Recovery point objective (RPO)

Question 21

______is how long an organization can suffer an outage before ceasing to be an organization.

Answer 21

Maximum allowable downtime (MAD)

Question 22

_____is the measure of how long an asset is expected to last

Answer 22

Mean time to failure (MTTF)

Question 23

What provides the information to an application to make decisions about the authorization level appropriate
when granting access?

Answer 23

Identity Provider

Question 24

Which entity requires all collection and storing of data on their citizens to be done on hardware that resides
within their borders?

Answer 24

Russia (Russian Law 526-FZ)

Question 25

The European Union passed the first major regulation declaring data privacy to be a human right. In what year did it go into effect?

Answer 25

1995

Question 26

Which value refers to the amount of data an organization would need to recover in the event of a BCDR situation in order to reach an acceptable level of operations?

Answer 26

recovery point objective (RPO)

Question 27

Two very popular tools for maintaining configurations and versioning of software are

Answer 27

Puppet and Chef

Question 28

___________is used within all clustering systems as the method for clusters to provide high availability, scaling, management, and workload distribution and balancing of jobs and processes. From a physical infrastructure perspective, DRS is used to balance compute loads between physical hosts in a cloud to maintain the desired thresholds and limits on the physical hosts.

Answer 28

Dynamic resource scheduling (DRS)

Question 29

Unlike SOC Type 1 reports, which are based on a specific point in time, SOC Type 2 reports are done over a period of time. What is the minimum span of time for a SOC Type 2 report?

Answer 29

6 months

Question 30

Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it?

Answer 30

Confidentiality

Question 31

Cloud Controls Matrix (CCM) Domains?

Answer 31

Application & Interface Security
Audit and Assurance
Business Continuity Mgmt & Op Resilience
Change Control & Configuration Management
Cryptography, Encryption and Key Management
Data Security & Privacy Lifecycle Management
Datacenter Security
Governance, Risk Management and Compliance
Human Resources Security
Identity & Access Management
Interoperability & Portability
Logging and Monitoring
Security Infrastructure & Virtualization
Security Incident Management, E-Discovery & Cloud Forensics
Supply Chain Management, Transparency & Accountability
Universal EndPoint Management
Threat & Vulnerability Management

Question 32

Regardless of which cloud-hosting model is used, the cloud provider always has sole responsibility for the
_________ environment.

Answer 32

physical

Question 33

The SOC Type 2 audits include what five principles:

Answer 33

security, privacy, processing integrity, availability, and
confidentiality.

Question 34

What is the biggest challenge to data discovery in a cloud environment?

Answer 34

Location

Question 35

What is the phrase used to describe the optimization of cloud computing and cloud services for a particular vertical (e.g., a specific industry) or specific application use.

Answer 35

A vertical cloud, or vertical cloud computing,

Question 36

is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices.

Answer 36

ISO/IEC 31000

Question 37

covers information security management systems, including an overview and vocabulary.

Answer 37

ISO/IEC 27000

Question 38

covers information security management for inter-sector and inter-organizational communications.

Answer 38

ISO/IEC 27010

Question 39

covers the requirements for bodies providing audit and certification of information security management systems.

Answer 39

ISO/IEC 27006

Question 40

determines the user’s right to access a certain resource.

Answer 40

Authorization

Question 41

ensures that users can access relevant resources based on their credentials and characteristics of their identity.

Answer 41

Access management

Question 42

ensures that a single user authentication process grants access to multiple information technology (IT) systems or even organizations.

Answer 42

Single sign-on (SSO)

Question 43

provides the policies, processes, and mechanisms that manage identity and trusted access to systems across organizations.

Answer 43

Federated identity management (FIM)

Question 44

What options are all actions that OWASP recommends for reducing the risk of XSS attacks

Answer 44

-Put untrusted data in only allowed slots of HTML documents.
-HTML escape when including untrusted data in any HTML elements.
-Use the attribute escape when including untrusted data in attribute elements.

Question 45

What is usually considered the difference between business continuity (BC) efforts and disaster recovery (DR) efforts?

Answer 45

BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.