CCSP Vocabulary

Question 1

ALE : Annualized Loss Expectancy

Answer 1

ALE = SLE * ARO

Formula for estimation of the cost of an accepted risk in a given year – i.e. if the accepted vulnerability is exploited by an attacker, ALE is the dollar cost estimate for the loss.

The ALE equals the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO).

The SLE = asset value * exposure factor

Exposure factor describes the loss that will happen to the asset as a result of the attack (expressed as percentage value lost) – e.g. if an assets will be wholly lost in an attack, the exposure factor is 100%… if 30% will be lost, the exposure factor is 30%, etc.

Question 2

API : Application Programming Interface

Answer 2

A set of functions, routines, tools, or protocols for building applications.

APIs are leveraged by developers to save time and increase availability as the API offers a set of working programatic methods to build connectivity without bespoke coding.

At issue for the Cloud Security Professional is that APIs are functional only and cannot be assumed to represent good security practices.

Question 3

ARO : Annualized Rate of Occurrence

Answer 3

An estimated number of times a threat will be successfully exploited within a year – e.g. if two laptops are stolen each month then the ARO is 2 * 12 = 24 times per year.

ARO is an element of the ALE calculation:
ALE = SLE * ARO

Question 4

auditability

Answer 4

The ability to properly capture, analyze, and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance, and regulatory and contractual compliance.

Question 5

authentication

Answer 5

The process of comparing credentials presented by a user, application, or service to a set of known stored values that have been previously issued or verified by the authentication system.

e.g. A user is given an email address and password when provisioned to the system; later the user provides that verified and valid email address and password to the system for matching – if these credentials match and are still valid, the user is granted access to the system.

Question 6

authorization

Answer 6

The process of granting or denying privileges to a system, network, or application after successful authentication has been preformed; these privileges (such as read, write, execute) are based on an approved set of constrained features enforced by a policy / rule set.

Question 7

backdoor

Answer 7

Backdoors can be created by developers or hackers: A backdoor is a method of accessing a system that bypasses the normal (“official”) authentication and authorization processes.

Backdoors can be unauthorized methods that are discovered by malicious actors to get into a system, or they can be methods that are purposefully employed by developers or support staff to access systems for maintenance or other support activities.

Question 8

baseline

Answer 8

A baseline is a constrained configuration standard or a state in time “snap shot” for a known good system state.

Baselines are often employed in change management to establish a “gold image” as in the baseline configuration of a workstation, or, as a fall back option as in “we will patch the system and fail-back to the baseline if patching causes availability issues.”

Question 9

big data

Answer 9

Refers to the collection, processing, and analysis of data sets that are so large that traditional data processing and analysis tools are inadequate to properly handle them.

The concept of ‘big data’ is often applied outside of this formal definition to reference predictive analysis and user analytics of data sets.

Question 10

BYOD : Bring Your Own Device

Answer 10

The practice of allowing employees of an organization to use their personally owned computers, phones, tablets, or other electronic resources to access the computing resources of the firm, rather than using IT provided and supported devices.

Question 11

business continuity

Answer 11

The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or disruption of service.

Business continuity encompasses the full range of possible service disruptions and how a company can minimize, mitigate, and respond to them and keep business operations running, available, and secure.

i.e. BC is a daily, operational, discipline.

Question 12

BIA : Business Impact Analysis

Answer 12

A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or likely extent of impact and disruption.

Question 13

chain of custody

Answer 13

The formal documentation showing the chronological control and disposition of physical or electronic evidence.

This documentation includes creation, all changes of possession, and final disposition.

Note that any evidence with probative value may be offered to the court – i.e. chain of custody is not required for evidence to be admissible.

Question 14

CAB : Change Advisory Board

Answer 14

A group that assists the change team and change management process by evaluating, prioritizing, and approving change requests.

Question 15

change manager

Answer 15

An individual who ensures that the change management process is properly executed; this person also directly handles low-level tasks related to the change process.

Question 16

cloud application

Answer 16

An application that is never installed on a local server or desktop but is instead accessed via a network or the Internet. A cloud application merges the functionality of a local application with the accessibility of a web-based application.

Question 17

CAMP : Cloud Application Management for Platforms

Answer 17

Within PaaS implementation, CAMP serves as the framework and specification for managing platform services, encompassing a RESTful protocol for managing services, the model for describing and documenting the components that comprise that platform, and the language describing the overall platform, and its components and services, as well as metadata about it.

Question 18

cloud auditor

Answer 18

An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications.

The cloud auditor is responsible for assessing the effectiveness of the cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used.

Question 19

cloud backup

Answer 19

The process of using a cloud-based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center.

Question 20

cloud backup service provider

Answer 20

A public or private cloud service’s organization that offers backup services to either the public or organizational clients either on a free basis or using various costing models based on either the amount of data or the number of systems.

Question 21

cloud backup solutions

Answer 21

Services that run within a public or private cloud offering backup solutions – either through client-based software that does automatic or scheduled backups or through manual backups initiated by a user or system.

Question 22

cloud computing

Answer 22

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Five (5) essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service

Three (3) service models: IaaS, PaaS, and SaaS

Four (4) deployment models: community cloud, hybrid cloud, private cloud, and public cloud

Question 23

cloud computing reseller

Answer 23

An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider.

Question 24

CCM : Cloud Control Matrix

Answer 24

A formally published guide by the Cloud Security Alliance (CSA) that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture. The CCM can also be used by cloud providers to structure its security program and services.

Question 25

cloud customer

Answer 25

An organization or individual that utilizes and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and fee-based applications or solutions.

Question 26

cloud data portability

Answer 26

The ability to move data between cloud providers.

Question 27

cloud database

Answer 27

A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application.

Because the database is being installed in a cloud environment instead of a typical server environment, elasticity, scalability, and high availability can be achieved and maximized.

Question 28

cloud deployment model

Answer 28

The cloud deployment models are public, private, hybrid, and community; these describe how the cloud service is delivered through a set of particular configurations and virtual resources.

Question 29

cloud enablement

Answer 29

The creation of a public cloud environment through the offering of services or infrastructure.

Question 30

cloud management

Answer 30

The oversight and operations management of a cloud environment by the cloud service provider, whether it is a public or private cloud environment.

Question 31

cloud migration

Answer 31

The process of moving services, systems, applications, or data from a traditional data-center hosting model into a cloud environment.

Question 32

cloud OS

Answer 32

Typically used to denote an operating system (OS) in a Platform as a Service (PaaS) implementation and to signify that the implementation is within a cloud environment.

Question 33

cloud provider

Answer 33

A service provider that makes storage or software applications available via the Internet or private networks to customers. Since they are offered as a service, the platform and underlying software, as well as operations and security systems, are maintained by the provider and abstracted from the customer.

Question 34

cloud provisioning

Answer 34

The process of allocating cloud resources from the cloud provider to the cloud customers based on specific requests and requirements of the customers as far as the number of virtual machines and their specific computing resources.

Question 35

CSA : Cloud Security Alliance

Answer 35

The most prominent and well-known organization to raise awareness of best practices for security within a cloud environment.

Question 36

cloud server hosting

Answer 36

The hosting and location of servers within a virtualized cloud environment, rather than the virtual or physical hosting that’s done in a traditional data center.

Question 37

cloud service

Answer 37

Capabilities offered via a cloud provider and accessible via a client.

Question 38

cloud service broker

Answer 38

A partner that serves an an intermediary between a cloud service customer and cloud service provider.

Question 39

cloud service category

Answer 39

A group of cloud services that have a common set of features or qualities.

Question 40

cloud service partner

Answer 40

One that holds a relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery.

Question 41

cloud service user

Answer 41

One that interacts with and consumes services offered by a cloud service provider.

Question 42

cloud testing

Answer 42

The testing of systems, services, or applications by leveraging cloud platforms and resources to simulate the size and scale of real-world traffic and users.

Question 43

Common Criteria

Answer 43

A set of international guidelines and specifications for the evaluation of IT security resources to ensure those resources meet an agreed-upon set of security standards. The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408.

Question 44

community cloud

Answer 44

A cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (for example, mission, security requirements, policy, or compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of these, and it may exist on or off premises.

Question 45

configuration management

Answer 45

Establishing a controlled means of consistency throughout a system’s lifecycle, based on its requirements and technical specifications to properly ensure configuration controls, performance standards, and design requirements.

Question 46

container

Answer 46

A software package that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside a single unit.

Question 47

XSS : cross-site scripting

Answer 47

A web application vulnerability that allows an attacker to inject client-side scripts into web pages that are then viewed and executed by other users. The goal of XSS from an attacker’s perspective is to bypass the security controls of an application, such as an access control with a same-origin policy.

Question 48

DAR : Data at Rest

Answer 48

Data that resides on a system in persistent storage, such as disks, tapes, databases, or any other type of storage device.

Question 49

data dispersion

Answer 49

The feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed.

The degree of dispersion is typically based on the needs of the application and the level of service procured by the cloud customer.

Question 50

DIT : Data in Transit

Answer 50

Data that flows over a networked connection – either through public unsecured networks or internal protected corporate networks.

Question 51

DIU : Data in Use

Answer 51

Data within a system or application that is currently being processed or is in use – either through the computing resources or residing in memory.

Question 52

DLP : Data Loss Prevention

Answer 52

An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of networks or systems that are secured and protected.

This can be related to the intentional attempt by users to transfer such information, but it also applies to preventing the accidental sending or leaking of data.

Question 53

data portability

Answer 53

The ability to easily move data from one system to another without having to re-enter it.

Question 54

DoS : Denial-of-Service attack

Answer 54

An attempt to make computing resources or a network unavailable to its intended users by denying legitimate traffic access totally or by degrading performance to unacceptable levels.

Question 55

direct identifiers

Answer 55

Information that specifically applies to a unique individual, such as name, address, phone number, e-mail address, or unique identifying numbers or codes.

Question 56

DRS : Distributed Resource Scheduler

Answer 56

A utility from VMware that balances computing demands and available resources within the virtualized environment.

Question 57

DAST : Dynamic Application Security Testing

Answer 57

The testing of an application while it is in an operational state with currently running systems, applications, and networks.

Question 58

DO : Dynamic Optimization

Answer 58

The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization.

Question 59

eDiscovery

Answer 59

The process of discovering and securing electronic data for use in criminal or civil legal cases.

Question 60

encryption

Answer 60

The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials, or keys can access it.

Question 61

enterprise application

Answer 61

An application that runs on a large and distributed scale and is deemed mission critical to a company or an organization.

Question 62

enterprise cloud backup

Answer 62

A cloud-based backup and recovery service similar to those offered for personal use but scaled and focused on large-scale and organizational-level services.

Question 63

Eucalyptus :

Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems

Answer 63

Free and open source software for utilizing Amazon Web Services (AWS) to build public and private cloud offerings.

Question 64

event

Answer 64

An action or situation that is recognized by software and causes the software to respond or take action – i.e. any recordable activity.

Question 65

FRCP : Federal Rules of Civil Procedure

Answer 65

The set of rules and procedures that govern civil legal proceedings in the United States federal courts to provide uniformity and efficiency in resolving legal matters and proceedings.

Question 66

FRE : Federal Rules of Evidence

Answer 66

The set of rules that apply to the United States federal courts with regard to collecting evidence in a uniform and official manner.

Question 67

federation

Answer 67

A group of IT service providers that interoperate based on an agreed-upon set of standards and operations.

Question 68

FIPS 140-2

Answer 68

A security standard published by the United States federal government that pertains to the accreditation of cryptographic modules.

Question 69

firewall

Answer 69

A part of a computing network provided by either hardware or software implementations that control which network connections are allowed to be made in regard to origin, destination, and ports, while blocking all other inbound or outbound connections.

Question 70

hashing

Answer 70

Hashing involves taking data of arbitrary type, length, or size, and using a mathematical function to map the data to a value that is of fixed size.

Hashing can be applied to virtually any type of data object: text strings, documents, images, binary data, and even virtual machine images.

Question 71

HIDS : Host Intrusion Detection System

Answer 71

A host-based intrusion detection system that monitors the internal resources of a system for malicious attempts; HIDS may also perform packet inspection and network monitoring.

Question 72

host

Answer 72

A computer that is connected to a network and provides computing services to either users or other hosts on the network.

Question 73

hybrid cloud

Answer 73

A cloud infrastructure that’s a composition of two or more distinct cloud infrastructures (private, community, or public).

Question 74

hypervisor

Answer 74

A virtual machine manager that allows and enables multiple virtual hosts to reside on the same physical host.

A Type 1 hypervisor is hardware based; a Type 2 hypervisor is application / software based.

Question 75

IdP : identity provider

Answer 75

A system responsible for determining the authenticity of a user or system, providing assurance to a service that the identity is valid and known, and possibly providing additional information about the identity of the user or system to the service provider requesting it.

Question 76

IDS : Intrusion Detection System

Answer 76

A device, appliance, or software implementation that monitors servers, systems, or networks for malicious activities.

Question 77

incident

Answer 77

An event that could potentially cause disruption to an organization’s systems, services, or applications.

Question 78

indirect identifiers

Answer 78

Information about an entity that cannot be used solely to identify that entity uniquely but can be used in combination with other data points to potentially do so; examples include place of birth, race, employment history, and educational history.

Question 79

IRM : Information Rights Management

Answer 79

A subset of digital rights management that is focused on protecting sensitive information from unauthorized exposure or use.

Question 80

IaaS : Infrastructure as a Service

Answer 80

The capability provided to a consumer to provision processing, storage, networks, and other fundamental computing resources in order to deploy and run arbitrary software, including operating systems and applications.

The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications – and possibly limited control of select networking components such as host firewalls.

Question 81

IoT : Internet of Things

Answer 81

Internet of things (IoT) refers to the extension of Internet connectivity to devices beyond traditional computing platforms. This can include home appliances, thermostats, sensors, lighting fixtures, and so on, and is very common within the scope of “smart home” technologies.

Question 82

interoperability

Answer 82

The ease and ability to reuse components of a system or application regardless of the underlying system design and provider.

Question 83

IPS : Intrusion Prevention System

Answer 83

A network-based appliance or software that examines network traffic for known exploits, or any attempts to use exploits, and actively stops them.

Question 84

ISO/IEC 27001 and 27001:2013

Answer 84

A formal specification for information security management systems that provides, through completion of a formal audit, certification from an accredited body for compliance. ISO/IEC 27001:2013 is the latest revision.

Question 85

ITIL : IT Infrastructure Library

Answer 85

A collection of papers and concepts that lay out a vision for an IT Service Management (ITSM) framework for IT services and user support.

Question 86

jurisdiction

Answer 86

The authority to exert regulatory and legal control over a defined area of responsibility. Jurisdictions can overlap between the local, state / province, and national levels.

Question 87

KMS : Key Management Service

Answer 87

A system or service that manages keys used for encryption within a system or application that is separate from the actual host systems.

The KMS will typically generate, secure, and validate keys.

Question 88

KPI : Key Performance Indicator

Answer 88

A metric that provides a quantitative value that can be used to evaluate how effectively key business requirements are being met.

Question 89

legal hold

Answer 89

The process of collecting and preserving data as required by an official request from a legal authority.

Question 90

malware

Answer 90

A broad term that encompasses software, scripts, content, and executable code that takes the form of viruses, Trojan horses, ransomware, spyware, and other malicious programs that intend to steal information or computing resources.

Question 91

managed service provider

Answer 91

A provider of IT services where the technology, software, and operations are determined and managed away from the customer or user.

Question 92

mapping

Answer 92

The process of aligning data values and fields with specific definitions or requirements.

Question 93

MTBF : Mean Time Between Failures

Answer 93

A measure of reliability: the average time (typically in hours) between failures of a hardware component.

Question 94

MTTR : Mean Time to Repair

Answer 94

The typical or average time to repair and recover after a hardware failure.

Question 95

measured service

Answer 95

Cloud services that are delivered and billed for in a metered way.

Question 96

metadata

Answer 96

Data that gives additional or descriptive information about other data. This can be in the form of structural data that pertains to how the information is stored and represented or descriptive data that contains information about the actual content of the data.

Question 97

mobile cloud storage

Answer 97

Cloud-based storage, typically used for mobile devices such as tablets, phones, and laptops, that enables the user to access their data from any network location and across multiple devices in a uniform way.

Question 98

MDM : Mobile Device Management

Answer 98

A system that allows a firm to manage and secure mobile devices that are granted access to the firm’s resources.

This is typically accomplished by installing software on a mobile device that allows the IT department to enforce security configurations and policies, regardless of whether it is owned by the organization or is a private device owned by the user.

Question 99

multitenancy

Answer 99

Having multiple customers and applications running within the same environment but in a way that they are isolated from each other and not visible to each other, while still sharing the same resources.

Question 100

network security group

Answer 100

A set of rules that can be applied to network resources for the processing and handling of network traffic; they contain information used to filter traffic based on direction of traffic flow, source address, destination address, ports of both the source and destination, and the protocols being used for transmission.

Question 101

NIDS : Network Intrusion Detection System

Answer 101

A network-based device placed at strategic places on a network to monitor and analyze all network traffic traversing the subnet and comparing it against signatures for known vulnerabilities and attacks.

Question 102

NIST SP 800-53

Answer 102

Titled “Security and Privacy Controls for Federal Information Systems and Organizations,” NIST SP 800-53 provides a set of security controls for all systems under the United States federal government, with the exception of systems dedicated to national security.

Question 103

nonrepudiation

Answer 103

The ability to confirm the origin or authenticity of data to a high degree of certainty.

Question 104

object storage

Answer 104

A storage method used with IaaS where data elements are managed as objects rather than in hierarchical storage with a file system and directory structure.

Question 105

on-demand self-service

Answer 105

The ability for a cloud customer to provision services in an automatic manner, when needed, with minimal involvement from the cloud provider.

Question 106

TOGAF : The Open Group Architecture Framework

Answer 106

An open enterprise architecture model that design teams can use to optimize success efficiency and returns throughout a system’s lifecycle.

Question 107

OLA : Operational Level Agreement

Answer 107

An official ITIL term that relates to a specialized service level agreement (SLA) pertaining to internal parties of an organization, rather than between a customer and provider (i.e. an SLA).

Question 108

overwriting

Answer 108

The process of securely removing data from a system by writing blocks of random or opaque data on storage media to destroy any previous data and make it unrecoverable.

Question 109

pen testing / penetration testing

Answer 109

The process of testing systems and applications for vulnerabilities by employing the same tools and strategies used by malicious actors. Any exploits discovered can then be proactively addressed by the organization before a malicious actor can discover them.

Question 110

PaaS : Platform as a Service

Answer 110

The capability provided to the customer to deploy onto the cloud infrastructure any consumer-created or acquired applications written using programming languages, libraries, services, and tools supported by the provider.

The customer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, and storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Question 111

portability

Answer 111

The ability of a system or application to seamlessly and easily move between different cloud providers.

Question 112

PLA : Privacy Level Agreement

Answer 112

A declaration published by the cloud service provider documenting its approach to data privacy. The cloud service provider implements and maintains the PLA for the systems it hosts

Question 113

private cloud

Answer 113

A cloud infrastructure provisioned for exclusive use by a single organization comprising multiple consumers (for example, business units). It may be owned, managed, and operated by the organization, a third party, or some combination thereof, and it may exist on or off primises.

Question 114

PHI : Protected Health Information

Answer 114

A special designation of data under United States law that encompasses any health-related data that can be tied to an individual, including health status, healthcare service sought or provided, or any payment related to healthcare.

Question 115

public cloud

Answer 115

A cloud infrastructure provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic organization, governmental organization, or some combination thereof. It exists on the premises of the cloud provider.

Question 116

quantum computing

Answer 116

Quantum computing involves the use of quantum phenomena, such as the interactions between atoms or wave movements, to aid in computation.

Question 117

RPO : Recovery Point Objective

Answer 117

A duration of time in the past that an organization is willing to revert to in order to restore lost data or services following an interruption.

Question 118

RTO : Recovery Time Objective

Answer 118

A defined maximum time duration for which an organization can accept the loss of data or services following an interruption.

Question 119

relying party

Answer 119

A system or application that provides access to secure data through the use of an identity provider.

Question 120

RDP : Remote Desktop Protocol

Answer 120

RDP is a proprietary technology, developed by Microsoft, to allow users to connect to a remote computer over a network and utilize a graphical interface with the Windows operating system.

Question 121

REST : RE-presentational State Transfer

Answer 121

A system for designing and implementing networked applications by utilizing a stateless cacheable, client-server protocol, almost always via HTTP.

Question 122

RFC : Request For Change

Answer 122

A formal documented change request, including what change is needed, why it is needed, the urgency of the change, back-out plan should the change introduce instabilities to the system, and the impact if the change is not made.

Question 123

resource pooling

Answer 123

The aggregation and allocation of resources by the cloud provider to serve the cloud customers.

Question 124

reversibility

Answer 124

The ability of a cloud customer to recover all data and applications from a cloud provider and to completely remove all data from the cloud provider’s environment.

Question 125

RASP : Runtime Application Self-Protection

Answer 125

Security technology and systems integrated into a system or application that enables it to detect and prevent attacks in real time.

Question 126

sandboxing

Answer 126

The segregation and isolation of information or processes from others within the same system or application, typically for security concerns.

Question 127

SOC : Security Operations Center

Answer 127

A SOC is a centralized group that deals with security issues within an organization or enterprise and is responsible for the monitoring, reporting, and handling of security incidents. This is done at both the technical and organizational levels and touches all information assets within the organization.

Question 128

service

Answer 128

A computing system or application that processes data.

Question 129

SLA : Service Level Agreement

Answer 129

A document agreed upon between a customer and a service provider that defines and maps out minimum performance standards for a variety of contract requirements.

An SLA typically includes minimum standards for processes, uptime, availability, security, auditing, reporting, customer service, and potentially many other requirements.

Question 130

SP : Service Provider

Answer 130

An organization that provides IT services and applications to other organizations in a sourced manner.

Question 131

SABSA :

Sherwood Applied Business Security Architecture

Answer 131

SABSA is a proven methodology for developing business-driven, risk- and opportunity-focused security architectures, at both enterprise and solutions levels, that traceably support business objectives.

It is widely used for information assurance architectures and risk management frameworks, as well as to align and seamlessly integrate security and risk management into IT architecture methods and frameworks, models, methods, and processes.

Question 132

SOAP : Simple Object Access Protocol

Answer 132

An operating system agnostic messaging protocol that is used to communicate with other systems through HTTP and XML.

Question 133

SLE : Single Loss Expectancy

Answer 133

The monetary value assigned to the occurrence of a single instance of exploit to an IT service, application, or system.

SLE = AV (asset value) * EF (exposure factor) where the EF is a percentage of the asset lost in the attack.

The SLE is an input to ALE (annualized loss expectancy):
ALE = ARO (annual rate of occurrence) * SLE

Question 134

SOA : Service-Oriented Architecture

Answer 134

A system of providing IT applications and data services to other components through communications protocols over a network, independent of any particular technology, system, provider, or implementation.

Question 135

SOC 1 / SOC 2 / SOC 3

Answer 135

Audit and accounting reports, focused on an organization’s controls, that are employed when providing secure services to users.

SOC 1: target client is financial auditors; focus is management structure, customer base, pertinent regulations, auditors that verify compliance.

SOC 2: target client is “restricted use” internal review; focus is five (5) broad areas: availability, confidentiality, processing integrity, privacy, and security

SOC 3: target client is “general use” third parties; scope of audit is similar to SOC 2 with the main difference being that the SOC 3 is intended for a general audience.

Question 136

SaaS : Software as a Service

Answer 136

An application hosted and maintained by the cloud provider as a service to be consumed by the cloud customer.

The cloud customer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, storage, and even individual application capabilities, with the possible exception of limited user-specific application settings.

Question 137

SDN : Software Defined Networking

Answer 137

SDN separates the network configurations for the control plane from the data plane.

This separation allows network administrators to configure and control network infrastructure functions without having to get involved with the actual mechanisms for forwarding network traffic.

Question 138

SQL injection

Answer 138

A method used by malicious actors in which an SQL query is placed in an input field in hopes it will be passed to the back-end database, executed by the db, with db output returned to the attacker.

This could include attempts to access a full database, or protected data within it, or, to modify or delete data.

Question 139

SAST : Static Application Security Testing

Answer 139

Security testing of applications by analysis of source code, binaries, and configurations. This is done by testers who have in-depth knowledge of systems and applications and is performed in a non-running (i.e. static) state.

Question 140

tenant

Answer 140

One or more cloud customers who share access to a pool of resources.

Question 141

tokenization

Answer 141

The process of substituting sensitive data with an abstraction of that data (a token) which has no value outside of the application: e.g. real SSN 2341 is replaced with the token 1234, translation to the real SSN occurs only when needed and disclosure of the token 1234 is harmless to the firm and the person with SSN 2341.

Question 142

Trojan

Answer 142

An attempt to trick a user or administrator into executing an attack by disguising the true intention of a program or application.

Question 143

trust zones

Answer 143

A security concept that separates systems and data into different levels or zones; each zone can apply its own security controls based on the activities supported in that zone – e.g. RBAC for network assets.

In many instances, zones of a higher degree of trust may access those with a lower degree, but not vice versa.

Question 144

UC : Underpinning Contract

Answer 144

A contract negotiated and agreed upon between an organization and an external service provider or vendor.

Question 145

vertical cloud computing

Answer 145

The optimization of cloud computing resources for a particular stack or vertical, such as a specific type of application or system, or, by a particular industry sector.

Question 146

virtual host or virtual machine

Answer 146

A software based computing environment running on a host system as opposed to running within a physical hardware environment.

Question 147

VPN : Virtual Private Network

Answer 147

A VPN facilitates the extension of a private network over public networks and enables a device to operate as if it were on the private network directly.

A VPN works by enabling an encrypted point-to-point connection from a device into a private network, typically through software applications, but also can be done via hardware accelerators.

Question 148

VMBR : VM-Based Rootkit

Answer 148

A type of rootkit that is installed in a virtualized environment between the underlying host system and the virtual machine.

It is then executed and used when the virtual machine is started. A VM-based rootkit is very difficult to detect in an environment, but also very difficult to successfully implement.

Question 149

volume storage

Answer 149

A more typical or standard file system used with IaaS that provides a virtual partition or hard disk to a virtual machine and can be used as a traditional hard drive would be, with a file system, folders, and file organization methods.

Question 150

WAF : Web Application Firewall

Answer 150

An appliance or software plug-in that parses and filters HTTP traffic from a browser or client and applies a set of rules before the traffic is allowed to proceed to the actual application server.

Question 151

web portal

Answer 151

A web-based application that provides tools, reporting, and visibility for a user into multiple systems. In a cloud environment, a web portal typically provides metrics and service up-sell / options / capabilities that the cloud customer may choose to consume.

Question 152

XML appliance

Extensible Mark-up Language (XML)

Answer 152

An appliance that is implemented within a network to secure and manage XML traffic; it is often used within a cloud environment to help integrate cloud-based systems with those still residing in traditional data centers.

Question 153

XML external entity

Extensible Mark-up Language (XML)

Answer 153

Occurs when a developer has in their code a reference to data on the application side, such as a database key, the directory structure of the applications, configuration information about the hosting system, or any other information that pertains to the workings of the application, that should not be exposed to users or the network.

Question 154

Honeypots

Answer 154

A honeypot is a system, isolated from the production system, that is designed to appear to an attacker to be part of the production system and contain valuable data. The intent of a honeypot is to lure would-be attackers into going after the honeypot instead of a real production system.