Chapter 7 Practice Exam 1 (Ben Malisow) Flashcards
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. What is the term for this kind of arrangement?
A. Public-key infrastructure (PKI)
B. Portability
C. Federation
D. Repudiation
C. Federation
Explanation:
This is the definition of federation.
PKI is used to establish trust between parties across an untrusted medium, portability is the characteristic describing the likelihood of being able to move data away from one cloud provider to another, and repudiation is when a party to a transaction can deny having taken part in that transaction.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. You want to connect your organization to 13 other organizations. You consider using the cross-certification model but then decide against it. What is the most likely reason for declining that option?
A. It is impossible to trust more than two organizations.
B. If you work for the government, the maximum parties allowed to share data is five.
C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.
D. Data shared among that many entities loses its inherent value.
C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.
Explanation:
In the cross-certification model, every participating organization has to review and approve every other organization; this does not scale well, and once the number of organizations gets fairly substantial, it becomes unwieldy.
Option A is incorrect because it is possible to trust more than two organizations.
Option B is not true.
There is no law or rule that limits the government to sharing data with five or fewer parties.
Option D is incorrect.
Sharing data does not automatically affect the value of the data.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. In order to pass the user IDs and authenticating credentials of each user among the organizations, what protocol, language, or technique will you most likely utilize?
A. Representational State Transfer (REST)
B. Security Assertion Markup Language (SAML)
C. Simple Object Access Protocol (SOAP)
D. Hypertext Markup Language (HTML)
B. Security Assertion Markup Language (SAML)
Explanation:
SAML 2.0 is currently the standard used to pass security assertions across the Internet.
REST and SOAP are ways of presenting data and executing operations on the Internet, and HTML is a way of displaying web pages.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you don’t use cross-certification, what other model can you implement for this purpose?
A. Third-party identity broker
B. Cloud reseller
C. Intractable nuanced variance
D. Mandatory access control (MAC)
A. Third-party identity broker
Explanation:
A third-party identity broker can serve the purpose of checking and approving all participants to the federation so that the participants don't have to perform that task.
A cloud reseller is an entity that sells cloud services without maintaining its own data center.
Option C is gibberish.
MAC is used to define access relations between subjects and objects.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you are in the United States, one of the standards you should adhere to is _______________.
A. National Institute of Standards and Technology (NIST) 800-53
B. Payment Card Industry (PCI)
C. ISO 27014
D. European Union Agency for Network and Information Security (ENISA)
A. National Institute of Standards and Technology (NIST) 800-53
Explanation:
NIST Special Publication 800-53 pertains to US federal information systems, guiding the selection of controls according to the Risk Management Framework.
PCI is a contractual standard for commercial entities that take credit card payments, not applicable to the government.
ENISA publishes a European standard, which is also not applicable to the United States.
ISO is not required for government systems in the US.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you are in Canada, one of the standards you will have to adhere to is _______________.
A. FIPS 140-2
B. PIPEDA
C. HIPAA
D. EFTA
B. PIPEDA
Explanation:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing protection of personal information.
The Federal Information Processing Standard (FIPS) 140-2 standard certifies cryptologic components for use by American federal government entities.
The Health Information Portability and Accountability Act (HIPAA) is an American law regulating patient information for medical providers.
The European Free Trade Association (EFTA) is not a standard; it is a group of European countries.
You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which of the following benefits will the CSA CCM offer your organization?
A. Simplifying regulatory compliance
B. Collecting multiple data streams from your log files
C. Ensuring that the baseline configuration is applied to all systems
D. Enforcing contract terms between your organization and the cloud provider
A. Simplifying regulatory compliance
Explanation:
The CSA CCM will aid you in selecting and implementing appropriate controls for various regulatory frameworks.
The CCM does not aid in collecting log files; that is the function of a security information and event management (SIEM), security event management (SEM), or security information management (SIM) tool.
The CCM will not help ensure that the baseline is applied to systems; automated configuration tools are available for that purpose (although this might be interpreted as desirable: the CCM will help you select appropriate controls for your baseline, but it won't check to see whether those are applied).
Contract terms are not enforced by the CCM; the service-level agreement (SLA) should be the mechanism for that task.
You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.
Which of the following regulatory frameworks is not covered by the CCM?
A. ISACA’s Control Objectives for Information and Related Technologies (COBIT)
B. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) privacy law
C. The ALL-TRUST framework from the environmental industry
D. The U.S. Federal Risk and Authorization Management Program (FedRAMP)
C. The ALL-TRUST framework from the environmental industry
Explanation:
Option C is a nonsense term made up as a distractor.
All the other frameworks are addressed in the CCM.
You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which tool, also available from the CSA, can be used in conjunction with the CCM to aid you in selecting and applying the proper controls to meet your organization’s regulatory needs?
A. The Consensus Assessments Initiative Questionnaire (CAIQ)
B. The Open Web Application Security Project (OWASP) Top Ten
C. The Critical Security Controls (CSC) list
D. National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2
A. The Consensus Assessments Initiative Questionnaire (CAIQ)
Explanation:
The CAIQ is a self-administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls.
The OWASP Top Ten is used to indicate trends in poor design of web applications.
The CSC may be a useful tool for choosing and implementing appropriate controls, but it comes from the Center for Internet Security (CIS), not the CSA.
FIPS 140-2 lists only approved cryptographic tools and is published by NIST.
You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. What is probably the best benefit offered by the CCM?
A. The low cost of the tool
B. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort
C. Simplicity of control selection from the list of approved choices
D. Ease of implementation by choosing controls from the list of qualified vendors
B. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort
Explanation:
The CCM allows you to note where specific controls (some of which you might already have in place) will address requirements listed in multiple regulatory and contractual standards, laws and guides.
Option A is a misnomer because the CCM is free of charge.
Options C and D are incorrect because the CCM does not list either specific controls or vendors.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective is set up in such a way that the members own various pieces of the network themselves, pool resources and data, and communicate and share files via the Internet. This is an example of what cloud model?
A. Hydrogenous
B. Private
C. Public
D. Community
D. Community
Explanation:
This is a community cloud, because various parties own different elements of it for a common purpose.
A private cloud would typically be owned by a single entity, hosted at a cloud provider data center.
A public cloud would be open to anyone and everyone.
Hydrogenous is a word that does not have relevant meaning in this context.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective wants to create a single sign-on experience for all members of the collective, where assurance and trust in the various members are created by having each member review all the others’ policies, governance, procedures, and controls before allowing them to participate. This is an example of what kind of arrangement?
A. Security Assertion Markup Language (SAML)
B. Cross-certification federation
C. Third-party certification federation
D. JavaScript Object Notation (JSON)
B. Cross-certification federation
Explanation:
The cross-certification model of federated identity requires all participants to review and confirm all the others.
SAML is the format most used for identity assertions in a federated environment.
JSON is a communications format for exchanging objects online.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective exchanges music files in two forms: images of written sheet music and electronic copies of recordings. Both of these are protected by what intellectual property legal construct?
A. Trademark
B. Copyright
C. Patent
D. Trade Secret
B. Copyright
Explanation:
A copyright protects expressions of ideas, usually creative expression.
Music, whether written or recorded, falls into this category.
Trademarks are for data that is associated with a brand of a company.
Patents are usually for processes or inventions.
Trade secrets are business elements kept from public disclosure; music would not usually fit into this category, as its value is derived from its distribution in the marketplace.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the participants in the collective using a third-party certification model, who would be the federated service provider(s) in that structure?
A. The third party
B. A cloud access security broker (CASB)
C. The various members of the collective
D. The cloud provider
C. The various members of the collective
Explanation:
In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers.
In a third-party certification model, the third party is the identity provider; this is often a CASB.
The cloud provider is neither a federated identity provider nor a federated service provider, unless the cloud provider is specifically chosen as the third party providing this function; in this question, option C is more general and requires no assumptions, so it is the correct choice.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. You are fairly certain the complaint is not applicable and that the material in question does not belong to anyone else. What should you do in order to comply with the law?
A. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded.
B. Leave the material up, do an investigation, and post the results of the investigation alongside the material itself once the investigation is complete.
C. Ignore the complaint.
D. Leave the material up until such time as the complainant delivers an enforceable governmental request, such as a warrant or subpoena.
A. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded.
Explanation:
This is the correct process, according to the law.
The rest are not proper procedures for complying with the law and are therefore incorrect and inadvisable.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. Upon investigation, you determine that the material in question is the sheet music for a concerto written in 1872. What should you do in order to comply with the law?
A. Contact the current owners of the copyright in order to get proper permissions to host and exchange the data.
B. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit.
C. Apply for a new copyright based on the new usage of the material.
D. Offer to pay the complainant for the usage of the material.
B. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit.
Explanation:
Copyrights expire after a certain duration and then fall into the public domain, where they can be used by anyone for any purpose.
This material certainly exceeds the time of any copyright protection.
All other options are invalid.
Bob is designing a data center to support his organization, a financial services firm. What Uptime Institute tier rating should Bob try to attain in order to meet his company’s needs without adding extraneous costs?
A. 1
B. 2
C. 3
D. 4
C. 3
Explanation:
Tier 3 should probably suffice for Bob's purposes, providing sufficient redundancy and resiliency.
Tier 4 probably offers more than what Bob needs; it will cost considerably more than a Tier 3 implementation and is most likely only necessary for organizations providing health and human services (hospitals and trauma centers, for instance).
Tiers 1 and 2 are probably not sufficient and might only be considered for non-constant situations, such as archiving and backup.
Bob is designing a data center to support his organization, a financial services firm. Bob’s data center will have to be approved by regulators using a framework under which law?
A. Health Industry Portability and Accountability Act (HIPAA)
B. Payment Card Industry (PCI)
C. Gramm–Leach–Bliley Act (GLBA)
D. Sarbanes–Oxley Act (SOX)
C. Gramm–Leach–Bliley Act (GLBA)
Explanation:
GLBA mandates requirements for securing personal account information in the financial and insurance industries; Bob's company provides financial services, so he will definitely need to comply with GLBA.
If Bob's company is publicly traded, he may have to comply with SOX, but we do not know enough about Bob's company from the question to choose that answer.
HIPAA is a requirement for only medical providers and their business associates.
PCI is not a law.
Bob is designing a data center to support his organization, a financial services firm. Which of the following actions would best enhance Bob’s efforts to create redundancy and resiliency in the data center?
A. Ensure that all entrances are secured with biometric-based locks.
B. Purchase uninterruptible power supplies (UPSs) from different vendors.
C. Include financial background checks in all personnel reviews for administrators.
D. Make sure all raised floors have at least 24 inches of clearance.
B. Purchase uninterruptible power supplies (UPSs) from different vendors.
Explanation:
Using different vendors for multiple systems of the same type adds not only redundancy but also resiliency; if one product has an inherent manufacturing flaw, the other should not, if it comes from a different producer.
The other suggestions are all suitable but do not offer redundancy or resiliency.
Bob is designing a data center to support his organization, a financial services firm. How long should the uninterruptible power supply (UPS) provide power to the systems in the data center?
A. 12 hours
B. An hour
C. 10 minutes
D. Long enough to perform graceful shutdown of the data center systems
D. Long enough to perform graceful shutdown of the data center systems
Explanation:
Traditionally, it would be optimum if the UPS lasted as long as necessary until the generator is able to take over the electrical load that was previously handled by utility power.
However, the absolute baseline for battery power is just long enough for all systems to complete their transactions without losing data.
The other options are incorrect because they use finite, specific durations; there is no single value that is optimum for all organizations.
You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a _______________.
A. Functional requirement
B. Nonfunctional requirement
C. Regulatory issue
D. Third-party function
B. Nonfunctional requirement
Explanation:
It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering; you are delivering entertainment, which is the primary goal. Security is therefore a nonfunctional requirement.
If you were creating security products, security would be a functional requirement; games are not security products.
A game with security flaws is still a game and fulfills the purpose.
Option A is therefore incorrect (although this is hotly debated among IT security personnel; remember, the game can exist without a security department, but the security department couldn't exist without games).
Thus far, regulations have not imposed particular security conditions on delivered products by statute.
This does not obviate all liability from shipping defective products, of course; the need for due care and due diligence remains.
However, this is a much lower threshold than direct statutory guidance, which (to date) exists in fields other than software development.
Option C is incorrect.
Outsourcing may or may not be used when performing software security reviews; there is not enough information in the question to determine which method your company uses, so option D is too specific for the vague data provided.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of _______________.
A. Static testing
B. Dynamic testing
C. Code review
D. Open source review
B. Dynamic testing
Explanation:
Testing the product in a runtime context is dynamic testing.
Because this is being done at runtime, it is neither code review nor static testing; options A and C are incorrect.
Using a small pool of specified individuals is not truly open source, which would involve releasing the game to the public.
Option D is incorrect.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. To optimize this situation, the test will need to involve _______________.
A. Management oversight
B. A database administrator
C. A trained moderator
D. Members of the security team
C. A trained moderator
Explanation:
The moderator will serve to guide the experience in an objective, dispassionate manner, without influencing the test, as well as help document the outcomes.
Having managers in attendance would present a form of unnecessary micromanagement; option A is wrong.
There is no need for a database administrator (DBA) to be involved in the test; option B is wrong.
The security team should use the data gathered from the test, but they do not need to be present for the testing; option D is incorrect.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Of the parties listed, who should most be excluded from the test?
A. Management
B. Security personnel
C. Billing department representatives
D. The game developers
D. The game developers
Explanation:
It is absolutely essential that the developers are not present during the actual testing, as they are likely to influence the test unduly, purposefully or otherwise.
The other parties do not need to participate in the testing process but are not as undesirable as the developers; all the other options are incorrect.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. It is absolutely crucial to include _______________ as part of this process.
A. Managerial oversight
B. Signed nondisclosure agreements
C. Health benefits
D. The programming team
B. Signed nondisclosure agreements
Explanation:
Having the test participants provide signed nondisclosure agreements is an absolutely essential part of this process; they will be exposed to proprietary material and need to be held accountable for any disclosures they might make.
Managerial oversight is not at all necessary at this level of development and would actually be a form of micromanagement; option A is incorrect.
Health benefits are in no way appropriate for temporary, unpaid testers; option C is only a distractor.
Programmers should be prevented from participating in testing, as they have inherent bias and may unduly influence the results.
You are the IT security manager for a video game software development company. Which of the following is most likely to be your primary concern on a daily basis?
A. Health and human safety
B. Security flaws in your products
C. Security flaws in your organization
D. Regulatory compliance
C. Security flaws in your organization
Explanation:
The most grave concern to your company is the loss of proprietary information; that is, your games, which are your property and means of profit.
Security flaws in your organization could lead to a total loss of your property, which could end your business.
This is one of the very few questions where health and human safety is not the correct answer to a security issue; there just isn't much danger involved in either producing or consuming video games (aside from dated, anecdotal reports of seizures resulting from flashing images, which lacked scientific substantiation).
Though this will be something you must consider (such as workplace violence issues), it will not be a daily activity.
Security flaws in your products will most likely not be critical or of grave impact; people who hack your game after shipping may be able to include additional functionality or violate some elements of copy protection, but this is not as threatening as pre-release exposure of the material.
Current laws do not dictate much in the way of either content or functionality for software (other than in very specific industries, such as health care or financial services).
You are the IT security manager for a video game software development company. Which type of intellectual property protection will your company likely rely upon for legally enforcing your rights?
A. Trademark
B. Patent
C. Copyright
D. Trade secret
C. Copyright
Explanation:
Software is protected by copyright.
All the other options are forms of intellectual property protection but are not applicable to software for the most part (trademarked names and characters may be important, but not as important as the copyright).
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Results gathered from this activity are _______________.
A. Useless
B. Harmful
C. Desirable
D. Illegal
C. Desirable
Explanation:
This is a very pragmatic and helpful means of gathering inputs that are unpredictable and difficult to simulate and that mimic the conditions under which the software will operate.
All the other options are incorrect.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Trying to replicate this phenomenon in a testbed environment with internal testing mechanisms is called _______________.
A. Source code review
B. Deep testing
C. Fuzz testing
D. White-box testing
C. Fuzz testing
Explanation:
Fuzz testing is the term used to describe the use of known-bad or randomized inputs to determine what unintended results may occur.
Source code review, just like it sounds, is a review of the actual program code; option A is incorrect.
Deep testing is a made-up term; option B is incorrect.
White-box testing is a term used to describe a form of code review; option D is incorrect.
You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following methods could be used to determine if your ownership rights were violated?
A. Physical surveillance of their property and personnel
B. Communications tapping of their offices
C. Code signing
D. Subverting insiders
C. Code signing
Explanation:
Digitally signing software code is an excellent method for determining original ownership and has proven effective in major intellectual property rights disputes.
All the other options represent solutions that not only lack efficacy but are also often illegal.
You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following legal methods are you likely able to exercise to defend your rights?
A. Criminal prosecution
B. Public hearings
C. Civil court
D. Arrest and detention
C. Civil court
Explanation:
Enforcement of copyright is usually a tortious civil action, as a conflict between private parties.
Only crimes involve arrest, detention and prosecution; most copyright cases such as this would not be tried as a crime, and the government would not be involved (other than in the form of the judge/court).
Options A and D are incorrect.
Public hearings are not used to gain restitution for harmful acts; option B is incorrect.
You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You suggest that a(n) _______________ service model will best meet this requirement.
A. IaaS
B. PaaS
C. SaaS
D. TaaS
B. PaaS
Explanation:
A platform as a service (PaaS) environment will likely provide the best option for testing the game; the provider will offer various OS platforms for the game to run on, giving your company the opportunity to reach as many customers (using various platforms) as possible and raising your potential for market penetration.
Although infrastructure as a service (IaaS) is not a terrible option and would give your team additional control of the entire test, it would also require the team to duplicate many platforms and OSs, requiring a much greater level of effort and additional expertise at what would likely be a much greater cost.
Option B is preferable to option A.
A software as a service (SaaS) model will not allow your team to install and run the game; option C is incorrect.
You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You remind them that it is absolutely crucial that they perform _______________ before including any sample player or billing data.
A. Vulnerability scans
B. Intrusion detection
C. Masking
D. Malware scans
C. Masking
Explanation:
To attenuate the risks of inadvertent disclosure inherent in untested software, it is essential to obfuscate any raw production data (such as potential personally identifiable information [PII]) before including it in any test environment.
The other options represent activity that is obviously beneficial but secondary to the importance of masking production data.
Think of it this way: even if there is a vulnerability, breach, or malware in the test environment, if raw data is included something of value is lost; if dummy or masked data is the only content included, nothing of value is lost.
Which of the following is not an essential element defining cloud computing?
A. Broad network access
B. Metered service
C. Off-site storage
D. On-demand self-service
C. Off-site storage
Explanation:
Off-site storage is not intrinsic to the definition of cloud computing; all the other options are.
Which of the following is not an essential element defining cloud computing?
A. Rapid elasticity
B. Pooled resources
C. On-demand self-service
D. Immediate customer support
D. Immediate customer support
Explanation:
Immediate customer support may be an option offered by some cloud providers, but it is not a defining characteristic of the industry.
All the other options are.
In what cloud computing service model is the customer responsible for installing and maintaining the operating system?
A. IaaS
B. PaaS
C. SaaS
D. QaaS
A. IaaS
Explanation:
In the infrastructure as a service (IaaS) model, the customer is responsible for everything up from the hardware layer.
In platform as a service (PaaS) and software as a service (SaaS), this will be performed by the provider; options B and C are incorrect.
QaaS is an invented term and not meaningful; option D is wrong.
Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contract) for ending the contract at any point prior to the scheduled date. This is best described as an example of _______________.
A. Favorable contract terms
B. Strong negotiation
C. Infrastructure as a service (IaaS)
D. Vendor lock-in
D. Vendor lock-in
Explanation:
Vendor lock-in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer.
These contract terms can be described as favorable only from the provider's perspective; option D is preferable to option A for describing this situation.
There was no description of negotiation included in the question; option B is incorrect.
IaaS is a service model and doesn't really apply to anything in this context; option C is incorrect.
There are two general types of smoke detectors. Which type uses a small portion of radioactive material?
A. Photoelectric
B. Ionization
C. Electron pulse
D. Integral field
B. Ionization
Explanation:
Ionization detectors usually use a small amount of americium in the detection chamber.
Photoelectric detectors use a light source instead; option A is incorrect.
Options C and D are incorrect because they are meaningless in this context.
You are the privacy data officer for a large hospital and trauma center. You are called on to give your opinion of the hospital’s plans to migrate all IT functions to a cloud service. Which of the following Uptime Institute tier-level ratings would you insist be included for any data center offered by potential providers?
A. 1
B. 2
C. 3
D. 4
D. 4
Explanation:
Because the nature of a life-support effort requires absolute availability, nothing less than a Tier 4 data center will serve your purposes.
All the other options are incorrect.
What is the most important factor when considering the lowest temperature setting within a data center?
A. System performance
B. Health and human safety
C. Risk of fire
D. Regulatory issues
B. Health and human safety
Explanation:
Bare skin sticks to cold metal.
Most modern systems don't suffer performance degradation at the lower end of the temperature spectrum; it's the higher temperatures that are of concern for that aspect of the data center.
Option B is preferable to option A.
Similarly, high temperature invokes a greater risk of fire, not low temperature, and this environmental aspect is perhaps the factor least impacting risk of fire anyway; option C is incorrect.
Any regulatory issues stemming from a workplace that is too cold correlate directly with risks to health and human safety, so option B is still preferable to option D.
Storage controllers will typically be involved with each of the following storage protocols except _______________.
A. Internet Small Computer Systems Interface (iSCSI)
B. RAID
C. Fibre Channel
D. Fibre Channel over Ethernet
B. RAID
Explanation:
This question might be susceptible to overthinking because it is simplistically straightforward: RAID is not a protocol; it's a configuration mechanism.
All the other options are storage protocols that will involve storage controllers.
When you’re using a storage protocol that involves a storage controller, it is very important that the controller be configured in accordance with _______________.
A. Internal guidance
B. Industry standards
C. Vendor guidance
D. Regulatory dictates
C. Vendor guidance
Explanation:
While it is important to follow internal policy, industry standards and regulations when they are applicable, vendor guidance will most often offer the most detailed, specific settings for the particular product in question; the other forms of guidance do not usually specify individual products/versions.
This does not mean using the default configuration; the vendor will continue to publish suggestions and recommendations for optimizing performance and security of the product after it goes into distribution in order to meet evolving needs and threats.
What is the importance of adhering to vendor guidance in configuration settings?
A. Conforming with federal law
B. Demonstrating due diligence
C. Staying one step ahead of aggressors
D. Maintaining customer satisfaction
C. Staying one step ahead of aggressors
Explanation:
Applying vendor configurations is an excellent method for demonstrating due diligence in IT security efforts.
Always remember that proper documentation of the action is also necessary.
Federal law rarely dictates application of vendor guidance, or any other specific security method for individual platforms; option A is incorrect.
Aggressors will almost always be on the offensive and adapt attack methodology faster than our industry creates defenses; even vendor guidance is usually reactive.
Option C is incorrect.
Customers rarely have any idea of (or reason to know) configuration settings; option D is incorrect.
Which of the following is a true statement about the virtualization management toolset?
A. It can be regarded as something public facing.
B. It must be on a distinct, isolated management network (virtual local area network [VLAN]).
C. It connects physically to the specific storage area allocated to a given customer.
D. The responsibility for securely installing and updating it falls on the customer.
B. It must be on a distinct, isolated management network (virtual local area network [VLAN]).
Explanation:
All management functions should take place on a highly secure, isolated network.
The toolset may be available via remote access but is not in any way to be considered public facing; option A is incorrect.
Resource pooling contradicts direct connections to any particular storage mechanism; option C is incorrect.
Usually virtualization management will be a responsibility of the provider because it is a crucial element for all customers; option D is incorrect.
In order to ensure proper _______________ in a secure cloud network environment, consider the use of Domain Name System Security Extensions (DNSSEC), Internet Protocol Security (IPSec), and Transport Layer Security (TLS).
A. Isolation
B. Motif
C. Multitenancy
D. Signal modulation
A. Isolation
Explanation:
Isolation in the cloud is imperative, largely because of multitenancy (not to support it, as option C implies).
In order to do this, the use of technologies like those listed in the question is warranted.
Options B and D have no meaning in this context and are therefore incorrect.
Domain Name System Security Extensions (DNSSEC) provides all of the following except _______________.
A. Payload encryption
B. Origin authority
C. Data integrity
D. Authenticated denial of existence
A. Payload encryption
Explanation:
DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer (the other options).
This does not include payload encryption; confidentiality is not an aspect of DNSSEC.
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________.
A. Updating the OS baseline image according to a scheduled interval to include any necessary security patches and configuration modifications
B. Starting with a clean installation (hardware or virtual) of the desired OS
C. Including only the default account credentials and nothing customized
D. Halting or removing all unnecessary services
C. Including only the default account credentials and nothing customized
Explanation:
Default credentials are the bane of security, everywhere.
This is definitely the correct answer because it should not be part of the baseline build.
All the other options are actual baselining functions.
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________.
A. Removing all nonessential programs from the baseline image
B. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems
C. Including the baseline image in the asset inventory and configuration management database
D. Configuring the host OS according to the baseline requirements
B. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems
Explanation:
Baseline systems need current patches/configuration updates in order to be used to replicate production systems.
All the other options are actual baselining functions.
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline, except _______________.
A. Auditing the baseline to ensure that all configuration items have been included and applied correctly
B. Imposing the baseline throughout the environment
C. Capturing an image of the baseline system for future reference, versioning, and rollback purposes
D. Documenting all baseline configuration elements and versioning data
B. Imposing the baseline throughout the environment
Explanation:
Before applying the baseline to the environment, it is important to determine if there are any offices/systems that will require exceptions; not all baselines meet all business needs.
All the other options are actual baselining functions.
You are the IT director for a small contracting firm. Your company is considering migrating to a cloud production environment. Which service model would best fit your needs if you wanted an option that reduced the chance of vendor lock-in but also did not require the highest degree of administration by your own personnel?
A. IaaS
B. PaaS
C. SaaS
D. TanstaafL
B. PaaS
Explanation:
With a platform as a service (PaaS), the cloud provider will administer both the hardware and the OS, but you will be in charge of managing the applications and data.
There is less likelihood of vendor lock-in with PaaS than with software as a service (SaaS), because your data will not be put into any proprietary format (option B is preferable to option C).
With infrastructure as a service (IaaS), your company will still retain a great deal of the administrative responsibility, so PaaS is a better option; option B is preferable to option A.
Option D has no applicability in this context and is incorrect.