Chapter 8 Practice Exam 2 (Ben Malisow) Flashcards

1
Q

You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. In reviewing provider options, management considers an offer from Cloud Services Corp., who has contracts with several cloud providers and data centers and has offered to tailor a package of services for your company’s needs. In this case, Cloud Services Corp. is considered a _______________.

A. Cloud provider
B. Cloud customer
C. Cloud reseller
D. Cloud database

A

C. Cloud reseller

Explanation:
 A cloud reseller is a firm that contracts with both cloud providers and customers in order to arrange custom services. The cloud provider(s), in this case, would be those entities selling services to Cloud Services Corp. Option A is incorrect. The cloud customer, in this case, would be your company. Option B is incorrect. No aspect of the question describes a cloud database specifically. Option D is incorrect.

2
Q

You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. Management has expressed a concern that any cloud provider the company chooses will have your company at a disadvantage—that your company will be at great risk because the provider will have your data and operational capability, and that the provider could hold the data “hostage” in order to raise the price of the service dramatically at the end of the contract term. To address management’s concerns, you should try to find a cloud offering that places a great deal of emphasis on the _______________ trait of cloud computing.

A. Resource pooling
B. Scalability
C. Portability
D. Metered service

A

C. Portability

Explanation:
Portability is the aspect of cloud computing that describes the ability to move data and operations away from a given cloud provider (either to another cloud provider or to an on-premises solution) without prohibitive cost or re-engineering; it is the direct counter to vendor lock-in, which is what management is describing. All the other options are aspects of cloud computing but do not aid in addressing the concerns described in the question.

3
Q

You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. As you consider possible providers, you are careful to check that they each offer the essential traits of cloud computing. These include all of the following except _______________.

A. Broad network access
B. Metered service
C. On-demand self-service
D. Automatic anti-malware and intrusion prevention

A

D. Automatic anti-malware and intrusion prevention

Explanation:
While many cloud providers will offer these services (as well as many others), they are not defining characteristics of cloud computing. All the other options are defining characteristics of cloud computing.

4
Q

You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. Your company wants to install its own software solutions in a managed environment to decrease the cost of purchasing and maintaining the hardware of a data center. You should most likely be considering a(n) _______________ offering.

A. IaaS
B. PaaS
C. SaaS
D. Hybrid

A

B. PaaS

Explanation:
A platform as a service (PaaS) model will probably best suit your company’s needs, as it allows the customer (your company) to install software and load data onto a hardware infrastructure owned and operated by the provider, with the provider also maintaining the operating system and runtime. An infrastructure as a service (IaaS) solution may be viable for this situation, because it allows the same functionality, but it also requires the customer (your company) to install, patch, and maintain the OS(s) that run the software. In looking to decrease the cost of investment and maintenance, the PaaS model is probably preferable; option A is not as good as option B in this case. A software as a service (SaaS) model does not allow the customer to install software; option C is incorrect.
A hybrid cloud model usually requires the customer to maintain at least part of the hardware infrastructure; given the description of the situation in this question, option D is not as good a fit as option B.

5
Q

If a company wanted to retain some of its own internal traditional hardware but use the cloud as a means of performing software testing functions, which service and deployment models should it probably use?

A. PaaS, hybrid
B. IaaS, private
C. PaaS, community
D. SaaS, hybrid

A

A. PaaS, hybrid

Explanation:
 Platform as a service (PaaS) models are particularly useful for performing software testing because the customer can install and run their own programs across multiple OSs/systems. A hybrid model is used to describe a situation where ownership of the infrastructure is split between the provider and the customer. A software as a service (SaaS) or infrastructure as a service (IaaS) model would not be optimum for software testing; options B and D are incorrect. A community cloud model involves the joint ownership of infrastructure among many providers and customers; option C is not correct.

6
Q

A company wants to absolutely minimize their involvement in administration of IT; which combination of cloud service model and deployment should it consider?

A. IaaS, private
B. PaaS, private
C. SaaS, private
D. SaaS, public

A

D. SaaS, public

Explanation:
A software as a service (SaaS) model reduces customer involvement more than the other models; a public cloud deployment likewise reduces customer participation in ownership and maintenance of infrastructure. Infrastructure as a service (IaaS) and platform as a service (PaaS) models require the customer to participate in some administration of the environment; options A and B are incorrect. A private cloud entails customer involvement in at least the detailing of governance of the environment; option C is incorrect.

7
Q

During a cost–benefit analysis, your company determines that it spends a disproportionate amount of money on software licensing and administration. Which cloud model may best help your company to reduce these costs?

A. IaaS
B. PaaS
C. SaaS
D. Hybrid

A

C. SaaS

Explanation:
 In a software as a service (SaaS) model, the cloud provider is tasked with acquiring and managing the software licenses; the scale of a cloud provider’s operations can allow them to reduce the per-seat cost of software considerably. The customer is still responsible for some software licensing and maintenance activities (and therefore costs) in infrastructure as a service (IaaS) and platform as a service (PaaS) models; options A and B are incorrect.
A hybrid deployment usually entails the customer maintaining some infrastructure elements, and that usually would also include software licensing requirements. Option D is incorrect.

8
Q

Your company does not have a well-trained, experienced IT staff and is reluctant to spend more money on training personnel (in recent company history, personnel have received training and then immediately quit the company to work for competitors). If senior management considers cloud migration, which deployment model would probably best suit their needs?

A. Public
B. Private
C. Community
D. Hybrid

A

A. Public

Explanation:
A public cloud deployment would probably best meet the needs of a company without a robust, trained IT staff, because the cloud provider is responsible for the greatest degree of administration and maintenance compared to the other options. Private, community, and hybrid deployments each require the customer to own or operate some part of the environment, and therefore require personnel with more experience and training. Options B, C, and D are incorrect.

9
Q

Your company operates under a high degree of regulatory scrutiny. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company’s compliance needs. Which deployment model would probably best suit the company’s needs?

A. Public
B. Private
C. Community
D. Hybrid

A

B. Private

Explanation:
A private cloud arrangement allows the customer to have greater control of the governance and policy within an environment. All the other options are cloud deployment models that allow the customer less control over the environment as a whole.

10
Q

Your company operates in a highly competitive market, with extremely high-value data assets. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company’s security needs. Which deployment model would probably best suit the company’s needs?

A. Public
B. Private
C. Community
D. Hybrid

A

B. Private

Explanation:
A private cloud model can allow the customer to have the greatest assurance of confidentiality compared to the other models.
Options A, C, and D provide less confidentiality than option B and are therefore incorrect.

11
Q

Your company operates in a highly cooperative market, with a high degree of information sharing between participants. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company’s collaboration needs. Which deployment model would probably best suit the company’s needs?

A. Public
B. Private
C. Community
D. Hybrid

A

C. Community

Explanation:
A community cloud entails all participants having some degree of ownership of and responsibility for the cloud environment; it is the preferred model for cooperative ownership and collaboration among a group with a shared interest or goal. The other deployment models leave control with a single provider (public), a single customer (private), or a mix of the two (hybrid), none of which is designed around shared participation.

12
Q

Your company maintains an on-premises data center for daily production activities but wants to use a cloud service to augment this capability during times of increased demand (cloud bursting). Which deployment model would probably best suit the company’s needs?

A. Public
B. Private
C. Community
D. Hybrid

A

D. Hybrid

Explanation:
A hybrid model, in which the organization’s own on-premises (private) capacity handles normal load and public cloud capacity is added only during periods of increased demand, is almost a textbook description of this arrangement and is exactly what cloud-bursting techniques rely on.

13
Q

A company is considering a cloud migration to a platform as a service (PaaS) environment. Which of the following factors might make the company less likely to choose the cloud environment?

A. The company wants to reduce overhead costs.
B. The company operates proprietary software.
C. The company hopes to reduce energy costs related to operation of a data center.
D. The company is seeking to enhance its business continuity and disaster recovery (BC/DR) capabilities.

A

B. The company operates proprietary software.

Explanation:
A customer using proprietary software in a PaaS environment faces the risk that updates to the underlying OS(s) and/or hardware infrastructure will not be compatible with the customer’s software and will affect productivity. Cloud migration can, however, aid in reducing overhead costs, including energy costs associated with operating a data center, and can enhance BC/DR capability through the provider’s increased investment in redundancy and continuity.

14
Q

Which mechanism best aids to ensure that the cloud customer receives dependable, consistent performance in the cloud environment?

A. Audits
B. Service-level agreement (SLA)
C. Regulators
D. Training

A

B. Service-level agreement (SLA)

Explanation:
The service-level agreement creates financial incentive for the cloud provider to meet the customer’s needs on a consistent basis. Audits and regulators might help this effort, somewhat, by ensuring that the provider adheres to certain mandates and standards, but these are less convincing (and occur after the fact of delivery) than profit motive. Options A and C are incorrect. Training does not really aid the efforts described in the question; option D is incorrect.

15
Q

What is the business advantage of shifting from capital expenditure in an on-premises environment to the operating expenditures of a cloud environment?

A. Reduces the overall cost
B. Reduces tax exposure
C. Reduces cash flow risks
D. Increases profit

A

C. Reduces cash flow risks

Explanation:
 By spreading costs over time, a business can reduce the risk that there will be a lack of money at any given time, impacting operations. A shift from a capital expenditure scheme to an operational expenditure arrangement does not necessarily mean that overall costs decrease; in fact, costs might very likely increase because the sum of the OpEx installments may total more than the CapEx would have been. Option A is incorrect.
CapEx usually reduces tax exposure because it allows for depreciation of assets, whereas OpEx does not. Option B is not correct. Whether the business uses CapEx or OpEx financing does not necessarily increase or decrease profit. Option D is incorrect.

16
Q

A host-based firewall in a virtualized cloud environment might have aspects of all the following types of controls except _______________.

A. Administrative
B. Deterrent
C. Corrective
D. Preventive

A

B. Deterrent

Explanation:
This is a complicated question and requires a significant amount of understanding of control types. A firewall uses aspects of administrative controls: the firewall policy is a set of rules that dictate the type of traffic and the source/destination of that traffic. Option A is incorrect. Firewalls can be set to change activity in reaction to detected threats, which is a corrective action; option C is incorrect. Firewall rules can also prevent certain kinds of traffic/access; option D is incorrect. However, the effect of a deterrent control is the result of its perception by someone who might engage in wrongdoing; unless it is perceived, the control is not really a deterrent. Most firewalls don’t function in that manner; they are transparent to both legitimate users and attackers, who simply see dropped packets or refused connections. Option B is therefore correct.

17
Q

A virtual network interface card (NIC) exists at Layer _______________ of the OSI model.

A. 2
B. 4
C. 6
D. 8

A

A. 2

Explanation:
A NIC, physical or virtual, is a Data Link (Layer 2) device: it has a MAC address and sends and receives frames, and the hypervisor’s virtual switch performs the Layer 2 forwarding between virtual NICs and the physical uplink. Layer 4 is the Transport layer (TCP/UDP) and Layer 6 is the Presentation layer, so options B and C are incorrect. Option D is incorrect because there is no Layer 8 in the Open Systems Interconnection (OSI) model.

18
Q

Which technology is most associated with tunneling?

A. IPSec
B. GRE
C. IaaS
D. XML

A

B. GRE

Explanation:
Generic Routing Encapsulation (GRE) is a tunneling protocol, designed specifically to encapsulate one protocol’s packets inside another’s; it provides no confidentiality or integrity on its own, which is why it is commonly carried inside IPSec. IPSec may or may not involve tunneling: in tunnel mode it encapsulates the entire original IP packet, while in transport mode it protects only the payload of the existing packet. Option A is incorrect. Infrastructure as a service (IaaS) may or may not use tunneling for remote access and administration; option C is incorrect. Extensible Markup Language (XML) is a format for communicating data; option D is incorrect.

19
Q

Secure Shell (SSH) tunneling can include all of the following services except _______________.

A. Remote log-on
B. Content filtering
C. Port forwarding
D. Command execution

A

B. Content filtering

Explanation:
SSH does not offer content filtering; that is a function of proxies and gateways. It does offer all the services listed in the other options: remote log-on (an interactive shell), remote command execution, and port forwarding (local, remote, and dynamic/SOCKS), which is the basis of SSH tunneling. Because a tunnel carries arbitrary forwarded traffic inside the encrypted SSH session, it can be used to bypass content filtering, which is one reason outbound SSH from end-user networks is often restricted.

20
Q

Transport Layer Security (TLS) is a session encryption tool that uses _______________ encryption to create a _______________ session key.

A. Symmetric, symmetric
B. Asymmetric, symmetric
C. Asymmetric, asymmetric
D. Symmetric, asymmetric

A

B. Asymmetric, symmetric

Explanation:
TLS uses asymmetric cryptography during the handshake (an ephemeral Diffie-Hellman key agreement in TLS 1.3, or RSA key transport or (EC)DHE in earlier versions, with the server’s certificate authenticating the exchange) to establish a shared secret, from which symmetric session keys are derived; the record data itself is then protected with a symmetric cipher such as AES-GCM or ChaCha20-Poly1305, because symmetric encryption is far faster for bulk data. Answers that use only one kind of cryptography miss half of that division of labor, so options A, C, and D are incorrect.
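
The handshake described above, worked through in code as an added example (this is not part of the flashcards, and it is a teaching implementation rather than a TLS library): X25519 Diffie-Hellman (RFC 7748) is the asymmetric step, HKDF-SHA256 (RFC 5869) turns the shared secret into symmetric key material, and both peers are shown arriving at the same keys. The handshake is simplified: the public keys are not authenticated by a certificate, the "transcript" is just the two key shares, and the HKDF label is made up for the example.

```python
"""Ephemeral key agreement as a TLS 1.3 handshake does it: asymmetric operations
(X25519 Diffie-Hellman, RFC 7748) produce a shared secret only the two peers can
compute, and a key derivation function (HKDF-SHA256, RFC 5869) turns it into
symmetric session keys. Standard library only. Illustrative: public keys are not
authenticated and no record-layer encryption is shown."""
import hashlib
import hmac
import os

P = 2**255 - 19                      # field prime of Curve25519
A24 = 121665                         # (486662 - 2) / 4, Montgomery ladder constant
BASE_POINT = (9).to_bytes(32, "little")


def _cswap(swap: int, a: int, b: int):
    """Swap a and b when swap == 1, branch-free in spirit (Python ints are not constant-time)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on Curve25519 with the Montgomery ladder (RFC 7748 section 5)."""
    k = bytearray(scalar)
    k[0] &= 248                       # clamp: clear the low 3 bits ...
    k[31] = (k[31] & 127) | 64        # ... clear bit 255, set bit 254
    k = int.from_bytes(k, "little")
    u = bytearray(u_bytes)
    u[31] &= 127                      # the top bit of the u-coordinate is ignored
    x_1 = int.from_bytes(u, "little") % P
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * (da - cb) ** 2 % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869)."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def handshake(client_priv: bytes, server_priv: bytes):
    """Both peers' view of the exchange; returns the 64 bytes of key material each side derives."""
    client_pub = x25519(client_priv, BASE_POINT)   # sent in ClientHello (key_share)
    server_pub = x25519(server_priv, BASE_POINT)   # sent in ServerHello (key_share)
    # Each side combines its own private scalar with the peer's public point.
    client_secret = x25519(client_priv, server_pub)
    server_secret = x25519(server_priv, client_pub)
    # Real TLS binds a hash of every handshake message; here only the two key shares.
    transcript = hashlib.sha256(client_pub + server_pub).digest()
    derive = lambda s: hkdf_sha256(s, b"", b"example traffic secrets" + transcript, 64)
    return derive(client_secret), derive(server_secret)


def rfc7748_vector_ok() -> bool:
    """Sanity check against the X25519 test vector in RFC 7748 section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(a, BASE_POINT), x25519(b, BASE_POINT)
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return (a_pub.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and b_pub.hex() == "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
            and x25519(a, b_pub).hex() == shared == x25519(b, a_pub).hex())


if __name__ == "__main__":
    assert rfc7748_vector_ok()
    c_keys, s_keys = handshake(os.urandom(32), os.urandom(32))
    print("peers agree:", c_keys == s_keys, "| key material:", c_keys[:16].hex(), "...")
```

The point to take from running it: the private scalars never leave their owner, only the two public points cross the wire, and yet both sides end with identical symmetric keys; an eavesdropper holding both public points cannot compute the shared secret. What the example omits, and what TLS adds, is authentication of those public points (otherwise a man in the middle can run two handshakes), binding of the full handshake transcript into the derivation, and the record-layer symmetric cipher that uses the derived keys.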

21
Q

Which of the following architecture frameworks was designed for service delivery entities, from the perspective of how they serve customers?

A. SABSA (Sherwood Applied Business Security Architecture)
B. ITIL
C. COBIT (Control Objectives for Information and Related Technologies)
D. TOGAF (The Open Group Architecture Framework)

A

B. ITIL

Explanation:
ITIL was specifically designed to address service delivery entities and how they provide service to their customers; it originated with the UK government’s Central Computer and Telecommunications Agency (CCTA) in the 1980s as a set of IT service management practices. SABSA is a means of looking at security capabilities from a business perspective; option A is incorrect. COBIT is designed for all types of business, regardless of their purpose; option C is incorrect. TOGAF is a general enterprise architecture framework, a means to incorporate security architecture with the overall business architecture; option D is incorrect.

22
Q

The Cloud Security Alliance (CSA) created the Trusted Cloud Initiative (TCI) to define principles of cloud computing that providers should strive for in order to foster a clear understanding of the cloud marketplace and to enhance that market. Which of the following is not one of the CSA’s TCI fundamental principles?

A. Delegate or federate access control when appropriate.
B. Ensure the [trusted cloud] architecture is resilient, elastic, and flexible.
C. Ensure the [trusted cloud] architecture addresses and supports multiple levels of protection.
D. Provide economical services to all customers, regardless of point of origin.

A

D. Provide economical services to all customers, regardless of point of origin.

Explanation:
 The TCI does not, specifically, require cost-effectiveness of cloud services. All the other options are principles detailed in the TCI.

23
Q

Data loss prevention or data leak protection (DLP) solutions typically involve all of the following aspects except _______________.

A. Data discovery
B. Tokenization
C. Monitoring
D. Enforcement

A

B. Tokenization

Explanation:
Tokenization is not typically an aspect of DLP solutions; it is a separate data protection technique that replaces a sensitive value with a surrogate token and keeps the mapping in a protected vault. Data discovery, monitoring, and enforcement are the core functions of a DLP solution, so the other options are incorrect.

24
Q

A typical data loss prevention or data leak protection (DLP) tool can enhance the organization’s efforts at accomplishing what legal task?

A. Evidence collection
B. Delivering testimony
C. Criminal prosecution
D. Enforcement of intellectual property rights

A

A. Evidence collection

Explanation:
The data discovery facet of DLP solutions can aid an organization in gathering applicable evidence, especially in response to a legal request such as a subpoena (this is often termed e-discovery). Tools cannot deliver testimony; only people can testify. Option B is incorrect. DLP solutions do not perform prosecutorial work; that is the function of law enforcement agencies. Option C is incorrect. While DLP tools can locate intellectual property assets, they do not, strictly speaking, enforce the rights attendant to those assets. Option A is still preferable to D in this case.

25
Q

Which of the following activities can enhance the usefulness and abilities of a data loss prevention or data leak protection (DLP) solution?

A. Perform emergency egress training for all personnel.
B. Require data owners, stewards, and custodians to properly classify and label data at time of creation or collection.
C. Require senior management to participate in all security functions, including initial, recurring, and refresher training.
D. Display security guidance in a variety of formats, including a web page, banner, posters, and hard-copy material.

A

B. Require data owners, stewards, and custodians to properly classify and label data at time of creation or collection.

Explanation:
DLP tools can function better if appropriate and accurate classification and labeling is applied throughout the environment and done on a consistent basis. All the other options are good aspects of a security program but not exactly germane to DLP function.
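
To make the three DLP facets from the preceding cards concrete (discovery, monitoring, and enforcement, and why accurate labels help), here is a small policy engine as an added example; it is not part of the flashcards or any vendor’s product. The corporate domain, the labels, the label-to-action mapping, and the sample messages are all constructed for the demonstration. Message m2 is the case the explanation above is about: nothing in its body matches a content pattern, so only the label applied at creation stops the leak.

```python
"""A minimal DLP policy engine run over constructed outbound messages. It shows the
three facets named in the flashcards: discovery (content inspection for SSNs and card
numbers), monitoring (reading the classification label the data owner applied at
creation) and enforcement (allow / quarantine / block). Added example; the domain,
labels and messages are made up for the demonstration."""
import re
from dataclasses import dataclass
from typing import Optional

INTERNAL_DOMAIN = "example.com"                    # assumed corporate mail domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN shape, e.g. 123-45-6789
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digit card-number candidates
LABEL_ACTIONS = {"restricted": "block", "confidential": "quarantine"}


@dataclass
class Message:
    msg_id: str
    recipient: str
    label: Optional[str]   # applied by the owner/steward/custodian; None if nobody labeled it
    body: str


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out most digit runs that merely look like a PAN."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(body: str) -> list:
    """Discovery: (kind, matched_text) for each sensitive item found in the content."""
    findings = [("ssn", m) for m in SSN_RE.findall(body)]
    for m in PAN_RE.findall(body):
        if luhn_ok(re.sub(r"[ -]", "", m)):
            findings.append(("pan", m))
    return findings


def decide(msg: Message) -> tuple:
    """Enforcement: (action, reason). A label decides outright; content inspection is the fallback."""
    if msg.recipient.endswith("@" + INTERNAL_DOMAIN):
        return "allow", "internal recipient"
    if msg.label in LABEL_ACTIONS:
        return LABEL_ACTIONS[msg.label], f"label={msg.label}"
    findings = discover(msg.body)
    if findings:
        return "block", "content match: " + ",".join(sorted({k for k, _ in findings}))
    return "allow", "no label, no content match"


def run_policy(messages) -> dict:
    """Monitoring: evaluate every message and return {msg_id: action}."""
    return {m.msg_id: decide(m)[0] for m in messages}


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    Message("m1", "cfo@example.com", "restricted", "Board pack attached."),
    # Labeled correctly: nothing pattern-like in the body, yet the label stops the leak.
    Message("m2", "buyer@partner.test", "restricted", "Q3 supplier pricing sheet attached."),
    # Unlabeled: only content inspection can catch these two.
    Message("m3", "hr@payroll.test", None, "New hire SSN is 123-45-6789, start Monday."),
    Message("m4", "shop@vendor.test", None, "Charge card 4111 1111 1111 1111 for the order."),
    # Looks like a PAN but fails Luhn: a parcel tracking number, not a card.
    Message("m5", "shop@vendor.test", None, "Tracking 4111111111111112 shipped today."),
    Message("m6", "auditor@firm.test", "confidential", "Draft findings for review."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        action, reason = decide(m)
        print(f"{m.msg_id}: {action:<10} ({reason})")
```

Two design points worth noticing: the label check runs before content inspection and is authoritative, which is exactly why the explanation insists on labeling at creation (an unlabeled pricing sheet would sail through, as m2 would without its label); and the Luhn check is what keeps content inspection from blocking every sixteen-digit tracking or invoice number, the false-positive problem that makes users route around DLP controls.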

26
Q

Data archiving can also provide what production capability?

A. Enhanced database mechanisms
B. Near-term data recovery
C. New data-driven business workflows
D. Greater management insight into productivity

A

B. Near-term data recovery

Explanation:
Depending on the availability of the archive, it may be possible to use it to recover production data that has been accidentally or inadvertently deleted or destroyed.
Archiving does not really offer any of the other benefits; when data is taken out of the production environment and put into long-term storage, the organization loses the capability to manipulate it and create new assets from it. Options A, C, and D are incorrect.

27
Q

Data archiving can be required for regulatory compliance as a legal mandate. What other business function is also often tied to archiving?

A. Marketing
B. Business continuity and disaster recovery (BC/DR)
C. Personnel development
D. Intellectual property protection

A

B. Business continuity and disaster recovery (BC/DR)

Explanation:
Having a suitable backup, away from the main production environment, allows the organization to recover from contingency operations that have interrupted or affected the production environment. All the other options are not benefits directly associated with data archiving.

28
Q

Which of the following is probably most important to include in a data archiving policy?

A. Data format and type
B. Data classification
C. Encryption procedures and standards
D. Data audit and review processes

A

A. Data format and type

Explanation:
In order to use the archive for recovery (either on a large scale for contingency operations or for granular recovery as a means of data discovery), the data needs to be of a format and type that can be utilized by the organization’s systems and environment. Saving data in the wrong format can be equivalent to losing the data. All the other options are important aspects of a data archiving policy but are not as important as option A (for instance, data that is not encrypted might pose a risk of loss, but data in the wrong format may not be recoverable at all).

29
Q

The destruction of a cloud customer’s data can be required by all of the following except _______________.

A. Statute
B. Regulation
C. The cloud provider’s policy
D. Contract

A

C. The cloud provider’s policy

Explanation:
The cloud provider cannot typically require the destruction of the customer’s data simply because of its own (provider’s) policy. If this is an aspect of the contract between the provider and customer, that is another issue (and listed as another option in this question). The other options are all sources that may dictate the customer’s destruction of data.

30
Q

Which of the following data storage types is most associated with software as a service (SaaS)?

A. Content delivery network (CDN)
B. Databases
C. Volume storage
D. Data warehousing

A

A. Content delivery network (CDN)

Explanation:
CDNs are often used in conjunction with SaaS services to deliver high-quality data of large sizes (often multimedia). Databases and data warehousing are typically associated with platform as a service (PaaS), where the provider owns and maintains the infrastructure and data management engine but the customer can install programs and interfaces to manipulate the data. Options B and D are incorrect. Volume storage is typically associated with infrastructure as a service (IaaS); option C is incorrect.

31
Q

You are the security manager for a bookkeeping firm that is considering moving to a cloud-based production environment. In selecting a cloud provider, your company is reviewing many criteria. One of these is enhancing the company’s business continuity and disaster recovery (BC/DR) capabilities. You want to ensure that the cloud provider you select will allow for migration to an alternate provider in the event of contingencies. The provider you choose should be able to support a migration to an alternate provider within _______________.

A. 24 hours
B. 1 hour
C. Your company’s recovery time objective (RTO)
D. Your company’s recovery point objective (RPO)

A

C. Your company’s recovery time objective (RTO)

Explanation:
 The RTO is the measure of time after an interruption at which the company needs to resume critical functions; any service migration must take place within that time. RTOs vary for every organization; there is no set answer for all organizations. Options A and B might be correct for a given organization but incorrect in the general case because it’s impossible to know an organization’s RTO without knowing more about the organization. The RPO is a measure of data that can be lost, not time; option D is incorrect.

32
Q

In which phase of the cloud secure data lifecycle does data leave the production environment and go into long-term storage?

A. Store
B. Use
C. Share
D. Archive

A

D. Archive

Explanation:
This action defines the archive phase. All the other options are incorrect.

33
Q

In which phase of the cloud secure data lifecycle should classifications and labels be assigned to data?

A. Create
B. Store
C. Use
D. Share

A

A. Create

Explanation:
Data should be labeled and classified as soon as it is created/collected. All the other options are incorrect.

34
Q

Which of the following is not included in the Open Web Application Security Project (OWASP) Top Ten web application security threats?

A. Injection
B. Cross-site scripting
C. Internal theft
D. Sensitive data exposure

A

C. Internal theft

Explanation:
Internal theft is not an entry in the OWASP Top Ten; the list covers weaknesses in web applications, not organizational or insider risk generally. The other three options appear in the edition this question is based on (the 2017 list): Injection, Cross-Site Scripting (XSS), and Sensitive Data Exposure. Note that the list is revised every few years: in the 2021 edition, XSS was folded into the Injection category and Sensitive Data Exposure was reframed as Cryptographic Failures, so check which edition an exam or policy is referring to.

35
Q

Your organization is developing software for wide use by the public. You have decided to test it in a cloud environment, in a platform as a service (PaaS) model. Which of the following should be of particular concern to your organization for this situation?

A. Vendor lock-in
B. Backdoors
C. Regulatory compliance
D. High-speed network connectivity

A

B. Backdoors

Explanation:
 Backdoors are a particularly prevalent risk in software development because programmers legitimately use backdoors for ease of use and speed of delivery but may mistakenly (or even purposefully) leave the backdoors in the software after development, creating a hidden and significant vulnerability. All the other options should be concerns of any cloud customer, but they are not of specific or increased concern for this situation.

36
Q

Which of the following management risks can make an organization’s cloud environment unviable?

A. Insider trading
B. Virtual machine (VM) sprawl
C. Hostile takeover
D. Improper personnel selection

A

B. Virtual machine (VM) sprawl

Explanation:
Because the cost of creating new instances in the cloud environment is transparent to many users/offices, there is a significant likelihood that users/offices will create many new virtual machine (VM) instances without the knowledge/oversight of management. This can result in a very expensive surprise at the end of the payment period, when the organization receives the bill from the cloud provider. All the other options are management risks that do not have anything specific to do with the cloud environment and should not affect it/be affected by it.

37
Q

You are the security manager for a company that is considering cloud migration to an infrastructure as a service (IaaS) environment. You are assisting your company’s IT architects in constructing the environment. Which of the following options do you recommend?

A. Unrestricted public access
B. Use of a Type I hypervisor
C. Use of a Type II hypervisor
D. Enhanced productivity without encryption

A

B. Use of a Type I hypervisor

Explanation:
The Type I (bare-metal) hypervisor is preferable, as it runs directly on the hardware and so offers less attack surface than a Type II hypervisor, which runs as an application on top of a general-purpose host OS whose own vulnerabilities are added to the stack; option B is correct. All the other options increase risk and should not be recommended: unrestricted public access and forgoing encryption for the sake of productivity are both plainly insecure.

38
Q

Your company uses a managed cloud service provider to host the production environment. The provider has notified you, along with several other of the provider’s customers, that an engineer working for the provider has been using administrative access to steal sensitive data and has been selling it to your competitors. Some of this sensitive data included personally identifiable information (PII) related to your employees. Your company’s general counsel informs you that there are at least three jurisdictions involved that have laws requiring data breach notification for PII. Who has legal liability for the costs involved with making the required notifications?

A. The cloud provider
B. Your company
C. The Internet service provider (ISP)
D. Your regulators

A

B. Your company

Explanation:
Under current data breach notification laws, the owner (controller) of the PII is legally responsible for the notifications, regardless of the circumstances of the breach; in this case, your company is the PII owner. Your contract with the provider may entitle you to recover the costs from them, but that is a contractual matter between the two parties and does not shift the statutory duty. All the other options are incorrect because those entities are not the owner of the PII.

39
Q

Which of the following techniques is not recommended for privileged user management?

A. Increased password/phrase complexity
B. More frequent password/phrase changes
C. More detailed background checks
D. Less detailed audit trail

A

D. Less detailed audit trail

Explanation:
If anything, the audit trail for privileged users should be more detailed than that for regular users. All the other options are recommended techniques for privileged user management.

40
Q

You are the security officer for a company operating a production environment in the cloud. Your company’s assets have a high degree of sensitivity and value, and your company has decided to retain control and ownership of the encryption key management system. In order to do so, your company will have to have which of the following cloud service/deployment models?

A. Public
B. Infrastructure as a service (IaaS)
C. Hybrid
D. Software as a service (SaaS)

A

C. Hybrid

Explanation:
Managing the encryption keys on-premises necessitates some elements of a hybrid cloud model: the key management system is hosted by the customer, and production takes place in the provider’s cloud.
A purely public cloud arrangement would preclude the customer hosting the key management system on its own premises; option A is incorrect. The service model is largely irrelevant to where the key management system is located: a customer-hosted key manager can serve an IaaS, PaaS, or SaaS deployment (the bring-your-own-key arrangements offered by many providers), and none of the service models strictly requires it. Options B and D are incorrect.

41
Q

Which security principle dictates that encryption key management and storage should be isolated from the data encrypted with those keys?

A. Least privilege
B. Two-person integrity
C. Compartmentalization
D. Separation of duties

A

D. Separation of duties

Explanation:
Separation of duties dictates that one person/entity cannot complete an entire transaction alone. In the case of encryption, a single entity should not be able to administer the issuing of keys, encrypt the data, and store the keys, because this could lead to a situation where that entity has the ability to access or take encrypted data. All the other options are security principles but are not intrinsically applicable to the concept of storing encryption keys away from encrypted data.

42
Q

Which cloud data storage technique involves encrypting a data set, then splitting the data into pieces, splitting the key into pieces, then signing the data pieces and key pieces and distributing them to various cloud storage locations?

A. RAID
B. Secret sharing made short (SSMS)
C. Homomorphic encryption
D. Asymmetric encryption

A

B. Secret sharing made short (SSMS)

Explanation:
Option A is incorrect because RAID is a storage virtualization technology, used in traditional environments, that combines physical disk components into one or more logical units.
Homomorphic encryption is a theoretical conversion of data into ciphertext that can be analyzed as if it were in its original form. Option C is incorrect. Option D is incorrect because it uses public and private key pairs to encrypt and decrypt data.

43
Q

Which theoretical technique would allow encrypted data to be manipulated without decrypting it first?

A. RAID
B. Secret sharing made short (SSMS)
C. Homomorphic encryption
D. Asymmetric encryption

A

C. Homomorphic encryption

Explanation:
Option A is incorrect because RAID is a storage virtualization technology, used in traditional environments, that combines physical disk components into one or more logical units. SSMS involves encrypting a data set, then splitting the data into pieces, splitting the key into pieces, then signing the data pieces and key pieces and distributing them to various cloud storage locations. Option B is incorrect. Option D is incorrect because it uses public and private key pairs to encrypt and decrypt data.

44
Q

Which theoretical technology would allow superposition of physical states to increase both computing capacity and encryption keyspace?

A. All-or-nothing-transform with Reed-Solomon (AONT-RS)
B. Quantum computing
C. Filigree investment
D. Sharding

A

B. Quantum computing

Explanation:
This is a description of quantum computing. Option A is incorrect because it refers to a data transformation. Option C is a made-up term and is therefore incorrect.
Option D is incorrect because it is a data dispersion term.

45
Q

In a virtualized environment, suspended virtual machine (VM) instances at rest are subject to increased risk because _______________.

A. There is no way to encrypt instances at rest
B. Insider threats are greater for data storage locations than processing locations
C. The instances are saved as image snapshots and highly portable
D. They are unprotected unless multifactor authentication is required

A

C. The instances are saved as image snapshots and highly portable

Explanation:
Saved virtual instances are simply inert files, and they are very easy to copy and move. Encryption may be applied to data at rest (even VM snapshots); option A is incorrect. Insider threats within the cloud data center probably pose just as much risk to the storage nodes as the processing nodes; option B is incorrect. Option D is incorrect.

46
Q

In a virtualized cloud environment, the management plane is usually responsible for provisioning virtual machine instances with all of the following resources except _______________.

A. CPU
B. Memory
C. User interface
D. Permanent storage

A

C. User interface

Explanation:
The user interface to the virtualized instance can be handled by a variety of mechanisms, but it is not the function of the management plane. All the other options are resources provisioned to the virtual machine(s) by the management plane.

47
Q

Which of the following business continuity and disaster recovery (BC/DR) testing methodologies is least intrusive?

A. Walk-through
B. Simulation
C. Tabletop
D. Full test

A

C. Tabletop

Explanation:
The tabletop testing method is the least intrusive type of BC/DR test. All the other options are BC/DR testing methods that are more intrusive.

48
Q

In order for an organization to determine if its backup solution is adequate for meeting the recovery point objective (RPO), what must be done?

A. Conduct full backups at least daily.
B. Use a data mirroring solution.
C. Put all backups in the cloud.
D. Practice a restore from backup.

A

D. Practice a restore from backup.

Explanation:
There is no way to know if the backup actually serves the purpose until the organization tests a restoration. The other options are all backup options but do not actually demonstrate whether the backup is suitable for the business continuity and disaster recovery (BC/DR) requirements.

49
Q

Which common characteristic of the cloud data center also serves customer business continuity and disaster recovery (BC/DR) needs?

A. Multitenancy
B. Virtualization
C. Redundancy
D. Software-defined networking

A

C. Redundancy

Explanation:
The ubiquitous redundancy of systems and capabilities within most cloud data centers not only serves the provider’s requirement to meet customer service-level agreements but also enhances the data center’s (and the customer’s) resistance to disasters and interruptions. All the other options are characteristics of a cloud data center, but they don’t serve much BC/DR purpose; option C is the best choice.

50
Q

Which phase of the business continuity and disaster recovery (BC/DR) process can result in a second disaster?

A. Event anticipation
B. Creating BC/DR plans and policy
C. Return to normal operations
D. Incident initiation

A

C. Return to normal operations

Explanation:
Returning to normal operations can result in a second disaster if the conditions created by the initial disaster (which created the need to run the BC/DR plan) have not fully been addressed/resolved.
An inadvertent initiation of the plan can result in a disaster, but that would only be one disaster, not two; for instance, if senior management got faulty information during the event anticipation phase and decided to switch to contingency operations, but there was no actual causative event, that would be a single disaster. Options A and D are incorrect. The act of planning and crafting policy cannot take the form of a disaster. Option B is incorrect.

51
Q

Which process artifact aids an organization in determining the critical assets and functions that need to continue operations during a business continuity and disaster recovery (BC/DR) contingency?

A. Service Organization Control (SOC) 2, Type 2
B. Business impact analysis (BIA)
C. Qualitative risk analysis report
D. Annual loss expectancy (ALE) calculation

A

B. Business impact analysis (BIA)

Explanation:
The BIA lists the assets of the organization and states their importance, value, and criticality. This can easily be used for BC/DR planning purposes. The SOC is an audit report; this does not aid in BC/DR planning. Option A is incorrect. The risk analysis and ALE calculation are used to select reasonable and cost-effective controls suitable for the environment; this does not aid in BC/DR efforts. Options C and D are incorrect.

52
Q

In general, a cloud business continuity and disaster recovery (BC/DR) solution will be _______________ than a physical solution.

A. Slower
B. Less expensive
C. Larger
D. More difficult to engineer

A

B. Less expensive

Explanation:
Typically, the cost of using the cloud for contingency operations will be much less than creating a physical alternate operating site. Usually, a cloud solution may also be faster and easier to engineer than a physical solution; options A and D are incorrect. “Larger,” in this context, has no meaning, because the “size” of the cloud is a misnomer; option C is incorrect.

53
Q

Which of the following is not a common federation technology?

A. WS-Federation
B. OWASP
C. OpenID
D. OAuth

A

B. OWASP

Explanation:
The Open Web Application Security Project (OWASP) is a volunteer organization that devises standards and solutions for web application development. All the other options are common federation technologies.

54
Q

Which of the following is an audit report on the design of an organization’s controls?

A. Service Organization Control (SOC) 1
B. SOC 2, Type 1
C. SOC 3
D. SOC 4

A

B. SOC 2, Type 1

Explanation:
The SOC 2, Type 1 audit reviews management’s selection of controls for the organization’s environment. The SOC 1 audit reviews the accuracy and correctness of the organization’s financial reporting. Option A is incorrect. The SOC 3 is an attestation of an audit. Option C is incorrect. There is no SOC 4 report. Option D is incorrect.

55
Q

Which of the following is not usually suitable for inclusion in a service-level agreement (SLA) for managed cloud services?

A. Service availability
B. Number of users and virtual machines
C. Background checks for provider personnel
D. Amount of cloud storage

A

C. Background checks for provider personnel

Explanation:
The SLA won’t typically include direct mention of the sorts of personnel security measures undertaken by the cloud provider. This may be mentioned, obliquely, in another part of the contract (that is, there may be some language that states that the provider is responsible for ensuring the trustworthiness of its personnel), but it is not a useful SLA element. All the other options are excellent items to include in an SLA.

56
Q

Which of the following is not a typical physical access control mechanism in the cloud data center?

A. Cage locks
B. Video surveillance
C. Rack locks
D. Fire suppression

A

D. Fire suppression

Explanation:
Fire suppression systems are physical control mechanisms commonly found in cloud data centers but are not an element of access control. All the other options are common physical access control mechanisms in a cloud data center.

57
Q

Which of the following cloud environment accounts should only be granted on a temporary basis?

A. Remote users
B. Senior management
C. Internal users
D. External vendors

A

D. External vendors

Explanation:
If external vendors need access to the cloud environment, that access should only be granted on an extremely limited and temporary basis. All the other options are common cloud access types and don’t necessarily need to be limited in duration.

58
Q

Which of the following attack vectors is new to the cloud environment and was not typically found in on-premises, legacy environments?

A. Distributed denial of service (DDoS)
B. Guest escape
C. Internal threats
D. Inadvertent disclosure

A

B. Guest escape

Explanation:
Guest escape is a prevailing threat in a virtualized, multitenant cloud environment and was not commonly found in traditional environments (those environments were typically not virtualized and did not serve more than one customer, the owning organization). All the other threats are currently faced by cloud customers but also existed in the traditional environment.

59
Q

Which of the following is a file server that provides data access to multiple, heterogeneous machines and users on the network?

A. Storage area network (SAN)
B. Network-attached storage (NAS)
C. Hardware security module (HSM)
D. Content delivery network (CDN)

A

B. Network-attached storage (NAS)

Explanation:
This is the description of a NAS device. A SAN typically presents storage devices to users as attached/mounted drives. Option A is incorrect. An HSM is designed for encryption generation and management; option C is incorrect. A CDN typically replicates multimedia content at multiple, geographically diverse locations to ensure high quality for recipients. Option D is incorrect.

60
Q

You are the security manager for a retail company that is considering cloud migration to a public, software as a service (SaaS) solution both for your current internal production environment (an on-premises data center) and to host your e-commerce presence. Which of the following is a new concern you should bring up to senior management for them to consider before the migration?

A. Regulatory compliance for your credit card processing transactions
B. Inadvertent disclosure by internal (company) personnel
C. Data disclosure through insufficiently isolated resources
D. Malicious intrusion by external entities

A

C. Data disclosure through insufficiently isolated resources

Explanation:
Because of the multitenant nature of public cloud services, processes and resources that are not properly isolated may create a situation where data could be disclosed to other cloud customers (neighboring tenants). This is a new threat that may result from the migration. All the other options are existing threats in the company’s current environment.

61
Q

When a data center is configured such that the backs of the devices face each other and the ambient temperature in the work area is cool, it is called _______________.

A. Hot aisle containment
B. Cold aisle containment
C. Thermo-optimized
D. Heating, ventilation, and air conditioning (HVAC) modulated

A

A. Hot aisle containment

Explanation:
This is a description of hot aisle containment. Cold aisle containment is a configuration where the fronts of devices face each other. Option B is incorrect. Option C is not relevant in this context and is incorrect. Option D does not describe the data center configuration in the question and is incorrect.

62
Q

Disciplined cable management is crucial for cloud data centers because it provides greater assurance of only authorized lines operating in the environment and _______________.

A. Reduces unproductive heating, ventilation, and air conditioning (HVAC) activity
B. Reduces the risk of slip, trip, and fall hazards
C. Greatly reduces the environmental footprint
D. Ensures regulatory compliance

A

A. Reduces unproductive heating, ventilation, and air conditioning (HVAC) activity

Explanation:
Unused or poorly managed cabling can impede efficient air flow, increasing HVAC and energy costs and increasing the difficulty of optimizing temperature. While it is possible that mismanaged cabling could cause slip/trip/fall hazards, this is much less common in modern data centers; option A is preferable in this case.
Cabling does not really have much of an environmental footprint, so discipline applied to cabling won’t affect the environment much, one way or the other; option C is incorrect. Regulators do not usually enforce cable management; option D is incorrect.

63
Q

To optimize airflow within a data center according to industry standards, a raised floor used as an air plenum must have at least _______________ of clearance.

A. One foot
B. One meter
C. 24 inches
D. 30 inches

A

C. 24 inches

Explanation:
The industry standard is 24 inches. All the other options are incorrect.

64
Q

Raised flooring can serve as both an air plenum and _______________.

A. A convenient location for RAID arrays
B. Cool storage for data center personnel meals
C. A conduit for running cable
D. Disaster shelter locations

A

C. A conduit for running cable

Explanation:
Ideally, raised flooring should be used for no other purpose because any objects in that location would impede airflow. Therefore, options A, B, and D are incorrect because they defeat the purpose of the raised flooring design.

65
Q

Typically, when raised flooring is used as an air plenum, _______________ air is directed through it.

A. Warm
B. Cold
C. Bleed
D. Exhaust

A

B. Cold

Explanation:
Cold air is usually put through raised flooring because warm air naturally rises and using the raised flooring to conduct warm air would require an unnecessary and inefficient expenditure of energy. All the other options are incorrect as they include warmer air.

66
Q

There are two general types of smoke detectors. One type uses a light source to detect the presence of particulate matter resulting from a fire, and the other uses _______________.

A. Electric pulses
B. Small amounts of radioactive material
C. Fiber-optic mechanisms
D. A water-pressure plate

A

B. Small amounts of radioactive material

Explanation:
Ionization-based smoke detectors use trace amounts of a radionuclide (often americium) to detect the presence of particulate matter in the detection chamber when smoke particles interrupt the constant electric current. Neither type uses the techniques described in the other options, as they are all incorrect answers.

67
Q

Fire suppression systems are often linked to a detection system. Common detection systems include all of the following except _______________.

A. Heat
B. Pressure
C. Flame
D. Smoke

A

B. Pressure

Explanation:
Pressure detection is not a common detection technology. All the other options are common fire detection methods.

68
Q

FM-200 has all the following properties except _______________.

A. It’s nontoxic at levels used for fire suppression
B. It’s gaseous at room temperature
C. It may deplete the earth’s ozone layer
D. It does not leave a film or coagulant after use

A

C. It may deplete the earth’s ozone layer

Explanation:
FM-200 is used as a replacement for older Halon systems specifically because it (unlike Halon) does not deplete the ozone layer. All the other options are true statements about FM-200 used in fire suppression.

69
Q

FM-200 has all the following properties except _______________.

A. It is colorless
B. It leaves a faint chemical residue after use
C. It is liquid when stored
D. It is nonconductive

A

B. It leaves a faint chemical residue after use

Explanation:
One of the properties that makes it desirable for fire suppression in a data center is that FM-200 does not leave a residue. All the other options are true statements about FM-200.

70
Q

Dynamic Host Configuration Protocol (DHCP) servers in a network will provide the clients with all of the following except _______________.

A. A temporary IP address
B. Encryption protocols
C. A default gateway
D. Time server synchronization

A

B. Encryption protocols

Explanation:
DHCP servers do not normally orchestrate encryption. All the other options are common functions of DHCP servers.

71
Q

You are the security officer for a cloud deployment. In order to secure data in transit, you can choose to implement all of the following techniques and technologies except _______________.

A. DNSSEC
B. TLS
C. IDS/IPS
D. IPSec

A

C. IDS/IPS

Explanation:
This question is challenging because it requires some abstract thought and all answers seem correct at first glance. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) do not secure data; they detect attack activity. Domain Name System Security Extensions (DNSSEC) protects data in transit by reducing the risk of DNS poisoning; Transport Layer Security (TLS) and Internet Protocol Security (IPSec) reduce the risk of eavesdropping and interception of data.

72
Q

All of the following techniques are used in OS hardening except _______________.

A. Removing default accounts
B. Disallowing local save of credentials
C. Removing unnecessary services
D. Preventing all administrative access

A

D. Preventing all administrative access

Explanation:
Administrative access may be limited but not prevented. All the other options are common steps of OS hardening.

73
Q

You are performing an audit of the security controls used in a cloud environment. Which of the following would best serve your purpose?

A. The business impact analysis (BIA)
B. A copy of the virtual machine (VM) baseline configuration
C. The latest version of the company’s financial records
D. A Service Organization Control (SOC) 3 report from another (external) auditor

A

B. A copy of the virtual machine (VM) baseline configuration

Explanation:
The baseline configuration can be used as a template of controls applied throughout the environment. The BIA and financial records may offer an auditor insight into asset valuation/risk but will not provide meaningful data for a control audit. Options A and C are incorrect. The SOC 3 report is only an attestation by an auditor that an audit has taken place; it does not provide any useful information about security controls.

74
Q

In a cloud environment, prior to putting a node into maintenance mode, all of the following actions should be taken except _______________.

A. Prevent any new users from logging on or creating any new instances
B. Migrate any existing guest virtual machines (VMs) to another node
C. Disable alerts from host-based intrusion detection systems (IDSs), intrusion prevention systems (IPSs), or firewalls
D. Disable logging functions and tools

A

D. Disable logging functions and tools

Explanation:
During maintenance mode, all maintenance activities should still be logged and tracked. All the other actions are recommended for a cloud node entering maintenance mode.

75
Q

A cloud provider conducting scheduled maintenance of the environment should do all the following except _______________.

A. Notify any customers who may be affected
B. Require reverification of all user accounts
C. Follow approved change-management procedures and processes
D. Confirm that remaining resources are sufficient to manage the minimum load as dictated by service-level agreements (SLAs)

A

B. Require reverification of all user accounts

Explanation:
This action is pointless and excessive; the option is a distractor. All the other options are actions the cloud provider should undertake when conducting scheduled maintenance.

76
Q

Which of the following is characterized by a set maximum capacity?

A. A secret-sharing-made-short (SSMS) bit-splitting implementation
B. A tightly coupled cloud storage cluster
C. A loosely coupled cloud storage cluster
D. A public-key infrastructure

A

B. A tightly coupled cloud storage cluster

Explanation:
By definition, the tightly coupled cluster has a maximum capacity, whereas the loosely coupled cluster does not. The other options do not have a set maximum capacity and are therefore incorrect.

77
Q

Which of the following is an open source cloud-based software project characterized by a toolset that includes components called Nova, Neutron, Heat, Ironic, and Cinder?

A. OWASP
B. OAuth
C. OpenStack
D. Mozilla

A

C. OpenStack

Explanation:
OpenStack is an open source project for creating cloud environments regardless of hardware brand. Open Web Application Security Project (OWASP) is an open source web application development project and does not involve the use of any of the tools mentioned in the question. Option A is incorrect. OAuth is a set of standards for identity federation. Option B is incorrect. Mozilla is a company that produces and administers open source software such as the Firefox web browser. Option D is incorrect.

78
Q

You are the security director for a call center that provides live support for customers of various vendors. Your staff handles calls regarding refunds, complaints, and the use of products customers have purchased. To process refunds, your staff will have access to purchase information, determine which credit card the customer used, and identify specific elements of personal data. How should you best protect this sensitive data and still accomplish the purpose?

A. Encrypt the data while it is at rest but allow the call center personnel to decrypt it for refund transactions.
B. Encrypt the data while call center personnel are performing their operations.
C. Mask the data while call center personnel are performing their operations.
D. Have the call center personnel request the pertinent information from the customer for every refund transaction.

A

C. Mask the data while call center personnel are performing their operations.

Explanation:
Masking the data (such as replacing the majority of the credit card number with Xs, leaving only the last four digits in view) should suffice for the purpose; it allows the call center personnel to determine which card was used in the sale but does not reveal the card number to the call center. Encrypting the data in storage but allowing call center personnel to decrypt it creates a vast opportunity for fraud and abuse; option A is incorrect. Encrypting the data while the call center is trying to make the refund would be counterproductive; the call center personnel would be unable to determine which card gets the refund. Option B is incorrect.
Relying on the customer to provide the correct card number invites inaccuracy and exposes the transaction to fraud; option D is not correct.

79
Q

Which of the following is not typically included as a basic phase of the software development lifecycle (SDLC)?

A. Define
B. Design
C. Describe
D. Develop

A

C. Describe

Explanation:
Describe is not a common phase in the SDLC; the software should be described in the Define phase. All the other options are common phases of the SDLC.

80
Q

What is the most important input to the software development lifecycle (SDLC)?

A. Senior management direction
B. Legislation/regulation
C. Investor oversight
D. Business requirements

A

D. Business requirements

Explanation:
Business requirements are paramount because they incorporate the elements of all the other options as well as additional inputs.

81
Q

Which of the following can be included in the cloud security architecture as a means to identify and reject hostile SQL commands?

A. Web application firewall (WAF)
B. Application programming interface (API) gateway
C. Data loss prevention or data leak protection (DLP)
D. Database activity monitor (DAM)

A

D. Database activity monitor (DAM)

Explanation:
A DAM can recognize and block malicious SQL traffic. A WAF is a Layer 7 firewall that understands hostile HTTP traffic. Option A is incorrect. An API gateway filters API traffic. Option B is incorrect. DLP solutions are used for egress monitoring, not incoming SQL commands. Option C is incorrect.

82
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Which cloud service or deployment model would probably best suit your needs?

A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Community

A

B. Platform as a service (PaaS)

Explanation:
PaaS is optimum for software testing as it allows the software to run across multiple platforms/OSs.
All the other options are service/deployment models that are not as optimum for software testing as PaaS.

83
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Which of the following tools, technologies, or techniques may be very useful for your purposes?

A. Data loss prevention or data leak protection (DLP)
B. Digital rights management (DRM)
C. Sandboxing
D. Web application firewall (WAF)

A

C. Sandboxing

Explanation:
Sandboxing allows software to be run in an isolated environment, which can aid in error detection. Software testing should not include raw production data, so there is no purpose for using DLP and DRM solutions; options A and B are incorrect. The WAF is used to filter web traffic; in the testing environment, there should not be any live traffic going to the software. Option D is incorrect.

84
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Previous releases have shipped with major flaws that were not detected in the testing phase; leadership wants to avoid repeating that problem. What tool, technique, or technology might you suggest to aid in identifying programming errors?

A. Vulnerability scans
B. Open source review
C. Service Organization Control (SOC) audits
D. Regulatory review

A

B. Open source review

Explanation:
Open source review can detect flaws that a structured testing method might not. Vulnerability scans will only detect known problems, not programming defects that have not yet been identified; option A is incorrect. Neither SOC audit nor regulatory review have anything to do with finding software flaws; options C and D are incorrect.

85
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Previous releases have shipped with major flaws that were not detected in the testing phase; leadership wants to avoid repeating that problem. It is important to prevent _______________ from being present during the testing.

A. Senior management
B. Marketing department personnel
C. Finance analysts
D. Programmers who worked on the software

A

D. Programmers who worked on the software

Explanation:
Programmers have a vested interest in, and a specific perspective of, software they create. They can unduly influence testing outcomes, even unintentionally. It is best to prevent programmers from attending testing of software they helped create. All the other options are personnel who do not need to be present but will not necessarily cause undue influence of the testing process.

86
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. When you explain what impact this will have, you note that _______________ may be decreased by this option.

A. Speed of development
B. Thoroughness of documentation
C. Availability of prototypes
D. Customer collaboration

A

B. Thoroughness of documentation

Explanation:
The Agile method reduces the dependence and importance of documentation in favor of functioning software versions. All the other options are elements that will most likely be increased by transitioning to an Agile model.

87
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. In order for this to happen, the company will have to increase the involvement of _______________.

A. Security personnel
B. Budget and finance representatives
C. Members of the user group
D. Senior management

A

C. Members of the user group

Explanation:
Agile requires interaction between developers and personnel who will use the software. All the other options are not essential roles in Agile development.

88
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. This will be typified by which of the following traits?

A. Reliance on a concrete plan formulated during the Define phase
B. Rigorous, repeated security testing
C. Isolated programming experts for specific functional elements
D. Short, iterative work periods

A

D. Short, iterative work periods

Explanation:
Agile development is usually organized in relatively short iterations of effort, between a week and a month in duration.
Dependence on planning is directly contrary to Agile methodology; option A is incorrect. In Agile, prototyping is favored over testing; option B is incorrect. Agile relies on cooperative development instead of stovepiped expertise; option C is incorrect.

89
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. This will be typified by which of the following traits?

A. Daily meetings
B. A specific shared toolset
C. Defined plans that dictate all efforts
D. Addressing customer needs with an exhaustive initial contract

A

A. Daily meetings

Explanation:
Agile development often involves daily meetings (called Scrums). Agile methodology spurns the use of specific tools and concrete planning; options B and C are incorrect. Agile also favors customer collaboration and prototyping instead of an elaborate contract mechanism; option D is incorrect.

90
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. The backend of the software will have the data structured in a way to optimize XML requests. Which API programming style should programmers most likely concentrate on for the frontend interface?

A. Simple Object Access Protocol (SOAP)
B. Representational state transfer (REST)
C. Security Assertion Markup Language (SAML)
D. Data loss prevention or data leak protection (DLP)

A

A. Simple Object Access Protocol (SOAP)

Explanation:
SOAP is a web service programming format that requires the use of XML. REST relies more often on uniform resource identifiers (URIs) than XML; option B is incorrect.
SAML is a protocol for passing identity assertions over the Internet; option C is incorrect. DLP is a data egress monitoring tool; option D is incorrect.

91
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. You recommend the use of STRIDE threat modeling to assess potential risks associated with the software. Which of the following is not addressed by STRIDE?

A. External parties presenting false credentials
B. External parties illicitly modifying information
C. Participants able to deny a transaction
D. Users unprepared for secure operation by lack of training

A

D. Users unprepared for secure operation by lack of training

Explanation:
STRIDE does not address user security training. All the other options are aspects addressed by the STRIDE model.

92
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management has decided that the company will deploy encryption, data loss prevention or data leak protection (DLP), and digital rights management (DRM) in the cloud environment for additional protection. When consulting with management, you explain that these tools will most likely reduce _______________.

A. External threats
B. Internal threats
C. Software vulnerabilities
D. Quality of service

A

D. Quality of service

Explanation:
Every additional security measure might reduce a potential threat but definitely will reduce productivity and quality of service. There is always an overhead cost of security.

93
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Your company has, and wishes to retain, ISO 27034 certification. For every new application it creates, it will also have to create a(n) _______________.

A. Organizational normative framework (ONF)
B. Application normative framework (ANF)
C. Intrinsic normative framework (INF)
D. Service Organization Control (SOC) 3 report

A

B. Application normative framework (ANF)

Explanation:
ISO 27034 compliance requires an ANF for every application within the organization. Under 27034, the organization only needs one ONF, of which every ANF is a subset. Option A is incorrect. There is no INF. The term is a distractor; option C is incorrect. SOC 3 reports are for the Statement on Standards for Attestation Engagements (SSAE) standard, not ISO 27034; option D is incorrect.

94
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting a customer-facing production environment. Many of your end users are located in the European Union (EU) and will provide personal data as they use your software. Your company will not be allowed to use a cloud data center in which of the following countries?

A. Japan
B. Australia
C. Belgium
D. Chile

A

D. Chile

Explanation:
Chile does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do (Belgium is in the EU).

95
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting a customer-facing production environment. Many of your end users are located in the European Union (EU) and will provide personal data as they use your software. Your company will not be allowed to use a cloud data center in which of the following countries?

A. Argentina
B. Israel
C. South Korea
D. Switzerland

A

C. South Korea

Explanation:
South Korea does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do.

96
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting a customer-facing production environment. Many of your end users are located in the European Union (EU) and will provide personal data as they use your software. Your company will not be allowed to use a cloud data center in which of the following countries?

A. Canada
B. Singapore
C. France
D. Kenya

A

D. Kenya

Explanation:
Kenya does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do (France is in the EU).

97
Q

Which of the following is not a core principle included in the Organisation for Economic Cooperation and Development (OECD) privacy guidelines?

A. The individual must have the ability to refrain from sharing their data.
B. The individual must have the ability to correct errors in their data.
C. The individual must be able to request a purge of their data.
D. The entity holding the data must secure it.

A

C. The individual must be able to request a purge of their data.

Explanation:
This is an aspect of the current European Union (EU) legislation, known colloquially as “the right to be forgotten”—it is not an aspect of the OECD principles. All the other options are included in the OECD principles.

98
Q

Who is the entity identified by personal data?

A. The data owner
B. The data processor
C. The data custodian
D. The data subject

A

D. The data subject

Explanation:
The data subject is the person who is identified by personal data. All the other options are other privacy-data-related roles.

99
Q

What is the current European Union (EU) privacy legislation that restricts dissemination of personal data outside the EU?

A. The EU Data Directive
B. Privacy Shield
C. The General Data Protection Regulation (GDPR)
D. Sarbanes–Oxley (SOX)

A

C. The General Data Protection Regulation (GDPR)

Explanation:
The GDPR is the current prevailing EU privacy data legislation. It replaced the Data Directive. Privacy Shield is the program under which entities in non-adhering countries can still be allowed to process the personal data of EU citizens. SOX is an American law.

100
Q

In order for American companies to process personal data belonging to European Union (EU) citizens, they must comply with the Privacy Shield program. The program is administered by the U.S. Department of Transportation and the _______________.

A. U.S. State Department
B. Fish and Wildlife Service
C. Federal Trade Commission (FTC)
D. Federal Communication Commission (FCC)

A

C. Federal Trade Commission (FTC)

Explanation:
The FTC is the local U.S. enforcement arm for most Privacy Shield activity. All the other options are U.S. government agencies not involved with Privacy Shield.

101
Q

In addition to the Privacy Shield program, what other means can non–European Union (EU) companies use to be allowed to process personal data of EU citizens?

A. Enhanced security controls
B. Standard contractual clauses
C. Increased oversight
D. Modified legal regulation

A

B. Standard contractual clauses

Explanation:
Companies that are not in countries that have laws in accordance with the EU privacy regulations can instead opt for creating contract language that voluntarily complies with the laws. All the other options are incorrect because they do not allow non–European Union companies to process personal data of EU citizens.

102
Q

Which entity is legally responsible for the protection of personal data?

A. The data subject
B. The data controller
C. The data processor
D. The data steward

A

B. The data controller

Explanation:
The data controller is legally liable for protecting any privacy data it has. All the other options are other data privacy roles that do not have ultimate legal responsibility.

103
Q

When a company is first starting and has no defined processes and little documentation, it can be said to be at level _______________ of the Capability Maturity Model (CMM).

A. 1
B. 2
C. 3
D. 4

A

A. 1

Explanation:
Level 1 is the initial level of maturity for a company and its processes; activity may be performed in an ad hoc manner. All the other options are greater maturity levels of the CMM.

104
Q

Which of the following standards addresses a company’s entire security program, involving all aspects of various security disciplines?

A. ISO 27001
B. ISO 27002
C. National Institute of Standards and Technology (NIST) 800-37
D. Statement on Standards for Attestation Engagements (SSAE) 18

A

A. ISO 27001

Explanation:
The ISO 27001 standard reviews an organization’s security in terms of an information security management system (ISMS), which involves a holistic view of the entire security program. ISO 27002 is a standard for applying controls to the ISMS; option B is incorrect. NIST 800-37 is the Risk Management Framework; option C is incorrect. SSAE is an audit standard for financial reporting and the controls within an environment; option D is incorrect.

105
Q

A cloud provider might only release Service Organization Control (SOC 2), Type 2 reports to _______________.

A. Regulators
B. The public
C. Potential customers
D. Current customers

A

D. Current customers

Explanation:
Because of the sensitive nature of the material covered in the SOC 2, Type 2 report, a cloud provider might not be willing to share it with any entity that does not have a financial stake in the cloud service. All the other options are entities that are unlikely to receive a SOC 2, Type 2 report from a cloud provider.

106
Q

A cloud provider’s Service Organization Control (SOC) 1 report may not be useful to customers interested in determining the provider’s security posture because the SOC 1 report contains only information about _______________.

A. Sales projections
B. Financial reporting
C. Previous customer satisfaction
D. Process definition

A

B. Financial reporting

Explanation:
The SOC 1 report reviews the accuracy and completeness of an organization’s financial reporting mechanisms. All the other options are incorrect.

107
Q

The Payment Card Industry (PCI) Data Security Standard requires different levels of activity based on participants’ _______________.

A. Number of personnel
B. Branch locations
C. Number of transactions per year
D. Preferred banking institutions

A

C. Number of transactions per year

Explanation:
There are four PCI merchant levels, based on the number of transactions an organization conducts per year. All the other options are incorrect answers.

108
Q

Which IT product review framework is intended to determine the accuracy of vendor claims regarding security functions of the product?

A. Underwriters Laboratories (UL)
B. Federal Information Processing Standard (FIPS) 140-2
C. Payment Card Industry (PCI) Data Security Standard (DSS)
D. Common Criteria

A

D. Common Criteria

Explanation:
The Common Criteria is a framework for reviewing product security functions, as stated by the vendor. The UL is a standards and certification entity concerned with product safety; option A is incorrect.
FIPS 140-2 is a standard for certifying cryptographic modules; option B is incorrect. PCI DSS is a security standard for credit card merchants and processors; option C is incorrect.

109
Q

What is the lowest level of cryptographic security for a cryptographic module, according to the Federal Information Processing Standard (FIPS) 140-2 standard?

A. 1
B. 2
C. 3
D. 4

A

A. 1

Explanation:
The lowest level of the FIPS 140-2 standard is 1. All the other options are incorrect.

110
Q

What is the highest level of the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR) certification program for cloud service providers?

A. 1
B. 2
C. 3
D. 4

A

C. 3

Explanation:
There are three levels of the CSA STAR program, and 3 is the highest. All the other options are incorrect.

111
Q

Every cloud service provider that opts to join the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR) program registry must complete a _______________.

A. Service Organization Control (SOC) 2, Type 2 audit report
B. Consensus Assessment Initiative Questionnaire (CAIQ)
C. National Institute of Standards and Technology (NIST) 800-37 Risk Management Framework (RMF) audit
D. ISO 27001 information security management system (ISMS) review

A

B. Consensus Assessment Initiative Questionnaire (CAIQ)

Explanation:
The CAIQ is the CSA’s mechanism for STAR applicants to evaluate their own service. The SOC reports are part of the Statement on Standards for Attestation Engagements (SSAE) 18 audit standard; option A is incorrect. The NIST RMF is only mandated for U.S. federal agencies and not part of the CSA purview; option C is incorrect. The ISMS is one of the ISO standards and not part of the CSA purview; option D is incorrect.

112
Q

The term cloud carrier most often refers to _______________.

A. The cloud provider
B. The cloud customer
C. An Internet service provider (ISP)
D. A cloud manager

A

C. An Internet service provider (ISP)

Explanation:
Cloud carrier is a term describing the intermediary between cloud customer and provider that delivers connectivity; this is typically an ISP. Options A and B are other typical cloud computing roles; option D is not a term with any meaning in this context.

113
Q

In a centralized broker identity federation, which entity typically creates and sends the Security Assertion Markup Language (SAML) token?

A. The cloud provider
B. The Internet service provider (ISP)
C. The broker
D. The cloud customer

A

C. The broker

Explanation:
In a centralized broker federation, the broker (typically a third party), acting as the identity provider, creates the SAML identity assertion tokens and delivers them to the relying parties. All the other options are distractors and not entities that are assigned specific roles in a federation motif.

114
Q

Which of the following tools incorporates and references the requirements listed in all the others?

A. ISO 27001
B. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
C. Federal Risk and Authorization Management Program (FedRAMP)
D. European Union Agency for Network and Information Security (ENISA)

A

B. Cloud Controls Matrix (CCM)

Explanation:
The CCM is a tool for determining control coverage for compliance with a variety of standards and regulations. All the other options are standards or regulations.

115
Q

Which of the following is an example of true multifactor authentication?

A. Having a login that requires both a password and a personal identification number (PIN)
B. Using a thumbprint and voice recognition software for access control
C. Presenting a credit card along with a Social Security card
D. Signing a personal check

A

D. Signing a personal check

Explanation:
The check involves two kinds of security elements: something you have (the check) and something you are (the biometric control, the signature).
Option A is two elements of the same kind: something you know. This is incorrect. Option B is two elements of the same kind: something you are. This is incorrect. Option C is two elements of the same kind: something you have. This is incorrect.

116
Q

Which of the following is appropriate to include in a service-level agreement (SLA)?

A. That the provider deliver excellent uptime
B. That the provider host the customer’s data only within specific jurisdictions
C. That any conflicts arising from the contract be settled within a particular jurisdiction
D. The specific amount of data that can be uploaded to the cloud environment in any given month

A

D. The specific amount of data that can be uploaded to the cloud environment in any given month

Explanation:
SLA elements should be objective, numeric values for repeated activity. Options B and C are useful elements to be included in the contract, but not specifically in the SLA; options B and C are incorrect. Option A is too ambiguous; “excellent” is not a discrete value. Option A is incorrect.

117
Q

Which of the following standards is typically used to convey public key information in a public-key infrastructure (PKI) arrangement?

A. Security Assertion Markup Language (SAML)
B. X.400
C. X.509
D. 802.11

A

C. X.509

Explanation:
Option A is incorrect because software-defined networking refers to a networking architecture consisting of three layers: application, control, and infrastructure. Enterprise networking is a general term, not specifically related to the cloud. Option B is incorrect.
Legacy networking or traditional networking is designed for traditional networks that use physical devices and components rather than virtual. Option D is incorrect.

118
Q

In working with various networking technologies such as Frame Relay, ATM, and Ethernet, the capability of the network to provide better service to selected traffic is called _______________.

A. QaS
B. ASP
C. OLA
D. QoS

A

D. QoS

Explanation:
Quality of service (QoS) refers to the capability of a network to provide better service for certain traffic regardless of network type or topology. The other options are acronyms that do not name this capability, whether or not they relate to the cloud. Option D is the only option that answers the question correctly. QoS is used to set priorities for specific types of data so that high-priority applications and traffic run dependably.

119
Q

Which type of networking model is optimized for cloud deployments in which the underlying storage and IP networks are combined so as to maximize the benefits of a cloud workload?

A. Software-defined networking model
B. Enterprise networking model
C. Converged networking model
D. Legacy networking model

A

C. Converged networking model

Explanation:
Optimized for cloud deployments, the converged networking model combines the underlying storage and IP networks to maximize the benefits of a cloud workload.

120
Q

Which type of law consists of a body of rules and statutes that define prohibited conduct and is set out to protect the safety and well-being of the public?

A. Tort
B. Criminal
C. Civil
D. Contract

A

B. Criminal

Explanation:
Criminal law is set out in rules and statutes created by a government, prohibiting certain activities as a means of protecting the safety and well-being of its citizens. Violations are generally punished by monetary penalties and/or loss of liberty. Tort law refers to the body of laws that provide remedies to individuals who have been caused harm by the unreasonable acts of others; negligence is the most common type of tort lawsuit. Therefore, option A is incorrect. Option C is incorrect because civil law pertains to contracts, property, and family law, as opposed to crimes like murder and theft, which are associated with criminal law. Contracts are agreements between parties to exchange goods and services; option D is incorrect.

121
Q

What is the primary reason for the use of SSDs in the cloud today?

A. They are faster than traditional spinning drives.
B. They last longer than traditional spinning drives.
C. They are easier to replace than traditional spinning drives.
D. They can be replaced quickly.

A

A. They are faster than traditional spinning drives.

Explanation:
Solid-state disks (SSDs) are used in cloud computing today because they operate at high speeds as compared to traditional spinning drives. Option B is incorrect. SSDs do not necessarily last longer than magnetic drives. Options C and D are incorrect because SSDs are not noticeably easier or quicker to replace than traditional drives.

122
Q

Which of the following are risks associated with virtualization?

A. Loss of governance, snapshot and image security, and sprawl
B. Public awareness, snapshot and image availability, and sprawl
C. Increased cost, snapshot and image security, and sprawl
D. Loss of data

A

A. Loss of governance, snapshot and image security, and sprawl

Explanation:
The primary risks associated with virtualization are loss of governance, snapshot and image security, and sprawl. Options B and C are incorrect. Public awareness and increased costs are not risks associated with virtualization. Option D is incorrect because loss of data is no more associated with virtualization than it is with non-virtualized environments.

123
Q

Which of the following is the core of any system handling all input/output (I/O) instructions?

A. Central processing unit (CPU)
B. Hypervisor
C. User interface
D. Supervising application

A

A. Central processing unit (CPU)

Explanation:
The central processing unit (CPU) is the core of any and all systems, handling all the basic I/O instructions as they originate from the software. The question focuses on the handling of all input/output (I/O) instructions, and only the CPU does that. The hypervisor, user interface, and supervising application in options B, C, and D all function as a result of the CPU handling their I/O. Options B, C, and D are incorrect.

124
Q

Which of the following is an international organization of network designers and architects who work together in establishing standards and protocols for the Internet?

A. Internet Assigned Numbers Authority (IANA)
B. International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC)
C. National Institute of Standards and Technology (NIST)
D. Internet Engineering Task Force (IETF)

A

D. Internet Engineering Task Force (IETF)

Explanation:
The IETF is an international organization of network designers and architects who work together in establishing standards and protocols for the Internet. IANA oversees global IP address allocation, among other Internet tasks; it does not establish standards and protocols for the Internet. Option A is incorrect. Option B is incorrect because the ISO/IEC develops, maintains, and promotes standards in information technology and information communication technology. Option C is incorrect because NIST is a federal government standards body in the U.S.

125
Q

_______________ is a symmetric block type of cipher used to encrypt information and is currently the standard for the U.S. government in protecting sensitive and secret documents.

A. MD5
B. Secure Socket Layer (SSL)
C. Blowfish
D. Advanced Encryption Standard (AES)

A

D. Advanced Encryption Standard (AES)

Explanation:
The Advanced Encryption Standard (AES) is currently used to encrypt and protect U.S. government sensitive and secret data. There are variants, but the most common is 256-bit, which is virtually impossible to break today. Option A is incorrect because MD5 is a cryptographic hash function used to verify that a file has not been altered.
SSL uses certificates to create a secure connection using encryption. Option B is incorrect. Blowfish is a symmetric-key block cipher that has been replaced by AES encryption. The U.S. government uses AES and not Blowfish. Option C is incorrect.