CISSP Q v1.4 -- Domain 3 Flashcards

1
Q

A data breach was discovered after a company’s usernames and passwords were posted to a hacker website. Afterwards, an analyst discovered the company stored credentials in plain text. Which of the following would help mitigate this type of breach in the future?

A. Create data loss controls that prevent documents from leaving the network.
B. Implement salting and hashing.
C. Configure the web content filter to block access to the forum.
D. Increase password complexity requirements.

A

B. Implement salting and hashing.

Passwords should never be stored in plain text!
Store them as salted hashes, using a deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt, or Argon2) rather than a bare fast hash such as MD5 or SHA-1.
Hashing keeps insiders/hackers who obtain the credential store from reading the passwords directly, and a unique random salt per user makes cracking far more expensive: identical passwords no longer produce identical hashes, so precomputed rainbow tables are useless.
(more salt related details in the slide notes)

2
Q

Of the control types listed below, what would a mantrap (access control vestibule) be considered?

A. Preventative
B. Physical
C. Detective
D. Deterrent

A

B. Physical

A mantrap, access control vestibule, sally port, or air lock:
A physical security access control system comprising a small room with two sets of interlocking doors, such that the first set of doors must close before the second set opens. This mechanism seeks to eliminate the threat of piggybacking or tailgating.

There are three well-known TYPES of controls:
* Physical
* Technical/Logical
* Administrative/Management
(A), (C), and (D) are all CATEGORIES of control (preventative, detective, deterrent, corrective, recovery, compensating). Some references swap the labels "type" and "category"; whichever naming is used, a mantrap is a physical control that happens to act preventatively, and only one of the four options comes from the physical/technical/administrative grouping.

3
Q

Given the following output on an attacker’s system:

Which of the following BEST describes the type of password attack the attacker is performing?

A. Dictionary
B. Pass-the-hash
C. Brute-force
D. Known plain text

A

A. Dictionary

A password that long recovered in a few minutes points to a dictionary attack: a brute-force search of the full keyspace for that length would take years. Pass-the-hash replays a captured hash instead of cracking it, and a known-plaintext attack targets a cipher key, not a password.

4
Q

The components of this security model include subjects, objects, clearances, and who can have access to what. These components are related to which of the following security models?

A. The Bell-LaPadula Model
B. The Clark-Wilson Model
C. The Lipner Model
D. The Biba Model

A

A. The Bell-LaPadula Model - Confidentiality model

Biba is an integrity model, concerned with who can modify what. Clark-Wilson does not discuss clearances, only integrity ideas (well-formed transactions, separation of duties). We can rule both of those out. With Bell-LaPadula (BLP) and Lipner remaining, BLP is the closest match to the description above. Lipner does have some element of BLP in it, but it's still mostly defined by its integrity mechanisms, and there is nothing integrity related in the question.

B. The Clark-Wilson Model - Integrity model
C. The Lipner Model - Combination of Biba and Bell-LaPadula
D. The Biba Model - Integrity model

5
Q

Which of the following statements is true of Common Criteria’s Evaluation Assurance Levels (EALs)?

A. Common Criteria has 7 EALs against which a security product may be able to get certified.
B. Common Criteria has 7 EALs against which a security product maybe able to get accredited.
C. Common Criteria EALs can be used to cross-certify with the Information Technology Security Evaluation Criteria (ITSEC) ratings, but not the Trusted Computer System Evaluation Criteria (TCSEC) ratings.
D. Common Criteria EALs can be used to cross-certify with the Trusted Computer System Evaluation Criteria (TCSEC) ratings, but not the Information Technology Security Evaluation Criteria (ITSEC) ratings.

A

A. Common Criteria has 7 EALs against which a security product may be able to get certified.

There are seven levels, EAL1 (functionally tested) through EAL7 (formally verified design and tested). A product is certified after evaluation by a licensed lab against its Security Target; accreditation is an organization's formal acceptance of a system into operation, so (B) uses the wrong term. Common Criteria replaced both TCSEC and ITSEC; informal mappings between the old ratings and EALs exist, but there is no cross-certification either way, so (C) and (D) are wrong.

6
Q

A stream cipher works by using which of the following?

A. Bit-by-bit substitution with Exclusive Or (XOR) and a keystream
B. Confusion, diffusion, and permutation
C. Exclusive Or (XOR) and an initialization vector (IV)
D. An initialization vector (IV), the Temporal Key Integrity
Protocol (TKIP), and Wi-Fi Protected Access (WPA)

A

A. Bit-by-bit substitution with Exclusive Or (XOR) and a keystream

Stream ciphers are typically used for data in transit, where data arrives a bit or byte at a time. The keystream must never be reused under the same key and IV/nonce: XORing two ciphertexts made with the same keystream cancels the keystream and exposes the XOR of the two plaintexts.
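Added worked example (not from the original deck): a byte-by-byte XOR stream cipher in Python, plus the keystream-reuse failure mode described above. The keystream generator (SHAKE-256 seeded with key and nonce), the key, the nonce, and the two messages are constructed for the demo; this is not a standardized cipher.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator (assumed for this example, not a standard cipher):
    SHAKE-256 used as an extendable-output function seeded with key || nonce."""
    return hashlib.shake_256(key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings position by position (truncates to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt by XORing the plaintext with an equal-length keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# Decryption is the identical operation: XORing the keystream in again cancels it.
stream_decrypt = stream_encrypt


def recover_with_reused_keystream(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two messages encrypted under the same key and nonce share a keystream, so
    c1 XOR c2 == p1 XOR p2. Anyone who knows (or can guess) p1 recovers p2
    without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def nonce_reuse_demo() -> bytes:
    """Constructed scenario: the sender reuses the nonce for a second message."""
    key, nonce = b"k" * 32, b"n" * 12
    p1 = b"transfer 100 to acct 1234"   # attacker knows or guesses this one
    p2 = b"transfer 900 to acct 9999"   # attacker wants this one
    c1 = stream_encrypt(key, nonce, p1)
    c2 = stream_encrypt(key, nonce, p2)  # same key + nonce: the mistake
    return recover_with_reused_keystream(c1, c2, p1)
```

Real stream ciphers (ChaCha20, or AES in CTR mode) differ only in how the keystream is produced; the XOR step and the reuse hazard are the same.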

7
Q

Which cipher uses key words and numerous rows (traditionally 26), each one of which is offset by one?

A. The Rail/Fence cipher
B. The Running key cipher
C. The Vigenère cipher
D. The Vernam cipher

A

C. The Vigenère cipher

Answer (C) is correct: the Vigenère square (tabula recta) has 26 rows, each a Caesar alphabet shifted one further than the row above, and the key word selects which row encrypts each letter. The Rail Fence cipher is a transposition that zig-zags the text across a small number of rails (classically two) and uses no key word. In the running key cipher, frequently used with the Vigenère square, text (typically from a book) provides a very long key, ideally as long as the message itself. Finally, the Vernam cipher, or one-time pad (OTP), combines the message with a truly random key at least as long as the message, used exactly once.

8
Q

Upper management is looking to find a new cloud provider to host the company’s software as a service product. Considering the problems your organization had with the last provider, they instructed you to find a provider who has displayed good internal governance. What indicator should be used when looking for this new provider?

A. Maturity level
B. Risk identification
C. SOC reports
D. Loss history

A

A. Maturity level

Maturity levels (a CMM/CMMI-style rating) are a better indicator of governance than loss history, audit reports such as SOC reports, or the mere ability to identify risks, because they measure how consistently and repeatably the provider's processes are defined, managed, and improved.

9
Q

Which of the following is true with respect to the Operating System (OS) kernel?

  1. It loads and runs binary programs.
  2. It schedules task swapping.
  3. It allocates memory and tracks the physical location of files on the computer’s hard disk.
  4. It must correctly manage input/output requests from software, and translate them into instructions for the Central Processing Unit (CPU).

A. 1 and 2
B. 2 and 3
C. 1, 2, and 3
D. 1, 2, 3, and 4

A

D. 1, 2, 3, and 4

The purpose of the kernel is described in Item 4, and the ways in which it achieves its purpose are described in 1, 2 and 3.

10
Q

Which of the following allows two cooperating processes to transfer information in such a way that it violates the system’s security policy?

A. Partial disclosure
B. Full disclosure
C. Covert channel
D. Opensource

A

C. Covert channel

Answer (C) is correct, as it is the classic definition of what a covert channel achieves.
“A covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.”

11
Q

A Certificate Authority (CA) will occasionally have to revoke a certificate it has published. How does the CA make this fact known to users who are trusting it to deliver reliable certificates?

A. The CA informs the RA and the RA sends this information to the CA’s membership.
B. The CA destroys its Digital Certificate Signing Key and creates a new one.
C. The CA informs the major browser vendors and they change their browsers so that they do not accept any Certificates signed by that version of the CA’s key.
D. The CA publishes a special list which includes details about revoked certificates.

A

D. The CA publishes a special list which includes details about revoked certificates.

The special list they are describing is the Certificate Revocation List (CRL): a list of revoked certificate serial numbers, signed by the CA and published at the CRL distribution point named in each certificate. Clients can also check a single certificate's status in real time with OCSP, but the question describes the CRL.

12
Q

What is the difference between a Registration Authority (RA) and a Certificate Authority (CA)?

A. An RA generates the user’s public/private key pair and saves them in the PKI database.
B. An RA verifies the user credentials, and the CA issues the digital certificate.
C. The CA generates the user’s public/private key pair and the RA generates the certificate.
D. The RA verifies the user credentials, and the CA generates the user’s public/private key pair.

A

B. An RA verifies the user credentials, and the CA issues the digital certificate.

In the standard PKI workflow the end entity generates its own key pair (in software or an HSM) and submits only the public key, in a certificate signing request; the RA verifies the requester's identity, and the CA signs and issues the certificate. Neither the RA nor the CA generates the user's key pair, which rules out (A), (C), and (D), leaving (B).

13
Q

Which statement below BEST describes the difference between the Electronic Code Book (ECB) and the Counter (CTR) method of encryption?

A. ECB is a block cipher, whereas CTR does not stop errors from propagating.
B. ECB is a stream cipher, whereas CTR is a block cipher.
C. Encryption errors can propagate when ECB is used, but do not propagate when Counter is used.
D. ECB can only secure short messages, whereas CTR can secure long ones as well.

A

D. ECB can only secure short messages, whereas CTR can secure long ones as well.

CTR turns the block cipher into a stream cipher, and a ciphertext bit error affects only the corresponding plaintext bit, so Answer (A) is eliminated. Answer (B) has the cipher modes reversed, so it is incorrect. In ECB an error is confined to the block in which it occurs, so Answer (C) is also eliminated. ECB encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in a long message leak; it is only safe for a message that fits in a single block.

14
Q

Given the plain text word “rambo”, which of the following statements is correct?

A. A Caesar cipher for “rambo” would yield “abrmo.”
B. A collision occurs when two different cryptographic keys encrypt “rambo” and produce the same results.
C. A transposition cipher, with reorder sequence 53421 would yield “ombar.”
D. The SHA1 hash value for “rambo” would be exactly 16 bytes long.

A

C. A transposition cipher, with reorder sequence 53421 would yield “ombar.”

(A) Is incorrect. A Caesar cipher is a mono-alphabetic substitution cipher, where each letter in the plaintext is replaced by a letter a fixed number of positions down the alphabet (with a shift of three, A becomes D, B becomes E, and so forth). “abrmo” merely reorders the letters of “rambo”; a Caesar shift would change every letter.
(B) Is incorrect. The term collision is tied to hashing, which does not use keys. What (B) describes (two different keys encrypting the same plaintext to the same ciphertext) is known as “key clustering”.
(C) Is correct: output position i takes the input letter at position 5, 3, 4, 2, 1 in turn, so r-a-m-b-o becomes o-m-b-a-r.
(D) Is incorrect. SHA-1’s hash value is 20 bytes (160 bits), not 16 bytes.
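Added worked example (not from the original deck), covering this card and card 7: Caesar substitution, the Vigenère square, and sequence-driven transposition in Python. The inputs “rambo”, the 53421 sequence, and the shift of three come from the cards; the key “LEMON” is a constructed test value.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Mono-alphabetic substitution: every letter moves `shift` places down the
    alphabet (negative shift decrypts); non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Poly-alphabetic substitution: letter i is Caesar-shifted by key[i mod len(key)].
    Each key letter selects one of the 26 offset rows of the tabula recta."""
    shifts = [ALPHABET.index(c) for c in key.upper() if c in ALPHABET]
    out = []
    j = 0  # counts letters only, so punctuation does not consume key material
    for ch in text.upper():
        if ch in ALPHABET:
            s = shifts[j % len(shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + (-s if decrypt else s)) % 26])
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def transpose(text: str, order: str) -> str:
    """Transposition: output position i takes input position order[i] (1-based).
    Letters are only reordered, never changed, so a Caesar-style output is impossible."""
    return "".join(text[int(d) - 1] for d in order)


def untranspose(text: str, order: str) -> str:
    """Inverse of transpose: put each output letter back at its original position."""
    out = [""] * len(order)
    for i, d in enumerate(order):
        out[int(d) - 1] = text[i]
    return "".join(out)
```

A Caesar cipher is just a Vigenère cipher with a one-letter key; both keep letter frequencies intact within each alphabet, which is why frequency analysis (per key position, once the key length is known) breaks them.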

15
Q

Which of the following is correct?

A. An initialization vector (IV) is used to make sure that encryptions of important texts do not change each time they are encrypted.
B. Confusion refers to making the relationship between the cipher text and the key as complex as possible; diffusion refers to dissipating the statistical structure of the plaintext over the bulk of the cipher text.
C. Only one substitution and one permutation can occur in an SP- network.
D. The avalanche effect in an encryption algorithm means that the algorithm is resistant to small changes in the plaintext.

A

B. Confusion refers to making the relationship between the cipher text and the key as complex as possible; diffusion refers to dissipating the statistical structure of the plaintext over the bulk of the cipher text.

Answer (B) is correct. Claude Shannon first identified these two properties in his 1945 classified report, “A Mathematical Theory of Cryptography” (published in 1949 as “Communication Theory of Secrecy Systems”). Answer (A) is incorrect: an IV does the opposite, ensuring that the same plaintext encrypted twice under the same key produces different ciphertext. Answer (C) is wrong: SP-networks apply many rounds of both substitution and permutation; AES is an excellent example. Answer (D) is wrong: the avalanche effect means a small change in the plaintext (or key) produces a large change in the output, on the order of half the bits.

16
Q

Which statement BEST describes how the term “key space” affects “cryptanalysis”?

A. The larger the key space, the easier the cryptanalysis.
B. The key space doubles each time you add a bit to the key length, which makes cryptanalysis more difficult.
C. Cryptanalysis is designing algorithms, and key space means testing the keys to ensure they work properly.
D. Cryptanalysis is most often accomplished by systematically reducing the size of the keyspace.

A

B. The key space doubles each time you add a bit to the key length, which makes cryptanalysis more difficult.

(A) is the opposite of the truth. (C) is wrong, as cryptography is about designing algorithms and cryptanalysis is about breaking them. Finally, answer (D) is wrong: although a successful attack may reduce the effective key space, that is not how cryptanalysis is most often accomplished.

17
Q

What are the key and block sizes for the AES algorithm?

A. Keys are 128 bits; blocks are 128 and 256 bits.
B. Keys are 128 bits, as are blocks.
C. Both keys and blocks can be 128, 192, and 256 bits.
D. Keys are 128, 192, and 256 bits and blocks are 128 bits.

A

D. Keys are 128, 192, and 256 bits and blocks are 128 bits.

Rijndael, the algorithm from which AES was derived, was able to use the range of block sizes described in Answer (C), but the NIST specification in 2001 for the new Advanced Encryption Standard specified a block size of 128 bits only. AES does allow 128, 192, and 256 bit keys, which eliminates Answers (A) and (B).

18
Q

Which of the following contains BOTH a hashing and an asymmetric key algorithm?

A. DES and SHA2
B. SHA2 and MD5
C. MD5 and ECC
D. AES and ECC

A

C. MD5 and ECC

A. DES and SHA2 - Symmetric and Hashing
B. SHA2 and MD5 - Hashing and Hashing
C. MD5 and ECC - Hashing and Asymmetric
D. AES and ECC - Symmetric and Asymmetric

19
Q

Which of the following is an attack against hashes?

A. Plain text Attack
B. Dictionary Attack
C. Stream cipher Attack
D. Cipher text attack

A

B. Dictionary Attack

Passwords are stored as hashes, and the only password attack listed is the dictionary attack. Other attacks against password hashes are the birthday attack, hash tables, and rainbow tables. Answers (A), (C), and (D) are all attacks intended to find a cipher key.

20
Q

Which of the following is no longer a common and effective attack on wireless networks?

A. A Plaintext Attack
B. A Rainbow Table Attack
C. A Stream Cipher Attack
D. A Ciphertext Attack

A

C. A Stream Cipher Attack

“Was, but is no longer” implies the use of WEP or WPA rather than WPA2, which was introduced in 2004. WEP and WPA used RC4, a stream cipher, and WEP in particular reused keystreams because of its short 24-bit IV. Answers (A), (B), and (D) are all otherwise too broad.

21
Q

The Simple Integrity Property provides what permission?

A. Read at the same level or at a higher level.
B. Write at the same level or at a lower level.
C. Read at the same level or at a lower level.
D. Write at the same level or at a higher level.

A

A. Read at the same level or at a higher level.

With integrity models you can
READ UP, but not DOWN.
WRITE DOWN, but not UP. (confidentiality models are the opposite)

The SIMPLE integrity property is a READ capability for the Biba model. This eliminates Answers (B) and (D), which concern the star (*) property. In Biba, reading up is okay, but reading down is not, as you would thereby be accepting less trustworthy information. This eliminates Answer (C).
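Added worked example (not from the original deck), covering this card and card 4: the Bell-LaPadula and Biba read/write rules as a small reference-monitor-style checker in Python. The label lattices (UNCLASSIFIED through TOP SECRET for confidentiality, UNTRUSTED through SYSTEM for integrity) are assumed for the demo; any totally ordered set of labels works.

```python
from typing import Callable, Dict, Tuple

# Assumed example lattices; higher number = higher level.
CONFIDENTIALITY: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY: Dict[str, int] = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


# Bell-LaPadula (confidentiality): subject has a clearance, object a classification.
def blp_can_read(clearance: str, classification: str) -> bool:
    """Simple security property: no read up."""
    return CONFIDENTIALITY[clearance] >= CONFIDENTIALITY[classification]


def blp_can_write(clearance: str, classification: str) -> bool:
    """*-property: no write down (a SECRET subject must not copy into an UNCLASSIFIED object)."""
    return CONFIDENTIALITY[clearance] <= CONFIDENTIALITY[classification]


# Biba (integrity): the rules are the mirror image of BLP's.
def biba_can_read(subject_level: str, object_level: str) -> bool:
    """Simple integrity property: no read down (don't consume less trustworthy data)."""
    return INTEGRITY[subject_level] <= INTEGRITY[object_level]


def biba_can_write(subject_level: str, object_level: str) -> bool:
    """*-integrity property: no write up (don't contaminate more trustworthy data)."""
    return INTEGRITY[subject_level] >= INTEGRITY[object_level]


RULES: Dict[Tuple[str, str], Callable[[str, str], bool]] = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def decide(model: str, subject_level: str, operation: str, object_level: str) -> str:
    """Reference-monitor style decision: every access is mediated by exactly one rule."""
    allowed = RULES[(model, operation)](subject_level, object_level)
    return "ALLOW" if allowed else "DENY"
```

Note that the two models have opposite defaults for the same direction: BLP forbids reading up and writing down; Biba forbids reading down and writing up. Real systems that want both (Lipner) have to layer them.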

22
Q

Which security model is designed to help ensure that high level activities (inputs) do not determine what low-level users can see (outputs)?

A. The Lattice model
B. The Information Flow model
C. The Clark-Wilson model
D. The Non-interference model

A

D. The Non-interference model

A non-interference model aims at a strict separation of differing security levels to ensure that higher-level activities don’t determine what lower-level users can see or gain access to.

(A) Lattice models allow for strict distinction between different levels and define clear rules for interactions between them, such as Bell-LaPadula. (B) Information flow models focus on the ways in which information can flow or be exchanged within a system. (C) The Clark-Wilson model is an integrity model focused on ensuring well-formed transactions.

23
Q

Originally there were three Cloud Service models (CSMs) and four Cloud Deployment models (CDMs). Which statement below has two original CSMs and two CDMs?

A. SaaS, IDaaS, Public, and Private
B. SaaS, PaaS, Community, and Hybrid
C. IaaS, PaaS, On-site and Off-site
D. NaaS, CaaS, Hybrid, and Commercial

A

B. SaaS, PaaS, Community, and Hybrid

“on-site and off-site” are not deployment models.

24
Q

Which fire prevention system does not hold water above the area it protects, contains multiple heat-sensing elements, and only begins to fill with water when the valve is triggered by excessive heat?

A. A Dry-Pipe System
B. A Deluge System
C. A Wet-Pipe System
D. A Pre-Action System

A

D. A Pre-Action System

A Dry-Pipe system only has one heat sensing element, which is the sprinkler head. Pre-Action systems, on the other hand, include both primary and secondary (supplemental) heat sensing elements. The supplemental sensor pre-fills the pipes before the primary sensor (the sprinkler head) triggers and sprays the water in the room.

25
Q

Which statements below BEST describe fundamental security monitoring for a system?

  1. The Reference monitor and security kernel are used to determine whether a user should be allowed to access an object.
  2. The Reference monitor is a large software item.
  3. “Complete mediation” means that all subjects must be authenticated and their access rights verified before they can access any object.
  4. The definition of the Trusted Computing Base (TCB) concept was first formalized by ITSEC.

A. 1 and 2
B. 1 and 3
C. 1 and 4
D. 3 and 4

A

B. 1 and 3

Item 2 is false: the reference monitor should be small enough to be fully tested and verified. Item 4 is false: the TCB concept was formalized in the TCSEC (the Orange Book), not ITSEC.

26
Q

Which of the following demonstrates the authenticity and origin of a communication, thereby providing for non- repudiation?

A. Using Elliptic Curve Cryptography techniques
B. Assigning Denial of Service Certificates to senders
C. Digital Signatures
D. E-Commerce Digital Certificates

A

C. Digital Signatures
A digital signature is a mathematical scheme for verifying the authenticity and integrity of digital messages or documents. Because only the holder of the private key could have produced it, it also provides non-repudiation, or proof of origin.

(A) ECC underlies signature algorithms such as ECDSA (RSA is still more common), but “ECC techniques” by itself is ambiguous and is not a signature.
(B) Denial of Service certificates are not a real thing.
(D) Server (“e-commerce”) certificates are used by SSL/TLS servers to authenticate themselves and establish encrypted sessions, not to sign messages for non-repudiation.

27
Q

Which security model focuses on preventing conflicts of interest when a given subject would otherwise have access to objects with sensitive information associated with two competing parties?

A. Information Flow
B. Non-Interference
C. Clark-Wilson
D. Brewer and Nash

A

D. Brewer and Nash

Answer (D) is correct. It may also be called the Chinese Wall model: once a subject has accessed data belonging to one company in a conflict-of-interest class, it is blocked from the data of that company's competitors.

Clark-Wilson (C) is an integrity model built on well-formed transactions and separation of duties, not on conflicts of interest.

28
Q

Which of the following is MOST accurate with respect to individual computing devices (ICDs) on a cluster versus on a grid system?

A. If a Grid ICD fails, the Grid must be restarted.
B. If a Cluster ICD fails, the cluster must be restarted.
C. Grid systems are homogeneous, while Cluster systems are heterogeneous.
D. Cluster ICDs all share the same operating system (OS) and application software, but Grid ICDs can have many different OSs, while still working on solving the same problem.

A

D. Cluster ICDs all share the same operating system (OS) and application software, but Grid ICDs can have many different OSs, while still working on solving the same problem.

29
Q

Which of the following best describes a Common Criteria “Protection Profile”?

A. A set of security requirements to be used to evaluate a Security Target.
B. A set of security requirements for a category of products that meet specific consumer security needs.
C. An implementation-independent set of functional security requirements for a category of products that meet specific consumer
security needs.
D. An implementation-specific set of assurance requirements for products that meet specific consumer security needs.

A

B. A set of security requirements for a category of products that meet specific consumer security needs.

Answer (A) is wrong, as the security product to be evaluated is called the Target of Evaluation (TOE); a Protection Profile is written for a category of products, not one target. All CC evaluations provide for both assurance and functionality, so Answers (C) and (D) each leave out something, and are thus eliminated.

30
Q

Albert received a message sent to him over the Internet by John. Albert changed the content of the message and then claimed that the altered message was the one he’d received from John. Which technique would prevent Albert from being able to make this claim?

A. John used Public Key Cryptography to deliver the message.
B. John digitally signed the message.
C. John used the 512 bit version of SHA2 to hash the message and then sent this hash along with the message to Albert.
D. John used hybrid encryption with the strong AES 256 algorithm and the ECC public key algorithm to send the message to Albert.

A

B. John digitally signed the message.

Digital signatures provide integrity and non-repudiation, aka proof-of-origin!

31
Q

Which of the following describes the correct way to create and use a digital signature?

A. Add the sender’s name to the document, then encrypt it with the recipient’s public key, send the encrypted document to the recipient.
B. Encrypt the document with the sender’s Private key, and then send the encrypted document to the recipient.
C. Hash the document, then encrypt both the hash and the document with the sender’s private key, then send the encrypted information to the recipient.
D. Hash the document, then encrypt only the hash with the sender’s private key, send both the plain text document and the encrypted hash to the recipient.

A

D. Hash the document, then encrypt only the hash with the sender’s private key, send both the plain text document and the encrypted hash to the recipient.

(A) provides encryption, but does not offer non-repudiation. Non-repudiation (proof-of-origin) is the entire point of signatures and what we are looking for. Simply adding the sender’s name does not provide proof-of-origin.
(B) is incorrect. Applying the private key to the whole document is not how a signature is constructed, and it provides no confidentiality either, since anyone holding the sender’s public key can recover the document; signatures operate on a fixed-length hash.
(C) is incorrect because you don’t encrypt the document along with the hash.
As (D) demonstrates, only the hash is encrypted with the sender’s private key; the recipient hashes the received document, recovers the signed hash with the sender’s public key, and compares the two.

32
Q

From a security perspective, which of the following are the MOST important resources in any computing system?

  1. Memory
  2. Buffer overflow
  3. Storage
  4. Speed

A. 1 and 4
B. 1 and 2
C. 2 and 4
D. 1 and 3

A

D. 1 and 3

Answer (D) is correct. Neither buffer overflows (where a program writing data to a buffer overruns the buffer’s boundary and overwrites adjacent memory locations) nor speed (a desirable attribute) are “resources.”

33
Q

A cloud storage server has been brought online that is intended to serve hospitals exclusively. Several hospitals, all owned by different entities, have begun using this highly secured cloud server. What type of cloud deployment model matches this type of server?

A. Public
B. Private
C. Community
D. Hybrid

A

C. Community

A community cloud is shared by a group of similar organizations that all have similar needs. In this example, it is a server built only to serve hospitals.

34
Q

A contractor working for the company updated several applications and plugins on the cloud platform causing a massive outage. Of the options below, what would best prevent this from happening again?

A. Secure Web Gateway (SWG)
B. Cloud Access Security Broker (CASB)
C. Mirrored backup site
D. Containerization

A

B. Cloud Access Security Broker (CASB)

Secure Web Gateway. This is a proxy that inspects and filters users' outbound web traffic (URL filtering, malware scanning, some application control). While it can inspect traffic and filter out scripting attacks, it is unlikely that the gateway would block an application from receiving an update.
Cloud Access Security Broker. This is on-premises or cloud-based security software that sits between users and cloud services and limits access and enforces access control for the cloud on a per-user basis. Many CASBs include SWG functionality, and a CASB could block a contractor from updating an application or plugin. This technology is very flexible and is one of the best tools for protecting cloud services. It can also be used to promote compliance, perform monitoring, and prevent malware.

35
Q

Of the cloud service models listed below, which would typically include storage, networking, and servers, but not an operating system?

A. DaaS
B. SaaS
C. PaaS
D. IaaS

A

D. IaaS

36
Q

Although this situation is unlikely, under what circumstances would it be completely acceptable to use AES in ECB mode with a 128 bit key?

A. When AES is using a 128 bit block size.
B. When AES is set to perform 10 rounds of encryption.
C. When the data to be encrypted is less than 128 bits.
D. When the key was negotiated with DH group 24

A

C. When the data to be encrypted is less than 128 bits.

The problem with ECB (electronic codebook) mode is that every 128-bit block is encrypted independently with the same key and nothing else, so identical plaintext blocks always produce identical ciphertext blocks. Once a message spans more than one block, patterns in the plaintext show through in the ciphertext, and a ciphertext-only attack needs less work (lower work factor). A message that fits in a single block produces a single block of ciphertext, so there is no repetition to leak.
(A) AES will always use a 128-bit block size, but this doesn’t suddenly make ECB safe to use.
(B) AES will perform 10 rounds of encryption when using a 128-bit key, but that is still not considered safe. (D) How the key is negotiated has nothing to do with ECB mode.
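Added worked example (not from the original deck), covering card 13 and this one: ECB and CTR built over a toy 8-round Feistel block cipher that stands in for AES so the example needs no third-party library. The key, the nonce, and the repeated plaintext block are constructed for the demo. It shows that ECB turns three identical plaintext blocks into three identical ciphertext blocks while CTR does not, and that one flipped ciphertext bit corrupts only its own block under ECB and only its own bit under CTR.

```python
import hashlib
from typing import List

BLOCK = 16  # 128-bit blocks, as in AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher (assumed here): keyed SHA-256, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel block cipher standing in for AES. Illustration only."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


def _pad(data: bytes) -> bytes:  # PKCS#7: ECB needs whole blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block encrypted on its own, with no chaining value and no counter."""
    padded = _pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(block_decrypt(key, ciphertext[i:i + BLOCK])
                           for i in range(0, len(ciphertext), BLOCK)))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce||counter to get a keystream block and XOR it in.
    No padding needed, and the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def _blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def changed_bits_per_block(a: bytes, b: bytes) -> List[int]:
    return [sum(bin(x ^ y).count("1") for x, y in zip(ba, bb))
            for ba, bb in zip(_blocks(a), _blocks(b))]


def flip_bit(data: bytes, byte_index: int) -> bytes:
    corrupted = bytearray(data)
    corrupted[byte_index] ^= 0x01
    return bytes(corrupted)


KEY = b"\x01" * 16                     # constructed demo key
NONCE = b"\x02" * 8                    # constructed demo nonce; the counter fills the other 8 bytes
PLAINTEXT = b"ATTACK AT DAWN!!" * 3    # three identical 16-byte blocks


def distinct_ciphertext_blocks(mode: str) -> int:
    """How many distinct ciphertext blocks the three identical plaintext blocks produce."""
    if mode == "ecb":
        ct = ecb_encrypt(KEY, PLAINTEXT)[:len(PLAINTEXT)]  # ignore the trailing padding block
    else:
        ct = ctr_crypt(KEY, NONCE, PLAINTEXT)
    return len(set(_blocks(ct)))


def error_propagation(mode: str) -> List[int]:
    """Flip one ciphertext bit in the middle block; count changed plaintext bits per block."""
    if mode == "ecb":
        recovered = ecb_decrypt(KEY, flip_bit(ecb_encrypt(KEY, PLAINTEXT), 20))
    else:
        recovered = ctr_crypt(KEY, NONCE, flip_bit(ctr_crypt(KEY, NONCE, PLAINTEXT), 20))
    return changed_bits_per_block(PLAINTEXT, recovered)
```

CTR's lack of error propagation is also why it gives no integrity: an attacker can flip chosen plaintext bits by flipping ciphertext bits, so CTR is paired with a MAC (GCM is CTR plus GHASH) in practice.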

37
Q

A company has developed their own SaaS product. They need a flexible and transparent management tool that grants them the ability to control and monitor who uses their product. What could meet the needs of this company for their new SaaS product?

A. System Info and Event Manager (SIEM)
B. Data Loss Preventer (DLP)
C. Cloud Access Security Broker (CASB)
D. Access Control Matrix

A

C. Cloud Access Security Broker (CASB)

A Cloud Access Security Broker (CASB) is a service/software that sits between the end-user and the cloud provider. It can offer the following:
* Mediate all access to and from the cloud
* Provide highly granular control over users and data
* Enforce compliance with well-known cloud regulations
* Give visibility into user/app/data usage (allows for monitoring and measured services)
* Prevent most injection/malware threats

38
Q

What best describes the function of microservices in the cloud?

A. Independent applications that are designed as small components and loosely coupled.
B. Applications that are inexpensive when deployed on a large scale.
C. Applications that are small enough to live stream to customers.
D. Applications intended for use on mobile platforms.

A

A. Independent applications that are designed as small components and loosely coupled.

Microservices are small, simple, agile, standalone apps that communicate through well-known APIs. They are sometimes developed independently and are loosely coupled so they can be deployed as one application (with many services) if needed. Microservices architectures make applications easier to scale and faster to develop, enabling innovation and accelerating time-to-market for new features.

39
Q

Of the options below, what is the best description of containers, as they apply to software virtualization?

A. A secure test environment.
B. An encrypted file that is safe to transmit over unsecured media.
C. A virtual machine with only one OS and one application.
D. Several isolated applications sharing a single OS.

A

D. Several isolated applications sharing a single OS.

Containers are virtualization at the operating-system level such that a single operating system is partitioned and used by multiple applications. The applications are isolated from each other. In many cases, containers are more efficient than full virtual machines (virtualization at the hardware layer). Containers are used in the cloud to quickly deploy and scale web applications.

40
Q

Of the options below, what is the best description of containerized software?

A. Code and all of its associated dependencies have been packaged together so that it can run on almost any infrastructure.
B. A library of virtual machines that can communicate through well- known APIs.
C. A light weight software that is designed to perform a single dedicated security function.
D. An abstract concept that involves mediating all access from subjects to the software and its associated objects.

A

A. Code and all of its associated dependencies have been packaged together so that it can run on almost any infrastructure.

Software containerization bundles the application code together with the related configuration files, libraries, and dependencies required for it to run. This single package of software or “container” is abstracted away from the host operating system, and hence, it stands alone and becomes portable—able to run across any platform or cloud, free of issues.

41
Q

Which of the following cloud principles will help manage the risk of a network breach?

A. Self-service
B. Availability
C. Shared responsibility
D. Elasticity and redundancy

A

C. Shared responsibility

Since both the customer and the CSP have their own specific responsibilities, managing the risk is easier for both of them. The CSP is responsible for security ‘of’ the cloud, while the customer is responsible for security ‘in’ the cloud.
Cloud service providers are responsible for security of:
* The data center
* Isolation of tenants' data from one another
* Network security within the data center

Cloud consumers are responsible for security of:
* Direct user access to data (permissions)
* Backup and restoration of data

42
Q

After a recent security summit, management has decided that too much attention has been paid to perimeter defenses and defending network segments. Instead, more focus should be put on securing internal assets, services, and workflows. They explain that this shift will protect the company better in the future considering that more employees will be working remotely. What security concept is closely aligned with management’s new security posture?

A. Shared responsibility model
B. Zero trust architecture
C. Complete mediation system
D. Privacy by design

A

B. Zero trust architecture

Zero trust - An evolving set of security paradigms that shifts focus from perimeter defenses to the internal users, assets, and resources. It assumes no implicit trust is granted to assets or user accounts based solely on their network location. This shift in focus is a necessary change considering the rise of mobile phones and remote employees.

43
Q

Management has determined that the business has become overly dependent on the cloud service provider and has been attempting to list out all of the benefits that a shift to edge computing would offer. Of the list below, which issue is the least resolved by the implementation of edge computing?

A. High latency with the cloud provider
B. Data sovereignty compliance costs
C. Regular network connectivity faults
D. Limited bandwidth is remaining due to cloud traffic

A

C. Regular network connectivity faults

(A) Since the data doesn’t have to go to the cloud for processing, latency will be greatly reduced.
(B) Since the data can be kept local, it is considerably easier to remain in compliance with sovereignty regulations.
(C) While edge computing could possibly reduce the impact of network connectivity faults, it doesn’t resolve the faults themselves.
(D) If you have limited bandwidth, not having to send things to the cloud will drastically reduce the bandwidth you consume.

Edge computing is about performing data computation and storage closer to the device that needs it, instead of sending it all the way to the data center. The origins of this concept can be found in the Content Delivery Networks that Netflix and similar services rely on.