Cloud Data Security

Question 1

What are the common stages of the data lifecycle?

Answer 1

• Create
• Store
• Use
• Share
• Archive
• Destroy

Question 2

Data created by the user should be ______ before uploading to the cloud or if created within the cloud.

Answer 2

Encrypted

Question 3

Packet capture, on-path attacks, and insider threats are all prevented by _____.

Answer 3

encryption on data created remotely

Question 4

______ helps to analyze networks, manage network traffic, and identify network performance issues. It also allows IT teams to detect intrusion attempts, security issues, network misuse, packet loss, and network congestion.

Answer 4

Packet capture

Question 5

An ________ is when an attacker sits in the middle between two stations and intercepts, and in some cases, changes the information being sent interactively across the network.

Answer 5

On-path attack

Question 6

What is a means to secure network traffic?

Answer 6

Using TLS (Transport Layer Security) through an HTPPS connection.

Question 7

• Provisioning access rights
• Securing storage locations
• Protect data thru encryption at rest

Are all security controls that are vital during _____ phase?

Answer 7

Store

Question 8

What is the set of features an application provides so that a user may supply input to and receive output from the program.

Answer 8

An application interface

Question 9

What are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols?

Answer 9

APIs

Question 10

What contains information on how developers are to structure the communication (requests and responses) between two applications?

Answer 10

API documentation

Question 11

The application sending the request is called the _____, and the application sending the response is called the _____.

Answer 11

Client, server

Question 12

What is the most popular and flexible APIs found on the web today, where the client sends requests to the server as data, and the server uses this client input to start internal functions and returns output data back to the client.

Answer 12

REST APIs

Question 13

Data must be protected when it is:

Answer 13

Stored, in transit, and at rest.

Question 14

• Strong protections in virtualization and shared service implementation
• Ensure data on virtualized host can’t be read/detected by other VHs on same device
• Implement personnel/admin controls so workers can’t access raw cust data

Answer 14

How CSPs ensure they provide secure environments for data use

Question 15

• Encryption
• IRM
• Tagging and permissions models
• Jurisdiction/legal restrictions (via export or import controls)
• Egress monitoring

Answer 15

Key controls for the Share phase

Question 16

Export restriction that covers State Department prohibitions on defense-related exports:

Answer 16

International Traffic in Arms Regulations (ITAR)

Question 17

Export restriction that covers Dept of Commerce prohibitions on dual-use (commercial and military) items:

Answer 17

Export Admin Regulations (EAR)

Question 18

Import restriction on cryptosystems or encrypted material:

Answer 18

Cryptography

Question 19

Import restriction where 41 member countries agreed to mutually inform each other about conventional military shipments to non-member countries:

Answer 19

The Wassenaar Arrangement

Question 20

What are the security considerations for the Archive phase?

Answer 20

Cryptography and key management

Question 21

Cryptography methodology that uses an algebraic elliptical curve that results in smaller keys that can provide the same level of security as the larger ones:

Answer 21

Elliptical Curve Cryptography

Question 22

What areas of physical security are important to consider in Archive phase?

Answer 22

Location, format, staff, and procedure.

Question 23

What is storage specifically designed to be used for extended periods of time?

Answer 23

Long-term storage.

Question 24

Amazon Glacier, Azure Archive Storage, and Google Coldline and Archive

Answer 24

3 examples of long-term storage

Question 25

What is storage for data that exists only as long as an instance does?

Answer 25

Ephemeral storage

Question 26

What is storage you have direct access to?

Answer 26

Raw storage

Question 27

What are some examples of raw storage?

Answer 27

Hard drive, SSD. You have direct access to underlying storage rather than a storage service.

Question 28

What is the type of storage that’s represented as a drive attached to the user’s virtual machine?

Answer 28

Volume storage

Question 29

A type of volume storage where data is stored/displayed as files and folders:

Answer 29

File storage - file level storage - file based storage

Question 30

A blank volume that the customer/user can put anything into.

Answer 30

Block storage.

Question 31

Volume storage can be offered in any cloud service model but is often associated with _____.

Answer 31

IaaS

Question 32

Object based storage includes:

Answer 32

Production content and metadata for object stored

Question 33

Object storage can be in any service model but is usually associated with _____.

Answer 33

IaaS

Question 34

In the cloud, the database is usually ________, accessed by users utilizing _______.

Answer 34

Back-end storage in the data center
Online apps or APIs through a browser

Question 35

• Traditional relational databases
• Nonrelational databases (key-value databases)
• Document oriented databases

Answer 35

Are types of databases CSPs may provide

Question 36

Databases are most often configured to work with ______.

Answer 36

Paas and Saas

Question 37

Security methods for databases are:

Answer 37

• Minimizing datasets
• Anonymization/
  pseudonymization

Question 38

• Exposure and malicious access
• Risks to data integrity
• Exposure of data
• DDoS

Answer 38

Long term storage threats

Question 39

Same as long term + risk to IR and forensics b/c the devices may be automatically destroyed when systems are terminated unless intentionally preserved.

Answer 39

Ephemeral storage threats

Question 40

Leaving fragments of data available to next user are _____ threats.

Answer 40

Raw storage

Question 41

What is a security exploit that aims to gather information from or influence the program execution of a system by measuring or exploiting indirect effects of the system or its hardware – rather than targeting the program or its code directly.

Answer 41

Side channel attack

Question 42

Encryption is used to protect data ________.

Answer 42

At rest, in transit, and in use.

Question 43

Encryption is used w/in the customer’s enterprise environment to ______, and within the datacenter to ______.

Answer 43

Protect data
Keep tenants from accessing each other’s data.

Question 44

What are strings of bits that allow for encryption/decryption to occur?

Answer 44

Encryption keys

Question 45

Encryption keys must be at ______ as the data they protect.

Answer 45

Same level of control or higher

Question 46

What type of encryption is where the encryption key is stored in the database itself?

Answer 46

Transparent encryption

Question 47

What is a device that can safely create, store, and manage encryption keys and is used in servers, data transmission, and log files?

Answer 47

HSM = Hardware security module

Question 48

This is used to hold keys in a secure way so they can be recovered by authorized parties.

Answer 48

Key escrow

Question 49

What are two reasons a key escrow might be used?

Answer 49

Incident response
Legal holds

Question 50

T/F: Keys should be stored in the CP’s data center.

Answer 50

False - somewhere other

Question 51

What are 3rd party providers that handle IAM and key management services?

Answer 51

CASB - Cloud Access Security Broker

Question 52

T/F: The cost of using a CASB is higher than maintaining keys within the org.

Answer 52

False - much lower

Question 53

What are the commonly used CASBs?

Answer 53

Zscaler, Netskope, and McAfee’s Enterprise CASB tool.

Question 54

What is a common issue with keys in the cloud?

Answer 54

Inadvertent exposure of private keys in public repositories.

Question 55

Malicious actors can scan _________ looking for private keys that may have been uploaded w/ other materials when coding projects are submitted.

Answer 55

GitHub and other code repositories

Question 56

Certificates rely on a _______.

Answer 56

Public and private key

Question 57

Certificates may be _______

Answer 57

Self-generated or generated by a CA (Certificate Authority)

Question 58

What uses an algorithm to transform a given string of characters into another value?

Answer 58

Hashing

Question 59

T/F: Hash output is smaller than input provided.

Answer 59

True

Question 60

What are two uses of hashes?

Answer 60

• Checking if a file has changed
• Storing and retrieving data quickly

Question 61

T/F: You can decrypt a hash value.

Answer 61

False

Question 62

T/F: Hashes are one-way functions that have keys.

Answer 62

F - they don’t have keys

Question 63

What allows you to determine what the input was for a given hash?

Answer 63

Rainbow table

Question 64

What is the technique to make data less meaningful, detailed, or readable?

Answer 64

Obfuscation

Question 65

What is the replacement of date or part of the data w/ randomized info?

Answer 65

Randomization

Question 66

When is randomization useful?

Answer 66

When you want to remove the real data but maintain its attributes.

Question 67

Removing identifiable data is _____.

Answer 67

Anonymization

Question 68

What involves using a one-way cryptographic function to create a digest of the original data?

Answer 68

Hashing

Question 69

What is using different entries from within the same dataset to represent the data?

Answer 69

Shuffling

Question 70

What is hiding the data with useless characters?

Answer 70

Masking

Question 71

What is deleting raw data before it is represented?

Answer 71

Nulls

Question 72

What is replacing sensitive data with a replacement value called a token?

Answer 72

Tokenization

Question 73

Obscuring can be done in ______ or _____ configurations.

Answer 73

Dynamic or static

Question 74

New dataset is created as a copy from the original data.

Answer 74

Static obscuring

Question 75

Data is obscured as it’s accessed.

Answer 75

Dynamic obscuring

Question 76

Tokenization is the process of having two distinct databases:

Answer 76

One w/ live, actual sensitive data and one with nonrepresentational tokens mapped to each piece of that data.

Question 77

PCI DSS allows _______ instead of _______ for sensitive cardholder data.

Answer 77

Tokenization, encryption

Question 78

DLP tools are also sometimes called:

Answer 78

Egress monitoring tools

Question 79

DLP identifies controlled data using:

Answer 79

Tagging, pattern matching, etc.

Question 80

• Search for numeric strings to detect SSN
• Use categorization/labels/metadata
• Use keyword searches

Answer 80

DLP functions

Question 81

The monitoring task can be implemented:

Answer 81

At points of network egress or on all hosts that process data within the production environment.

Question 82

Downsides of DLP:

Answer 82

• High processing overhead
• Complicated config and usage due to insufficient data center access

Question 83

What are Amazon, Azure, and Google monitoring services called?

Answer 83

CloudWatch, Azure Monitor, GCP Operations Suite

Question 84

What are the basic elements of any log you capture:

Answer 84

Identity, IP address, geolocation, time stamps

Question 85

ID what you log, what events are most important, which should be alerted, where logs are stored/analyzed, how long you will retain, and how you will secure when designing _____

Answer 85

data security models and architecture

Question 86

What are the best practices for logging and analysis for Amazon, Azure, and Google?

Answer 86

Well-Architected Tools, Well-Architected Framework, Cloud Architecture Framework

Question 87

• Centralize collection of log data
• Enhance analysis capabilities
• Dashboarding
• Automated response

Answer 87

SIEM goals

Question 88

SIEMs are only useful when:

Answer 88

Someone actually looks at what they produce.

Question 89

Data should always be stored in

Answer 89

more than one location

Question 90

– Local: replicas within a single datacenter
– Zone: replicas to multiple datacenters within a region
– Global: region level resiliency (replicas to backup region)

Answer 90

Cloud storage for IaaS levels of storage redundancy

Question 91

Is useful to gain visibility and ensure that adequate security controls are implemented

Answer 91

data flow diagram

Question 92

• Decreased development time and faster deployment of new system features.
• Visibility into data movement, critical for regulatory compliance, where data security is often mandated in law.

These are benefits of a _____.

Answer 92

data flow diagram

Question 93

T/F: Creating the DFD can be both a risk assessment activity and a crucial compliance activity.

Answer 93

True

Question 94

Ephemeral, raw, long term, volume, and object storage are associated with:

Answer 94

IaaS

Question 95

Disk, databases, binary large object (blob) are associated with

Answer 95

PaaS

Question 96

Information storage and management, content and file storage, content delivery network (CDN) are associated with

Answer 96

SaaS

Question 97

• Raw Storage. Physical media, allows a VM access a storage LUN
• Volume storage. Attached as IaaS Instance (EC)
• Object storage. S3 storage bucket, Azure storage

Answer 97

IaaS

Question 98

– Structured. Relational databases
– Unstructured. Big data

Answer 98

PaaS

Question 99

– Information Storage and Mgmt. Data entered via the web interface
– Content/File Storage. File based content
– Ephemeral Storage. It used for any temporary data such as cache, buffers, session data, swap volume, etc.
– Content Delivery Network (CDN) Geo distributed content for (better UX)

Answer 99

SaaS

Question 100

– Unauthorized access threatens
– Improper modification threatens
– Loss of connectivity threatens

Answer 100

C
I
A

Question 101

— Jurisdictional issues
— Denial of service
— Data corruption/destruction
— Theft or media loss
— Malware and ransomware
— Improper disposal

Answer 101

threats to storage

Question 102

Primarily a cost and operational concern. Ease of use can lead to unofficial use, unapproved deployment, and unexpected costs

Answer 102

unauthorized provisioning - shadow IT

Question 103

Privacy legislation bars data transfer to countries without adequate privacy protections, like _____

Answer 103

Germany

Question 104

Defenses for data corruption/destruction are least privilege, _____, and offsite data backups

Answer 104

RBAC

Question 105

Who retains responsibility for preventing the loss of physical media through appropriate physical security controls?

Answer 105

CSP

Question 106

Who is responsible for hardware disposal?

Answer 106

CSP

Question 107

• Back up your computer
• Store backups separately
• File auto versioning

Answer 107

ransomware countermeasures

Question 108

• Update and patch computers
• Use caution with web links
• Use caution with email attachments
• Verify email senders
• Preventative software programs
• User awareness training

Answer 108

ransomware prevention

Question 109

Relies on the use of a single shared secret key. Lacks support for scalability, easy key
distribution, and nonrepudiation

Answer 109

symmetric

Question 110

Public private key pairs for communication between parties. Supports scalability, easy
key distribution, and nonrepudiation

Answer 110

asymmetric

Question 111

_____keys are shared among communicating parties. _____ keys are kept secret.

Answer 111

Public / Private

Question 112

To encrypt a message:
To decrypt a message:

Answer 112

use the recipient’s public key / use your own private key

Question 113

To sign a message:
To validate a signature:

Answer 113

use your own private key / use the sender’s public key

Question 114

bridge, hierarchical, hybrid, and mesh.

Answer 114

trust models used with public key infrastructure ( PKI)

Question 115

Many CSPs offer FIPS compliant virtualized _____ to securely generate, store, and control access to cryptographic keys.

Answer 115

HSMs

Question 116

Organizations that use multiple cloud providers or need to retain physical control over key management may need to implement a _____

Answer 116

bring-your-own-key (BYOK) strategy

Question 117

Provides encryption of data as it is written to storage, utilizing keys that are controlled by the CSP.

Answer 117

storage-level encryption

Question 118

Provides encryption of data written to volumes connected to specific VM instances, utilizing keys controlled by the customer.

Answer 118

Volume-level encryption

Question 119

Encryption of objects as they are written to storage, in which case the CSP likely controls the keys and could potentially access the data.

Answer 119

object-level encryption

Question 120

Implemented in client apps, such as word processing apps like Microsoft
Word or collaboration apps like SharePoint

Answer 120

file level encryption

Question 121

Implemented in an application typically using object storage. Data entered by user typically encrypted before storage

Answer 121

Application level encryption

Question 122

Transparent data encryption (database files, logs, backups), column level or row level encryption, or data masking

Answer 122

Database level encryption

Question 123

The process of removing all relevant data so that it is impossible to identify original subject or person. If done effectively, then GDPR is no longer relevant for the data.

Answer 123

Anonymization

Question 124

De identification procedure using pseudonyms (aliases) to represent other data. Can result in less stringent requirements than would otherwise apply under the GDPR.

Answer 124

Pseudonymization

Question 125

A one way function that scrambles plain text to produce a unique message digest. Conversion of a string of characters into a shorter fixed length value. No way to reverse if properly designed

Answer 125

hashing

Question 126

Verification of digital signatures
Generation of pseudo random numbers
Integrity services

Answer 126

uses of hashing

Question 127

1. They must allow input of any length.
2. Provide fixed length output.
3. Make it relatively easy to compute the hash function for any input.
4. Provide one way functionality.
5. Must be collision free.

Answer 127

5 requirements of good hash functions

Question 128

A system designed to identify, inventory, and control the use of data that an
organization deems sensitive. Spans several categories of controls including detective, preventative, and corrective.

Answer 128

DLP

Question 129

Is a way to protect sensitive information and prevent its inadvertent disclosure. Can identify, monitor, and automatically protect sensitive information in documents monitors for and alerts on for potential breaches, policy violations like oversharing

Answer 129

DLP

Question 130

Are used to verify the identity of a communication party and can also be used for asymmetric encryption by providing a trusted public key. Often used to encrypt a shared session key or other symmetric key for secure transmission.

Answer 130

Certificates

Question 131

This is an encrypted hash of a message, encrypted with the sender’s private key. In a signed email scenario, it provides three key benefits:
Authentication. This positively identifies the sender of the email. Ownership of a digital signature secret key is bound to a specific user
Non repudiation. The sender cannot later deny sending the message. This is sometimes required with online transactions
Integrity. Provides assurances that the message has not been modified or
corrupted. Recipients know that the message was not altered in transit

Answer 131

digital signature

Question 132

Include cryptographic protocol design, key servers, user procedures, and other relevant protocols.

Answer 132

Key Management Design Considerations

Question 133

Create digital certificates and own the policies.

Answer 133

Certification Authorities

Question 134

A trust anchor in a PKI environment from which the whole chain of trust is derived.

Answer 134

the root certificate

Question 135

A Domain Validated (DV) certificate is an X.509 certificate that

Answer 135

proves the ownership of a domain name.

Question 136

Extended validation certificates provide _____ in identifying the entity that is using the certificate.

Answer 136

a higher level of trust

Question 137

Usually maintained in an offline state.
Issues certs to new subordinate CAs.

Answer 137

root ca

Question 138

Also called a Policy CA or Intermediate CA. Issues certs to new issuing CAs. Have the ability to revoke certificates.

Answer 138

Subordinate CA

Question 139

Certificates for clients, servers, devices, websites, etc. issued from here

Answer 139

issuing ca

Question 140

If the issuing CA is breached, its certificate can be

Answer 140

revoked and a new one issued.

Question 141

Contains information about any certificates that have been revoked by a subordinate CA due to compromises to the certificate or PKI hierarchy.

Answer 141

Certificate revocation list (CRL)

Question 142

T/F: CAs are required to publish CRLs, but it’s up to certificate consumers if they check these lists and how they respond if a certificate has been revoked.

Answer 142

True

Question 143

Two potential options for tracking revocation:

Answer 143

ask for the CRL or if available, OCSP endpoint/service.

Question 144

Endpoint to query for CRL or OCSP is on the _____

Answer 144

certificate

Question 145

Offers a faster way to check a certificate’s status compared to downloading a CRL in which the consumer of a certificate can submit a request to obtain the status of a specific certificate.

Answer 145

OCSP - online certificate status protocol

Question 146

Records identifying information for a person or device that owns a private key as well as information on the corresponding public key. It is the message that’s sent to the CA in order to get a digital certificate created.

Answer 146

Certificate signing request (CSR)

Question 147

the Fully Qualified Domain Name (FQDN) of the entity (e.g web server)

Answer 147

CN (common name)

Question 148

Metadata, or data that describes data, is a critical part of discovery in structured data
Semantics, or the meaning of data, is described in the schema or data model and explains relationships expressed in data.

Answer 148

discovery methods for structured data

Question 149

How does unstructured data discovery occur?

Answer 149

through content analysis, like:
Pattern matching, which compares data to known formats like
credit card numbers.
Lexical analysis: attempts to find data meaning and context to
discover sensitive info that may not conform to a specific pattern
Hashing: attempts to identify known data by calculating a hash of
files and comparing it to a known set of sensitive file hashes

Question 150

JSON, XML, HTML, email messages, NoSQL

Answer 150

semi-structured data - may contain meta data to help organize

Question 151

T/F: Network-based DLP may not analyze all traffic between on premises endpoints and cloud.

Answer 151

True

Question 152

T/F: An optimal DLP approach will discover data in on-premises and in cloud repositories, as well as in transit

Answer 152

True

Question 153

T/F: Tools must be able to scan unstructured data within structured data sources, such as relational databases.

Answer 153

True

Question 154

T/F: If a single data classification label has to be placed on a large data source the most sensitive classification found will apply

Answer 154

True

Question 155

T/F: Both unstructured and structured in same repository will increase tool cost and complexity and may present classification challenges

Answer 155

True

Question 156

Exceptionally grave damage
Serious damage
Damage
No damage

Answer 156

top secret/confidential/proprietary
secret/private
confidential/sensitive
unclassified/public

Question 157

Who regulates PHI?

Answer 157

HIPAA
HITRUST

Question 158

Brings understanding that enables implementation of security controls and classification polices. Usually precedes classification and labeling

Answer 158

mapping

Question 159

Enforce data rights, provisioning access, and implementing access control model. Often implemented to control access to data designed to be shared but not freely distributed. Can be used to block specific actions, like print, copy/paste, download, and sharing. Provide file expiration so that documents can no longer be viewed after a specified time

Answer 159

IRM programs

Question 160

persistence
dynamic policy control
expiration
continuous audit trail
interoperability

Answer 160

IRM objectives

Question 161

• Centralized service for identity proofing and certificate issuance, store of revoked certificates, and for unauthorized identify information access.
• Enables enforcement from anywhere.
• Secrets storage: These solutions require local storage for encryption keys, tokens, or digital certificates used to validate users and access authorizations.
• Local storage requires protection primarily for data integrity to prevent tampering

Answer 161

IRM

Question 162

Provides inventor exclusive use of their invention for a period of time, generally 20 years.

Answer 162

patent

Question 163

Retention happens b/w _____.

Answer 163

archive and destroy

Question 164

• Data Encryption
• Data Monitoring
• eDiscovery and Retrieval
• Backup and DR Options
• Data Format
• Media Type

Answer 164

key elements of data archiving

Question 165

To maintain data governance, it is required that all data access and movements be _____

Answer 165

tracked and logged.

Question 166

T/F: Accountability, traceability, auditability should be maintained in data archiving

Answer 166

True

Question 167

Directly promotes good user behavior and compliance with the organization’s security policy.

Answer 167

auditing

Question 168

Help ensure that management programs are effective and being followed. Commonly associated with account management practices to prevent violations with least privilege or need to know principles. Can also be performed to oversee many programs and processes

Answer 168

security audits and reviews

Question 169

T/F: Because the cloud customer has nearly full control over their compute environment in IaaS, including system and network capabilities, virtually all logs and data events should be exposed and available for capture.

Answer 169

True - same level of detail on app level in PaaS

Question 170

T/F: In SaaS, customer responsibility is limited to access control, shared responsibility for data recovery, and feature configuration

Answer 170

True

Question 171

Sufficient user ID attribution should be accessible, or it may be impossible to determine who performed a specific action at a specific time.

Answer 171

identity attribution

Question 172

What should logs be able to answer?

Answer 172

“Who did (source address and user identity)
what, (event type, severity, flag, and description)
when, (date, time, interaction identifier)
and from where?” Application identifier (name, version, etc.), application address, Service, Geolocation, Window/for/page (URL and HTTP method), and Code location
(script or module name)

Question 173

Provides evidence integrity through convincing proof evidence was not tampered with in a way that damages its reliability.

Answer 173

chain of custody

Question 174

Documents key elements of evidence movement and handling, including :
- Each person who handled the evidence
- Date and time of movement/transfer
- Purpose evidence movement/transfer

Answer 174

chain of custody

Question 175

Inclusion of sufficient evidence in log files
Digital Signatures

Answer 175

methods to provide non-repudiation