Design Requirements Flashcards

1
Q
Which of the following is the best example of a physical control?
A. Carpets
B. Ceilings
C. Doors
D. Fences
A

D. Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control: the lock on the door would be a physical security control. Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
In which cloud service model is the customer required to maintain the OS?
A. CaaS
B. SaaS
C. PaaS
D. IaaS
A

D. In IaaS, the service is bare metal, and the customer has to install the OS and the software; the customer is then is responsible for maintaining that OS. In the other models, the provider installs and maintains the OS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?
A. Homomorphic
B. Polyinstantiation
C. Quantum-state
D. Gastronomic
A

A. Homomorphic encryption hopes to achieve that goal; the other options are terms that have almost nothing to do with encryption.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
Gathering business requirements can aid the organization in determining all of these facets of organizational assets except:
A. Full inventory 
B. Usefulness 
C. Value 
D. Criticality
A

B. When we gather information about business requirements, we need to do a complete inventory, receive an accurate valuation of assets (usually from the owners of those assets), and assess criticality. However, this collection of information does not objectively tell us how useful an asset is.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
To protect data on user devices in a BYOD environment, the organization should consider requiring all the following except:
A. DLP agents
B. Local encryption
C. Multifactor authentication
D. Two-person integrity
A

D. Although all the other options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic and, if implemented, would require everyone in your organization to walk around in pairs while using their mobile devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q
Risk appetite for an organization is determined by which of the following?
A. Reclusion evaluation
B. Senior management
C. Legislative mandates
D. Contractual agreement
A

B. Senior management decides the risk appetite of the organization. There is no such thing as “reclusion evaluation.” Legislative mandates (laws) do not tell an organization which risks are acceptable except in very, very specific industries, and those are outliers. Contracts don’t dictate acceptable risk for an organization; the organization should use its risk appetite to guide how it crafts contracts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
Devices in the cloud data center should be secure against attack. All the following are means of hardening devices except?
A. Using a strong password policy 
B. Removing default passwords 
C. Strictly limiting physical access 
D. Removing all admin accounts
A

D. Although the rest of the options are good tactics for securing devices, we can’t remove all admin accounts; the device will need to be administered at some point, and that account needs to be there. This question is good practice for the exam, where every word in each question and each answer is important.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q
The BIA can be used to provide information about all the following elements except which?
A. Risk analysis
B. Secure acquisition
C. BC/DR planning
D. Selection of security controls
A

B. When we gather information about business requirements, we need to do a complete inventory, receive an accurate valuation of assets (usually from the owners of those assets), and assess criticality. However, this collection of information does not objectively tell us how useful an asset is.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

In a cloud environment, encryption should be used for all the following except:
A. Long-term storage of data
B. Near-term storage of virtualized images
C. Secure sessions/VPN
D. Profile formatting

A

D. All of these activities should incorporate encryption except for profile formatting, which is a made-up term.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q
In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?
A. Technological
B. Physical
C. Administrative
D. All of the above
A

D. Layered defense calls for a diverse approach to security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q
All the following are ways of addressing risk except:
A. Acceptance
B. Reversal
C. Mitigation
D. Transfer
A

B. Reversal is not a method for handling risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q
The process of hardening a device should include all the following except:
A. Improve default accounts
B. Close unused ports
C. Delete unnecessary services
D. Strictly control administrator access
A

A. We don’t want to improve default accounts—we want to remove them. All the other options are steps we take to harden devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q
Which of the following is considered a technological control?
A. Firewall software
B. Fireproof safe
C. Fire extinguisher
D. Firing personnel
A

A. A firewall is a technological control. The safe and extinguisher are physical controls, and firing someone is an administrative control.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the following best describes risk?
A. Preventable
B. Everlasting
C. The likelihood that a threat will exploit a vulnerability
D. Transient

A

C. Option C is the definition of risk—and risk is never preventable. It can be obviated, attenuated, reduced, and minimized, but never completely prevented. Any particular, specific risk may be everlasting or transient, but it’s not the case that all risks could be described by either of these terms.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q
The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified?
A. RMF
B. Contract
C. MOU
D. BIA
A

B. The contract codifies the rights and responsibilities of the parties involved upon completion of the negotiation. The RMF aids in risk analysis and design of the environment. A memorandum of agreement/understanding (MOA/MOU) is shared between parties for a number of possible reasons. The BIA aids in risk assessment, DC/BR efforts, and selection of security controls by determining the criticality and value of assets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q
Which of the following is considered an administrative control?
A. Access control process
B. Keystroke logging
C. Door locks
D. Biometric authentication
A

A. A process is an administrative control; sometimes, the process includes elements of other types of controls (in this case, the access control mechanism might be a technical control, or it might be a physical control), but the process itself is administrative. Keystroke logging is a technical control (or an attack, if done for malicious purposes and not for auditing), door locks are a physical control, and biometric authentication is a technological control. This is a challenging question, so don’t be frustrated if you did not get it correct on the first try.

17
Q

The process of hardening a device should include which of the following?
A. Encrypting the OS
B. Updating and patching the system
C. Using video cameras
D. Performing thorough personnel background checks

A

B. Updating and patching the system helps harden the system. Encrypting the OS is a distractor. That would make the OS/machine impossible to use. Video cameras are a security control but not one used to harden a device. Background checks are good for vetting personnel but not for hardening devices.

18
Q
In which cloud service model is the customer required to maintain and update only the applications?
A. CaaS
B. SaaS
C. PaaS
D. IaaS
A

C. In PaaS, the provider supplies the hardware, connectivity, and OS; the customer installs and maintains applications. In IaaS, the customer must also install the OS, and in SaaS, the provider supplies and maintains the applications.

19
Q
What is the risk leftover after controls and countermeasures are put in place?
A. Null
B. High
C. Residual
D. Pertinent
A

C. This is the definition of the term residual.

20
Q
In which cloud service model is the customer only responsible for the data?
A. CaaS
B. SaaS
C. PaaS
D. IaaS
A

B. SaaS is the model in which the customer supplies only the data; in the other models, the customer also supplies the OS, the applications, or both.