Domain 1 and Some 2

Question 1

Many different customers accessing cloud resources hosted on shared hardware.

Answer 1

Multitenancy

Question 2

Only Matthew’s company has access to any resources hosted on the same physical hardware.

Answer 2

Private cloud

Question 3

Matthew’s organization is combining resources of public and private cloud computing.

Answer 3

Hybrid cloud

Question 4

Resource use is limited to members of a particular group.

Answer 4

Community cloud

Question 5

A strong sanitization technique that involves encrypting data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the resulting keys of the second round of encryption.

Answer 5

Cryptographic erasure

Question 6

Cryptographic erasure is effective on:

Answer 6

Magnetic and solid-state drives.

Question 7

T/F: Degaussing and overwriting are not effective on SSDs

Answer 7

True

Question 8

T/F: Containers provide easy portability.

Answer 8

False, because they are dependent on the host operating system.

Question 9

Hypervisors are used to:

Answer 9

Host virtual machines on a device.

Question 10

A platform as a service model that allows cloud customers to run their own code on the provider’s platform without provisioning servers.

Answer 10

Serverless computing

Question 11

Virtual machines are self-contained and have their own internal operating system, which can be moved between:

Answer 11

different host operating systems.

Question 12

Responsibilities of the customer

Answer 12

Use cloud services
perform service trials
monitor services
administer service security
provide billing and usage reports
handle problem reports
administer tenancies
perform business administration
select and purchase service
request audit reports.

Question 13

The ability of a system to dynamically grow and shrink based on the current level of demand.

Answer 13

Elasticity

Question 14

The ability of a system to grow as demand increases but does not require the ability to shrink.

Answer 14

Scalability

Question 15

Zero trust decisions are not based on network location, such as IP address. Instead, it’s based on:

Answer 15

User’s identity, the nature of the requested access, and the user’s geographic (not network!) location.

Question 16

Bare-metal (Type 1) hypervisor is preferable to the hypervisor that runs off the OS (Type 2) because:

Answer 16

It will offer less attack surface.

Question 17

Network security groups provide functionality equivalent to:

Answer 17

Network firewalls for cloud-hosted server instances.

Question 18

_____ restrict traffic that might reach a server instance.

Answer 18

Network Security Groups

Question 19

T/F Only cloud provider can modify network firewalls

Answer 19

True

Question 20

Restrict the geographic locations from which users may access the servers.

Answer 20

Geofencing

Question 21

_____ may be used to examine the traffic reaching the instance.

Answer 21

Traffic inspection

Question 22

Susceptible to disk failures and user error that may unintentionally destroy or modify data.

Vulnerable to ransomware attacks that infect systems with access to the object store and then encrypt data stored on the service.

Answer 22

Object storage flaws

Question 23

Geofencing may be used to trigger actions, such as an alert, when:

Answer 23

a user or device leaves a defined geographic area.

Question 24

Geotagging annotates log records or other data with:

Answer 24

the geographic location of the user performing an action.

Question 25

The Cloud Security Alliance (CSA) provides an enterprise architecture reference guide that offers vendor-neutral _____.

Answer 25

design patterns for cloud security

Question 26

The use of an API is an example of accessing data programmatically during the _____ phase of the lifecycle

Answer 26

Use

Question 27

Storage that is available as disk volumes.

Answer 27

Block storage

Question 28

Object storage maintains files in:

Answer 28

Buckets

Question 29

T/F Virtualized servers are storage capabilities.

Answer 29

F, Compute capabilities

Question 30

Network capacity is used to connect _____ to each other

Answer 30

Servers

Question 31

The sudo command allows a normal user account to execute administrative commands and is an example of

Answer 31

Privileged access

Question 32

Service access is the access to resources by:

Answer 32

system services, rather than individual people

Question 33

What protects against the risk of a lost device?

Answer 33

Confidentiality

Question 34

________ is when the recipient of a message can prove the originator’s identity to a third party.

Answer 34

Nonrepudiation

Question 35

________ is a means of proving one’s identity.

Answer 35

Authentication

Question 36

_____ demonstrates that information has not been modified since transmission.

Answer 36

Integrity

Question 37

_____ are often used in business impact assessment to capture the impact on intangible factors

Answer 37

Qualitative tools

Question 38

Quantitative tools, such as the computation of annualized loss expectancies and single loss expectancies, are only appropriate for:

Answer 38

easily quantifiable risks.

Question 39

EAL2 assurance applies when the system has been

Answer 39

structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.

Question 40

These tools manage workloads and seamlessly shift them between cloud service providers.

Answer 40

Orchestration

Question 41

Virtualization platforms allow a cloud provider to host:

Answer 41

virtual server instances.

Question 42

Databases are a cloud service offering that allows for

Answer 42

the organized storage of relational data.

Question 43

Cloud access service brokers (CASBs) allow for the consistent enforcement of _____ across cloud providers.

Answer 43

security policies

Question 44

Governs the storage, processing, and transmission of credit card information.

Answer 44

The Payment Card Industry Data Security Standard (PCI DSS)

Question 45

Regulates the financial reporting of publicly traded corporations.

Answer 45

The Sarbanes–Oxley (SOX) Act

Question 46

Protects personal financial information.

Answer 46

The Gramm–Leach–Bliley Act (GLBA)

Question 47

Bring all of an organization’s cloud activities under more centralized control.

They serve as a screening body helping to ensure that cloud services used by the organization meet technical, functional, and security requirements.

They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment.

Answer 47

Cloud governance programs

Question 48

use a pair of keys for each user.

Answer 48

Asymmetric cryptosystems

Question 48

use a pair of keys for each user.

Question 49

Hybrid cloud strategies combine public and private cloud resources,

Answer 49

not resources from multiple public cloud providers.

Question 50

Email is an application-level service that is offered by cloud providers as a software as a

Answer 50

service (SaaS) capability.

Question 51

Block storage and network capacity are infrastructure as a service

Answer 51

(IaaS) offerings and are infrastructure capabilities.

Question 52

Serverless computing is a _____ offering.

Answer 52

PaaS

Question 53

Occurs when a customer (not a service provider) purchases more capacity than they need.

Answer 53

Overprovisioning

Question 54

a mix of public cloud and private cloud services. is an example of a

Answer 54

hybrid cloud environment.

Question 54

a mix of public cloud and private cloud services. is an example of a

Answer 54

hybrid cloud environment.

Question 55

In an infrastructure as a service environment, security duties are a _____.

Answer 55

shared responsibility

Question 56

When Lucca reviews the RTO, he needs to ensure that the organization can recover from an outage in less than two hours based on _____.

Answer 56

the maximum tolerable downtime (MTD) of two hours.

Question 57

How does the recipient of a message that was encrypted using asymmetric cryptography decrypt a message?

Answer 57

Using their own private key

Question 58

The sender using asymmetric cryptography would have previously encrypted

Answer 58

using the recipient’s public key.

Question 59

organization that helps cloud service customers use the services offered by cloud service providers.

Answer 59

cloud service partner

Question 60

cloud service providers who offer a managed identity and access management service to cloud customers that integrates security requirements across cloud services.

Answer 60

Cloud service brokers

Question 61

applies specifically to the use of controlled unclassified information (CUI).

Answer 61

NIST 800-171

Question 62

provide a certification process for hardware and software products.

Answer 62

Common Criteria (CC)

Question 63

the Security Requirements for Cryptographic Modules. This guidance is specific to cryptographic requirements.

Answer 63

FIPS 140-2

Question 64

Services should be able to integrate and work together

Answer 64

Interoperability

Question 65

What is the highest level of assurance under the Common Criteria?

Answer 65

EAL7

Question 66

What does EAL7 ensure?

Answer 66

A system has been formally verified, designed, and tested

Question 67

Technology that uses cryptography to create a distributed immutable ledger.

Answer 67

Blockchain

Question 68

Blockchain is the technical foundation behind ________.

Answer 68

Cryptocurrency

Question 69

An emerging technology that uses principles of particle physics to perform computing.

Answer 69

Quantum computing

Question 70

Moves compute power to IoT devices located at the edge of the network.

Answer 70

Edge computing

Question 71

What’s the difference b/w verification and certification?

Answer 71

Verification can involve a 3P testing service and compile results that may be trusted by many different organizations

Question 72

An area of research into methods for protecting data in use through the protection provided by a trusted execution environment (TEE)

Answer 72

Confidential computing

Question 73

The act of management formally accepting (not evaluating) an evaluating system

Answer 73

Accreditation

Question 74

Verification and certification process both

Answer 74

validate security controls

Question 75

What is one of the core capabilities of IaaS?

Answer 75

providing servers on a vendor-managed virtualization platform.

Question 76

Web-based payroll and email systems are examples of

Answer 76

SaaS

Question 77

Does the CP’s brand influence the cost-benefit analysis?

Answer 77

No

Question 78

An application platform managed by

Question 79

T/F: The provider absorbs the cost when the customer requests a modification of the SLA.

Answer 79

False. The customer pays for all costs associated w/ modifications to the SLA. These are chargeable expenses.

Question 80

Creating computer resources to solve a particular problem and then getting rid of them when you no longer need them.

Answer 80

Ephemeral computing

Question 81

Guaranteeing that the service will be available 99% of the time

Answer 81

availability committment

Question 82

Ability of a system to withstand failures

Answer 82

resiliency

Question 83

Why do users have the most control over the environments hosted on IaaS?

Answer 83

because they are able to manually adjust the resources assigned to an application

Question 84

What standard provides the security controls that should be implemented by cloud service providers

Answer 84

ISO 27017

Question 85

What standard provides the security controls that should be implemented for a cybersecurity program

Answer 85

ISO 27001

Question 86

What standard provides the security controls that should be implemented to provide control guidance for privacy programs?

Answer 86

ISO 27701

Question 87

What standard provides a cloud reference architecture and does not offer specific security guidance?

Answer 87

ISO 17789

Question 88

Who oversees the PCI DSS

Answer 88

Payment Card Industry Security Standards Council (PCI SSC)

Question 89

Cloud computing where the customer only provides application code for execution on a vendor-supplied computing platform are examples of

Answer 89

PaaS

Question 90

Providing fully functional application to customers as a cloud service

Answer 90

SaaS

Question 91

CaaS is a subcategory of ____

Answer 91

IaaS

Question 92

In risk acceptance strategy:

Answer 92

the org does nothing but document the risk

Question 93

Purchasing insurance is what type of risk strategy

Answer 93

Risk transference

Question 94

Relocating a data center would be what kind of risk strategy

Answer 94

risk avoidance

Question 95

Reengineering a facility would be what kind of risk strategy

Answer 95

risk mitigation

Question 96

Using existing data to predict future events

Answer 96

Predictive analytics

Question 97

A style of analytics that describes data

Answer 97

Descriptive analytics

Question 98

A style of analytics that optimizes our behavior by simulating scenarios

Answer 98

Prescriptive analytics

Question 99

What allows CPs to meet various demands from customers while remaining financially viable?

Answer 99

Resource pooling

Question 100

The model that allows customers to scale their compute and/or storage needs w/ little or no intervention the provider

Answer 100

On-demand self service

Question 101

Documents, in formal terms, expectations for availability, performance, or other parameters.

Answer 101

SLAs

Question 102

An internal agreement b/w service organizations

Answer 102

OLA

Question 103

The ability to back out of a change.

Answer 103

Reversibiity

Question 104

Capability to move workloads easily between environments

Answer 104

Portability

Question 105

T/F: The customer has no access to or ability to maintain the operating system in the PaaS environment.

Answer 105

True

Question 106

What is block storage used for?

Answer 106

To provide disk volumes.

Question 107

What is object storage used for?

Answer 107

To store individual files. But they cannot be mounted as a disk.

Question 108

When should archival storage be used?

Answer 108

Only in cases where data does not need to be frequently accessed.

Question 109

What is the least disruptive type of disaster recovery test?

Answer 109

Checklist review.

Question 110

Each team member reviews the content of their disaster recovery checklist and suggest necessary changes.

Answer 110

Checklist review

Question 111

Team members come together and walk through a scenario without making any changes to information systems.

Answer 111

tabletop exercise

Question 112

The team activates the disaster recovery site for testing while primary site remains operational.

Answer 112

parallel test

Question 113

Team takes down primary site and confirms the disaster recovery site is capable of handling regular operations. Most thorough test but also most disruptive.

Answer 113

full interruption test

Question 114

In SaaS solution, the vendor manages:

Answer 114

the physical infrastructure and complete application stack so customer accesses a fully managed application.

Question 115

PaaS offerings provide customers with an environment where customers can:

Answer 115

execute their own code.

Question 116

CaaS is a subcategory of IaaS for:

Answer 116

computing resources provided as a service.

Question 117

Security baselines provide a:

Answer 117

starting point to scope and tailor security controls to your orgs needs.

Question 118

T/F: Security baselines ensure systems are always secure and prevent liability.

Answer 118

False

Question 119

Integrating software development, operations, and quality assurance.

Answer 119

DevOps

Question 120

What is ITIL?

Answer 120

A collection of best practices for managing IT orgs.

Question 121

T/F: Customers should have access to underlying infrastructure in a PaaS environment.

Answer 121

False. But IaaS offers.

Question 122

What is RPO?

Answer 122

The amount of data loss that’s acceptable due to an incident.

Question 123

The amount of downtime that the business can safely withstand.

Answer 123

MTO - maximum tolerable outage

Question 124

What is OpenID Connect?

Answer 124

An authentication layer that works w/ OAuth 2.0 as its underlying authorization framework. Used widely by CSPs.

Question 125

SAML, RADIUS, and Kerberos are:

Answer 125

authentication technologies but don’t have the same seamless integration w/ OAuth.

Question 126

A vendor offering a fully functional application as a web-based service is an example of:

Answer 126

SaaS

Question 127

The customer provides their own software in:

Answer 127

IaaS, Compute as a Service (CaaS), and PaaS

Question 128

Where does edge computing service model place computing power?

Answer 128

At the sensor, minimizing the data that is sent back to the cloud over limited connectivity network links.

Question 129

What is the best choice for providing authentication and authorization information?

Answer 129

SAML

Question 130

What is used to exchange user information for SSO?

Answer 130

SPML

Question 131

What is XACML used for?

Answer 131

access control policy markup

Question 132

T/F: In IaaS, the customer is not responsible for server security operations

Answer 132

False

Question 133

T/F: In SaaS, a fully developed and hosted application is provided to the customer.

Answer 133

True

Question 134

Managing security settings, host firewalls, and configuring server access controls are examples of what?

Answer 134

Server security operations

Question 135

T/F: In PaaS, the customer provides application code for execution on a vendor-supplied computing platform.

Answer 135

True

Question 136

T/F: IaaS provides complex infrastructure building blocks to customers?

Answer 136

False, it’s basic building blocks

Question 137

Function as a Service is a subcategory of _____ for ______

Answer 137

PaaS for serverless computing applications

Question 138

What are more traditional methods of software development that aren’t commonly used with DevOps and DevSecOps

Answer 138

waterfall, modified waterfall, spiral models

Question 139

What’s the purpose of a CASB?

Answer 139

to enforce security policies consistently across cloud services

Question 140

Are DLP and DRM solutions effective at consistently enforcing security policies across cloud platforms?

Answer 140

No

Question 141

IPS are designed to:

Answer 141

detect and block malicious activity

Question 142

What is the vendor responsible for in IaaS?

Answer 142

hardware and network related responsibilities

Question 143

Configuring network firewalls, maintaining the hypervisor, and managing physical equipment are the responsibility of:

Answer 143

Vendor

Question 144

In IaaS, who’s responsible for patching OS on VMs?

Answer 144

Customer

Question 145

What is it called when a single platform is shared among many different customers?

Answer 145

Multitenancy

Question 146

T/F: IaaS allows you to set up infrastructure as quickly as you can deploy and pay for it?

Answer 146

True

Question 147

T/F: Security groups are different from firewall rules for IaaS?

Answer 147

False

Question 148

T/F: You cannot configure IaaS networking.

Answer 148

False, it’s done thru use of network security groups and bandwidth provisioning.

Question 149

Who has responsibility for configuring OS securely in serverless computing?

Answer 149

Vendor

Question 150

What is the framework created by government to assess security of systems?

Answer 150

NIST 800-37

Question 151

What is the list of security controls created by government?

Answer 151

NIST 800-53

Question 152

What is the payment card industry’s framework of compliance for all entities accepting credit cards?

Answer 152

PCI DSS

Question 153

What is portability?

Answer 153

The capability to move workloads easily b/w environments

Question 154

T/F: Services that are scalable are always elastic?

Answer 154

F: Services that are elastic are scalable but scalable not always elastic b/c scalability doesn’t shrink

Question 155

In IaaS, the customer has to maintain the

Answer 155

OS

Question 156

T/F: Additional security means measurable less operational capability

Answer 156

True, there’s always a tradeoff b/w security and productivity

Question 157

The minimal amount of effort required to perform your duty to others. This is care a cloud customer is required to demonstrate to protect the data it owns.

Answer 157

Due care

Question 158

T/F: Due diligence and due care are the same thing.

Answer 158

False, due diligence is activity taken in support of furthering due care.

Question 159

Confidential computing protects data in use by

Answer 159

using a TEE - Trusted Execution Environment. Can also use TPMs, HSMs, and PKIs, but they don’t protect date in use.

Question 160

What provides a general certification process for computing hardware?

Answer 160

The common criteria

Question 161

What provides certification process for hardware but is not specific to cryptographic models or used for generalized hardware?

Answer 161

FIPS 140-2

Question 162

What provides a certification process for cloud computing services?

Answer 162

FedRAMP

Question 163

What is the nomenclature for all entries in an LDAP environment?

Answer 163

The distinguished name (DN)

Question 164

Databases are used to store collected info into

Answer 164

related tables

Question 165

Are networking and virtualization technologies used to store data?

Answer 165

No.

Question 166

What is confidential computing designed to support?

Answer 166

The protection of data actively stored in memory

Question 167

T/F: The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy.

Answer 167

True

Question 168

What service model allows an org to retain the most control of their IT assets in the cloud?

Answer 168

IaaS

Question 169

In IaaS, what is the customer responsible for?

Answer 169

OS, apps, and data

Question 170

What model allows org to retain greatest degree of governance?

Answer 170

Private

Question 171

Placing IoTs on a dedicated subnet or network prevents what?

Answer 171

Other users from accessing the devices directly.

Question 172

Does public cloud use vendor datacenters?

Answer 172

Yes

Question 173

Hypervisors enforce isolation b/w:

Answer 173

VMs and are susceptible to escape attacks

Question 174

HSMs and Trusted Platform Modules:

Answer 174

store and manage cryptographic keys

Question 175

Are databases vulnerable to escape attacks?

Answer 175

No.

Question 176

What allows examination of contents of encrypted HTTPS traffic and detect sensitive info?

Answer 176

Traffic inspection

Question 177

Can port blocking detect a security violation?

Answer 177

No.

Question 178

T/F: Cloud minimizes DR costs?

Answer 178

True, you can configure but not activate resources until needed

Question 179

Verifying a user is who they claim to be:

Answer 179

Authentication

Question 180

Granting access based on user identity:

Answer 180

Authorization

Question 181

Not allowing a participant in a transaction to deny they particpated:

Answer 181

Non-repudiation

Question 182

T/F: In symmetric encryption, all data is encrypted and decrypted with the same key.

Answer 182

True

Question 183

How do you validate the authenticity of a digital certificate?

Answer 183

By using the CA’s public key

Question 184

Using computing assets on a temporary basis:

Answer 184

Ephemeral computing

Question 185

Confidential computing uses ____ to protect data in ____

Answer 185

TEE, use

Question 186

Parallel computing uses ______ ________ to perform _________.

Answer 186

multiple processors, different parts of a calculation simultaneously

Question 187

Business continuity ensures

Answer 187

business can function during disruptive event

Question 188

Support the return to normal operations

Answer 188

Disaster recovery

Question 189

T/F: BC and DR use RTO and RPO as metrics to determine success.

Answer 189

True

Question 190

What is paramount in all security efforts?

Answer 190

Health and human safety.

Question 191

What is MTD in disaster recovery?

Answer 191

Maximum tolerable downtime.

Question 192

Identifying the key, user, and how it is used would support what?

Answer 192

Accountability for usage

Question 193

What is the issue with overwriting SSDs and volumes?

Answer 193

Remnant data

Question 194

Tokenization relies on:

Answer 194

two databases, one with tokenized data and one with actual data

Question 195

T/F: Tokenization requires id practices, encryption, and specifies FIPS 140 requirements.

Answer 195

False, it does not

Question 196

What is FIPS 140?

Answer 196

The 140 series of Federal Information Processing Standards are U.S. government computer security standards that specify requirements for cryptographic modules.

Question 197

T/F: You can tokenize data by hashing

Answer 197

True

Question 198

What is tokenizing data?

Answer 198

The process of substituting a sensitive data element with a non-sensitive equivalent.

Question 199

What helps you see how data is created, moves, and is used thru org?

Answer 199

Dataflow diagrams

Question 200

Classification, creation, and date/time are all captured in:

Answer 200

Data labeling

Question 201

Data types, fields/names, services, systems, ports, protocols, and security detail are all included in:

Answer 201

Dataflow diagrams

Question 202

Includes retention periods, reg/comp requirements, data classification impacts on retention, how/when data should be deleted, archiving/retrieval processes.

Answer 202

Retention policies

Question 203

An IRM should maintain a:

Answer 203

certificate revocation list

Question 204

What is an IRM system?

Answer 204

IT security technology used to protect documents containing sensitive information from unauthorized access.

Question 205

How does an IRM system perform provisioning?

Answer 205

Provides rights based on roles and responsibilities.

Question 206

What does a business impact analysis determine?

Answer 206

What data is needed to continue the operations of the business. An assessment of data criticality.

Question 207

Data mapping matches:

Answer 207

fields in databases.

Question 208

BIAs assess:

Answer 208

the importance of data to an organization’s work

Question 209

Data classification describes:

Answer 209

Data based on things like sensitivity, jurisdiction, and criticality

Question 210

Installing a local agent for an IRM system ensures data is properly handled on _____.

Answer 210

Endpoint systems

Question 211

What is a local agent?

Answer 211

A program that collects information or performs a task in the background at a particular schedule.

Question 212

Examples of unstructured data

Answer 212

images, audio, video, word processing files

Question 213

T/F: Ingress and egress fees are cheap

Answer 213

False

Question 214

T/F: Working with the original drive is a best practice.

Answer 214

False, not a forensic best practice

Question 215

T/F: IRM cannot prevent copying, printing, and making copies

Answer 215

False, this is what it does.

Question 216

T/F: Discovery can be conducted using local tools in each region.

Answer 216

True

Question 217

It is common to archive data to a _____ storage tier

Answer 217

lower cost and lower performance

Question 218

The ____ phase often includes modification of data.

Answer 218

Use

Question 219

What is the encryption protocol of choice for web app traffic?

Answer 219

TLS - Transport layer security (replaced SSL)

Question 220

MD5 and SHA-1 are _______ algorithms.

Answer 220

Hashing

Question 221

Uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit

Answer 221

TLS

Question 222

Used to establish a secure session between a client and a server. Public key cryptography.

Answer 222

asymmetric encryption

Question 223

What is symmetric encryption?

Answer 223

Used to exchange data within a secured session created by asymmetric encryption. You use the same key to encrypt and decrypt.

Question 224

How does asymmetric encryption work?

Answer 224

Uses a mathematically related pair of keys for encryption and decryption: a public key and a private key. If the public key is used for encryption, then the related private key is used for decryption. If the private key is used for encryption, then the related public key is used for decryption.

Question 225

What is a public key?

Answer 225

A key made available to anyone to encrypt data.

Question 226

What is a piece of information used for scrambling data so that it appears random; often represented by a large number, or string of numbers and letters?

Answer 226

Key

Question 227

What’s another word for unencrypted data?

Answer 227

Plaintext

Question 228

What is a private key?

Answer 228

The key used to put encrypted information back into plaintext.

Question 229

Plaintext + key =

Answer 229

Ciphertext

Question 230

Where can you find a public key?

Answer 230

In a website’s SSL/TLS certificate

Question 231

Where is the private key installed?

Answer 231

On the origin server

Question 232

What uses public key cryptography to authenticate the identity of the origin server and exchange data that is used for generating the session keys.

Answer 232

TLS handshake

Question 233

How are bad actors prevented from decrypting communications, even if they identify or steal one of the session keys from a previous session?

Answer 233

Clients and servers agree upon new session keys for each communication session

Question 234

What is spreading data across different storage areas and potentially different cloud providers spread across geographic boundaries?

Answer 234

Data dispersion

Question 235

What is the technique of splitting up and storing encrypted information across different cloud storage services?

Answer 235

Bit splitting. Used by criminals to hide data across the cloud and makes it extremely difficult for forensics to find and obtain.

Question 236

Ephemeral storage is wiped and reclaimed for reallocation only when:

Answer 236

An instance is terminated, not just shut down. For shut downs, it’s retained until the system is reactivated.

Question 237

Ephemeral data is kept for ______ periods of time?

Answer 237

Short (like 45 days)

Question 238

What does it take to complete the destruction process for crypto-shredding?

Answer 238

Securely erasing all copies of the encryption key. Just erasing the key deletes all data associated with it.

Question 239

Deleting replicated data (especially in a relational database - which could accidentally delete a lot of unintentional data), data in a backup, and deleting the right data are all problems solved by _____.

Answer 239

crypto-shredding

Question 240

What is cloud security?

Answer 240

How cloud affects confidentiality, integrity, and availability

Question 241

What does an IRM system rely on to identify systems?

Answer 241

Certificates

Question 242

What can be issued centrally, managed, and used for digital signatures and encryption?

Answer 242

Certificates

Question 243

What is a unique, digitally signed document which authoritatively identifies the identity of an individual or organization.

Answer 243

Certificate

Question 244

________ uses a one-way cryptographic function to replace data with values that can be referenced without exposing the actual data.

Answer 244

Hashing

Question 245

What is long-term storage often used for?

Answer 245

Logs and data storage

Question 246

What storage is allocated as a virtual drive/device w/in cloud?

Answer 246

Volume-based storage

Question 247

What is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.

Answer 247

DevOps

Question 248

What is a code used to identify and authenticate an application or user?

Answer 248

An API key

Question 249

What are processes used to restore the service if the system becomes unavailable for reasons other than regular maintenance?

Answer 249

Break-glass process

Question 250

1. Automated backups in place and executed regularly based on # of secrets and their lifecycle
2. Frequently test the restore procedures
3. Encrypt backups and place on secure, monitored storage

Answer 250

OWASP’s requirements for break-glass secrets backup

Question 251

What is the amount of time before data can be accessed?

Answer 251

Retrieval time

Question 252

What compares two strings to determine if they’re the same?

Answer 252

String comparison

Question 253

What allows IRM to apply rules appropriately?

Answer 253

Tagging and labeling

Question 254

What’s one of the most important things to understand before selecting archival storage?

Answer 254

Data access patterns

Question 255

What influences cost of storage?

Answer 255

Volume of data and amount of time it needs to be stored

Question 256

How are data owners defined?

Answer 256

By data classification policies

Question 257

What do data custodians do?

Answer 257

Be responsible for the data, ensure access control, proper storage, and other operational controls

Question 258

Who processes data as part of a business process?

Answer 258

Data processors

Question 259

Are tokens encrypted?

Answer 259

No

Question 260

T/F: Versioning takes up very little space.

Answer 260

False

Question 261

T/F: Daily backups, recurring snapshots, and archiving processes are able to be quickly restored.

Answer 261

False

Question 262

T/F: You can use least privilege for secrets.

Answer 262

True

Question 263

What type of discovery searches for specific terms in unstructured data?

Answer 263

Content-based

Question 264

What type of discovery relies on data labels?

Answer 264

Label-based

Question 265

What type of discovery uses metadata information?

Answer 265

Metadata-based

Question 266

What can help DLP manage data without relying on pattern matching?

Answer 266

Tagging

Question 267

T/F: Tags are unique allowing events to be tracked to an instance.

Answer 267

True

Question 268

Which sanitization technique is best for solid-state drives (SSDs)?

Answer 268

Cryptographic erasure

Question 269

T/F: Cryptographic erasure is good for SSD and magnetic drives?

Answer 269

True

Question 270

With zero trust architecture, trust decisions are not based on _________.

Answer 270

Network location, like IP address.

Question 271

What is geolocation?

Answer 271

The geographic location of a user or computing device.

Question 272

What security control is best to restrict ports on a server?

Answer 272

Network security groups - they’re like firewalls for cloud server instances.

Question 273

Can a customer modify network firewall rules?

Answer 273

No

Question 274

What restricts locations from which users can access servers?

Answer 274

Geofencing

Question 275

Does geofencing trigger alerts?

Answer 275

Yes

Question 276

What EAL assurace level provides the system has been structurally tested?

Answer 276

EAL2

Question 277

They offer a managed IAM service to customers that integrate security requirements across cloud services.

Answer 277

cloud brokers

Question 278

What’s the highest level of assurance under Common Criteria?

Answer 278

EAL7 - verified, designed, and tested

Question 279

Functionally tested

Answer 279

EAL1

Question 280

Structurally tested

Answer 280

EAL2

Question 281

Methodically tested and checked

Answer 281

EAL3

Question 282

EAL4

Answer 282

Methodically designed, tested, and reviewed

Question 283

EAL5

Answer 283

Semi-formally designed and tested

Question 284

Semi-formally verified, designed, and tested

Answer 284

EAL6

Question 285

Formally verified, designed, and tested

Answer 285

EAL7

Question 286

What optimizes our behavior by simulating many scenarios?

Answer 286

Prescriptive analytics

Question 287

______ storage is used to provide disk volumes, which are storage areas with a single file system.

Answer 287

Block

Question 288

Storage that will be used as a disk attached to a server instance?

Answer 288

Block storage

Question 289

What is used to store individual files but can’t be mounted as a disk?

Answer 289

Object storage

Question 290

OpenID Connect works with ________.

Answer 290

OAuth 2.0

Question 291

A _____ is a condition that must be present for an event to occur.

Answer 291

Necessary condition

Question 292

A _______ is a condition or set of conditions that will produce the event.

Answer 292

Sufficient condition

Question 293

In IaaS, the provider is responsible for hardware and _____ related responsibilities.

Answer 293

Network - this includes configuring firewalls, maintaining hypervisor, and managing physical equipment

Question 294

FedRAMP provides a certification process for ____________.

Answer 294

Cloud computing services

Question 295

Common Criteria provides what?

Answer 295

General certification process for computing hardware that might be used in government applications

Question 296

In a LDAP environment, each entry in a directory server is identified by a ______.

Answer 296

Distinguished name (DN)

Question 297

What does confidential computing protect?

Answer 297

Data actively stored in memory

Question 298

What’s the most cost effective DR approach?

Answer 298

Using a cloud site without activating resources until needed.

Question 299

What are the 3 categories of infrastructure?

Answer 299

1. compute - where processors are
2. storage - object, block, file
3. network - how everything talks

Question 300

GPU

Answer 300

graphics processor for ml/ai

Question 301

Compute

Answer 301

general purpose computing needs, web/app server

Question 302

HPC

Answer 302

high performance computing - things that require lots of power in small footprint

Question 303

Object storage

Answer 303

lower performance but inexpensive, general purpose storage - pictures, documents, data/graphics on web server, etc.

Question 304

Block storage

Answer 304

network storage, attaches iscuzi

Question 305

File storage

Answer 305

attaches with nfs