Domain 3

Question 1

What is the primary requirement for cloud functionality?

Answer 1

ISP connectivity

Question 2

What provides immediate, battery-driven power for a short period of time?

Answer 2

UPS - uninterruptible power supplies

Question 3

What’s the best option for providing backup power for a sustained period of time?

Answer 3

Generators

Question 4

Redundant arrays of inexpensive disks (RAID) and redundant servers are examples of what kind of controls?

Answer 4

high-availability

Question 5

What identifies sensitive information stored on endpoint systems or in transit over a network?

Answer 5

DLP systems

Question 6

What is a duplicate of your system – including lines of communication and network devices – that can act as your business’s main operating system if your primary server goes down for any reason?

Answer 6

Redundant server

Question 7

What creates a single usable data disk, where several physical disks are combined into an array for better speed and fault tolerance.

Answer 7

Redundant arrays of inexpensive disks (RAID)

Question 8

What are the following key concepts for:
* Mirroring: copying data to more than one disk
* Striping: splitting data across more than one disk
* Error correction (fault tolerance): redundant data is stored to allow problems to be detected and possibly fixed

Answer 8

RAID

Question 9

Is RAID a backup solution?

Answer 9

No

Question 10

What is a network encryption protocol used to protect sensitive information?

Answer 10

TLS

Question 11

Can TLS identify sensitive information?

Answer 11

No

Question 12

T/F: The management plane of a cloud service provider’s datacenter should be reserved for use by the provider’s own engineers.

Answer 12

True

Question 13

What does traffic on the management plane control?

Answer 13

Operation of the infrastructure

Question 14

What’s a cost-effective way to track items in a facility?

Answer 14

RFID - Radio frequency identification technology

Question 15

What type of site includes the basic capabilities required for datacenter operations, like space, power, HVAC, and communications?

Answer 15

Cold site, but it lacks hardware required to restore operations

Question 16

What is the most simplistic type of disaster recovery site consisting of elements providing power, networking capability, and cooling

Answer 16

Cold site

Question 17

What type of DR site has storage hardware such as tape or disk drives, servers, and switches but has to have data transported for use in recovery?

Answer 17

Warm site

Question 18

What type of DR site is ideal but challenging to attain that is a fully functional backup site that already has important data mirrored to it?

Answer 18

Hot site

Question 19

What is the maximum acceptable delay between the interruption of service and restoration of service. This determines an acceptable length of time for service downtime.

Answer 19

RTO - recovery time objective

Question 20

What is the maximum acceptable amount of time since the last data recovery point. This determines what is considered an acceptable loss of data.

Answer 20

RPO - recovery point objective

Question 21

Every region consists of multiple __________.

Answer 21

Availability zones

Question 22

What DR strategy is when data is live, services are idle, and some resources are provisioned and scaled after event?

Answer 22

Pilot light

Question 23

What DR strategy is always running, business critical, and scales AWS resources after event?

Answer 23

Warm standby

Question 24

What DR strategy has real-time RPO and RTO, zero downtime, near zero data loss, and is for mission critical services?

Answer 24

Multi-site, active/active

Question 25

What provides the best redundancy and resiliency for backup?

Answer 25

Having your backup at another cloud provider

Question 26

What is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers.

Answer 26

Docker

Question 27

What packages software into standardized units called containers that have everything the software needs to run including libraries, system tools, code, and runtime.

Answer 27

Docker

Question 28

What is the highest priority in security?

Answer 28

Human safety

Question 29

What allows every resource on the server to be placed in a partition and can be used to achieve multitenancy, logical separation of data, scalability, and geographic sharding?

Answer 29

Tenant partitioning

Question 30

What partitions virtual machines belonging to different tenants on a virtualization platform?

Answer 30

Hypervisor

Question 31

Where should datacenters be located?

Answer 31

In the core of a building

Question 32

What principle states an individual should react in a situation using the same level of care expected from any reasonable person?

Answer 32

Due care principle

Question 33

What states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner?

Answer 33

Due care

Question 34

In what service model is the vendor responsible for hardware related and network related responsibilities?

Answer 34

IaaS

Question 35

*configuring network firewalls
*maintaining hypervisor
*managing physical equipment
Are three _____ responsibilities in _____.

Answer 35

vendor / IaaS

Question 36

What is customer responsible for in IaaS?

Answer 36

Patching OS on VM and managing ingress/egress via NSGs.

Question 37

What data is included in incremental backup?

Answer 37

Only the data modified since the most recent incremental backup

Question 38

What data is included in differential backup?

Answer 38

All data modified since last full backup

Question 39

What data is included in the full backup?

Answer 39

All data on the server

Question 40

What are transaction log backups designed to support?

Answer 40

Database servers, not effective on file server

Question 41

A computer responsible for the storage and management of data files so that other computers on the same network can access the file.

Answer 41

What is a file server

Question 42

What is a machine running database software dedicated to providing database services.

Answer 42

Database servers

Question 43

What do SIEMs do?

Answer 43

Correlate info from multiple sources and perform analysis on data

Question 44

What does SOAR stand for?

Answer 44

Security orchestration, automation, and response

Question 45

What do SOAR platforms provide?

Answer 45

automated playbook responses

Question 46

What do intrusion prevention platforms do?

Answer 46

Block traffic based on analysis performed by the IPS itself.

Question 47

Do log repositories perform analysis?

Answer 47

No, they just collect log info

Question 48

Do SIEM solutions create an audit trail?

Answer 48

Yes

Question 49

What does an audit trail show you?

Answer 49

Sequential record of all the activity on a specific system

Question 50

What analyzes and blocks suspicious network traffic?

Answer 50

IPS

Question 51

What monitors endpoints for malware and responds to malware infections?

Answer 51

Endpoint detection and response platforms

Question 52

The process of protecting devices like desktops, laptops, mobile phones, and tablets from malicious threats and cyberattack

Answer 52

Endpoint security

Question 53

What are physical devices that connect to a network system such as mobile devices, desktop computers, virtual machines, embedded devices, and servers.

Answer 53

Endpoints

Question 54

Who enforces an org’s security policies across cloud providers?

Answer 54

CASB - Cloud access security broker

Question 55

What can handle large-scale DDoS attacks?

Answer 55

Content delivery network

Question 56

What is a network of servers that distributes content from an origin server by caching content close to where each end user is accessing the internet via a web-enabled device.

Answer 56

CDN - content delivery network. It speeds up webpage loading for data-heavy applications.

Question 57

What is designed to overwhelm a system until it can no longer process legitimate requests?

Answer 57

DoS attack

Question 58

What principle does DDoS affect?

Answer 58

Availability

Question 59

Is an IPS an example of risk mitigation?

Answer 59

Yes

Question 60

What determines the critical path of assets, resources, and data w/in an org?

Answer 60

BIA - business impact plan - useful in shaping BC/DR plan

Question 61

What should be redundant in a well-designed datacenter?

Answer 61

power, cooling, and network connectivity

Question 62

What allows for the programmatic interaction w/ services and platforms?

Answer 62

APIs

Question 63

What is a file that generally contains a short self-contained set of instructions, i.e., lines of code, that perform a specific task.

Answer 63

Python script

Question 64

What do the following do:
Use HTTPS
Activate Authentication & Authorization
Validate User Input
Limit Access to Sensitive Data
Monitor and Log API Activity
Keep Software and Libraries Up-to-date
Perform Regular Security Audits

Answer 64

Secure the backend

Question 65

What are the elements of hardware and software that ensure that a system can only be controlled by those w/ proper permissions

Answer 65

TCB - Trusted Computing Base

Question 66

What coordinates access to physical hardware and enforces isolation b/w different virtual machines running on the same physical platform?

Answer 66

Hypervisor

Question 67

What’s the most cost-effective way to provide network segmentation that’s used to create logical separation b/w systems in a datacenter?

Answer 67

Virtual local area networks (VLANs)

Question 68

What’s used to connect remote users and sites over an insecure network?

Answer 68

VPN - virtual private network

Question 69

What’s an option to route traffic b/w network sites?

Answer 69

BGPs - border gateway protocol

Question 70

What tier is expected to achieve 99.741% availability?

Answer 70

Tier 2

Question 71

What tier is expected to achieve 99.671% availability?

Answer 71

Tier 1

Question 72

What tier is expected to achieve 99.982% availability?

Answer 72

Tier 3

Question 73

What tier is expected to achieve 99.995% availability?

Answer 73

Tier 4

Question 74

Does running unnecessary services on a server increase the attack vector?

Answer 74

Yes

Question 75

How are compute nodes measured?

Answer 75

In terms of how many CPUs/how much RAM is available in the center

Question 76

Do compute nodes include virtual and hardware machines?

Answer 76

Yes

Question 77

T/F: Block storage provides disk volumes for use by servers.

Answer 77

True

Question 78

What is a named logical area of the physical disk?

Answer 78

Volume

Question 79

B/c entire machines could be stolen in highly-portable, easily copied formats, _____ must be protected?

Answer 79

VM file stores

Question 80

What is a common attack vector that uses malicious SQL code for backend database manipulation to access PI?

Answer 80

SQL Injection

Question 81

What is a programming language for storing and processing information in a relational database?

Answer 81

SQL

Question 82

What attack executes code on a remote user’s system?

Answer 82

Cross-site scripting

Question 83

What attack exploits trust relationships by tricking systems into authorizing unauthorized activity?

Answer 83

Cross-site request forgery and server-side request forgery

Question 84

What is a measure of data that can be lost in an outage w/out damaging the organization?

Answer 84

RPO

Question 85

What strategy most affects RPO?

Answer 85

Data replication

Question 86

What’s a measure of how long an org can endure an outage w/out irreparable harm?

Answer 86

RPO

Question 87

This is how long an org can suffer an outage before ceasing to be an org

Answer 87

MAD - maximum allowable downtime

Question 88

What technology performs the following:
Encryption: hides the data being transferred from third parties
Authentication: ensures that the parties exchanging information are who they claim to be
Integrity: verifies that the data has not been forged or tampered with

Answer 88

TLS

Question 89

What’s the primary protocol used to implement HTTPS for secure communication?

Answer 89

TLS

Question 90

What is separating and storing data in separate logical partitions or storage areas, even if those partitions or storage are on the same physical device.

Answer 90

Logical separation

Question 91

What is separating and storing data on different physical systems or networks.

Answer 91

Physical separation

Question 92

What is a protocol used to implement VPNs?

Answer 92

IPsec

Question 93

What is a group of protocols for securing connections between devices that helps keep data sent over public networks secure. It is often used to set up VPNs?

Answer 93

IPsec

Question 94

What works by encrypting IP packets, along with authenticating the source where the packets come from to secure connections b/w devices?

Answer 94

IPsec

Question 95

What is it called when you assign users only the permissions they need to perform their job responsibilities?

Answer 95

Least privilege

Question 96

What is the unintentional accumulation of privileges over time?

Answer 96

Aggregation or privilege creep

Question 97

What is it called when two people must work together to perform a sensitive action?

Answer 97

Two-person control

Question 98

What is the reliance upon secrecy of security mechanisms to provide security for a system or process?

Answer 98

Security through obscurity

Question 99

What hypervisor provides a greater degree of security b/c they run directly on top of hardware, decreasing the attack surface?

Answer 99

Type 1 (bare-metal)

Question 100

What’s the major driver to lease space in a colocation facility?

Answer 100

A reduction in cost achieved by sharing cost among multiple clients.

Question 101

At a minimum, the Uptime Institute requires it to offera UPS; a designated space for IT systems; dedicated cooling equipment that runs outside of office hours; and an engine generator.

Answer 101

Tier 1 datacenters

Question 102

What is a voltage regulator that protects sensitive electronics, such as computers, lab equipment, home theaters from voltage fluctuations and power surges?

Answer 102

Line conditioners

Question 103

Dual-power supplies are a requirement for what datacenter tier?

Answer 103

Tier 3

Question 104

What handles traffic b/w SDN controllers and SDN applications?

Answer 104

NBI - northbound interface

Question 105

What is used to access the SDN controller and allows a network administrator to access the SDN to configure it or to retrieve information from it?

Answer 105

NBI - northbound interface

Question 106

In what do applications often need to communicate with network controllers to query or modify the current state of the network?

Answer 106

SDN - Software defined networking

Question 107

What is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network?

Answer 107

SDN - Software defined networking

Question 108

What is basically SSO across multiple organizations?

Answer 108

Federation

Question 109

What is a method of linking a user’s identity across multiple separate identity management systems allowing users to quickly move between systems while maintaining security.

Answer 109

Federated identity

Question 110

What are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.

Answer 110

Hardware security modules

Question 111

What technology provides for the management of physical keys?

Answer 111

KMBs - Key management boxes

Question 112

Components of Kerberos authentication process.

Answer 112

TGT - ticket granting tickets

Question 113

What is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third-party for authenticating client-server applications and verifying users’ identities.

Answer 113

Kerberos

Question 114

What provides a secure operating environment inside a computer system?

Answer 114

TCB - trusted computing base

Question 115

Technological capabilities of virtualization create the ease of use that can cause ______.

Answer 115

Sprawl

Question 116

Sprawl should be addressed from a _________ perspective.

Answer 116

Managerial

Question 117

T/F: It’s helpful to have a moderator to guide participants thru tabletop exercises.

Answer 117

True

Question 118

The ________ contains the suite of security controls applied uniformly thru an environment.

Answer 118

Baseline

Question 119

Forensic analysis is an important part of ______.

Answer 119

Incident response

Question 120

What is the term used to describe the ability of customers to access their systems remotely?

Answer 120

Ping

Question 121

What is the term used to describe the network connectivity that supports servers’ connections to the internet?

Answer 121

Pipe

Question 122

What is the software layer between the hardware and the guest operating systems that acts as a resource manager to enable the sharing of processing power and memory.

Answer 122

Hypervisor

Question 123

What reroutes traffic based on current customer demand, creates logical subnets w/out having to change any physical connections, and filters access to resources based on specific rules or settings?

Answer 123

SDNs

Question 124

What splits a large network into a grouping of smaller, interconnected networks to help minimize traffic and increases network speed?

Answer 124

Subnet

Question 125

What delivers streaming media content efficiently by placing it closer to the end user?

Answer 125

CDN

Question 126

What is a group of servers with mostly shared storage between them that can be used to facilitate high availability for your applications and services and can also be used to create the benefits of reliability, performance, and lower TCO?

Answer 126

Failover clusters

Question 127

What is a group of independent computers that work together to increase the availability and scalability of clustered roles

Answer 127

Failover cluster

Question 128

What’s another word for clustered servers?

Answer 128

Nodes

Question 129

How can you ensure your data is not held hostage or lost if a provider becomes unusable?

Answer 129

Having a backup with a different provider.

Question 130

What are two things that provide compute capability?

Answer 130

Virtual server instances and containers

Question 131

____ is the most significant reason cloud datacenters use VMs

Answer 131

Cost

Question 132

What shuts down the primary operating facility and shifts operations to the backup facility?

Answer 132

Full tests or full interruption tests

Question 133

What test for backup and restore capabilities restores a system that hasn’t actually broken down to an alternate location?

Answer 133

Parallel test - activates the facility but doesn’t move production responsibility to it.

Question 134

What kind of attack is when the attacker is able to leave the confines of its own VM and access resources belonging to another customer?

Answer 134

Escape attack

Question 135

What type of vulnerability occurs when there is more data in a buffer than it can handle and causes data to overflow into adjacent storage, which can cause a system crash or, worse, create an entry point for a cyberattack.

Answer 135

Overflow vulnerability

Question 136

What kind of vuln exists in the following example: A search form where visitors send their search query to the server, and attackers typically send victims custom links that direct unsuspecting users toward a vulnerable page.

Answer 136

Scripting vulnerability

Question 137

What vulnerability causes escape attacks to occur?

Answer 137

A vuln in the hypervisor, b/c it’s supposed to be the separation that prevents customers from accessing each other’s resources.

Question 138

Disk volumes are stored on _____ storage, except when snapshotting is used to create a backup, then they’re stored on less expensive ______ storage.

Answer 138

Block - Object

Question 139

Hot and warm sites are not needed when your data is backed up __________.

Answer 139

In the cloud

Question 140

T/F: A specified configuration built to defined standards and with a controlled process can be used to show that all VMs w/in an environment include certain controls.

Answer 140

True

Question 141

What records provide the “telephone bill” level of communication detail but not the content?

Answer 141

Netflow records

Question 142

What is a commonly used standard for monitoring network flow data that allows you to monitor IP network traffic information as data packets enter or exit an interface.

Answer 142

NetFlow

Question 143

What standard provides the most accurate reconstruction of user activity but is costly to implement due to data storage requirements?

Answer 143

Packet capture

Question 144

What is a networking term for intercepting a data packet that is crossing a specific point in a data network, and once captured in real-time, is stored for a period of time so that it can be analyzed, and then either be downloaded, archived or discarded.

Answer 144

Packet capture

Question 145

What type of backup provides the best redundancy and resiliency?

Answer 145

Having your backup at another cloud provider

Question 146

Every plan/policy should include mention of:

Answer 146

The governance documents, by reference, that drive the formation of the plan/policy

Question 147

What is SAML?

Answer 147

Security Assertion Markup Language - based on XML

Question 148

What is an open federation standard that allows an identity provider (IdP) to authenticate users and then pass an authentication token to another application known as a service provider (SP).

Answer 148

SAML

Question 149

HTTP is used for port ___ web traffic

Answer 149

80

Question 150

What is used to load web pages using hypertext links?

Answer 150

HTTP - hypertext transfer protocol

Question 151

What is used to present web pages?

Answer 151

HTML

Question 152

What is the universal alphanumeric character set?

Answer 152

ASCII

Question 153

Moving information into another jurisdiction may affect your:

Answer 153

Regulatory compliance

Question 154

What are the 4 major risk management strategies?

Answer 154

Risk acceptance
Risk transference
Risk avoidance
Risk reduction

Question 155

What most affects RPO?

Answer 155

Data replication strategies, which determine how much recent data is available for recovery purposes

Question 156

T/F: Data replication affects RPO more than RTO.

Answer 156

True

Question 157

What is the process of granting users and other security principles access to resources in an environment?

Answer 157

Authorization

Question 158

When using two different cloud providers, a customer runs the risk of:

Answer 158

Data/software formats being different and not readily adapted, causing delays during a failover

Question 159

In what model does the customer have most configuration control?

Answer 159

IaaS

Question 160

In what model does the customer have least configuration control?

Answer 160

SaaS

Question 161

Public cloud makes a ______ _______ more likely.

Answer 161

Guest escape

Question 162

What is used to create an encrypted communication tunnel over an untrusted medium?

Answer 162

VPN

Question 163

What are used for central repositories for identification, authentication, and authorization purposes?

Answer 163

ACLs

Question 164

What is an access control model used to assign permissions based on job functions w/in an org?

Answer 164

RBAC

Question 165

What is the address at which an item (memory cell, storage element, network host) appears to reside from the perspective of an executing application program.

Answer 165

Logical address

Question 166

What is the least disruptive type of disaster recovery test?

Answer 166

Checklist review

Question 167

Accessing source code is necessary for ______

Answer 167

Static analysis

Question 168

Which dev model is most frequently associated with cloud services?

Answer 168

Agile

Question 169

What is the best solution to prevent 3Ps from intercepting and accessing data sent via API calls?

Answer 169

TLS

Question 170

What provides protection against inadvertent data exposure when multiple tenants share the same underlying infrastructure?

Answer 170

Encryption at rest

Question 171

T/F: Multiple paths are ideal for CI/CD pipeline.

Answer 171

False

Question 172

Automation, use of metrics, and version control are all recommended best practices for ________.

Answer 172

CI/CD pipelines

Question 173

IdPs integrate with _______ or ______.

Answer 173

OpenID Connect or SAML

Question 174

In what phase of the SDLC is user input most necessary?

Answer 174

Define

Question 175

Customer responsible for apps, data, runtime, middleware, and OS. CSP responsible for virtualization, servers, storage, and networking.

Answer 175

IaaS

Question 176

Customer responsible for apps and data. CSP responsible for runtime, middleware, OS, virtualization, servers, storage, and networking.

Answer 176

PaaS

Question 177

Shared responsibility for apps and data. CSP also responsible for runtime, middleware, OS, virtualization, servers, storage, and networking

Answer 177

SaaS

Question 178

Standard measures such as locks, security personnel, lights, fences, visitor check in procedures.

Answer 178

CSP data center physical security measures

Question 179

_____ controls Identity and access management (IAM), single
sign on (SSO) provider, multifactor authentication (MFA) and logging.

Answer 179

Logical access

Question 180

Customer is responsible for configuring the VMs, virtual network, and guest OS security as if the systems were on premises. CSP responsible for physical host, physical storage, and physical network. CSP provides the tooling to secure the VM but customer must configure them.

Answer 180

IaaS

Question 181

CSP is responsible for the physical components, the internal network, and the tools provided. Cheaper for customer, but less control. Customer is responsible for configuration of application and data access security. CSP is responsible internal network, and the tools provided.

Answer 181

PaaS

Question 182

The customer remains responsible for configuring access to the cloud service for their users, as well as shared responsibility for data recovery. CSP owns physical infrastructure, as well as network and communication. CSP may provide the tools for data recovery, but customer may need to perform recovery in some cases.

Answer 182

SaaS

Question 183

Maximum utilization of compute resource by a customer (e.g. VM) which are allowed to change dynamically based on current conditions and consumption

Answer 183

limits

Question 184

A weighting given to a particular VM used to calculate percentage based access to pooled resources when there is contention. In cases of shortage, host scoring determines who gets capacity.

Answer 184

shares

Question 185

A minimum resource that is guaranteed to a customer.

Answer 185

reservation

Question 186

The infrastructure components that deliver compute resources, such
as the VMs, disk, processor, memory and network resources.

Answer 186

compute

Question 187

The _____ remains responsible for the maintenance and security of the physical components of compute.

Answer 187

csp

Question 188

The security of the hypervisor is always the responsibility of the _____.

Answer 188

csp

Question 189

– Flawed hypervisor can facilitate inter VM attacks
– Network traffic between VMs is not necessarily visible
– Resource availability for VMs can be impacted
– VMs and their disk images are simply files, can be portable and movable

Answer 189

risks associated with virtualization

Question 190

Install all updates to the hypervisor as they are released by the vendor.
Restrict administrative access to the management interfaces of the hypervisor.
Capabilities to monitor the security of activity occurring between guest operating systems (VMs).

Answer 190

hypervisor security recommedations

Question 191

Install all updates to the guest OS promptly.
Back up the virtual drives used by the guest OS on a regular basis

Answer 191

Security recommendations for the guest OS

Question 192

• preventing physical access to the servers.
• limiting both local and remote access to the hypervisor.

Answer 192

csp’s hypervisor security

Question 193

T/F: The virtual network between the hypervisor and the VM is also a potential attack surface.

Answer 193

True - Responsibility for security in this layer is often shared between the CSP and the customer. These components include virtual network, virtual switches, virtual firewalls, virtual IP addresses, etc.

Question 194

A malicious user breaks the isolation between VMs running on a hypervisor by gaining access outside their VM.

Answer 194

VM escape

Question 195

Ensure patches on hypervisor and VMs are always up to date. Ensure guest privileges are low, server level redundancy and HIPS/HIDS protection.

Answer 195

Protection from VM escape

Question 196

Whose responsibility:
- physical protection of data centers and the storage infrastructure they contain.
- security patches and maintenance of underlying data storage technologies and other data services they provide

Answer 196

csp

Question 197

Whose responsibility:
- properly configuring and using the storage tools.
- logical security and privacy of data they store in the CSP’s environment.

Answer 197

customer

Question 198

• Assessing the adequacy of these controls and properly configuring and using the controls available.
• Ensuring adequate protection for the data at rest and in motion based on the capabilities offered by the CSP.
• Configuring secure access, whether private or public.

Answer 198

customer storage responsibilities

Question 199

Inability to securely wipe physical storage and possibility of another tenant being allocated the same previously allocated storage space

Answer 199

customer storage challenge

Question 200

• only storing data in an encrypted format
  – retaining control of the keys needed to decrypt the data

Answer 200

compensating controls for lack of physical storage

Question 201

Provides the tools (web interface and APIs) necessary to configure, monitor, and control your cloud environment. Provides virtual management options equivalent to the physical administration options a legacy data center would provide.

Answer 201

management plane

Question 202

You interact with the _____ through tools including the CSP’s cloud portal, PowerShell or other command line, or client SDKs

Answer 202

management plane

Question 203

_____ is what you are calling when you create top level cloud resources with ARM & Bicep (Azure), CloudFormation (AWS) or Terraform (IaC)

Answer 203

Control plane

Question 204

Performs operations on resources created through the control plane

Answer 204

data plane

Question 205

The main web interface for the CSP platform.

Answer 205

cloud portal

Question 206

• create tenant partitioning or isolation
• limit and secure remote access
• monitor the cloud infrastructure
• allow for the patching and updating of systems

Answer 206

things logical data center design should provide

Question 207

Who’s responsible for implementing and enforcing controls that address the unique multitenant risks of the public cloud?

Answer 207

CSP and tenant

Question 208

Single login for on premises and cloud

Answer 208

hybrid identity

Question 209

– federate a customer’s existing IAM system with their CSP tenant
– identity as a service ( IDaaS

Answer 209

methods to facilitate IAM between cloud and on premises

Question 210

the native remote access protocol for Windows operating systems.

Answer 210

RDP

Question 211

the native remote access protocol for Linux operating systems, and common for remote management of network devices.

Answer 211

SSH

Question 212

a bastion host at the boundary of lower and higher security zones .

Answer 212

jumpbox

Question 213

software tools that allow remote connection to a VM for use as if it is your local machine

Answer 213

virtual clients

Question 214

Requires significant investment
Offers the most control over datacenter design
Requires knowledge and skill to match quality of other option

Answer 214

build

Question 215

Generally, lower cost of entry (especially in shared)
Less flexibility in service design (limited to what provider)
Shared datacenters come with additional security challenges

Answer 215

buy

Question 216

A strong fence line of sufficient height and construction
Lighting of facility perimeter and entrances
Video monitoring and alerting
Electronic monitoring for tampering
Visitor access procedures with controlled entry points
Interior access controls (badges, key codes, secured doors)
Fire detection and prevention systems
Protection of sensitive assets, systems, wiring closets, etc.

Answer 216

physical security mechanisms

Question 217

simply measures the amount of time a system is running

Answer 217

uptime

Question 218

encompasses availability of the infrastructure, applications, and services

Answer 218

availability

Question 219

• Involves no redundancy and the most amount of downtime in the event of unplanned maintenance or an interruption.
• Must have an uninterruptible power supply that can handle brief power outages, as well as sags and spikes
• Must also have dedicated cooling equipment that can run on 24/7, and a generator to handle extended power outages expected to provide 99.671% availability

Answer 219

Tier 1 - basic site infrastructure

Question 220

• Provides partial redundancy, meaning an unplanned interruption will not necessarily cause an outage
• Adds redundant components for important cooling and power systems
• Facilities must also have the ability to store additional fuel to support the generator
  expected to provide 99.741% availability

Answer 220

Tier 2 - redundant site infrastructure

Question 221

• Adds even more redundant components
• Has a major advantage in that it never needs to be shut down for maintenance
• Enough redundant components that any component can be taken offline for
  maintenance and data center continues to run
• Expected to provide 99.982% availability

Answer 221

Tier 3 - concurrently maintainable site infrastructure

Question 222

• Can withstand either planned or unplanned activity without affecting availability
• This is achieved by eliminating all single points of failure
• Requires fully redundant infrastructure, including dual commercial power feeds,
  dual backup generators
• Expected to provide 99.995% availability

Answer 222

Tier 4 - fault-tolerant site infrastructure

Question 223

_____ is an audit standard to enhance the quality and usefulness of System and Organization Control (SOC) reports.

Answer 223

SSAE 18

Question 224

Connectivity to data center locations from more than one internet service provider (ISP) is _____.

Answer 224

multi vendor pathway connectivity

Question 225

Best practice for CSPs or data centers is _____ for high availability.

Answer 225

dual entry, dual provider

Question 226

HA firewalls, active passive or active active
Multi vendor pathway connectivity
Web server farm (behind redundant load balancers)
Database cluster (Windows / Linux cluster feature)

Answer 226

resilient design

Question 227

Two risk management frameworks

Answer 227

• ISO/IEC 31000:2018 Risk Management Guidelines
• NIST SP 800 37, Guide for Applying the Risk Management Framework to Federal Information Systems

Question 228

Assigns a dollar value to evaluate effectiveness of countermeasures. Objective, ensure controls are cost effective.

Answer 228

quantitative risk assessment

Question 229

What will the impact be if that goes wrong?

Answer 229

Single loss expectancy (SLE) $

Question 230

How likely is it to happen?

Answer 230

Annualized Rate of Occurrence (ARO) - decimal

Question 231

ARO =
An incident that happens twice a year has an ARO of
An incident that happens once every two years has an ARO of
An incident that happens once every five years has an ARO of

Answer 231

Incidents/Year
2.0
0.5
0.2

Question 232

The possible yearly cost of all instances of a specific realized threat against a specific asset.

Answer 232

annualized loss expectancy (ale)

Question 233

SLE x ARO

Answer 233

ALE

Question 234

• Business units
• Vendor management
• Privacy
• Information security

Answer 234

risk areas

Question 235

Authentication Risk
Data Security
Supply Chain Risk Management (SCRM)
Geographic dispersion of the CSP data centers
Downtime
Compliance
General technology risk

Answer 235

common cloud risks

Question 236

Different threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors. Capabilities depend on tools, experience, and funding. Other external environmental threats, such as fire and floods, and manmade threats, such as the accidental deletion of data or users.

Answer 236

external threats

Question 237

A malicious insider, a threat actor who may be a dissatisfied employee (someone overlooked for a promotion). Another internal threat is human error, which is when data is accidentally deleted.

Answer 237

internal threats

Question 238

1. Data Breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential access and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and APIs
8. Weak control plane
9. “Metastructure ” and “applistructure ” failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services

Answer 238

The CSA Egregious 11

Question 239

What’s the most common account hijacking approach?

Answer 239

phishing

Question 240

What mitigates insider threat?

Answer 240

Job rotation, privileged access management, auditing , security training

Question 241

MFA, RBAC, and key based API access are controls for _____.

Answer 241

insecure interfaces and APIs

Question 242

The protocols and mechanisms that provide the interface between the cloud layers, enabling management and configuration.

Answer 242

metastructure

Question 243

Applications deployed in the cloud and the underlying application services used to build them.

Answer 243

applistructure

Question 244

Selecting a qualified CSP
Designing and architecting with security in mind
Consider security at every step, starting with design
Encryption, and data should be encrypted at rest and in transit. Storage and database encryption at rest, TLS and VPN in transit
Ongoing monitoring and management to maintain posture.

Answer 244

risk mitigation strategies

Question 245

– ability to restrict physical access at multiple points
– ensuring a clean and stable power supply
– adequate utilities like water and sewer
– the availability of an adequate workforce

Answer 245

physical and environmental protection

Question 246

Visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters.

Answer 246

site selection criteria

Question 247

Automation of configuration
Responsibilities for protecting cloud systems and services
Monitoring and maintenance

Answer 247

security practices for people and processes

Question 248

Policy and Procedures
Separation of System and User Functionality
Security Function Isolation
Denial of Service Protection
Boundary Protection
Cryptographic Key Establishment and Management

Answer 248

system, storage, and communication protection

Question 249

Preventing malicious traffic from entering the network
Preventing malicious traffic from leaving your network
Protecting against data loss (exfiltration)
Configuring rules/policies in routers, gateways, or firewalls

Answer 249

boundary protection

Question 250

What is typically enforced with adequate logging and monitoring of system activity?

Answer 250

accountability

Question 251

– SaaS apps used as users travel make identifying anomalous / malicious behavior more difficult
– Bad password practices (reuse across services)
– Use of personal devices in BYOD scenarios

Answer 251

Cloud challenges in enforcing accountability

Question 252

_____ are the weakest form of authentication

Answer 252

passwords

Question 253

Oath tokens create _____

Answer 253

one time passwords (OTP)

Question 254

This is a software based authenticator that implements two step verification services using the Time based One time Password Algorithm and HMAC based One time Password algorithm, for authenticating users of software applications.

Answer 254

authentication applications

Question 255

This is where the server is pushing down the authentication information to your mobile device. Uses the mobile device app to be able to receive the pushed message and display the authentication information.

Answer 255

push notifications

Question 256

This is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization.
Often includes a number of organizations that have established trust for shared access to a set of resources.

Answer 256

Federation

Question 257

Refers to the ability to discover relationships between two or more events across logs.

Answer 257

correlation

Question 258

Packet capture tools are also called _____

Answer 258

protocol analyzers

Question 259

An open source protocol analyzer, with CLI and GUI versions, available for Windows and Linux.

Answer 259

Wireshark - packet capture

Question 260

_____focuses on the whole business, while _____ focuses more on the technical aspects
of recovery

Answer 260

BCP / DRP

Question 261

The plan to move from the disaster recovery site back to your business environment or back to normal operations.

Answer 261

BRP (Business Resumption Plan)

Question 262

A time determination for how long a piece of IT infrastructure will continue to work before it fails.

Answer 262

MTBF (Mean Time Between Failures)

Question 263

A time determination for how long it will take to get a piece of hardware/software repaired and back on line.

Answer 263

MTTR (Mean Time to Repair)

Question 264

The amount of time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate our disaster recovery plan.

Answer 264

MTD (Max tolerable downtime)

Question 265

The overall organizational plan for “how to” continue business after an event has occurred. A proactive risk mitigation strategy that contains likely scenarios that could affect the organization and guidance on how the organization should respond

Answer 265

Disaster Recovery Plan

Question 266

The plan for recovering from an IT disaster and having the IT infrastructure back in operation.

Answer 266

DRP (Disaster Recovery Plan) - tech focused

Question 267

This is used to determine which processes are critical and which are not.

Answer 267

BIA

Question 268

A BIA typically contains a _____

Answer 268

cost benefit analysis (CBA) and a calculation of the return on investment (ROI)

Question 269

The ____ is responsible for determining how to recover in the case of a disaster in the cloud.

Answer 269

customer

Question 270

CSPs can further protect customers in disaster by not allowing _____ within a single physical datacenter within a cloud region.

Answer 270

two availability zones

Question 271

The plan that details how relevant stakeholders will be informed in event of an incident. Would include plan to maintain confidentiality, such as encryption to ensure that the event does not become public knowledge. Contact list should be maintained that includes stakeholders from the government, police, customers, suppliers, and internal staff.

Answer 271

communication plan

Question 272

This is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down

Answer 272

rpo

Question 273

This is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated
with a break in continuity.

Answer 273

rto

Question 274

This measures the compute resources needed to keep production environments running during a disaster. It is a percentage measure (0-100%) of how much computing power you will need during a disaster based upon a percentage of computing used by production environments versus others, such as development, test, and QA

Answer 274

recovery service level - rsl

Question 275

design - based on bia priorities
implement the plan
test the plan
report and revise

Answer 275

BCDR plan process

Question 276

A BCP and DRP should be tested at least _____

Answer 276

annually

Question 277

Members of the disaster recovery team gather in a large conference room and role play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members refer to the document and discuss the appropriate responses to that particular type of disaster.

Answer 277

tabletop testing

Question 278

In this test, some of the response measures are tested (on non critical functions).

Answer 278

dry run

Question 279

Involves actually shutting down operations at the primary site and shifting them to the recovery site. When the entire organization takes part in an unscheduled, unannounced practice scenario, of full BC/DR activities.

Answer 279

full test

Question 280

✓ multiple availability zones
✓ automatic failover to backup region(s)
✓ direct connection to a CSP.

Answer 280

high availability features for disaster recovery