Domain 3

Question 1

Infrastructure as a Service (Iaas)

Answer 1

Customer is responsible for configuring VM’s, Virtual network and guest OS security as if systems were on Premises. CSP is responsible for the physical components, internal network and tool provided.

Question 2

Platform as a Service(Paas)

Answer 2

CSP is responsible for physical components, the internal network, and tools provided. Cheaper for customer but less control.

Question 3

Software as a Service(Saas)

Answer 3

Customer is responsible for configuring access to the cloud service for their users as well as shared responsibility for data recovery.

Question 4

Public Cloud

Answer 4

Everything run on the cloud providers hardware

Question 5

Private Cloud

Answer 5

Cloud environment in your data centre

Question 6

Hybrid Cloud

Answer 6

Combines Public and Private Cloud

Question 7

Multi Cloud

Answer 7

2 or more public cloud providers

Question 8

Multitenancy

Answer 8

Logical isolation in CSP

Question 9

Infrastructure as a Code

Answer 9

Management of infrastructure (Networks, VM, load balancers and connection topology) described in code. It is a key DevOps practice and is used in conjunction with continuous integration and continuous delivery

Question 10

Serverless Architecture

Answer 10

Cloud computing execution model where cloud provider dynamically manages the allocation and provisioning of servers

Question 11

Microservices

Answer 11

Microservices are an architectural style in software development where a system is built as a collection of small, independent, and loosely coupled services. Each service is designed to perform a specific business function and communicates with other services through well-defined APIs.

Question 12

Logical segmentation

Answer 12

Vlans ( Layer 2) - Logically segment a local area network into subnetworks

Question 13

VPN

Answer 13

Creating an encrypted tunnel between devices or networks to pass traffic using protocols like IPsec

Question 14

Virtual routing and forwarding

Answer 14

Allows a single router or switch to function as a multiple virtual router or switches.

Question 15

Software Defined Network (SDN)

Answer 15

Network architecture approach that enables the network to be centrally controlled or programmed using software. Has a capacity to reprogram the data plane at any time. Use cases include SD-Lan and SD-Wan

Question 16

Containerization

Answer 16

Lightweight portable way to package applications for multiple platforms

Question 17

Virtualization

Answer 17

Server Virtualization the process of dividing a physical server into multiple unique and isolated virtual servers by means of software application (Hypervisor)

Question 18

VM Escape

Answer 18

Where attacker gains access to a VM then attacks either the host machine that holds all the VMs, the hypervisor or any other VMs

Question 19

VM Sprawl

Answer 19

Unmanaged VM on the network

Question 20

IOT (Internet of Things)

Answer 20

Connected to the internet . Elective curve(Smaller keys). Limited Compute resources and Limited ability to patch

Question 21

SCADA ( Supervisory Control and Data Acquisition)

Answer 21

Large amount of industrial equipment. Do not have direct access for greater security. Should be segmented

Question 22

RTOS (Real time operating systems)

Answer 22

Smart devices like wearables and embedded systems Operate with very specific scheduling.

Question 23

Embedded Systems

Answer 23

Technology component of an IOT devices . A full computer system embedded inside another larger system ( Examples - GPS, Drones, VoIP phones)

Question 24

Availability

Answer 24

Ensuring a system or service is accessible to authorised users when needed

Question 25

Resilience

Answer 25

System availability to handle disruptions

Question 26

Responsiveness

Answer 26

Ability to respond to user request or events in a timely manner

Question 27

Scalability

Answer 27

Ability to scale resources

Question 28

Ease of deployment

Answer 28

Complexity and effort required implementation

Question 29

Risk Transference

Answer 29

Security risks mitigated by transferring some responsibility to third parties

Question 30

Internet

Answer 30

A Private network that is designed to host the information internal to the organisation

Question 31

Extranet

Answer 31

Section of an organisation network that has been sectioned off to act as intranet for the private network but also serves information to external business partners

Question 32

Screened Subnet

Answer 32

DMZ/ Perimeter network

Question 33

Attack vectors

Answer 33

Consist of all the threat vectors that a system is exposed to

Question 34

Fail-Open

Answer 34

Allows everything to pass through system when it fails. No security controls are enforced. There is no disruption in network activity

Question 35

Fail- Closed

Answer 35

Nothing can pass through the system when it fails . No security controls are ignored, network traffic is disrupted

Question 36

NIPS/NIDS - Inline

Answer 36

Place near the fire wall as an additional layer of security

Question 37

NIPS/ NIDS - Tap ( Out of band)

Answer 37

replicates traffic. Active taps - require power to operate. Passive taps -does not require operate

Question 38

Jump Server

Answer 38

Place on Screened Subnet allows admins to connect remotely to the network

Question 39

Forward Proxy

Answer 39

Server that controls requests from clients seeking resources on the internet or an external network

Question 40

Reverse Proxy

Answer 40

Placed on a screened subnet, performs the authentication and decryption of a secure session to enable it to filter the incoming traffic

Question 41

IDS

Answer 41

Analyses whole packets, both headers and payload looking for known events. Known event is detected, a log is generated

Question 42

IPS

Answer 42

Analyses whole packets both header and payload looking for known events. Know event is detected, packet is rejected

Question 43

HIDS/HIPS

Answer 43

Host Based IDS/IPS - Monitor activity on a single system

Question 44

NIDS/NIPS

Answer 44

Can monitor activity on a network

Question 45

Behaviour based

Answer 45

Baseline of activity to identify normal behaviour

Question 46

Signature Based

Answer 46

Uses Signature - Used for known attack methods

Question 47

NIC

Answer 47

Network Interface Card - Dual network cards paired together to give maximum throughput

Question 48

802.1x

Answer 48

Is a IEEE standard for port based network access control . It is Authentication process

Question 49

EAP

Answer 49

Extensible Authentication Protocol - Allows for new authentication technologies to be compatible with existing wireless or point to point connection technologies

Question 50

PEAP

Answer 50

Encapsulates EAP within a TLS tunnel

Question 51

LEAP

Answer 51

LEAP is insecure

Question 52

EAP-TLS

Answer 52

secure version of wireless authentication requires X.509 . Involves 3 parties

Question 53

EAP- TTLS

Answer 53

Uses two phases

Question 54

Static Packet - Filtering Firewall

Answer 54

Operate layer 3 - Filters traffic by examining data from a message header

Question 55

Application Level Firewall

Answer 55

Operates at Layer 7 - Filters traffic based on a single internet service, protocol or application

Question 56

Circuit Level Firewall

Answer 56

Layer 5 - Used to establish communication sessions between trusted partners

Question 57

Stateful Inspection Firewall

Answer 57

Evaluates the state, session or the context of network traffic

Question 58

Stateless Firewall

Answer 58

Watch network traffic . Block packets based on source and destination addresses or static values. Heavier traffic loads

Question 59

Statefull

Answer 59

Can watch traffic streams from end to end

Question 60

WAF (Web Application Firewall)

Answer 60

HTTP traffic ( Protects from XSS, CSRF, SQL injection)

Question 61

NGFW ( Next Generation)

Answer 61

Deep Packet firewall. Adds Application level inspection, IPS and brings intelligence from outside. It is multifunctional

Question 62

Deep Packet Inspection

Answer 62

Filters the header and payload

Question 63

Unified Threat Management

Answer 63

Multifunction device (IDS, IPS, TLS/SSL proxy, web filtering, bandwidth throttling, NAT, VPN anchoring, antivirus

Question 64

Split Tunnel

Answer 64

Traffic destined for corporate network only, Internet traffic direct through normal route

Question 65

IPSEC Protocols

Answer 65

AH ( Authentication Header and ESP (Encapsulating Security Payload). AH does not perform encryption ESP provides data confidentiality, integrity, data origin authentication)

Question 66

SD-WAN ( Software Define Wide Area Network)

Answer 66

Enables users in branch office to remotely connect to enterprise network. Security is based on IP Security, VPN tunnel, NGFW, micro segmentation

Question 67

SASE (Secure Access Service Edge)

Answer 67

Related to Zero Trust Architecture - Brings together networking and security functions and delivers them as an integrated cloud service ( Includes Firewall, Antimalware, Secure web gateway, DLp, IPS , CASB

Question 68

Regulated Data

Answer 68

Data Subjects to Specific laws and regulations governing its collection, storage and Use . Examples PHI, financial information, PII

Question 69

Trade Secret

Answer 69

Intellectual property of inventor Eg: Formulas, product design

Question 70

Intellectual Property

Answer 70

Creation of minds - Intangible assets Patents (20 Years), Copyrights, Trademarks (10 Years), Trade secret (must be disclosed), Copyright (70 years)

Question 71

Financial Information

Answer 71

Financial Records (GLBA and PCI-Dss)

Question 72

Public Data

Answer 72

Freely accessible information intended for general public

Question 73

Private Data

Answer 73

Information about individual that should be kept Confidential (PII, PHI)

Question 74

Confidential Data

Answer 74

Organisation intends to keep secret within a designated group

Question 75

Restricted Data

Answer 75

Subject to external regulations or legal requirement

Question 76

Sensitive Data

Answer 76

Information is not publicly known (includes private, confidential, restricted)

Question 77

Restricted Data

Answer 77

Subject to external regulations or legal requirements that limit access and control its handling

Question 78

Full Disk Encryption

Answer 78

Helps to encrypt Windows and Linux Iaas VM’s using Bitlocker for Windows and Dm-Crypt for Linux

Question 79

Transparent Data Encryption

Answer 79

Helps to protect SQL database and data warehouses against threat of malicious activity with real time encryption and decryption of database

Question 80

Data Sovereignty

Answer 80

Data is subject to the laws and regulation of the country in which it was created. It cannot be moved to another region. Data is subject to the laws of where it is stored

Question 81

Geolocation

Answer 81

Use GPS to give the actual location of a mobile device - Somewhere you are

Question 82

Encryption

Answer 82

Two way function ( Symmetric and Asymmetric)

Question 83

Hashing

Answer 83

One way function that scrambles plain text to produce a unique message digest

Question 84

Data Masking

Answer 84

Only partial data is left in a data field

Question 85

Tokenization

Answer 85

Meaningful data is replaced with a token that is generated randomly and original data is held in a vault

Question 86

Pseudonymization

Answer 86

De-identification procedure in which PII fields within a data record are replaced by one or more artificial identifiers or pseudonyms

Question 87

Anonymization

Answer 87

process of removing all relevant data so that it is impossible to identify original subject or person

Question 88

Obfuscation

Answer 88

Intentionally making data less readable or understandable

Question 89

Segmentation

Answer 89

Method involving dividing data into smaller isolated segments

Question 90

Clustering

Answer 90

Combines multiple servers into a single, highly available entity ensuring continuous service even when individual servers fail

Question 91

Platform Diversity

Answer 91

Utilizing mix of different platforms

Question 92

COOP (Continuity of Operations)

Answer 92

Procedures and Resources to maintain critical business functions

Question 93

Cold Site

Answer 93

A data centre space

Question 94

Warm Site

Answer 94

Preventative site

Question 95

HOT site

Answer 95

Hot site allows you to keep servers and a live backup site up and running

Question 96

Capacity Planning

Answer 96

Process of proactively assessing and ensuring an organisation has sufficient resources

Question 97

Tabletop

Answer 97

Structured Walkthrough _ Paper based, hypothetical (Talking Only)

Question 98

Failover

Answer 98

Shut down primary site and test recovery site

Question 99

Simulation

Answer 99

Test the plans in a simulated operational environment

Question 100

Parallel Processing

Answer 100

Activating it during the test

Question 101

Onsite/ Offsite

Answer 101

Onsite - Physical location, Offsite - Separate locations

Question 102

Snapshot

Answer 102

Point in time copies of data at a specific moment - Common in VM

Question 103

Recovery

Answer 103

Restoring data from a backup to its original location or a new location

Question 104

Replication

Answer 104

Creating identical copies of data in multiple location

Question 105

Journaing

Answer 105

Transaction logging, records all changes made to data in a sequential log file

Question 106

UPS (Uninterrupted Power Supply)

Answer 106

Self charging battery - Primary power fails it provides power

Question 107

Generator

Answer 107

Standby power source that is powered by diesel, gasoline, propane or natural gas for extended period of time