Domain 5

Question 1

What defines service-level targets and responsibilities for IT service provider?

Answer 1

SLAs

Question 2

What’s an internal agreement b/w the IT service provider and another part of the same org and supports the service provider’s delivery of the service.

Answer 2

OLAs - operational level agreement

Question 3

What’s used to determine whether a service meets its quality and functionality goals?

Answer 3

SAC - service acceptance criteria

Question 4

What defines the requirements of a service from the customer’s perspective?

Answer 4

SLR - service level requirement

Question 5

Reactive communications are used for:

Answer 5

data breach notification, regulatory compliance, and problem management

Question 6

T/F: Major cloud vendors provide their own customized versions of Linux that include additional agents and tools that help them work better w/ the provider’s infrastructure?

Answer 6

True

Question 7

When managing systems at scale in the cloud, is it best to use the cloud IaaS vendor’s tools?

Answer 7

Yes

Question 8

Why is it best to use the cloud IaaS vendor’s tools when managing systems at scale in the cloud?

Answer 8

B/c they’re designed to handle OS that may have special features to work in the vendor’s environment and applications.

Question 9

Do CSPs allow direct or 3P audits of their systems?

Answer 9

No - but they will provide audit results

Question 10

What is used to create, store, and manage secrets?

Answer 10

HSM - hardware security module

Question 11

What uses code and config files or variables to allow rapid deployment using scripts and automated tools?

Answer 11

Infrastructure as code design

Question 12

What’s used to access data from services?

Answer 12

APIs

Question 13

What are two practices to improve service continuity?

Answer 13

1. Understanding the number of business practices that have continuity planning in place.
2. Assessing which gaps in coverage are critical.

Question 14

Are Agile and DevOps well-suited to rapid release cycles w/ CI/CD delivery processes?

Answer 14

Yes

Question 15

T/F: Agile and DevOps are better with CI/CD than Waterfall and Spiral

Answer 15

True

Question 16

What is the first step in ITIL 4 continual service improvement process?

Answer 16

Identify strategy for improvement

Question 17

What comes after you identify strategy for improvement in ITIL 4 continual service improvement process?

Answer 17

Define what to measure

Question 18

What happens after you define what to measure in ITIL 4 continual service improvement process?

Answer 18

Gather data

Question 19

What happens after you gather data in ITIL 4 continual service improvement process?

Answer 19

Process the data

Question 20

What happens after you process the data in ITIL 4 continual service improvement process?

Answer 20

Analyze the information and data

Question 21

What happens after you analyze the information and data in ITIL 4 continual service improvement process?

Answer 21

Present and use the information

Question 22

What’s the last step in ITIL 4 continual service improvement process?

Answer 22

Implement improvement

Question 23

What mode migrates VMs to other hosts or waits until they are powered down to allow for hardware or other maintenance.

Answer 23

Maintenance

Question 24

What does centralized log collection, analysis, and detection?

Answer 24

SIEM tools

Question 25

What is used to detect and stop attacks?

Answer 25

IPS - intrusion prevention system

Question 26

What is a government funded research organization w/ a heavy focus on security work?

Answer 26

MITRE

Question 27

What is an encryption protocol used to secure data in transit?

Answer 27

TLS

Question 28

What’s used to logically separate network segments?

Answer 28

VLANs

Question 29

What’s intended to provide security to domain name system requests?

Answer 29

DNSSEC

Question 30

What provides IP addresses and other network config info to systems automatically?

Answer 30

DHCP

Question 31

Will the default SSH port stop attackers and 3Ps from accessing SSH as long as it hasn’t been changed to a port outside of port 22?

Answer 31

Yes

Question 32

What stores config management and info about relationships b/w configuration items?

Answer 32

Configuration Management Database

Question 33

Who patches PaaS environments?

Answer 33

The vendor

Question 34

What are designing services for availability, availability testing, and availability monitoring and reporting?

Answer 34

ITIL subprocesses for availability management

Question 35

Do customers need to tell their vendors about breaches?

Answer 35

No

Question 36

Do vendors need to tell their customers about breaches?

Answer 36

Yes

Question 37

What’s necessary to establish a configuration management database?

Answer 37

Having an inventory to create a baseline.

Question 38

What can you do once a baseline is ceated?

Answer 38

Establish CMB, deploy new assets configured to meet baseline, and document deviations.

Question 39

What adds functionality like use of GPUs (graphics processing unit), shared clipboards, and drag and drop b/w guest OS, shared folders, and similar features that require additional integration b/w guest OS and underlying hypervisor?

Answer 39

Guest OS virtualization tools

Question 40

What focuses on whether security practices and procedures align to risk tolerance for the org and includes verification and testing like SOC2 Type 2 audit does.

Answer 40

Security review objective

Question 41

What topics does the security review objective cover?

Answer 41

Design, testing, and incident management

Question 42

Is manual static code review a good fit for CI/CD?

Answer 42

No b/c of speed requirements

Question 43

Do WAFs and IPSs test code and make application more secure?

Answer 43

No

Question 44

Who is responsible for network-based risks in IaaS?

Answer 44

Customer and provider

Question 45

What does configuration management start with?

Answer 45

Baselining

Question 46

What is the critical factor when transaction volume is key?

Answer 46

Network latency

Question 47

Azure’s best practices suggest creating disk snapshots for VM’s OS and data disks and then ______.

Answer 47

Safely storing the snapshots and then comparing hashes b/w images and originals

Question 48

Will comparing hashes of a snapshot validate it against the original?

Answer 48

No

Question 49

Can VMs be exported as hashes?

Answer 49

No

Question 50

Do businesses manage customer capacity?

Answer 50

No, they assess their own capacity, known as business capacity mgmt

Question 51

What do data breach regulations typically focus on?

Answer 51

Customer notification

Question 52

What is the process for preserving data for legal action?

Answer 52

Legal hold

Question 53

What is a critical part of instance scheduling?

Answer 53

Tagging

Question 54

What allows schedules to be easily applied to all instances w/ the proper tags?

Answer 54

Tagging

Question 55

Is adding new hardware to increase performance an element of hardening?

Answer 55

No

Question 56

What is the process of provisioning a specific element against an attack?

Answer 56

Hardening

Question 57

Do audits protect against attacks?

Answer 57

No, they detect and direct responses to attacks

Question 58

Are humans in the loop for patching?

Answer 58

Yes, and they can be installed in non-production environments to be validated before further installation

Question 59

What speeds patching and patch accuracy via automation?

Answer 59

Automated patching systems

Question 60

What controls the entirety of the virtual environment?

Answer 60

Management systems, and they should be isolated physically and virtually.

Question 61

Does ITIL 4 categorize deployment management as part of release management?

Answer 61

Yes

Question 62

Who is responsible for the fit for purpose for continual service improvement?

Answer 62

Process owner

Question 63

Who improves ITSM processes and services?

Answer 63

CSI (continual service improvement) managers

Question 64

Who ensures processes work together and support each other effectively?

Answer 64

Process architects

Question 65

What performs firewall-like rules-based filtering?

Answer 65

Network security groups

Question 66

What captures and observes attacker behaviors?

Answer 66

Honeypots

Question 67

What detects and prevents attacks based on behaviors and signatures, respectivly?

Answer 67

IDSs and IPSs

Question 68

Hardware redundancy, local sharing and balancing, and failure mode design are all:

Answer 68

common practices when designing redundancy into cloud datacenters

Question 69

Will vendors allow customers to conduct PCI assessments of their underlying infrastructure?

Answer 69

No

Question 70

Will IaaS vendors allow customers to scan their own internal systems?

Answer 70

Yes, but they may recommend that instances w/ lower resources are not scanned to avoid disruption

Question 71

Are scanning tools required to be used in an IaaS environment?

Answer 71

No

Question 72

Is external scanning prohibited?

Answer 72

Yes, b/c it can affect other customers

Question 73

Is scheduling a time or date required for advanced/specialized testing?

Answer 73

Yes

Question 74

Using load balancing to drain load from existing systems and then replacing them w/ new, patched instances is a common best practice for _____.

Answer 74

Cloud-hosted service environment patching

Question 75

Could manual and scripting patching and re-IPing cause outages?

Answer 75

Yes, as systems are swapped over

Question 76

1. Transferring users
2. Preventing new connections
3. Notifying customers

Answer 76

common practices for maintenance mode

Question 77

Are HSMs used for boot security?

Answer 77

No

Question 78

What allows you to add TPM 2.0 virtual crypto processor to a VM?

Answer 78

A virtual trusted platform module vTPM

Question 79

What provides hardware-based, security-related functions such as random number generation, attestation, and key generation?

Answer 79

vTPM

Question 80

What enables the guest operating system to create and store keys that are private, while not exposing the keys to the guest operating system and thereby reducing the virtual machine attack surface?

Answer 80

vTPM

Question 81

What runs on top of an OS?

Answer 81

Type 2 hypervisor

Question 82

What’s ITIL’s overall goal?

Answer 82

Restore service as soon as possible after an incident

Question 83

What are top focuses of ITIL?

Answer 83

Identification, containment, resolution, and maintenance

Question 84

What’s an interruption of normal service, including reductions in the quality of services that may violate an SLA?

Answer 84

Incidents

Question 85

What resolves the cause of problems?

Answer 85

Problem management

Question 86

What restores services to normal levels?

Answer 86

Incident response

Question 87

Is the number of individuals impacted a useful KPI for availability?

Answer 87

No

Question 88

What is the basis of security management in ITIL?

Answer 88

Infosec policies - more specifically “underpinning infosec policies”

Question 89

In what is automated testing conducted and code must pass testing before it’s released?

Answer 89

CI/CD pipeline

Question 90

Is human intervention/approval required for CI/CD pipelines?

Answer 90

No

Question 91

What’s the most common means of capturing disk images from VMs in an IaaS environment?

Answer 91

Snapshots

Question 92

What makes using forensic image acquisition tools difficult in a cloud environment?

Answer 92

A lack of access to the underlying hardware

Question 93

What is DBAN?

Answer 93

A wiping tool

Question 94

Do copy utilities provide a complete forensically sound copy?

Answer 94

No

Question 95

TerraForm, CloudFormation, Ansible, Chef, and Puppet are what kind of tools?

Answer 95

Infrastructure as Code

Question 96

What ISO describes service management?

Answer 96

20000-1

Question 97

What ISO describes an information security management system?

Answer 97

27001

Question 98

What’s the best tool to centralize logs and incident information?

Answer 98

SIEM

Question 99

What can block legitimate traffic if it’s improperly identified?

Answer 99

IPS

Question 100

Which needs to be placed in-line with traffic? IDS or IPS

Answer 100

IPS

Question 101

Do IPS and IDS use signature and behavior-based detection?

Answer 101

Yes

Question 102

Can an IDS fail open or closed?

Answer 102

No, b/c it’s not in-line

Question 103

A system set to ________ does not shut down when failure conditions are present.

Answer 103

Fail open

Question 104

________ is when a device or system is set, either physically or via software, to shut down and prevent further operation when failure conditions are detected.

Answer 104

Failing closed

Question 105

An ________ sits in line with traffic flows and inspects all traffic before permitting it to continue on to its destination.

Answer 105

IPS

Question 106

What shows which IP address contacted another IP address, source/destination ports, and volume of data?

Answer 106

Flow logging

Question 107

AI features in SIEM devices are used to:

Answer 107

1. Analyze and learn network traffic patterns
2. Use log correlation and threat intelligence to identify unexpected/potentially malicious behavior

Question 108

default gateway
subnet mask
DNS server info
IP address
Are all provided by

Answer 108

DHCP

Question 109

A ________ is a router that connects your host to remote network segments.

Answer 109

default gateway

Question 110

A _________ is a number that distinguishes the network address and the host address within an IP address.

Answer 110

subnet mask

Question 111

________ is an Internet service that translates domain names (e.g., its.umich.edu) into IP addresses.

Answer 111

Domain Name System (DNS)

Question 112

________ is a protocol for automatically assigning IP addresses and other configurations to devices when they connect to a network.

Answer 112

Dynamic Host Configuration Protocol (DHCP)

Question 113

An ________ is a unique numerical identifier for every device or network that connects to the internet and is used for communicating across the internet.

Answer 113

Internet Protocol (IP) address

Question 114

________ is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.

Answer 114

Secure Boot

Question 115

Disabling _________ b/w VMs and the console is a standard security practice.

Answer 115

cut and paste

Question 116

Removing ________ is a standard security practice.

Answer 116

unnecessary hardware

Question 117

Use of the VM console is considered direct access and should only be used for ________.

Answer 117

critical actions - use virtualization management platform for most actions

Question 118

Are honeypots used to capture traffic to stop attacks?

Answer 118

No - just to study

Question 119

What 3 things can stop attacks by preventing malicious traffic from entering the network?

Answer 119

network security groups, firewalls, and IPSs

Question 120

What can be associated with subnets or individual virtual machine instances within that subnet to activate a rule or access control list (ACL) to allow or deny network traffic to your virtual machine instances in a virtual network.

Answer 120

Network security groups

Question 121

use multiple vendors
have SLAs in place
use self-hosted failover capabilities

Answer 121

high availability techniques

Question 122

Invest in redundant systems
Additional monitoring

Answer 122

availability management techniques

Question 123

T/F: Disk images, VM snapshots, and network packet capture require low-level access that can’t typically be accessed in SaaS.

Answer 123

True

Question 124

What measures performance and checks it against requirements set in SLAs and service-level requirements?

Answer 124

Service capacity management

Question 125

What involves interpreting business needs into requirements for services and architecture?

Answer 125

Business capacity management

Question 126

What focuses on the actual components of an infrastructure?

Answer 126

Component capacity management

Question 127

________ is dedicated file storage that enables multiple users and heterogeneous client devices to retrieve data from centralized disk capacity.

Answer 127

Network-attached storage (NAS)

Question 128

________ is a management platform for Windows endpoints providing inventory, software distribution, operating system imaging, settings and security management.

Answer 128

Microsoft Endpoint Configuration Manager

Question 129

What mode is used to remove running systems for a VM cluster to allow for hardware/software upgrades?

Answer 129

Maintenance mode

Question 130

What hides details of a system to make management simpler?

Answer 130

Abstraction

Question 131

Like honeypots, these are set up to detect network attacks and techniques.

Answer 131

Honeynets

Question 132

What’s used to look for unexpected traffic indicating probes by potential attackers?

Answer 132

Darknets

Question 133

What’s used to provide secure access from a lower security zone to a higher one?

Answer 133

Bastion hosts

Question 134

What’s the next step after data/artifacts are identified in forensics?

Answer 134

Preservation

Question 135

________ is the managing and provisioning of infrastructure through code instead of through manual processes.

Answer 135

Infrastructure as Code (IaC)

Question 136

Benefits of ______ include:
Increase consistency by removing human error
Easily updated
Increases speed

Answer 136

IaC

Question 137

A ________ ensures uptime and availability by helping you manage hardware, application, and site failures.

Answer 137

clustered environment

Question 138

The benefits of ________ include flexibility and scalability, availability and performance, reduced IT costs, and a customizable infrastructure.

Answer 138

server clustering

Question 139

• Identifying/specifying attributes for each config item type/subcomponent
• The relationship b/w each CI/subcomponent and others in the org

Are all things _____ includes.

Answer 139

ITIL’s config identification subprocess

Question 140

What focuses on managing changes in the config management system?

Answer 140

Config control

Question 141

What validates that configs match what’s expected?

Answer 141

Config verification

Question 142

Typically, ________measure input/output operations per second (IOPS), filesystem performance, caching, and autoscaling.

Answer 142

cloud performance metrics

Question 143

Availability, capacity, throughput, latency, cpu capacity, and error rates are all ____ that should be monitored for _____.

Answer 143

metrics / IaaS

Question 144

What are the components/services managed as part of a config mgmt effort?

Answer 144

Config items

Question 145

What are used to evaluate changes and causes of incidents?

Answer 145

Config models

Question 146

What describes config item relationships and settings?

Answer 146

Config records

Question 147

Is latency usually billed?

Answer 147

No

Question 148

Can customers obtain forensic data from underlying infrastructure as a service environment?

Answer 148

No

Question 149

Memory for instance, disk volumes, and logs are all:

Answer 149

cloud forensic artifacts

Question 150

Will SaaS providers allow 3Ps to scan their production services?

Answer 150

No

Question 151

27037, 27041, 27043, and 27050-1 all relate to _____ ?

Answer 151

forensics

Question 152

______ covers standards for infosec management and ____ describes security controls

Answer 152

27001 and 27002

Question 153

What ISO series covers quality management?

Answer 153

9000

Question 154

Do SOCs provide eDiscovery services?

Answer 154

No

Question 155

________ is a form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings.

Answer 155

E-discovery

Question 156

What ISO standard focuses on business capacity mgmt, service capacity mgmt, and component capacity mgmt?

Answer 156

20000-1

Question 157

What plans focus on creating and deploying releases?

Answer 157

Release and deployment plans

Question 158

What ISO standard requires orgs to establish, approve, and communicate their infosec policy?

Answer 158

20000-1

Question 159

What moves VMs from heavily loaded hosts to those w/ more resources available to help balance load across the cluster?

Answer 159

Distributed resource scheduling

Question 160

What’s a form of load balancing where requests are distributed to each server in a cluster as they come in based on a list?

Answer 160

Round-robin load balancing

Question 161

Powered-on time, temp, and drive health are all elements of _______.

Answer 161

Hardware monitoring

Question 162

What allows an app to run in a secure location while still allowing access to it from a lower-trust device?

Answer 162

Selecting a virtual client that allows apps to run in a cloud-hosted environment

Question 163

What includes detailed plans for returning systems and services to a working state and recovering data to a known consistent state?

Answer 163

ITIL Recovery plan

Question 164

What focuses on how to ensure continuity during specified disasters for services and systems?

Answer 164

Service continuity plans

Question 165

Is it best to engage a 3P when facing cloud forensic investigations?

Answer 165

Yes

Question 166

Assignment of tasks, including deviation notification and documentation, are things _____ should include.

Answer 166

Change management policies

Question 167

What should be isolated to ensure security of production activities?

Answer 167

Provisioning, management, and access to storage

Question 168

Ping, power, and pipe refers to _______, _______, and ________ with services like HVAC.

Answer 168

connectivity, power, and facility space

Question 169

Tier 1 datacenters are cheapest and needed only for _______.

Answer 169

occasional backup

Question 170

Creating and maintaining proper chain of custody documentation provides ________.

Answer 170

nonrepudiation

Question 171

What are logical overlays used to segregate network devices?

Answer 171

VLANs

Question 172

What’s used to create secure channels b/w networks over untrusted networks?

Answer 172

VPNs

Question 173

What’s used to prevent loops in networks?

Answer 173

STP - spanning tree protocol

Question 174

What are three options for backup power?

Answer 174

Batteries, redundant utility lines, and generator

Question 175

What is two power lines with separate routes so the fault of one line cannot compromise the functionality of the other?

Answer 175

Redundant utility lines

Question 176

What is a chip that resides on motherboard, is multi-purpose, and provides OS w/ access to keys while preventing drive removal and data access?

Answer 176

TPM - Trusted Platform Module

Question 177

What is also called a cryptographic coprocessor?

Answer 177

Trusted Platform Module

Question 178

What are virtual TPMs part of?

Answer 178

The hypervisor

Question 179

Can a TPM be added or removed at later date?

Answer 179

No, b/c it’s a physical component of the system hardware

Question 180

What uses tamper-proof hardened devices to provide crypto processing and protection of keys?

Answer 180

HSM

Question 181

What can be used in place of software crypto libraries and acclerators?

Answer 181

HSM

Question 182

What is a security method for protecting sensitive data at the hardware level by encrypting all data on a disk drive?

Answer 182

Full disk encryption

Question 183

What verifies the keys match before the secure boot process takes place?

Answer 183

Hardware root of trust

Question 184

When certificates are used in FDE, they use a _______ for key storage.

Answer 184

Hardware root of trust

Question 185

What offers the ability to protect devices at a lower level with passwords and is a low level software for booting a device?

Answer 185

UEFI - unified extensible firmware interface

Question 186

What is a physical computing device that manages digital keys?

Answer 186

HSM

Question 187

Are HSMs removable/external?

Answer 187

Yes

Question 188

Key escrows use ____ to store and manage private keys

Answer 188

HSM

Question 189

T/F: Hardware root of trust is less susceptible to attacks b/c security solutions are on a chip

Answer 189

True

Question 190

• TPM - module embedded in system
• SED - self encrypting drives
• HSM - dedicated crypto processor

These are the three foundations of a _____.

Answer 190

TEE (trusted execution environment)

Question 191

What is a network architecture approach that allows the network to be intelligently and centrally controlled using software?

Answer 191

Software Defined Networks

Question 192

Can SDNs reprogram the data plane?

Answer 192

Yes, at any time.

Question 193

How do you secure an SDN?

Answer 193

With TLS.

Question 194

What consists of cloud resources, where the VMs for one company are isolated from the resources of another company.

Answer 194

Virtual Private Cloud

Question 195

How are VPCs isolated?

Answer 195

By using public and private networks.

Question 196

How are virtual networks connected to other networks?

Answer 196

Via VPN gateway or network peering.

Question 197

When do you use NAT gateways?

Answer 197

For VDIs

Question 198

1. Secure build
2. Secure initial configuration
3. Host hardening and patching
4. Host lock down
5. Secure ongoing config maintenance

Are all _____ best practices.

Answer 198

cloud host servers

Question 199

1. Redundancy
2. Scheduled downtime/maintenance
3. Isolated network/robust access controls - access to virtual mgmt tools should be tightly controlled
4. Config mgmt/change mgmt - for tools to stay in hardened state.
5. Logging and monitoring - can create additional overhead

Answer 199

management tooling considerations

Question 200

What are the two main forms of control for virtual hardware security?

Answer 200

Configuration and patching

Question 201

Who owns patching in IaaS?

Answer 201

Customer

Question 202

Who owns patching in PaaS?

Answer 202

CSP

Question 203

What enables granular network segmentation in a zero trust network architecture?

Answer 203

VPC

Question 204

What is a security feature that’s similar to ACL that has distinct rules for inbound/outbound traffic?

Answer 204

Security groups

Question 205

1. Prevent oversubscription
2. Don’t share w/ other network traffic
3. Encrypt
4. Isolate and compartmentalize
5. Create separate isolated virtual switch

Answer 205

storage network controller best practices

Question 206

What is the native remote access protocol for Windows operating systems.

Answer 206

Remote Desktop Protocol

Question 207

What is the native remote access protocol for Linux operating systems, and common for remote management of network devices.

Answer 207

Secure Shell

Question 208

What is a system for secure local access?

Answer 208

Secure terminal/console-based access

Question 209

What is a bastion host at the boundary of lower and higher security zones.

Answer 209

Jumpbox

Question 210

What are software tools that allow remote connection to a VM for use as if it is your local machine.

Answer 210

Virtual clients

Question 211

What is a software feature that you can install on physical Linux machines to create virtual machines

Answer 211

KVM - kernel-based virtual machine

Question 212

What extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Answer 212

VPN

Question 213

What means using VPN for all traffic, both to the Internet and corporate network?

Answer 213

Full tunnel

Question 214

What uses an always on mode where both packet header and payload are encrypted?

Answer 214

Site to site

Question 215

What uses VPN for traffic destined for the corporate network only, and Internet traffic direct through its normal route.

Answer 215

Split tunnel

Question 216

This is where a connection is initiated from a users PC or laptop for a connection of shorter duration.

Answer 216

Remote access

Question 217

• Session Encryption
• Strong Authentication
• Enhanced logging and reviews
• Use of identity and access management tool
• Single Sign On (SSO)

Answer 217

local and remote access controls

Question 218

Use a _____ for sensitive functions and a _____ for day to day use.

Answer 218

dedicated admin account / standard account

Question 219

What addresses the limitations of the legacy network perimeter based security model, treats user identity as the control plane, and assumes compromise / breach in verifying every request?

Answer 219

Zero Trust Security

Question 220

Network Security Group (NSG)
Network Firewalls
Inbound and outbound traffic filtering/inspection
Centralized security policy management and enforcement

Answer 220

elements of zero trust architecture

Question 221

What acts as a virtual firewall for virtual networks and resource instances, carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances, and provides a virtual firewall for a collection of cloud resources with the same security posture?

Answer 221

Network security groups

Question 222

What restricts services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic?

Answer 222

Segmentation

Question 223

These have their own CIDR IP address range and cannot connect directly to the internet.

Answer 223

Private subnets

Question 224

In segmentation, rules are enforced by the _____.

Answer 224

IP address ranges of each subnet

Question 225

Within a virtual network, ____can be used to achieve isolation and port filtering through a network security group.

Answer 225

subnet

Question 227

What uses these IP addresses:
10.0.0.0
172.16.x.x
172.31.x.x
192.168.0.0

Answer 227

Private subnet

Question 228

This is where traffic moves laterally between servers within a data center.

Answer 228

East-West Traffic

Question 229

This is where a collection of devices communicate with one another as if they made up a single physical LAN.

Answer 229

VLAN

Question 230

This is where a subnet is placed between two routers or firewalls. Bastion host(s) are located within that subnet.

Answer 230

Screened subnet

Question 231

This is a sandboxed area within the larger public cloud that takes the form of a VLAN?

Answer 231

VPC

Question 232

Two methods for securing connection to VPC

Answer 232

VPN and network peering

Question 233

A set of specifications primarily aimed at reinforcing the integrity of DNS with cryptographic authentication using digital signatures.

Answer 233

DNSSEC

Question 234

What provides proof of origin and makes cache poisoning and spoofing attacks more difficult?

Answer 234

DNSSEC

Question 235

Data in motion is most often encrypted
using _____ or ______.

Answer 235

TLS or HTTPS

Question 236

_____ uses an x.509 certificate with a public/private key pair.

Answer 236

TLS

Question 237

What allows a SIEM to leverage IP addresses associated with a system event to track an IP address to a specific endpoint?

Answer 237

Dynamic Host Configuration Protocol

Question 238

Digital signatures (public/private key pair)
Message authentication code (session key)
Hash-based message authentication code (hash and cryptographic key)

Answer 238

three ways to provide non-repudiation

Question 239

This is a host used to allow administrators to access a private network from a lower security zone, will have a network interface in both the lower and higher security zones, and will be secured at the same level as the higher security zone it’s connected to.

Answer 239

Bastion host

Question 240

Additional security measures like hash based message authentication code (HMAC) can be used to detect _____.

Answer 240

Intentional tampering

Question 241

HMAC can simultaneously verify both

Answer 241

data integrity
and message authenticity

Question 242

A host used to allow administrators to access a private network from a lower security zone, will have a network interface in both the lower and higher security zones, and will be secured at the same level as the higher security zone it’s connected to.

Answer 242

Bastion host

Question 243

Two common names for bastion hosts.

Answer 243

Jumpbox or jumpserver

Question 244

What can be applied to a single VM image, or to a VM template created that is then used to deploy all VMs

Answer 244

Baselines

Question 245

_____ is a high level description, _____ contains a security recommendation, and _____ is the implementation of the benchmark.

Answer 245

Control, Benchmark, Baseline

Question 246

The U.S. Defense Information Systems Agency (DISA) produces baseline documents known as _____.

Answer 246

Security Technical Implementation Guides (STIGs)

Question 247

Vendor-supplied baselines
DISA STIGs
NIST checklists
CIS benchmarks

Answer 247

baseline options

Question 248

What verifies the deployment of
approved patches to system

Answer 248

System audits

Question 249

What is the management of infrastructure (networks, VMs, load balancers, and connection topology) described in code

Answer 249

IaC

Question 250

T/F: Binary code in the IaC model results in the same environment every time it is applied.

Answer 250

True

Question 251

Cloud native controls support

Answer 251

IaC

Question 252

What helps reduce
errors and configuration drift?

Answer 252

Declarative (must know current state) and idempotent (applied multiple times w/out changing result).

Question 253

These include high availability via redundancy, optimized performance via distributed workloads, and the ability to scale resources.

Answer 253

Cluster advantages

Question 254

Often part of hypervisor or load balancer software, this is responsible for mediating access to shared resources in a cluster.

Answer 254

Cluster management agent

Question 255

This is the coordination element in a cluster of VMware ESXi hosts that mediates access to the physical resources and handles resources available to a cluster, reservations and limits for the VMs running on the cluster, and maintenance features.

Answer 255

DRS - Distributed resource scheduling

Question 256

This is pool storage, providing reliability, increased performance, or possibly additional capacity.

Answer 256

Storage clusters

Question 257

Resiliency of the physical hypervisor cluster, networks, and storage are responsibility of the _____.

Answer 257

CSP

Question 258

This concept says monitoring should include utilization, performance, and availability of 1) CPU, 2) memory, 3) storage and 4) network.

Answer 258

Core 4

Question 259

In PaaS, _____ owns infrastructure backups, _____ owns backups of data.

Answer 259

CSP / Customer

Question 260

In Iaas, _____ owns backup/recovery of VMs.

Answer 260

Customer

Question 261

______ says backups should be stored on different hardware or availability zones.

Answer 261

Physical separation

Question 262

Specifies requirements for “establishing,
implementing, maintaining and continually improving a service management system (SMS)”

Answer 262

ISO 20000-1

Question 263

Provides virtual management options analogous to physical admin options of a legacy datacenter.

Answer 263

Management plane

Question 264

_____ is the automated configuration and management of resources in bulk

Answer 264

Orchestration

Question 265

The web-based consumer interface for managing resources.

Answer 265

Management console

Question 266

Supports management of the service lifecycle, including planning, design, transition, delivery and service improvement.

Answer 266

ISO 20000-1

Question 267

Process of evaluating a change request to decide if it should be implemented

Answer 267

Change control

Question 268

This reduces operational overhead and human error, reduces security risk, and enables more frequent releases while maintaining a strong security posture.

Answer 268

Automating change management

Question 269

This specifies the requirements needed for an organization to plan, implement, operate, and continually improve the continuity capability.

Answer 269

ISO 22301:2019 Security and resilience
BC management systems

Question 270

ISO 27001
ISO 27017
ISO 27018
ISO 27701
NIST RMF
SP 800 53
NIST CSF
AICPA SOC 2

Answer 270

Security control standards

Question 271

Security standard developed for CSPs

Answer 271

ISO 27017

Question 272

Standard for cloud privacy

Answer 272

ISO 27018

Question 273

Standard for privacy risk

Answer 273

ISO 27701

Question 274

NIST RMF

Answer 274

Cybersecurity risk management

Question 275

Critical element of continual service improvement

Answer 275

Monitoring and measurement

Question 276

Any observable action

Answer 276

Event

Question 277

Unplanned events with adverse impact

Answer 277

Incidents

Question 278

6 steps of incident management

Answer 278

preparation - to ensure they can respond
identification
containment
eradication
recovery
lessons learned

Question 279

What does problem management use to identify underlying problem?

Answer 279

root cause analysis

Question 280

CI/CD positively impacts the _____.

Answer 280

Frequency of releases

Question 281

SLAs are focused on _ that define _ and _.

Answer 281

measurable outcomes / availability / levels of service

Question 282

Availability means the service is up and _____.

Answer 282

useable

Question 283

Responsibility for capacity management belongs to _____ at the platform level, but belongs to _____ for deployed apps and services

Answer 283

CSP / customer

Question 284

What is the identification, collection, preservation, analysis, and review of electronic information?

Answer 284

eDiscovery

Question 285

Guide for collecting, identifying, and preserving electronic evidence

Answer 285

ISO/IEC 27037:2012

Question 286

Guide for incident investigation

Answer 286

ISO/IEC 27041:2015

Question 287

Guide for digital evidence analysis.

Answer 287

ISO/IEC 27042:2015

Question 288

Guide for incident investigation principles and processes

Answer 288

ISO/IEC 27043:2015

Question 289

Offers a framework, governance, and best practices for forensics, eDiscovery, and evidence management

Answer 289

ISO 27050

Question 290

Offers guidance on legal concerns related to security, privacy, and contractual obligations

Answer 290

CSA Security Guidance

Question 291

Evidence collection process

Answer 291

1. Logs are essential
2. Document everything
3. Consider volatility

Question 292

1. Use original physical media
2. Verify data integrity
3. Follow documented procedures
4. Establish and maintain communications

Answer 292

evidence collection best practices

Question 293

1. Data location
2. Rights and responsibilities
3. Tools
4. Regulatory and jurisdiction
5. Breach notification laws
6. Control
7. Multitenancy
8. Data volatility and dispersion

Answer 293

cloud forensics challenges

Question 294

5 attributes of useful evidence

Answer 294

1. Authentic
2. Accurate
3. Complete
4. Convincing
5. Admissible

Question 295

1. Relevant
2. Material
3. Competent/Reliable
4. Obtained legally

Answer 295

admissible requirements in court

Question 296

Volatility in order

Answer 296

1. CPU, cache, and register contents
2. Routing tables, ARP cache, process tables, kernel statistics
3. Live network connections and data flows
4. Memory (RAM)
5. Temporary file system and swap/pagefile
6. Data on hard disk
7. Remotely logged data
8. Data stored on archival media and backups

Question 297

T/F: Volatile evidence should be collected first.

Answer 297

True

Question 298

1. Collection
2. Examination
3. Analysis
4. Reporting

Answer 298

4 phases of digital evidence handling

Question 299

Proper evidence handling and decision making should be
a part of _____.

Answer 299

the incident response procedures and training

Question 300

With evidence preservation, collect _____ and work from _____.

Answer 300

originals / copies

Question 301

1. locked cabinets/safes
2. dedicated/isolated storage facilities
3. environment maintenance
4. access restrictions/document/track activity
5. blocking interference

Answer 301

Protections for evidence storage

Question 302

When either the forensic copy or the system image is being analyzed, the data and applications are _____ at collection.

Answer 302

hashed

Question 303

Hashes can be used as a

Answer 303

checksum to ensure integrity later.

Question 304

Data provenance effectively provides a historical record of _____.

Answer 304

data, its origin, and forensic activities performed on it

Question 305

_____ is the process of tracking flow of data over time, showing
where the data originated, how it has changed, and its ultimate destination.

Answer 305

Data lineage

Question 306

An image or exact sector by sector, copy of a hard disk or other storage device taken using specialized software, preserving an exact copy of the original disk.

Answer 306

Forensic copy

Question 307

Deleted files, slack space, system files and executables (and documents renamed to mimic system files and executables) are all part of a _____.

Answer 307

forensic image

Question 308

Threat Prevention
Threat Detection
Incident Management
Continuous Monitoring & Reporting
Alert Prioritization
Compliance Management

Answer 308

Key functions of SOC

Question 309

Tools such as _____ automate monitoring and provide real time analysis of events.

Answer 309

IDSs or SIEMs

Question 310

NIST SP 800 37: Risk Management Framework (RMF) specifies the creation of a continuous monitoring strategy for getting _____.

Answer 310

near real time risk information

Question 311

What is hardware called in the cloud (virtual)?

Answer 311

Network Virtual Appliance

Question 312

Typically caters specifically to application communications. Often that is HTTPS or Web traffic.

Answer 312

Application

Question 313

An application installed on a host OS, such as Windows or Linux, both client and server operating systems.

Answer 313

Host-based

Question 314

In the cloud, firewalls are implemented as _____

Answer 314

virtual network appliances (VNA).

Question 315

Watch network traffic and restrict or block packets based on source and destination addresses or other static values, not ‘aware’ of traffic patterns or data flows. Typically, faster and perform better under heavier traffic loads.

Answer 315

Stateless firewall

Question 316

Can watch traffic streams from end to end. Are aware of communication paths and can implement various IP security functions such as tunnels and encryption. Better at identifying unauthorized and forged communications.

Answer 316

Stateful firewalls

Question 317

Protect web applications by filtering and monitoring HTTPS traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection.

Answer 317

Web application firewall

Question 318

A deep packet inspection firewall that moves beyond port/protocol inspection and blocking, adds application level inspection, intrusion prevention, and brings intelligence from outside the firewall.

Answer 318

Next generation firewall

Question 319

Generally responds passively by logging and sending notifications

Answer 319

IDS

Question 320

Is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target

Answer 320

IPS

Question 321

Can monitor activity on a single system only. A drawback is that attackers can discover and disable them.

Answer 321

HIDS

Question 322

Can monitor activity on a network, and isn’t as visible to attackers.

Answer 322

NIDS

Question 323

Can monitor activity on a network, and isn’t as visible to attackers.

Answer 323

NIPS

Question 324

A system that often has pseudo flaws and fake data to lure intruders.

Answer 324

Honeypot

Question 325

Honeypots only entice, not

Answer 325

entrap

Question 326

A subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.

Answer 326

Deep learning

Question 327

This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day. It tracks the devices that the user normally uses and the servers that they normally visit.

Answer 327

User entity behavior analysis (ueba)

Question 328

Using Artificial intelligence and machine learning to identify attacks.

Answer 328

Sentiment analysis

Question 329

Centralized alert and response automation with threat specific playbooks.

Answer 329

SOAR

Question 330

Log centralization and aggregation
Data integrity - on separate host w/ own access control
Normalization of incoming data
Automated or continuous monitoring - algorithms to ID potential attacks
Alerting - auto generate alerts
Investigative monitoring

Answer 330

SIEM key features

Question 331

The key to optimizing event detection and visibility and scale security operations:

Answer 331

log collection

Question 332

Log collectors
Log aggregation
Packet capture
Data inputs

Answer 332

SIEM benefits

Question 333

400 series HTTP response codes are

Answer 333

client side errors

Question 334

500 series HTTP response codes are

Answer 334

server side errors

Question 335

Network log files may be helpful in stopping

Answer 335

DDoS attack

Question 336

Web log files collect info about each web session and show evidence of _____.

Answer 336

potential threats and attacks

Question 337

These files contains information about hardware changes, updates to devices, time synchronization, group policy application, etc.

Answer 337

System files

Question 338

These files contain information about software applications, when launched, success or failure, and warnings about potential problems or errors.

Answer 338

Application

Question 339

These files contain information about a successful login, as well as unauthorized attempts to access the system and resources.

Answer 339

Security

Question 340

These files contain virtually all DNS server level activity, such as zone transfer, DNS server errors, DNS caching, and DNSSEC.

Answer 340

DNS

Question 341

These files contain information about login events, logging success or failure

Answer 341

Authentication

Question 342

These systems provide information on the calls being made and the devices that they originate from. may also capture call quality by logging the Mean Optical Score (MOS), jitter, and loss of signal.

Answer 342

VoIP and Call Managers

Question 343

This is used for internet based calls and the log files generally show: the 100 events, known as the INVITE, the initiation of a connection, that relates to ringing, and the 200 OK is followed by an acknowledgement.

Answer 343

Session Initiation Protocol (SIP) Traffic

Question 344

Preparation
Detection and analysis
Containment, eradication, recovery
Post-incident activity

Answer 344

incident response lifecycle

Question 345

A much more powerful version of the vulnerability scanner that has higher privileges.

Answer 345

Credentialed scan

Question 346

Has lower privileges than a credentialed scan. It will identify
vulnerabilities that an attacker would easily find.

Answer 346

Non-credentialed scan

Question 347

These are passive and merely report vulnerabilities. They do not cause damage to your system.

Answer 347

Non-intrusive scans

Question 348

Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.

Answer 348

Intrusive scans

Question 349

Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.

Answer 349

Configuration Review

Question 350

Before applications are released, coding experts perform regression testing that will check code for deficiencies.

Answer 350

application scans

Question 351

the overall score assigned to a vulnerability

Answer 351

cvss

Question 352

a list of all publicly disclosed vulnerabilities

Answer 352

cve

Question 353

• software flaws
• missing patches
• open ports
• services that should not be running
• weak passwords

Answer 353

Vulnerabilities reported by a vuln scanner

Question 354

The most effective vulnerability scan

Answer 354

credentialed vulnerability scan