Exam Flashcards

1
Q

How many tiers should an ISCM per NIST 800-137 have?
A. 2 – Tier 1 (Org Bus Process), Tier 2 (Cloud Computing Strategy Implem)
B. 2 – Tier 1 (Cloud Computing Strategy Implem), Tier 2 (Org Bus Process)
C. 3 – Tier 1 (Org Bus Process), Tier 2 (ISCM Strategy), Tier 3 (Cloud Computing Strategy Implem)
D. 3 – Tier 1 (Cloud Computing Strategy Implem), Tier 2 (Org Bus Process), Tier 3 (ISCM Strategy)

A
C. 3 – Tier 1 (Org Bus Process), Tier 2 (ISCM Strategy), Tier 3 (Cloud Computing Strategy Implem)
2
Q
Cloud services (i.e. IaaS, PaaS, SaaS) can be delivered by several models. Select 3.
A. Private Cloud
B. Community Cloud
C. Hybrid Cloud
D. Shared Cloud
E. Social Cloud
A

A. Private Cloud
B. Community Cloud
C. Hybrid Cloud

3
Q

What is not a risk for a multi-tenancy design?
A. Co-mingled tenant data
B. Inadequate logical Sec Cntl
C. Overcharging for extreme use of resources
D. Uncoordinated change cntl and mis-config

A

C. Overcharging for extreme use of resources

4
Q

Consider the following statements about hybrid cloud solutions:
1. In hybrid cloud, both the provider and consumer share the mgmt responsibility
2. In hybrid cloud, both the provider and consumer share the ownership
3. In hybrid cloud, the provider and consumer use a combination of on-premise and off-premise infrastructure
4. In hybrid cloud, both the provider and consumer have trusted and untrusted users.
Which statement is correct?
A. Statements 1 & 2 are correct
B. Statements 1, 3, & 4 are correct
C. Statements 2, 3, & 4 are correct
D. All statements are correct

A

D. All statements are correct

5
Q
Consider the context of data center availability and physical security. Which Tier ensures the highest availability?
A. Tier I
B. Tier II
C. Tier III
D. Tier IV
A

D. Tier IV

6
Q

What is a device that safeguards and manages digital keys for strong authentication along with providing crypto processing called?

A. Hardware Sec Module (HSM)
B. Key Mgmt Device (KMD)
C. Public Key Infrastructure
D. Windows File Server

A

A. Hardware Sec Module (HSM)

7
Q

What are the benefits of Least Privilege Access?

A. Better service stability, security, & ease of Deployment
B. Better service stability, lower complexity, better security, & ease of Deployment
C. Improved availability, lower risk, lower cost of development, and deployment
D. It is mainly about the best service availability

A

A. Better service stability, security, & ease of Deployment

8
Q

Consider the replication schemes and active costs, such as electricity and network bandwidth. Which DR solution is most advantageous?

A. Online Backup
B. Cold site DR
C. Warm site DR
D. Hot site DR

A

C. Warm site DR

9
Q

What allows an org and cloud provider to trust and share digital identities?

A. Federated Identity
B. Identity and Access Mgmt
C. Multi-factor Authentication
D. Tokenization

A

A. Federated Identity

10
Q

A new e-commerce application (predicted to deliver 70% of company revenue) is being developed and will be hosted on IaaS and PaaS with a well-known public cloud provider. The application will process personal data and orders, and will also take payment details for processing by external payment processing companies. What should not be a key concern of the security manager?

A. Ability of the application to handle the increase in number of users after a certain limit
B. Availability of the system when under DDoS attack
C. Integrity of financial transactions
D. Personally Identifiable Data of persons from outside the US, stored in US data centers
E. Payment processing not fully outsourced, hence the system is in the full scope of PCI DSS.

A

A. Ability of the application to handle the increase in number of users after a certain limit

11
Q

The Heartbleed bug in OpenSSL left it open to which of the following attacks?

A. Brute-force of the cryptographic keys used to encrypt network transmission
B. DoS attack to make website unresponsive
C. Network snooping attack with a side channel for decryption of the encrypted traffic
D. Private memory (RAM) read attack that could reveal private or session keys

A

D. Private memory (RAM) read attack that could reveal private or session keys

12
Q

What would typically be the responsibility of a cloud customer security operations team?

A. Facilities, Network Infrastructure, Hypervisor security
B. Facilities, Physical security, Physical Infrastructure, Network Infrastructure, Operating Systems
C. Facilities, Physical security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
D. Operating System, Application, Account Mgmt, Security Roles, Network Configuration

A

D. Operating System, Application, Account Mgmt, Security Roles, Network Configuration

13
Q

Which of the following statements correctly depicts the use of a Concept of Operations (CONOP) document?

A. Mandatory document required by ISO 27001 related to security operations
B. Mandatory document required by ISSO 27023 related to security operations
C. It helps an org to document in plain language what is required and what should be built for an information system
D. It provides requirements for an org to implement security mgmt related to identity and access mgmt.

A

C. It helps an org to document in plain language what is required and what should be built for an information system

14
Q

Due diligence is the investigation process before committing to a contractual agreement for cloud services. As part of the process, it is recommended to use a step-by-step approach or checklist/plan that helps to look into the little details. Which plan needs to be part of the due diligence process and has in scope all the services to be migrated to the cloud?

A. Transition Plan
B. Project Plan
C. Migration Plan
D. Implementation Plan

A

A. Transition Plan

15
Q

Network isolation is an important factor in establishing a cloud infrastructure and hardening process. The networking devices need to be configured with proper port configuration to mitigate the switch spoofing and double tagging threats. What type of attack do these threats enable?

A. VM Theft
B. VLAN Hopping
C. VM Hopping
D. VLAN Escape

A

B. VLAN Hopping

16
Q
A Container is a form of OS Virtualization that is more efficient than typical HW Virtualization. Containers can be used as an alternative to OS-level Virtualization to run multiple isolated systems on a single host; however, there are differences in the characteristics of Virtualization and Containers. Which of the following characteristics is associated with OS-level Virtualization and not Containers?
A. Applying limits per process
B. Single Network file system caching
C. Emulation of devices
D. Single kernel
A

C. Emulation of devices

17
Q

Business Continuity is a key component of any IT, Security, and Cloud Strategy. Which 3 key elements does it include? Select 3 options.

A. Availability
B. Contingency
C. Resilience
D. Recovery 
E. Scalability
A

B. Contingency
C. Resilience
D. Recovery

18
Q

What provides assurance that the message received has not lost its original form?

A. Authentication
B. Confidentiality
C. Integrity
D. Non-Repudiation

A

C. Integrity

19
Q
The Risk Assessment methodology has 9 steps. Which step is THREAT IDENTIFICATION?
A. First
B. Second
C. Third
D. Fourth
A

B. Second

20
Q

What is not an activity related to Incident Mgmt in the cloud?

A. Handling complicated troubleshooting due to continuous environment changes
B. Limiting incident spill over to multi cloud tenants
C. Managing incident investigation in a virtualized environment
D. Managing access to appropriate levels of data

A

D. Managing access to appropriate levels of data

21
Q

What is not a characteristic of SOA?

A. All components should be exposed as services
B. All services should use SOAP/WSDL interfaces
C. All services are discoverable from a portal
D. All services should use WS-* security

A

C. All services are discoverable from a portal

22
Q

Which attack vector allows an attacker to break out of a VM and interact with the host OS?

A. Hyperjacking
B. VM Escape
C. VM Hopping
D. VM Theft

A

B. VM Escape

23
Q

Cloud is a very effective enabler for DR or BC. For a multi-site solution, what would help identify the data replication method to use with regard to DR?

A. RTO
B. RPO
C. Multi-Site Active-Active
D. Data Center Tiers

A

B. RPO

*The data replication method you employ will be determined by the RPO you choose.

24
Q

Critical business functions and the supporting infrastructure should be unaffected by most disruptions. Which BC element ensures this?

A. Availability
B. Contingency
C. Recovery
D. Resilience

A

D. Resilience

  • Resilience refers to critical business functions and the supporting infrastructure being designed in such a way that they are materially unaffected by most disruptions.
25
Q

Which org has provided a globally accepted Cloud Computing Ref Architecture?

A. Carnegie Mellon University
B. Institute of Electrical and Electronics Engineers
C. Nat’l Institute of Standards and Technology (NIST)
D. Massachusetts Institute of Technology

A

C. Nat’l Institute of Standards and Technology (NIST)

26
Q

Who is the Relying Party in a federated environment, and what do they do?

A. The Customer. They consume tokens generated by the Identity Provider.
B. The Service Provider. They consume tokens generated by the customer.
C. The Identity Provider. They consume tokens generated by the service provider.
D. The Service Provider. They consume tokens generated by the Identity Provider.

A

D. The Service Provider. They consume tokens generated by the Identity Provider.

27
Q

What is the key benefit provided to a customer when using Infrastructure as a Service (IaaS) solution?

A. Ability to scale up infrastructure services on the basis of projected usage
B. Transfer in the cost of ownership
C. Usage is measured and priced on the basis of consumed units
D. Efficiency of cooling system and increased energy

A

C. Usage is measured and priced on the basis of consumed units

28
Q

Which of the following are the six components of the STRIDE Threat Model?

A. Spoofing, Repudiation, Tampering, Information Disclosure, Social Engineering and Denial of Service
B. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
C. Tampering, Spoofing, Non-Repudiation, Denial of Service, Information Disclosure and Elevation of Privilege
D. Spoofing, Tampering, Information Disclosure, Repudiation, Distributed Denial of Service, Elevation of Privilege

A

B. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

29
Q

Which of these are data storage types that can be used with Platform as a Service?

A. Unstructured and Ephemeral
B. Tabular and Object
C. Structured and Unstructured
D. Raw and Block

A

C. Structured and Unstructured

30
Q

What is the Cloud Security Alliance Cloud Controls Matrix?

A. Regulatory requirements for Cloud Service Providers
B. A set of SDLC requirements for Cloud Service Providers
C. An inventory of security controls for Cloud Service arranged into distinct security domains
D. An inventory of security controls for Cloud Service arranged into a security domains hierarchy

A

C. An inventory of security controls for Cloud Service arranged into distinct security domains

31
Q

Where does the encryption engine reside when using transparent encryption of a database?

A. In Key Management System
B. Within the database
C. On instance(s) attached to the volume
D. At the database-using application

A

B. Within the database

32
Q

What is presented to a cloud service organization or customer in an audit scope statement?

A. List of security controls that are to be audited
B. Results of the audit, findings and recommendations
C. Required level of information for the organization or client being audited in order to understand and agree with the focus, scope and type of assessment that is to be performed
D. The projected cost of audit and auditor credentials

A

C. Required level of information for the organization or client being audited in order to understand and agree with the focus, scope and type of assessment that is to be performed

33
Q

Which key issue related to the Object Storage type should the Cloud Service Provider be aware of?

A. Access Control
B. Data consistency can only be achieved after change propagation to all replica instances occurs
C. Continuous Monitoring
D. Data consistency can only be achieved after change propagation to a specific percentage of replica instances occurs

A

B. Data consistency can only be achieved after change propagation to all replica instances occurs

*Whenever a file is updated, you have to wait for the change to propagate to all replicas before requests can return the latest version. This is why object storage is unsuitable for data that changes constantly.

34
Q

Which of the following is a unique identifier for every set of data and its metadata?

A. Port ID
B. Object ID
C. Set ID
D. VIN

A

B. Object ID

35
Q

In data, a blob refers to which of the following?

A. Metadata
B. Policies
C. Replica
D. Large binary obj

A

D. Large binary obj

36
Q

Which cloud services model is the most minimal, offering the consumer the capability to deploy applications but not manage or control the cloud infrastructure?

A. AaaS
B. SaaS
C. IaaS
D. PaaS

A

D. PaaS

37
Q

Which of the following is a just-in-time essential characteristic of cloud computing?

A. Unilateral provisioning
B. On-demand self service
C. Resource pooling
D. Ubiquitous access

A

B. On-demand self service

38
Q

Data about data is known as which of the following?

A. Metadata
B. Trait
C. Point
D. Element

A

A. Metadata

39
Q

Ultimately who is accountable for the choice of public cloud and the security and privacy of the outsourced service?

A. The organization
B. Vendor and end user
C. End user
D. Vendor

A

A. The organization

40
Q

Issues that can arise from different clients being on the same system would be categorized as which of the following?

A. Assemblage
B. Multi-tenant
C. Elastic
D. Segregated

A

B. Multi-tenant