Exam Questions Flashcards
What is reversibility?
Reversibility is a metric that indicates the ease with which your cloud services can be migrated between cloud environments.
What does EAL4 in Common Criteria tell us?
It has been methodically designed, tested, and reviewed
What does EAL1 in Common Criteria tell us?
It has been functionally tested
What does EAL2 in Common Criteria tell us?
It has been structurally tested
What does EAL3 tell us?
Methodically tested and checked
What does EAL5 tell us?
Semi-formally designed and tested
What does EAL6 tell us?
Semi-formally verified design and tested
What does EAL7 tell us?
Formally verified design and tested
Within LDAP, which of the following acts as the primary key for an object?
DN
Artificial intelligence that incorporates emotional intelligence, social intelligence, and cognitive learning and responses is known as?
Humanised
“Finite State Model” is one of the 11 sections defined in which standard?
FIPS 140-2
An organization is running VMware Workstation. What type of hypervisor is this?
Software
Which of the following organizations publishes security standards applicable to any systems used by the federal government and its contractors?
NIST
What are the four types of blockchain?
private, public, consortium, and hybrid
The FIPS 140-2 standard defines four levels of security. Of the four levels, which provides the HIGHEST level of security and tamper protection?
4
What is a disadvantage of resource pooling?
multitenancy
When systems are given a set of seed data and patterns to search for and then continuously change their behavior depending on information and analysis of continuing trends, this process is referred to as?
Machine Learning
What is a cloud service partner?
A cloud service partner is a third-party provider of cloud-based services (infrastructure, storage and application, and platform services) through the CSP with which it is associated. The third-party cloud service partner makes use of the cloud service provider’s service in this scenario.
What is an example of a type 1 hypervisor?
VMware ESXi is an example of a type 1 hypervisor.
What is meant by the term portability?
Portability is the feature that allows data to move between multiple cloud providers without any issues.
When data is used in an application where it is viewable to users, customers, etc., it is known as which stage of the cloud secure data life cycle?
Share
How many layers of encryption are typically used on database storage systems?
Two layers. Database storage systems are generally encrypted with two layers of encryption. First, the files on the database can be protected through file system level encryption. Second, encryption can be used within the application itself.
Which of the following is NOT a component of DLP that Maxwell has to be concerned with?
Evidence and Custody
As you are drafting your organization’s cloud data destruction policy, which of the following is NOT a consideration that may affect the policy?
Data Discovery
When is the MOST optimal time to determine if data is classified as secure?
Create
What is used to consolidate large amounts of structured data, often from disparate sources inside or outside the organization, with the goal of supporting business intelligence and analysis efforts?
Data Warehouse
The most common and well understood threat to storage is?
Unauthorized access to data
Which phase of the cloud data lifecycle is the first phase in which security controls are implemented to protect data at rest?
Store
What term is used to describe the business intelligence and user-driven process in which data is analyzed and represented visually in order to look for specific attributes and patterns within that data?
Data Discovery
An organization utilized data event logging recommendations by OWASP in their cloud auditing plan. Which of the following is NOT a recommendation?
Network
The purpose of labeling data is to accomplish which of the following?
Group data elements together and provide information about those elements
What is erasure encoding?
Erasure encoding is a technique employed by data dispersion to encrypt data with parity bits added.
A security incident occurred within an organization that affected numerous servers and network devices. A security engineer was able to use the SIEM to see all of the logs pertaining to that event, even though they occurred on different devices, by using the IP address of the source. Which function of a SIEM is being described in this scenario?
Correlation
Select the correct order of the cloud data lifecycle.
Create, store, use, share, archive, destroy
In which phase of the cloud data lifecycle should security controls using SSL/TLS be implemented?
Create
What is network segmentation?
Network segmentation is the process of separating different parts of the network and/or restricting access to certain areas of the network. Network segmentation can be done using physical separation methods or software/virtual separation methods.
Storage in the cloud typically consists of?
SAN and RAID
What is the typical magnitude of servers in an on-site data center?
Thousands. A traditional data center will likely house thousands of computers for a large enterprise corporation. This means that they will have incredible cooling and utility requirements. On the other hand, a major cloud environment may house hundreds of thousands of servers across many physical locations with their own cooling and utility requirements. In the cloud environment, however, the concern for these requirements is moved away from the cloud customer to the cloud provider.
How do cloud providers prioritise resources under high utilisation?
In the event that there are not enough resources to serve all hosts, cloud providers must prioritize and weigh which systems will receive the limited resources available. This concept is known as shares. Reservations refer to the minimum amount of resources that each cloud customer will receive, and limits refer to the maximum that they will receive.
In the event of an ISP failure, the customer is responsible for ensuring communication with the CSP. Which of the following would be the BEST strategy for ensuring that a means of communication with the cloud vendor is always available?
Redundant ISP
When selecting a cloud service provider, what is the MOST preferred attestation report to receive from vendors providing cloud services?
SOC 2 Type 2
What is the purpose of hot/cold aisles?
To avoid one row of racks pushing hot air directly into another row
IRM restrictions are typically provisioned by a data owner. In what access model is the owner responsible for defining the restrictions on a per-document basis?
The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database.
An organization is in the process of building a new data center. They want to ensure that the moisture level is not too high in their data center. What is the recommended maximum moisture level for a data center?
50 percent relative humidity
An organization is in the process of building a new data center. They want to ensure that the moisture level is not too low in their data center. What is the recommended minimum moisture level for a data center?
40 percent relative humidity
For the organization’s cloud environment, they are using a SaaS IAM manager and users will be using the same username and password for both the cloud and on-premises IAM systems. Due to the risks this may present, what is an important component of the organization’s cloud IAM strategy?
User Education
Organization A typically leaves their images offline at the business continuity and disaster recovery (BCDR) site when not in use. What risk is associated with this?
Images may not be patched and up to date with production system baselines and configurations
Who is responsible for the security of the public internet?
Users
In order to access their cloud environment remotely, a cloud engineer set up a method to connect in. This method uses a system which is publicly accessible on the Internet; however, the machine is extremely hardened to prevent attacks and is focused to allow access to a single application. Which of the following did the cloud engineer create?
Bastion
What is RPO?
RPO stands for recovery point objective, and it is the minimum amount of data that would be needed to be retained and recovered for an organization to function at a level which is acceptable to stakeholders. The RPO does not mean that the organization has to be operating at full capacity, just at an acceptable level where crucial systems are online.
Give examples of internal and external redundancy.
Generators. External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure. Internal redundancy includes power distribution units, power feeds to racks, cooling units, networking, storage units, and physical access points.
An engineer entered a data center and noticed that the humidity level was 20 percent relative humidity. What risk could this pose to systems?
Excess electrostatic discharge
Which of the following is NOT one of the main risks that needs to be assessed during the “assess risk” phase of developing a BCDR plan?
Budgetary restraints are not a main risk when developing a BCDR plan. The main risks associated with developing a BCDR plan include the load capacity at the BCDR site, migration of services, and legal or contractual issues.
What is the ideal temperature for a data center?
The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends that data centers have a temperature between 64.4 and 80.6 degrees Fahrenheit and a humidity level of between 40 and 60 percent relative humidity.
After a BCDR plan has been implemented, it can only be considered valid after which of the following has been done?
Testing
What is the danger of a compromised hypervisor?
A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors.
How is data in use typically protected?
Secure API calls and web services
Give an example of a white-box test.
Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code.
To allow automation and orchestration within a cloud environment, what network protocol must be enabled?
DHCP. The Dynamic Host Configuration Protocol (DHCP) assigns an IP address and other networking information to devices in the network automatically. This facilitates the creation of a centralized management system. New hosts can be activated with DHCP, as well as hosts that need to be auto-scaled, dynamically optimized, or relocated between physical hardware programmatically. DHCP allows network information to be readily updated and changed as needed.
What is OAuth used for?
Authorisation
In which IAM model are applications configured to trust identity providers, and identity providers authenticate users using digital security tokens?
SSO
Which of the following is NOT in the top three threats to cloud computing according to CSA’s 2020 Egregious 11?
Abuse and nefarious use of cloud services
To monitor and control access to application services of a SaaS solution, what should be implemented?
An approved API is critical for ensuring the security of the system components we are interacting with. Enforcing the usage of APIs to reduce the number of ways of accessing application services simplifies their monitoring and protection.
Which type of security test is run against live systems and those testing have limited knowledge of the systems?
DAST
The Treacherous Twelve is a list of twelve risks that are associated specifically with which type of technology?
Cloud Based
At the conclusion of which phase of the software development lifecycle (SDLC), will there be formal requirements and specifications ready for the development team to turn into actual software?
Analysis
Which OWASP Top 10 vulnerability is defined as the capacity of unauthenticated users to see unauthorized and sensitive data, perform unauthorized functions, and modify access rights?
Broken Access Control
Which of the following is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats?
Runtime Application Self-Protection (RASP) is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats in real-time.
Which phase of the software development lifecycle (SDLC) typically takes the LONGEST amount of time?
During the development/coding phase of the SDLC, the plans and requirements are turned into executable programming language. This is the heart of the software development process.
What process is oriented around service delivery of the application service produced in modern DevOps / DevSecOps and occurs at all phases to provide continuous improvement and quality tracking?
Quality Assurance
Which sort of testing embeds an agent within an application and analyzes application traffic and performance in real time to identify potential security issues?
IAST. Interactive Application Security Testing (IAST) is a gray-box testing technique. An agent is placed in an application to undertake real-time analysis of the program’s traffic and performance in order to uncover any security vulnerabilities.
Which type of attack could be caused by a compromised DHCP server?
DHCP (Dynamic Host Configuration Protocol) is used to automatically configure network settings on systems without the need for admins to do this manually on each computer. DHCP servers must be kept secure. If a DHCP server were compromised, the attacker would be able to change the network settings given out by the DHCP server. This would allow them to redirect legitimate users to compromised or spoofed systems.
Your organization is in the process of migrating to the cloud. Mid-migration you come across details in an agreement that may leave you non-compliant. Who would be the BEST contact to discuss your cloud environment compliance with legal jurisdictions?
Regulators
Which institute publishes the most widely used standard for data center topologies?
Uptime Institute