Exam Questions Flashcards

1
Q

What is reversability ?

A

Reversibility is a measure of how cleanly a customer can exit a cloud service: the customer can retrieve its data and application artefacts, and the provider deletes all customer data (and contractually specified derived data) after an agreed retention period. It is closely related to portability, which measures how easily services and data can be migrated between cloud environments.

2
Q

What does EAL4 in common criteria tell us ?

A

It has been methodically designed, tested, and reviewed

3
Q

What does EAL1 in common criteria tell us ?

A

It has been functionally tested

4
Q

What does EAL2 in common criteria tell us ?

A

It has been structurally tested

5
Q

What does EAL3 tell us ?

A

Methodically tested and checked

6
Q

What does EAL5 tell us ?

A

Semi-formally designed and tested

7
Q

What does EAL6 tell us ?

A

Semi-formally verified design and tested

8
Q

What does EAL7 tell us ?

A

Formally verified design and tested

9
Q

Within LDAP, which of the following acts as the primary key for an object?

A

DN (distinguished name): the full path of an entry from the directory root, which is unique within the directory and therefore acts as the entry's primary key.

10
Q

Artificial intelligence that incorporates emotional intelligence, social intelligence, and cognitive learning and responses is known as?

A

Humanised

11
Q

“Finite State Model” is one of the 11 sections that are defined in which standard?

A

FIPS 140-2 (its security requirements for cryptographic modules are organised into 11 areas, of which the finite state model is one)

12
Q

An organization is running VMware Workstation. What type of hypervisor is this?

A

Software (Type 2, hosted) hypervisor: VMware Workstation runs as an application on top of a host operating system rather than directly on the hardware.

13
Q

Which of the following organizations publishes security standards applicable to any systems used by the federal government and its contractors?

A

NIST

14
Q

What are the four types of blockchain ?

A

private, public, consortium, and hybrid

15
Q

The FIPS 140-2 standard defines four levels of security. Of the four levels, which provides the HIGHEST level of security and tamper protection?

A

4

16
Q

disadvantage of resource pooling?

A

multitenancy

17
Q

When systems are given a set of seed data and patterns to search for and then continuously change their behavior depending on information and analysis of continuing trends, this process is referred to as?

A

Machine Learning

18
Q

What is a cloud service partner ?

A

A cloud service partner is a third party that supports, or is auxiliary to, the activities of either the cloud service provider or the cloud service customer. Typical partners are cloud auditors, cloud service brokers and cloud service developers; a partner is neither the provider delivering the service nor the customer consuming it.

19
Q

What is an example of a type 1 hypervisor ?

A

VMware ESXi is an example of a Type 1 (bare-metal) hypervisor: it runs directly on the host hardware with no underlying operating system.

20
Q

What is meant by the term portability ?

A

Portability is the ability to move data and workloads between cloud providers (or between cloud and on-premises environments) without having to re-engineer them, i.e. without vendor lock-in.

21
Q

When data is used in an application where it is viewable to users, customers, etc., it is known as which stage of the cloud secure data life cycle?

A

Share

22
Q

How many layers of encryption are typically used on database storage systems?

A

Two. Database storage systems are generally protected with two layers of encryption: the database files can be protected with file-system-level encryption, and the data itself can be encrypted within the application (or by the database engine) before it is written to the database.

23
Q

Which of the following is NOT a component of DLP that Maxwell has to be concerned with?

A

Evidence and Custody

24
Q

As you are drafting your organization’s cloud data destruction policy, which of the following is NOT a consideration that may affect the policy?

A

Data Discovery

25
Q

When is the best time to classify data, i.e. to determine whether it must be treated as sensitive?

A

Create. Data should be classified at the moment it is created so that the controls its classification requires are applied in every later phase of the lifecycle.

26
Q

What is used to consolidate large amounts of structured data, often from disparate sources inside or outside the organization, with the goal of supporting business intelligence and analysis efforts?

A

Data Warehouse

27
Q

The most common and well understood threat to storage is?

A

Unauthorized access to data

28
Q

Which phase of the cloud data lifecycle is the first phase in which security controls are implemented to protect data at rest?

A

Store

29
Q

What term is used to describe the business intelligence and user-driven process in which data is analyzed and represented visually in order to look for specific attributes and patterns within that data?

A

Data Discovery

30
Q

An organization utilized data event logging recommendations by OWASP in their cloud auditing plan. Which of the following is NOT a recommendation?

A

Network

31
Q

The purpose of labeling data is to accomplish which of the following?

A

Group data elements together and provide information about those elements

32
Q

What is erasure coding?

A

Erasure coding is the technique data dispersion relies on: data is split into fragments and expanded with redundant parity fragments so that the original can be reconstructed from a subset of the fragments if some are lost or corrupted (much like RAID parity, but across storage nodes). It is encoding, not encryption: it provides availability and integrity, and any fragment set large enough to reconstruct the data reveals it, so confidentiality still requires encrypting the data before it is dispersed.

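
The parity idea behind erasure coding, as an added worked example that is not part of the original flashcards. It uses a single XOR parity fragment, so it tolerates the loss of exactly one fragment; production systems use Reed-Solomon codes with several parity fragments. The sample record and the 4-byte length prefix used to strip padding are constructed for illustration.

```python
"""Added example (not from the original flashcards): a minimal erasure code.

Data dispersion splits an object into k fragments and adds parity so the
object survives loss of a fragment. This toy uses one XOR parity fragment
(tolerates exactly one lost fragment); real systems use Reed-Solomon codes
with m parity fragments. Nothing here is encryption: any k intact fragments
reveal the plaintext, so confidentiality still needs encryption before
dispersion.
"""
from typing import List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(data: bytes, k: int) -> List[bytes]:
    """Split data into k equal fragments plus one XOR parity fragment.

    A 4-byte length prefix (an assumption of this example) lets decode()
    strip the zero padding added to make the fragments equal in size.
    """
    payload = len(data).to_bytes(4, "big") + data
    size = -(-len(payload) // k)  # ceiling division
    payload = payload.ljust(size * k, b"\0")
    fragments = [payload[i * size:(i + 1) * size] for i in range(k)]
    parity = bytes(size)
    for fragment in fragments:
        parity = xor_bytes(parity, fragment)
    return fragments + [parity]


def decode(fragments: List[Optional[bytes]]) -> bytes:
    """Reconstruct data from k+1 fragments, at most one of which is None."""
    missing = [i for i, f in enumerate(fragments) if f is None]
    if len(missing) > 1:
        raise ValueError("XOR parity can repair only one lost fragment")
    frags = list(fragments)
    if missing:
        # XOR of all surviving fragments (data and parity) is the lost one.
        size = len(next(f for f in frags if f is not None))
        rebuilt = bytes(size)
        for i, f in enumerate(frags):
            if i != missing[0]:
                rebuilt = xor_bytes(rebuilt, f)
        frags[missing[0]] = rebuilt
    payload = b"".join(frags[:-1])  # drop the parity fragment
    length = int.from_bytes(payload[:4], "big")
    return payload[4:4 + length]


def demo() -> bool:
    """Constructed sample: lose each fragment in turn and recover the record."""
    data = b"customer record 42: account=...; balance=1000"
    frags = encode(data, k=4)
    for lost in range(len(frags)):
        damaged = list(frags)
        damaged[lost] = None
        if decode(damaged) != data:
            return False
    return True


if __name__ == "__main__":
    print("all single-fragment losses recovered:", demo())
```

Losing two fragments makes decode() raise, which is the point of the caveat above: the number of parity fragments, not the fragment count, decides how many nodes the dispersed data can lose.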
33
Q

A security incident occurred within an organization that affected numerous servers and network devices. A security engineer was able to use the SIEM to see all of the logs pertaining to that event, even though they occurred on different devices, by using the IP address of the source. Which function of a SIEM is being described in this scenario?

A

Correlation: the SIEM normalises events from different devices into a common schema and links them on a shared attribute (here the source IP address) so that one incident can be followed across systems.

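
The correlation step from the scenario above, as an added example that is not part of the original flashcards. Three device types (a firewall, a web server and a Linux host's SSH daemon) log in different formats; the code normalises each line into one event schema and then builds a single timeline for one source IP. The log lines, host names, addresses and field names are constructed for illustration.

```python
"""Added example (not from the original flashcards): SIEM-style correlation.

Constructed log lines from three device types are normalised into one event
schema and then correlated on the source IP, producing the single timeline a
SIEM would show for the incident. Formats and field names are assumptions.
"""
import re
from datetime import datetime
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample: one attacker (203.0.113.7) seen by three devices,
# plus an unrelated client (198.51.100.9).
RAW_LOGS = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    '2024-03-01T10:00:05Z web01 203.0.113.7 - "GET /admin HTTP/1.1" 403',
    "2024-03-01T10:00:09Z db01 sshd[412]: Failed password for root from 203.0.113.7 port 5123",
    '2024-03-01T10:00:12Z web01 198.51.100.9 - "GET / HTTP/1.1" 200',
    "2024-03-01T10:00:20Z db01 sshd[413]: Accepted password for root from 203.0.113.7 port 5130",
]


def parse_line(line: str) -> Event:
    """Normalise one raw line (timestamp, host, device-specific payload)."""
    ts, host, rest = line.split(" ", 2)
    m = re.match(r"(DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$", rest)
    if m:
        return {"ts": ts, "host": host, "type": "firewall", "src_ip": m.group(2),
                "detail": f"{m.group(1)} to {m.group(3)}:{m.group(4)}"}
    m = re.match(r'(\S+) - "([^"]+)" (\d{3})$', rest)
    if m:
        return {"ts": ts, "host": host, "type": "web", "src_ip": m.group(1),
                "detail": f"{m.group(2)} -> {m.group(3)}"}
    m = re.match(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)", rest)
    if m:
        return {"ts": ts, "host": host, "type": "auth", "src_ip": m.group(3),
                "detail": f"ssh {m.group(1).lower()} for {m.group(2)}"}
    raise ValueError(f"unrecognised log line: {line}")


def correlate(lines: List[str], src_ip: str) -> List[Event]:
    """All events from any device with the given source IP, in time order."""
    events = [parse_line(line) for line in lines]
    related = [e for e in events if e["src_ip"] == src_ip]
    return sorted(
        related,
        key=lambda e: datetime.fromisoformat(e["ts"].replace("Z", "+00:00")),
    )


if __name__ == "__main__":
    for e in correlate(RAW_LOGS, "203.0.113.7"):
        print(e["ts"], e["host"], e["type"], e["detail"])
```

The timeline shows the denied connection, the forbidden admin request, the failed and finally the accepted root login in sequence, which no single device's log reveals on its own.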
34
Q

Select the correct order of the cloud data lifecycle?

A

Create, store, use, share, archive, destroy

35
Q

In which phase of the cloud data lifecycle should security controls using SSL/TLS be implemented?

A

Create. Data is usually created on the customer side and then transmitted to the cloud, so the Create phase is the first point at which data in transit must be protected with SSL/TLS; the same controls apply again whenever data moves, for example in the Share phase.

36
Q

What is network segmentation ?

A

Network segmentation is the process of separating different parts of the network and/or restricting access to certain areas of the network. It can be done using physical separation or software/virtual separation methods.

37
Q

Storage in the cloud typically consists of?

A

SAN and RAID

38
Q

What is the typical magnitude of servers in an on-site data center?

A

Thousands. A traditional data center will likely house thousands of computers for a large enterprise corporation, with correspondingly large cooling and utility requirements. A major cloud environment, on the other hand, may house hundreds of thousands of servers across many physical locations, each with its own cooling and utility requirements. In the cloud, however, responsibility for these requirements moves from the cloud customer to the cloud provider.

39
Q

How do cloud providers prioritise resources under high utilisation?

A

Shares. When there are not enough resources to serve all hosts, the cloud provider must weigh which systems receive the limited resources available; shares are the relative weights used for that. Reservations are the minimum amount of a resource each cloud customer is guaranteed, and limits are the maximum it may consume.

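
How shares, reservations and limits interact under contention, as an added worked example that is not part of the original flashcards. Reservations are satisfied first, the remaining capacity is divided in proportion to shares, and a tenant never receives more than its limit or its actual demand (surplus is redistributed to the others). Tenant names and numbers are constructed; real hypervisors add further refinements not shown here.

```python
"""Added example (not from the original flashcards): allocating a scarce
resource by shares while honouring reservations and limits.

Each tenant has a reservation (guaranteed minimum), a limit (hard maximum),
a share weight and a current demand. Reservations are met first; the rest is
split by share weight, capped by limit and demand, with any unused portion
redistributed. Tenant names and numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Tenant:
    name: str
    reservation: float  # guaranteed minimum (e.g. GHz of CPU)
    limit: float        # hard maximum
    shares: int         # relative weight under contention
    demand: float       # what the tenant currently wants


def allocate(tenants: List[Tenant], capacity: float) -> Dict[str, float]:
    """Return the amount of the resource each tenant receives."""
    if sum(t.reservation for t in tenants) > capacity:
        raise ValueError("reservations oversubscribe the host")
    # Step 1: reservations (a tenant wanting less than its reservation
    # simply gets what it asked for).
    alloc = {t.name: min(t.reservation, t.demand) for t in tenants}
    remaining = capacity - sum(alloc.values())
    # Step 2: hand out the remainder by share weight. A tenant that reaches
    # its limit or demand drops out and its unused portion is redistributed.
    active = [t for t in tenants if alloc[t.name] < min(t.limit, t.demand)]
    while active and remaining > 1e-9:
        total_shares = sum(t.shares for t in active)
        handed_out = 0.0
        still_active = []
        for t in active:
            want = min(t.limit, t.demand) - alloc[t.name]
            give = min(want, remaining * t.shares / total_shares)
            alloc[t.name] += give
            handed_out += give
            if min(t.limit, t.demand) - alloc[t.name] > 1e-9:
                still_active.append(t)
        remaining -= handed_out
        active = still_active
    return alloc


# Constructed sample: two noisy tenants and one with modest demand.
SAMPLE = [
    Tenant("A", reservation=20, limit=60, shares=2, demand=100),
    Tenant("B", reservation=10, limit=30, shares=1, demand=100),
    Tenant("C", reservation=0, limit=100, shares=1, demand=5),
]

if __name__ == "__main__":
    print("plenty:", allocate(SAMPLE, capacity=100))  # limits cap A and B
    print("scarce:", allocate(SAMPLE[:2], capacity=40))  # shares decide
```

With ample capacity the limits bind (A 60, B 30, C 5, and 5 units stay idle); with 40 units the 10 left after reservations are split 2:1 by shares, which is the behaviour the card describes.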
40
Q

In the event of an ISP failure, the customer is responsible for ensuring communication with the CSP. Which of the following would be the BEST strategy for ensuring that a means of communication with the cloud vendor is always available?

A

Redundant ISP

41
Q

When selecting a cloud service provider, what is the MOST preferred attestation report to receive from vendors providing cloud services?

A

SOC 2 Type 2

42
Q

What is the purpose of hot/cold aisles?

A

To avoid one row of racks pushing hot air directly into another row

43
Q

IRM restrictions are typically provisioned by a data owner. In what access model is the owner responsible for defining the restrictions on a per-document basis?

A

Discretionary access control (DAC). Under DAC the owner of a document defines who may access it and what they may do with it, document by document; IRM systems implement this by letting the owner configure sharing and usage rights on each document.

44
Q

An organization is the process of building a new data center. They want to ensure that the moisture level is not too high in their data center. What is the recommended maximum moisture level for a data center

A

60 percent relative humidity, the upper bound of the 40 to 60 percent range recommended by ASHRAE; above it condensation and corrosion become a risk.

45
Q

An organization is in the process of building a new data center. They want to ensure that the moisture level is not too low in their data center. What is the recommended minimum moisture level for a data center?

A

40 percent relative humidity

46
Q

For the organizations’ cloud environment, they are using a SaaS IAM manager and users will be using the same username and password for both the cloud and on-premise IAM systems. Due to the risks this may present, what is an important component to the organization’s cloud IAM strategy?

A

User Education

47
Q

Organization A typically leaves their images offline at the business continuity and disaster recovery (BCDR) site when not in use. What risk is associated with this?

A

Images may not be patched and up to date with production system baselines and configurations

48
Q

Who is responsible for the security of the public internet?

A

Users. No single entity secures the public Internet, so each user or organization is responsible for protecting its own traffic as it crosses it, for example with TLS or a VPN.

49
Q

In order to access their cloud environment remotely, a cloud engineer set up a method to connect in. This method uses a system which is publicly accessible on the Internet; however, the machine is extremely hardened to prevent attacks and is focused to allow access to a single application. Which of the following did the cloud engineer create?

A

Bastion

50
Q

What is RPO ?

A

RPO stands for recovery point objective: the maximum amount of data loss, expressed as the point in time before a disruption to which data must be recoverable, that stakeholders will accept. It determines how recent the most recent recoverable copy of data must be, and therefore how often backups or replication must run. It does not require full restoration of everything: the organization only needs to recover enough to operate at an acceptable level with crucial systems online (the time allowed to get there is the RTO).

51
Q

Give examples of internal and external redundancy.

A

External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure. Internal redundancy includes power distribution units, power feeds to racks, cooling units, networking, storage units, and physical access points.

52
Q

An engineer entered a data center and noticed that the humidity level was 20 percent relative humidity. What risk could this pose to systems?

A

Excess electrostatic discharge

53
Q

Which of the following is NOT one of the main risks that needs to be assessed during the “assess risk” phase of developing a BCDR plan?

A

Budgetary constraints are not a main risk assessed when developing a BCDR plan. The main risks are the load capacity at the BCDR site, migration of services, and legal or contractual issues.

54
Q

What is the ideal temp for a data center ?

A

The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends that data centers be kept between 64.4 and 80.6 degrees Fahrenheit (18 to 27 degrees Celsius) and between 40 and 60 percent relative humidity.

55
Q

After a BCDR plan has been implemented, it can only be considered valid after which of the following has been done?

A

Testing

56
Q

What is the danger of a compromised hypervisor ?

A

A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors.

57
Q

how is data in use typically protected?

A

Secure API calls and web services

58
Q

Give an example of a white box test ?

A

Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code

59
Q

To allow automation and orchestration within a cloud environment, what network protocol must be enabled?

A

DHCP. The Dynamic Host Configuration Protocol assigns IP addresses and other network settings to devices automatically, which is what makes centralized management possible. New hosts can be brought up with DHCP, as can hosts that must be auto-scaled, dynamically optimized, or relocated between physical hardware programmatically, and network settings can be updated and changed as needed without touching each host.

60
Q

What is OAuth used for?

A

Authorisation

61
Q

In which IAM model are applications configured to trust identity providers, and identity providers authenticate users using digital security tokens?

A

SSO, specifically federated single sign-on: the application is configured to trust an external identity provider, which authenticates the user and issues a signed security token (for example a SAML assertion or an OIDC ID token) that the application accepts in place of its own login.

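
The trust relationship behind that model, reduced to its core as an added example that is not part of the original flashcards. The identity provider signs a token carrying claims about the authenticated user; the relying application never handles the password and accepts the token only if the signature verifies under the provider's key and the issuer, audience and expiry claims are acceptable. Real deployments use SAML or OIDC tokens with asymmetric signatures; this toy uses an HMAC so it runs offline, and the key, issuer and audience values are constructed.

```python
"""Added example (not from the original flashcards): the trust relationship
behind federated SSO.

The IdP authenticates the user and issues a signed token; the relying party
accepts it only if the signature, issuer, audience and expiry check out. A
real deployment uses SAML or OIDC with asymmetric signatures; this toy uses
HMAC-SHA256 so it runs offline. Key, issuer and audience are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

IDP_KEY = b"idp-signing-key-constructed-for-example"  # shared secret (assumption)
ISSUER = "https://idp.example"                        # assumed IdP identifier
AUDIENCE = "https://app.example"                      # assumed relying party


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int, ttl: int = 300) -> str:
    """IdP side: sign claims about a user it has just authenticated."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: int) -> Optional[Dict]:
    """Relying-party side: return the claims if trusted, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    # Signature first, in constant time, before trusting anything in the body.
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    # A valid signature from the right IdP is not enough: the token must be
    # meant for this application and still within its lifetime.
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


if __name__ == "__main__":
    t = issue_token("alice", now=1_700_000_000)
    print(verify_token(t, now=1_700_000_010))   # accepted
    print(verify_token(t, now=1_700_000_400))   # expired -> None
```

The audience check is the one most often forgotten: without it, a token issued for one application can be replayed against another that trusts the same identity provider.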
62
Q

Which of the following is NOT in the top three threats to cloud computing according to CSA’s 2020 Egregious 11?

A

Abuse and nefarious use of cloud services

63
Q

To monitor and control access to application services of a SaaS solution, what should be implemented?

A

An approved API is critical for ensuring the security of system components we are interacting with. Enforcing the usage of APIs to reduce the number of ways for accessing application services simplifies their monitoring and protection

64
Q

Which type of security test is run against live systems by testers who have limited knowledge of the systems?

A

DAST

65
Q

The Treacherous Twelve is a list of twelve risks that are associated specifically with which type of technology?

A

Cloud Based

66
Q

At the conclusion of which phase of the software development lifecycle (SDLC), will there be formal requirements and specifications ready for the development team to turn into actual software?

A

Analysis

67
Q

Which OWASP Top 10 vulnerability is defined as the ability of users acting outside their intended permissions (including unauthenticated users) to see unauthorized and sensitive data, perform unauthorized functions, and modify access rights?

A

Broken Access Control

68
Q

Which of the following is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats?

A

Runtime Application Self-Protection (RASP) is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats in real-time.

69
Q

Which phase of the software development lifecycle (SDLC) typically takes the LONGEST amount of time?

A

Development (coding). During the development phase of the SDLC, the plans and requirements are turned into executable code; this is the heart of the software development process and typically its longest phase.

70
Q

What process is oriented around service delivery of the application service produced in modern DevOps / DevSecOps and occurs at all phases to provide continuous improvement and quality tracking?

A

Quality Assurance

71
Q

Which sort of testing embeds an agent within an application and analyzes the application's traffic and behaviour in real time to identify potential security issues?

A

IAST. Interactive Application Security Testing is a gray-box technique: an agent is placed inside the running application to analyse its traffic and behaviour in real time and uncover security vulnerabilities.

72
Q

Which type of attack could be caused by a compromised DHCP server?

A

DHCP spoofing / traffic redirection (a man-in-the-middle attack). DHCP (Dynamic Host Configuration Protocol) configures network settings on systems automatically so administrators need not set up each computer by hand. If a DHCP server is compromised, the attacker controls the settings it hands out, such as the default gateway and DNS servers, and can redirect legitimate users' traffic to attacker-controlled or spoofed systems. DHCP servers must therefore be kept secure.

73
Q

Your organization is in the process of migrating to the cloud. Mid-migration you come across details in an agreement that may leave you non-compliant. Who would be the BEST contact to discuss your cloud environment compliance with legal jurisdictions?

A

Regulators

74
Q

Which institute publishes the most widely used standard for data center topologies?

A

Uptime Institute

75
Q

Which organization is responsible for developing the Infinity Paradigm?

A

IDCA

76
Q

At which point during the incident response process are new security controls implemented?

A

During the recovery and eradication phases of an incident response, new countermeasures are implemented.

77
Q

Virtualization hosts, along with which of the following, have BIOS settings in place that control hardware configurations as well as security technologies which assist in preventing access to the BIOS?

A

TPMs (Trusted Platform Modules). Virtualization hosts and TPMs have BIOS settings that control hardware configuration and security technologies intended to prevent unauthorized access to the BIOS. Access to the BIOS should be locked down on all systems to prevent unauthorized changes at the BIOS level.

78
Q

What is a KVM used for?

A

A KVM is used to connect a keyboard, mouse and monitor to physical servers in a data center to provide access. KVM stands for keyboard, video, mouse. It’s important in a data center, that security measures are put in place to prevent unauthorized access using the KVM.

79
Q

To take a snapshot and backup a virtual machine, which of the following backup solutions is typically used?

A

Agentless

80
Q

What are the four key areas of the physical cloud environment?

A

The four key physical components of a cloud environment include CPU, disk, memory, and network. These components are the aspects that a cloud provider must ensure they have adequate resources for. There should be resources in these categories for both the current needs of cloud customers and future needs for the foreseeable future. Cabling is not considered one of the key physical aspects of the cloud environment.

81
Q

What is a concern with virtual images ?

A

Virtual images are susceptible to attacks whether they are running or not

82
Q

What type of technology uses iSCSI, Fibre Channel, and Fibre Channel over Ethernet (FCoE) to create dedicated networks for data storage and retrieval?

A

SAN

83
Q

What is a grouping of resources with a coordinating software agent that facilitates communication, resource sharing, and routing of tasks?

A

Clusters are a collection of resources linked together by a software agent that enables communication, resource sharing, and task routing inside the cluster. Clusters are an important aspect of resource pooling, which is fundamental to cloud computing. They are used to provide most of the resources required in modern computing systems, such as processing, storage, network traffic handling, and application hosting

84
Q

Is RDP secure ?

A

No, not on its own. RDP exposed directly to a network is a frequent attack target; it should be secured with network-level authentication and TLS, restricted to trusted networks, and reached through a bastion host or VPN rather than published to the Internet.

85
Q

What networking practice is based on hierarchical, distributed tables, and when a change is made to the relationship between a domain and a specific IP address, the change is registered at the top of the hierarchical table and filters down to all remaining entries?

A

DNS

86
Q

What is the first step in establishing communications with vendors?

A

The first step in communicating with vendors is to compile an inventory of all key third parties on which the business relies. This inventory is the basis for third-party (vendor) risk management. Ongoing contact with vendors is then driven almost entirely by contract and service level agreement obligations.

87
Q

An auditor performing a manual audit pulls a registry file from a sample of windows servers and compares it to a baseline. Where would she be pulling the baseline from?

A

The organization’s configuration management database (CMDB) should capture all configuration items (CI’s) that have been placed under configuration management. This database can be used for manual audits as well as automated scanning to identify systems that have drifted out of their secure state

88
Q

As cloud service customers, the majority of businesses will get communications from their cloud service providers. What are the primary responsibilities of cloud service customers?

A

cloud customers have a critical accountability to define SLA terms. This will ensure that the CSC receives the proper level of communication, and through the correct channels from the CSP.

89
Q

TLS is a critical technology for encrypting data while it is in transit. TLS is composed of two protocol layers. What are they?

A

The TLS handshake protocol, in which the two parties authenticate, negotiate cipher suites and establish the session keys, and the TLS record protocol, which uses the keys created during the handshake to encrypt and integrity-protect the application data.

90
Q

Monitoring the effectiveness of your organization’s security procedures is critical. Which security control monitoring component is the MOST fundamental?

A

Monitoring your security controls should begin with documentation that details the purpose and implementation of each control. Additionally, you should have process documentation on how to monitor each security control.

91
Q

What is the final step in deploying a newly upgraded application into production?

A

Change management is a critical component of configuration management and, more broadly, business. The process of committing to a change that will influence production workload is known as change management. In the case of any change that will have an impact on production, change management is the last stage and approval process.

92
Q

Which network device is in charge of managing the flow of traffic in and out of the network based on configured rules?

A

The firewall is the main device that is used to manage the flow of traffic in and out of the network based on rules configured on the firewall. Firewalls can be virtual devices or physical devices.

93
Q

Which built-in VMware tool can be used to automate patches of both the vSphere hosts and the virtual machines running under them?

A

VUM (vSphere Update Manager) is a utility built into VMware vSphere. VUM can automate patching of both the vSphere hosts and the virtual machines running on them, and provides a dashboard that gives administrators a view of patch status across the environment. In vSphere 7.0 and later it is superseded by vSphere Lifecycle Manager (vLCM).

94
Q

What is capacity management ?

A

Capacity management is concerned with having and providing the required system resources to meet SLA requirements of customers in a cost-effective and efficient manner. It’s important to ensure that systems are not under-provisioned, leading to service and performance issues, but also not over-provisioned, leading to higher costs to the organization.

95
Q

What is the MAIN difference between high availability and fault tolerance?

A

High availability makes use of shared and pooled resources to keep a service available and minimize downtime, typically by restarting or failing over a workload after a failure is noticed. Fault tolerance goes further: it uses specialized hardware (or lock-step redundant systems) that detects faults and switches to redundant components automatically, so the failure causes no interruption at all.

96
Q

How do you mitigate log manipulation ?

A

By sending or copying logs to a centralized location such as a SIEM as they are generated. An attacker who compromises a system may be able to delete or alter the logs on that system, but will most likely not have access to the SIEM to change the copy held there as well.
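
A complementary technique to the centralization described above, as an added example that is not part of the original flashcards: a tamper-evident log in which each record's hash covers the previous record's hash, so the SIEM or an auditor can prove that lines were not deleted or edited in the copy it holds. The log lines are constructed.

```python
"""Added example (not from the original flashcards): a tamper-evident log.

Forwarding logs to a SIEM keeps a copy out of the attacker's reach; this
hash chain additionally lets the SIEM (or an auditor) prove that the copy
has not had lines deleted or altered. Each record's digest covers its own
content and the previous record's digest, so editing or removing any line
breaks every digest after it. The log lines are constructed.
"""
import hashlib
from typing import List, Tuple

GENESIS = "0" * 64  # digest "before" the first record

Record = Tuple[str, str]  # (log line, digest)


def append(chain: List[Record], line: str) -> None:
    """Add a line whose digest binds it to the record before it."""
    prev = chain[-1][1] if chain else GENESIS
    digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    chain.append((line, digest))


def verify(chain: List[Record]) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, (line, digest) in enumerate(chain):
        if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1


def build_demo_chain() -> List[Record]:
    """Constructed sample: a root login, a log wipe attempt, a logout."""
    chain: List[Record] = []
    for line in [
        "Mar 1 10:00:01 web01 sshd[412]: Accepted password for root from 203.0.113.7",
        "Mar 1 10:00:05 web01 sudo: root : COMMAND=/usr/bin/rm -rf /var/log/secure",
        "Mar 1 10:00:09 web01 sshd[412]: session closed for user root",
    ]:
        append(chain, line)
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", verify(chain) == -1)
    del chain[1]                 # attacker removes the incriminating line
    print("first bad record:", verify(chain))
```

Truncating the chain at the end is the one manipulation the chain itself cannot reveal, so the SIEM must also anchor the latest digest out of band (for example by periodically signing it or writing it to write-once storage).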

97
Q

In which layer of the TLS protocol does the secure communications method for transmitting data occur?

A

TLS (transport layer security) is broken up into two main phases: TLS Handshake Protocol and TLS Record Protocol. During the TLS Handshake Protocol, the TLS connection between the two parties is negotiated and established. During the TLS Record Protocol, the actual secure communications method for transmitting data occurs.

98
Q

Where is the BIOS stored?

A

The BIOS is firmware stored in non-volatile memory on the motherboard (historically read-only memory; on modern boards a flash/EEPROM chip that can be updated). It is crucial to a secure boot process because it initialises and verifies the hardware and firmware configuration before handing control to the operating system and applications.

99
Q

Which of the following BEST describes a SOC?

A

A centralized group in an organization that handles security issues. A SOC (security operations center) monitors, detects, and responds to security events across the organization.

100
Q

What is SOX ?

A

SOX (Sarbanes-Oxley Act) regulates accounting and financial practices within an organization. IT engineers need to be aware of SOX, as it can affect which type of data needs to be stored/retained, and for how long

101
Q

Which standard provides guidelines on contract negotiations with cloud service providers about eDiscovery, searchability, and data preservation?

A

Cloud Security Alliance (CSA) Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery provides guidance on contract negotiations with cloud service providers about eDiscovery search ability and data preservation

102
Q

Which jurisdiction does NOT have a standard national/regional data privacy regulation that applies to all personal information?

A

USA

103
Q

What is the FIRST stage of the risk treatment process?

A

In regard to risk treatment and the risk management process, the first stage is framing risk. Framing risk refers to determining what risk and levels are to be evaluated.

104
Q

Which one of the ten key principles of GAPP focuses on organizations having well documented and communicated privacy policies and procedures?

A

The management principle of the Generally Accepted Privacy Principles (GAPP) focuses on ensuring that organizations have well documented privacy policies and procedures.

105
Q

Which Russian law states that any collecting, processing, or storing of data on Russian citizens must be done from systems which are physically located in the Russian Federation?

A

Russian Federal Law 242-FZ, which amended the personal data law 152-FZ and took effect on 1 September 2015. It requires that any collecting, processing, or storing of personal data pertaining to Russian citizens be done using systems and databases physically located within the Russian Federation.

106
Q

An organization wants a way to ensure to the general public that their systems are safe and secure. What type of report should be done in order to share it with the general public?

A

SOC 3 reports are meant to be consumed and reviewed by the general public.

107
Q

Which of the following, published by the Cloud Security Alliance, provides a detailed framework and approach for handling controls that are pertinent and applicable in a cloud environment?

A

The Cloud Controls Matrix (CCM) outlines a detailed approach for handling controls in a cloud environment.

108
Q

Is ediscovery easier in cloud or on prem ?

A

eDiscovery in a traditional data center is typically easier and less complex than eDiscovery in a cloud environment. Within a traditional data center environment, any systems needed for an investigation can easily be physically isolated and preserved. In a cloud environment, most cloud customers do not own their own hardware, but instead share physical hardware in a multi-tenant cloud.

109
Q

Which of the following is NOT one of the ten key principles of the Generally Accepted Privacy Principles (GAPP) standard?

A

Transparency. GAPP was developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. Its ten key privacy principles are: 1. Management; 2. Notice; 3. Choice and consent; 4. Collection; 5. Use, retention, and disposal; 6. Access; 7. Disclosure to third parties; 8. Security for privacy; 9. Quality; 10. Monitoring and enforcement.

110
Q

Your data in the cloud is stored in the EU region—what law or regulation would the data be governed by?

A

The nation where the data is collected. Data sovereignty refers to the concept that data is subject to the laws and regulations of the nation in which it is collected, and those laws should be followed.

111
Q

Under the Federal Information Security Management Act (FISMA), all U.S. Government agencies are required to conduct risk assessments that align with what framework?

A

The NIST Risk Management Framework (RMF), which guides the risk management practices of United States federal agencies. By contrast, the NIST Cybersecurity Framework (CSF) was developed to help commercial enterprises build and execute security programs, and FedRAMP applies the NIST SP 800-53 control baselines to cloud services so that cloud service providers can be authorized for federal use.

112
Q

In log management, what defines which categories of events are and are NOT written into logs?

A

The clipping level determines which events, such as user authentication events, informational system messages, and system restarts, are written in the logs and which are ignored. Clipping levels are used to ensure that the correct logs are being accounted for.

113
Q

Some communication policies are required by law or regulation. What law is MOST referenced to when talking about mandatory reporting or communications?

A

SOX. Some post-incident communication policies are mandated by legislation or regulation. Sarbanes-Oxley (SOX) is the most frequently mentioned standard when discussing obligatory reporting and communications.

114
Q

Which is NOT one of the three key elements of incident management?

A

Incident Classification

115
Q

What are the three elements of incident management?

A

Incident Response Team, Incident Response Plan, Root Cause Analysis

116
Q

What is the MOST commonly used communications protocol for network-based storage?

A

iSCSI allows for the transmission of SCSI commands over a TCP-based network. SCSI allows systems to use block-level storage that behaves like a SAN would on physical servers, but leverages the TCP network within a virtualized environment. iSCSI is the most commonly used communications protocol for network-based storage.

117
Q

What role goes through an onboarding, management, maintenance, and offboarding process to ensure that the cloud customer security expectations are met?

A

Partners frequently have the same amount of access to an organization’s systems as employees do, but they are not directly under the organization’s authority. Partner onboarding, management, maintenance, and offboarding processes should establish clear expectations of the cloud service customer’s security needs.

118
Q

Which international standard contains information about the architecture and security of Trusted Platform Modules (TPMs)?

A

ISO/IEC 11889 specifies how various cryptographic techniques and architectural elements are to be implemented. It consists of four parts, including an overview of the TPM architecture, design principles, commands, and supporting code.

119
Q

The Unified Extensible Firmware Interface (UEFI) replaces the traditional BIOS and incorporates numerous enhancements. What is the theoretical maximum capacity of a hard drive that UEFI can address?
- 4.9 zettabytes
- 4.4 zettabytes
- 10 zettabytes
- 9.4 zettabytes

A

9.4 zettabytes

120
Q

Which of the following is mainly concerned with minimizing the impact of issues in an organization by identifying the root cause of the issue?

A

The focus of problem management is to identify and analyze potential issues in an organization to determine the root cause of that issue. Problem management is responsible for implementing processes to prevent the issues from occurring in the future.

121
Q

What is the role of IPsec?

A

Encrypt and authenticate packets during transmission between two servers. IPsec can be used to encrypt and authenticate packets during transmission between two systems.

122
Q

Which organization produced the “Data Center Design and Implementation Best Practices” standard, which includes specification for items such as hot/cold aisle setups?

A

BICSI (Building Industry Consulting Service International) has been around since 1977. Of all the standards that BICSI has developed, ANSI/BICSI 002-2014 is the most prominent. This standard is “Data Center Design and Implementation Best Practices.” In this standard, items such as hot/cold aisle setups, power specifications, and energy efficiency are all covered.

123
Q

Which of the following is NOT one of the most commonly used risk ratings?

A

Minimal

124
Q

What is the role of the data custodian?

A

A data custodian is anyone who uses or consumes data which is owned by someone else. The data custodians must adhere to any policies set forth by the data owner in regard to the use of the data.

125
Q

Under the General Data Protection Regulation (GDPR) passed in the EU, how long does a data controller have to notify the applicable government agency after a data breach or leak of personal or private information?

A

72 Hours

126
Q

What are the five key principles of ISO/IEC 27018?

A

The five key principles of ISO/IEC 27018 are communication, consent, control, transparency, and independent and yearly audits.

127
Q

Which eDiscovery investigative method includes services set forth by pre-arranged contractual obligations that can be exercised when necessary?

A

Hosted eDiscovery. With hosted eDiscovery, your cloud service provider incorporates eDiscovery into its contractual responsibilities, which can be executed as needed. However, a list of pre-selected forensic solutions may have limitations.

128
Q

Which of the following industries needs to meet the specialized compliance requirements set forth by the NERC/CIP?

A

Electric utilities. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) is a not-for-profit organization that collaborates with industry stakeholders to set standards for the operations and monitoring of the power system and its enforcement.

129
Q

A forensic investigator must complete the task of identifying, collecting, and securing electronic data and records so that they can be used in a criminal court hearing. What task is this forensic investigator completing?

A

eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.

130
Q

Which regulatory framework specifies how long financial records must be preserved?

A

SOX

131
Q

An audit must have parameters to ensure the efforts are focused on relevant areas that can be effectively audited. Setting these parameters for an audit is commonly known as?

A

Audit scope restrictions refer to the process of defining parameters for an audit. The rationale for audit scope restrictions is that audits are costly and often require the involvement of highly skilled content experts. Additionally, system auditing can impair system performance, and in some situations necessitate the shutdown of production systems.

132
Q

What is a data steward?

A

While the data owner maintains sole responsibility for the data and the controls surrounding that data, there is sometimes the additional role of data steward, who will oversee data access requests and the utilization of the data.

133
Q

Name three PII types.

A

The two main types of PII (personally identifiable information) are contractual PII and regulated PII. Another type of PII is PHI, or protected health information, which is a special type of PII pertaining to healthcare data.

134
Q

Which type of security test is run against live systems, where those testing have limited knowledge of the systems?

A

Dynamic application security testing (DAST) is a “black-box” type of security test, meaning that the tester is not given any special information about the systems they are testing. DAST is performed on live systems.

135
Q

What is the MAIN reason that eDiscovery is typically easier in a traditional data center than it is in a cloud environment?

A

Systems aren’t able to be simply physically isolated and preserved in a cloud environment. When eDiscovery must be done within a traditional data center, it’s possible to physically isolate the system and preserve the data. In a cloud environment, however, many cloud customers are using the same hardware, so it’s not possible to physically isolate a system and preserve it.

136
Q

Which of the following is NOT one of the ten key principles of the Generally Accepted Privacy Principles (GAPP) standard?

A

Transparency

137
Q

Data dispersal in cloud settings can have a mixed effect on an organization’s security. What are the disadvantages of data dispersion?

A

Relocation of data. Segment dispersion can create complications in cloud environments. If data is distributed to regions with varying legal and regulatory requirements, the organization may become subject to unforeseen laws and regulations.

138
Q

Which of the following standards establishes internationally recognized standards for eDiscovery?

A

ISO/IEC 27050 provides internationally accepted standards related to eDiscovery processes and best practices.

139
Q

Communication, Consent, Control, Transparency, and Independent and yearly audits are the five key principles found in what standard that cloud providers adhere to?

A

ISO/IEC 27018 is a standard privacy requirement for cloud service providers to adhere to. It is focused on five key principles: communication, consent, control, transparency, and independent and yearly audits.

140
Q

Which of the following is a disadvantage of resource pooling?

A

Resource pooling is one of the many benefits of cloud computing. Multiple clients share a set of resources, such as servers, storage, and application services, and each customer pays only for the resources they consume. This can create a problem when resources are pooled, since multi-tenancy may result, and a competitor or rival may share physical hardware with you.

141
Q

Structured and unstructured storage pertain to which of the three cloud service models?

A

PaaS. Each cloud service model uses a different method of storage as shown below:
* Platform as a Service (PaaS) - structured, unstructured
* Infrastructure as a Service (IaaS) - volume, object
* Software as a Service (SaaS) - content and file storage

142
Q

There are two main types of storage in SaaS environments. Which SaaS storage type is the classic form of storing data within databases that the application uses and maintains?

A

Information storage and management is the classic form of storing data within databases that the application uses and maintains.

143
Q

What is the SLE?

A

The difference between the original value of an asset and the remaining value of an asset after a single successful exploitation.

144
Q

Which standard provides guidelines on contract negotiations with cloud service providers about eDiscovery, searchability, and data preservation?

A

CSA. Cloud Security Alliance (CSA) Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery provides guidance on contract negotiations with cloud service providers about eDiscovery, searchability, and data preservation.

145
Q

A hacker was able to send untrusted data to a user’s browser without going through any validation process. What type of attack is being described here?

A

Cross-site scripting (XSS) is a type of injection attack. XSS attacks occur when an attacker is able to send data to a user’s browser without having to go through any validation process. Essentially, the victim visits a website or web application which delivers and executes the malicious code to the user’s browser. Web forums and message boards are common locations to find XSS attacks.

146
Q

In which phase of the software development lifecycle (SDLC) should a cost-benefit analysis be done?

A

During the requirement gathering and feasibility stage of the SDLC, overall goals as well as desired outcomes should be documented. Timing and duration of the project should also be defined. During this phase, a cost-benefit analysis should be done to determine the feasibility of the project.

147
Q

Which of the following BEST defines ARO?

A

The estimated number of times a threat will successfully exploit a vulnerability in a given year. ARO stands for annualized rate of occurrence, which is defined as the estimated number of times a threat will successfully exploit a vulnerability in a given year.

148
Q

FISMA is a piece of legislation that pertains specifically to which

A

Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government.

149
Q

An organization has just completed the design phase of developing their business continuity and disaster recovery (BCDR) plan. What is the next step for this organization?

A

The steps of developing a BCDR plan are as follows: Define scope, gather requirements, analyze, assess risk, design, implement, test, report, and finally, revise. Once an organization has completed all of the design phase, they are ready to implement their BCDR plan.

150
Q

Which is NOT a way to measure business requirements and capabilities for business continuity and disaster recovery in the cloud?

A

Data storage capacity is not a good indicator of business requirements and capabilities for continuity and disaster recovery in the cloud. Three metrics are used to assess business capabilities: RTO, which indicates how long systems are down; RPO, which indicates how much data may be lost; and recovery service level (RSL), which indicates how much processing power is required to maintain systems following a disaster.

151
Q

Securing supply chain management software in the cloud and securely connecting vendors globally through cloud services reduces what type of risk?

A

IT-related risk. Supply chain management entails a plethora of dangers, one of which is cloud computing. By protecting supply-chain management software in the cloud and securely linking providers globally via cloud services, risk associated with information technology is reduced.

152
Q

In cloud computing, what would be considered the opposite of reservations?

A

Limits and reservations are both terms referring to how resources are allocated in a cloud environment. Reservations refer to the minimum amount of resources that a cloud customer is guaranteed to receive. The opposite of reservations are limits. Limits refer to the maximum amount of resources that a cloud customer may utilize.

153
Q

Which of the following is the MAIN concern for using a BCDR solution in the cloud?

A

The location where the data is stored and the local laws and jurisdictions that apply to it. When using a cloud environment as a BCDR solution, it’s likely that data will be housed in numerous cloud datacenters in various geographical locations. It’s important to take into consideration what types of regulations and jurisdictions are applicable to the locations where your data is being stored.

154
Q

Which of the following terms BEST describes the role of someone who connects existing systems and services to the cloud?

A

A cloud service integrator is someone who connects (or integrates) existing systems and services to the cloud for a cloud customer.

155
Q

Compare SOAP to REST.

A

SOAP does not allow for caching, making it less scalable and having lower performance than REST. Because of this, SOAP is typically used only when there are restrictions which prevent the use of REST in the environment. REST is more flexible and supports a variety of data formats, including both JSON and XML, while SOAP only allows the use of XML-formatted data.

156
Q

What is the FIRST stage of the risk treatment process?

A

Framing risk. In regard to risk treatment and the risk management process, the first stage is framing risk. Framing risk refers to determining what risks and levels are to be evaluated.

157
Q

The mechanism that directs and controls the provisioning and use of cloud services both internally and externally is referred to as?

A

Governance is the system by which the provisioning and usage of cloud services are directed and controlled. Governance will put a framework in place to ensure compliance with regulatory obligations.

158
Q

Your data in the cloud is stored in the EU region—what law or regulation would the data be governed by?

A

The laws governing the data sovereignty of the country where the data is collected should be followed. If you are required to comply with a data sovereignty obligation regarding the placement of your data, global CSPs will offer locations that may satisfy these criteria.

159
Q

What is a LUN?

A

LUNs. Volume storage is where storage is allocated to a virtual machine and configured as a typical hard drive and file system on that server. In a volume storage system, the main storage system is sliced into pieces called LUNs (logical units) and then allocated to a particular virtual machine by the hypervisor.

160
Q

Which type of AI is purely cognitive-based?

A

Analytical artificial intelligence (AI) is solely cognitive-based, focusing on a system’s ability to analyze past data and make future decisions.

161
Q

Which of the following is NOT a risk associated with having a BCDR plan?

A

The risks associated with a business continuity and disaster recovery (BCDR) plan include changes in location, maintaining redundancy, having proper failover mechanisms, having the ability to bring services online quickly, and having functionality with external services. Budget is something that should already be factored in and accounted for and, therefore, should not pose any risks to your BCDR plan.

162
Q

Which of the following reports is focused on the effectiveness of controls during a set point in time?

A

A SOC 1 Type 1 report is focused on the effectiveness of controls at a set point in time.

163
Q

An audit must have parameters to ensure the efforts are focused on relevant areas that can be effectively audited. Setting these parameters for an audit is commonly known as?

A

Audit scope restrictions refer to the process of defining parameters for an audit. The rationale for audit scope restrictions is that audits are costly and often require the involvement of highly skilled content experts. Additionally, system auditing can impair system performance, and in some situations necessitate the shutdown of production systems.

164
Q

Which of the following standards was developed by a joint privacy task force consisting of the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants?

A

GAPP (Generally Accepted Privacy Principles) is a privacy standard developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.

165
Q

In which phase of the cloud data lifecycle should security controls using SSL/TLS be implemented?

A

The create phase is an ideal time to implement technologies such as SSL/TLS technologies with the data that is inputted or imported. It should be done in the create phase so that the data is protected initially before any further phases.

166
Q

What is the FIRST stage in the software development lifecycle (SDLC) in which security engineers should be involved?

A

Security engineers should be a part of every single phase of the SDLC, including the first stage: requirement gathering and feasibility. It is much more efficient to add security into an application as it’s being developed than to attempt to add in security features later on (after it’s in production). During the requirement gathering and feasibility stage of the SDLC, security engineers look at the risks associated with the project.

167
Q

DLP solutions are used to protect data in which state?

A

Data loss prevention (DLP) solutions must be deployed on each of the systems that house data, including any servers, workstations, and mobile devices. This is the simplest of DLP solutions but, in order to be most effective, it may also require network integration.

168
Q

Cloud environments are constantly maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn’t become overloaded. What is this process known as?

A

Dynamic optimization is the process in which cloud environments are constantly monitored and maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn’t become overloaded. Distributed resource scheduling is a method for providing high availability, workload distribution, and balancing of jobs in a cluster. When a host is in maintenance mode, no virtual machines can run under that physical host.

169
Q

Which of the following has the LEAST impact when collecting forensic evidence in the cloud?

A

Typically, collecting forensic evidence in the cloud has no operational impact.

170
Q

The decisions regarding where traffic is filtered or sent to and the actual forwarding of traffic are separate from each other when which of the following technologies is being used?

A

Within a software defined network (SDN), decisions regarding where traffic is filtered or sent to and the actual forwarding of traffic are completely separate from each other.

171
Q

What is the final step in deploying a newly upgraded application into production?

A

Change management is a critical component of configuration management and, more broadly, of business. The process of committing to a change that will influence a production workload is known as change management. In the case of any change that will have an impact on production, change management is the last stage and approval process.

172
Q

You’re revising your organization’s data destruction policy to guarantee that your cloud deployment is adequately protected. Which stage of the cloud data lifecycle will be impacted by this policy?

A

Data destruction policies encompass all phases of the data lifecycle. This is because data destruction may occur at all phases of the cloud data lifecycle.

173
Q

Describe the create phase in the data lifecycle.

A

The create phase is the initial phase of the cloud data lifecycle. While it may sound like data must be newly created from scratch in this phase, that is not the case. Rather, any time data can be considered new, it is in the create phase. This encompasses data which is newly created, data that is being imported from elsewhere, and also data that already exists but has been modified into a new form.

174
Q

Does the OWASP cheat sheet mention network logging?

A

No. The logging cheat sheet looks mainly at application-level logging.

175
Q

An engineer needs to ensure his organization is aware of all ten key principles of GAPP. Which is NOT a key principle of the GAPP standard?

A

Restriction. The Generally Accepted Privacy Principles (GAPP) includes 10 key privacy principles and over 70 privacy objectives and methods for measuring and evaluating criteria. The 10 key privacy principles are listed below:
1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use, retention, and disposal
6. Access
7. Disclosure to third parties
8. Security for privacy
9. Quality
10. Monitoring and enforcement

176
Q

Who is responsible for the security of the public internet?

A

The individuals using the public internet are responsible for security. Security is a shared responsibility. The CSP, CSC, or ISP would not be responsible.

177
Q

What does the GAPP Management principle focus on?

A

The management principle of the Generally Accepted Privacy Principles (GAPP) focuses on ensuring that organizations have well-documented privacy policies and procedures. In addition, this information is communicated to necessary parties, and official measures are taken to ensure accountability.

178
Q

Which of the principles is always covered in a SOC 2 audit?

A

Security

179
Q

What five principles are potentially covered by SOC?

A

Security, Confidentiality, Process Integrity, Availability, Privacy

180
Q

What are the three main building blocks that are covered in a cloud management plan?

A

Orchestration, Maintenance, and Scheduling

181
Q

What question is the CSA STAR program trying to answer?

A

Whether we can trust a cloud provider

182
Q

What is level 3 in the CSA STAR program?

A

Certification and Attestation against continuous monitoring

183
Q

What is level 2 in the CSA STAR program?

A

Third-party external audit

184
Q

What is level 1 in the CSA STAR program?

A

Self-assessment against the CAIQ, which has 261 questions derived from the CSA matrix

185
Q

Is RDP secure and available on most OSs?

A

Available on most OSs but not secure

186
Q

During which phase of the SDLC are formal requirements for risk mitigation/minimization integrated with the programming designs?

A

While the requirements for risk mitigation and minimization may be determined during the requirement gathering and feasibility stage of the software development lifecycle (SDLC), they are not integrated with the programming designs until the design phase of the SDLC.

187
Q
A