LeanZapp Practice 3 Flashcards

1
Q

What should data archiving and retention policies include?

A. Names of personnel allowed to receive backup media, if third party off site archiving services are used
B. Explicit statement of data format and types of storage media
C. A list of personnel whose data will be archived on a regular basis
D. Which ISP should be used for backup procedures

A

B. Explicit statement of data format and types of storage media

Explanation:
It is important to indicate the data format and media type for long term storage in order to ensure restoration capability; outdated or obsolete data formats and media may not be useful for restoration of data to the operational environment several years after it has been stored

2
Q

Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on premises environment into the cloud. Which cloud service model should she most likely consider for her company’s purposes?

A. PaaS
B. SaaS
C. BaaS
D. IaaS

A

A. PaaS

Explanation:
PaaS will allow her developers to create and design their software on a variety of OSs, increasing the breadth of the market she can sell to. Also, she can use geographically dispersed programmers, increasing the breadth of the market she can sell to

3
Q

What is the optimal number of entrances to the cloud data center campus?

A. One
B. Two
C. Three
D. Four

A

A. One

Explanation:
Controlling access is optimized by minimizing access

4
Q

Which of the following is considered a technological control?

A. Firewall software
B. Fireproof safe
C. Fire extinguisher
D. Firing personnel

A

A. Firewall software

Explanation:
A firewall is a technological control

5
Q

Which of the following is not an essential element defining cloud computing?

A. Broad network access
B. Metered service
C. Offsite storage
D. On demand self service

A

C. Offsite storage

Explanation:
Offsite storage is not intrinsic to the definition of cloud computing; all the other options are

6
Q

The architecture of the World Wide Web, as it works today, is _________

A. JSON
B. DoS
C. REST
D. XML

A

C. REST

Explanation:
The web is mainly HTTP, which is a RESTful protocol

7
Q

In the cloud, the data processor is usually _______

A. The party that assigns access rights
B. The cloud customer
C. The cloud provider
D. The cloud access security broker

A

C. The cloud provider

Explanation:
In legal terms, when the data processor is defined, it refers to anyone who stores, handles, moves or manipulates data on behalf of the data owner or controller. In the cloud computing realm, this is the cloud provider

8
Q

When building a new data center within an urban environment, which of the following is probably the most restrictive aspect?

A. The size of the plot
B. Utility availability
C. Staffing
D. Municipal codes

A

D. Municipal codes

Explanation:
In any large metro area, government restrictions on development and construction can severely limit how you use your property; this can be a significant limiting factor in building a data center

9
Q

DLP solutions can aid in deterring loss due to which of the following?

A. Malicious disclosure
B. Performance issues
C. Bad policy
D. Power failure

A

A. Malicious disclosure

Explanation:
DLP tools can identify outbound traffic that violates the organization's policies

10
Q

Risk should always be considered from a business perspective. Risk is often balanced by corresponding _________

A. Profit
B. Performance
C. Cost
D. Opportunity

A

D. Opportunity

Explanation:
The only reason organizations accept any level of risk is the potential benefit offered by a risky activity

11
Q

____________ is an agentless means of ensuring a VM's security baseline does not change over time by examining such things as physical location and network settings

A. ECC
B. VMI
C. HIDS
D. NIDS

A

B. VMI

Explanation:
Virtual machine introspection is an agentless means of ensuring a VM's security baseline does not change over time by examining things such as physical address, network settings and installed OS. These ensure that the baseline has not been inadvertently or maliciously tampered with

12
Q

In working with various networking technologies such as Frame Relay, ATM and Ethernet, the capability of the network to provide better service to select traffic is called:

A. QaS
B. ASP
C. OLA
D. QoS

A

D. QoS

Explanation:
Quality of service refers to the capability of a network to provide better service for certain traffic regardless of the network type or topology

13
Q

Which of the following best describes the purpose of a DMZ?

A. Isolates public facing network elements that would otherwise be vulnerable to attack
B. Isolates email servers that are Internet facing and protects them from attacks
C. Provides network elements such as routers that are Internet facing to protect them from attack
D. Tracks incoming attack patterns

A

A. Isolates public facing network elements that would otherwise be vulnerable to attack

Explanation:
A DMZ isolates network elements that are public facing and would otherwise be vulnerable to attack

14
Q

Which of the following best describes a qualitative risk assessment?

A. Typically employs a set of methods, principles or rules for assessing risk based on numerical categories
B. Typically employs a set of methods, principles or rules for assessing risk based on numbers
C. Typically employs a set of methods, principles or rules for assessing risk based on nonnumerical categories
D. Typically employs a set of methods, principles or rules for assessing risk based on threat categories

A

C. Typically employs a set of methods, principles or rules for assessing risk based on nonnumerical categories

Explanation:
As opposed to quantitative assessments, which use specific numerical values such as 1, 2 and 3, qualitative assessments use nonnumerical categories that are relative in nature, such as high, medium or low

15
Q

In regard to most privacy guidance, the data controller is _________

A. The individual described by the privacy data
B. The entity that collects or creates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data

A

B. The entity that collects or creates the privacy data

Explanation:
Option B is the definition of the data controller

16
Q

Which of the following laws resulted from a lack of independence in audit practices?

A. HIPAA
B. GLBA
C. SOX
D. ISO 27064

A

C. SOX

Explanation:
SOX was passed primarily to address the issues of audit independence, poor board oversight, and transparency of findings

17
Q

When designing a cloud data center, which of the following is not necessary to ensure continuity of operations during contingency operations?

A. Access to clean water
B. Broadband data connection
C. Extended battery backup
D. Physical access to the data center

A

C. Extended battery backup

Explanation:
Backup power does not have to be delivered by batteries; it can be fed to the data center through redundant utility lines or from a generator

18
Q

Availability refers to which of the following?

A. The amount of uptime in any given 30 day period
B. The amount of uptime specified in the SLA
C. Whether authorized users can access services and/or data
D. The amount of uptime promised by the cloud vendor

A

C. Whether authorized users can access services and/or data

Explanation:
Availability is one of the three legs of the CIA triad; it represents when services and/or data can be accessed in an authorized manner

19
Q

What are the two general delivery modes for SaaS model?

A. Ranked and free
B. Hosted application management and software on demand
C. Intrinsic motivation complex and undulating perspective details
D. Framed and modular

A

B. Hosted application management and software on demand

Explanation:
In SaaS, the cloud provider might license and deliver commercially available software for the customer via the cloud, or provide the customer access to the provider's proprietary software

20
Q

Which of the following aspects of cloud computing can enhance the customer's business continuity and disaster recovery efforts?

A. On demand self service
B. Pooled resources
C. Virtualization
D. The control plane

A

A. On demand self service

Explanation:
On demand self service allows the cloud customer to provision production resources during a contingency without any delay in ordering or allocating those resources

21
Q

To protect data on user devices in a BYOD environment, the organization should consider requiring all of the following except:

A. DLP agents
B. Local encryption
C. MFA
D. Two person integrity

A

D. Two person integrity

Explanation:
Although all the other options are ways to harden a mobile device, two person integrity is a concept that has nothing to do with the topic

22
Q

During a cost benefit analysis, your company determines that it spends a disproportionate amount of money on software licensing and administration. Which cloud model may best help your company reduce these costs?

A. IaaS
B. PaaS
C. SaaS
D. Hybrid

A

C. SaaS

Explanation:
In the SaaS model, the cloud provider is tasked with acquiring and managing the software licenses; the scale of a cloud provider's operations

23
Q

According to CSA, an organization that operates in the cloud environment and suffers a data breach may be required to __________

A. Notify affected users
B. Reapply for cloud services
C. Scrub all affected physical memory
D. Change regulatory framework

A

A. Notify affected users

Explanation:
Data breach notification laws are plentiful; organizations operating in the cloud are almost sure to be subject to one or more such laws

24
Q

Which of the following attack vectors is new to the cloud environment and was not typically found in on premises, legacy environments?

A. DDoS
B. Guest Escape
C. Internal Threats
D. Inadvertent Disclosure

A

B. Guest Escape

Explanation:
Guest Escape is a prevailing threat in a virtualized, multi tenant cloud environment and was not commonly found in traditional environments

25
Q

____________ often uses access control and encryption to prevent unauthorized copying and limitation of distribution to only those who pay

A. PCI
B. IRM
C. SDN
D. Doctrine of the Proper Law

A

B. IRM

Explanation:
Information rights management is a means to prevent unauthorized copying and limitation of distribution to only those who pay for content

26
Q

If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would be best?

A. IaaS
B. PaaS
C. SaaS
D. Hybrid

A

B. PaaS

Explanation:
PaaS allows the cloud customer to install any kind of software, including software to be tested, on an architecture that includes any desired OSs

27
Q

Which of the following is an example of 2FA?

A. Strong passwords
B. Unique user ID and password
C. Something you know
D. User ID and physical characteristics

A

D. User ID and physical characteristics

Explanation:
Only option D involves two distinct factors

28
Q

Which of the following is not an acceptable means of sanitizing hardware?

A. Burning
B. Deletion
C. Industrial Shredding
D. Drilling

A

B. Deletion

Explanation:
Hardware cannot be sanitized by deleting data. Deleting, as an operation, does not erase the data; it simply removes the logical pointers to the data for processing purposes

29
Q

Software developers should receive cloud specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these challenges is __________

A. The massive additional hacking threat, especially from foreign sources
B. The prevalent use of encryption in all data life cycle phases
C. Drastic increase of risk due to DDoS attacks
D. Additional regulatory mandates

A

B. The prevalent use of encryption in all data life cycle phases

Explanation:
Because cloud operations are so dependent on encryption protections in all data life cycle phases, developers will have to accommodate the additional overhead and interoperability encryption requires

30
Q

Which of the following SOC report subtypes spans a period of time?

A. SOC 2
B. SOC 3
C. SOC 1
D. Type II

A

D. Type II

Explanation:
A SOC Type II report is designed around a period of time as opposed to a specific point in time

31
Q

Which type of framework contains only the information required for a specific business application to reach a targeted level of trust?

A. ONF
B. ISMS
C. Risk assessment
D. ANF

A

D. ANF

Explanation:
An ANF is a subset of an ONF that contains only the information required for a specific business application to reach the targeted level of trust. There is a many to one relationship between the ANF and ONF

32
Q

When putting a system into maintenance mode, it's important to do all the following except:

A. Transfer any live virtual guest off of the host
B. Turn off logging
C. Lockout the system from accepting new guests
D. Notify customers if there are any interruptions

A

B. Turn off logging

Explanation:
Auditing is probably even more important during maintenance mode than normal operation because administrator activity is almost always involved

33
Q

The TLS protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what form of cryptography is used for the session key?

A. Symmetric Key
B. Asymmetric key
C. Hashing
D. One asymmetric pair

A

A. Symmetric Key

Explanation:
In TLS, the parties will establish a shared secret, symmetric key, for the duration of the session

34
Q

Which of the following would make a good provision to include in the SLA between cloud customer and provider?

A. Location of the data center
B. Amount of data uploaded/downloaded during a pay period
C. Type of personnel security controls for network admins
D. Physical security barriers on the perimeter of the data center campus

A

B. Amount of data uploaded/downloaded during a pay period

Explanation:
Option B is the only element that lends itself well to a discrete, objective metric

35
Q

Of the following control techniques/solutions, which can be combined to enhance the protections offered by each?

A. Razor tape/background checks
B. Least privilege/generators
C. DLP/DRM
D. Personnel badging/secure baselines

A

C. DLP/DRM

Explanation:
Theoretically, all combinations of security controls are preferable to any one security control used by itself.

36
Q

The PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Merchants are assigned different tiers under PCI DSS based on:

A. Availability
B. Redundancy
C. Location of their corporate headquarters
D. Number of transactions per year

A

D. Number of transactions per year

Explanation:
The different merchant tiers are based on the number of transactions a specific merchant conducts annually. All the other options are incorrect

37
Q

Why might an organization choose to comply with the ISO 27001 standard?

A. Price
B. Ease of implementation
C. International acceptance
D. Speed

A

C. International acceptance

Explanation:
The ISO standards are almost universally accepted and recognized and they are even mandated for certain industries/locales

38
Q

Which of the following is one of the benefits of a private cloud deployment?

A. Less cost
B. Higher performance
C. Retaining control of governance
D. Reduction in need for maintenance capability on the customer side

A

C. Retaining control of governance

Explanation:
With a private cloud deployment, the customer gets to dictate governance requirements, which is a significant benefit for customers in highly regulated industries

39
Q

The OWASP Top Ten often includes unvalidated redirects and forwards. Which of the following is a good way to protect against the problem?

A. Don't use redirects/forwards in your applications
B. Refrain from storing credentials long term
C. Implement SIEM/SIM
D. Implement DRM solutions

A

A. Don't use redirects/forwards in your applications

Explanation:
Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid the problem altogether, and redirects/forwards are not necessary for efficient usage

40
Q

Which of the following is not a component of the STRIDE model?

A. Spoofing
B. Repudiation
C. Information Disclosure
D. External pentest

A

D. External pentest

Explanation:

41
Q

From a security perspective, automation of configuration aids in ___________

A. Enhancing performance
B. Reducing potential attack vectors
C. Increasing ease of use of the systems
D. Reducing the need for administrative personnel

A

B. Reducing potential attack vectors

Explanation:
A secure baseline configuration, applied and maintained automatically, ensures the optimum security footprint with the least attack surface
All the other options are benefits of automatic configuration but are not specifically security enhancements

42
Q

A DAM functions at layer _______ of the OSI model

A. 1
B. 2
C. 5
D. 7

A

D. 7

Explanation:
A DAM is a Layer 7 appliance

43
Q

MTD/MAD is a measure of which of the following:

A. A point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible
B. The optimal time it takes to recover a system after an outage
C. A weak point in a specific program that makes it unrecoverable after an outage has occurred
D. A point in time before an incident occurs

A

A. A point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible

Explanation:
The maximum tolerable downtime/maximum allowable downtime is a point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible

44
Q

TLS uses _________ to authenticate a connection and create a shared secret for the duration of the session

A. SAML 2.0
B. X.509 certs
C. 802.11x
D. The Diffie Hellman Process

A

B. X.509 certs

Explanation:
TLS uses X.509 certs to establish a connection and create a symmetric key that lasts for only one session. SAML is used for federation authentication/identification; option A is incorrect

45
Q

Who should be involved in review and maintenance of user accounts/access?

A. The user’s manager
B. The security manager
C. The account department
D. The incident response team

A

A. The user’s manager

Explanation:
The best answer would be the data owner, because the data owner should be the ultimate arbiter of who has what access to the data under the owner's control.

46
Q

A ______ specifies which users or system processes have access to a specific object such as an application or process in addition to what operations they can perform

A. DNS
B. SDN
C. ACL
D. SLA

A

C. ACL

Explanation:
An access control list specifies which users or system processes have access to an object

47
Q

What is probably the single most important way of countering the highest number of items on the OWASP Top Ten?

A. Social engineering training
B. Disciplined coding practices and processes
C. White box source code testing
D. Physical controls at all locations at which the application is eventually used

A

B. Disciplined coding practices and processes

Explanation:

48
Q

Cloud providers will probably not allow ________ as part of a customer's pen test

A. Network mapping
B. Vulnerability scanning
C. Reconnaissance
D. Social engineering

A

D. Social engineering

Explanation:
Performing live deception and trickery against employees of the cloud provider could be construed as unethical and possibly illegal, especially without their knowledge and/or consent. Social engineering probably won't be involved in pentests run by customers

49
Q

The TLS protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, who initiates the protocol?

A. The server
B. The client
C. The certifying authority
D. The ISP

A

B. The client

Explanation:
In a typical TLS handshake, the client sends the message that initiates the negotiation of the session

50
Q

Bit splitting also provides security against data breaches by _________

A. Removing all access to unauthorized parties
B. Ensuring that an unauthorized user only gets a useless fragment of data
C. Moving data cross jurisdictional boundaries
D. Tracking all incoming access requests

A

B. Ensuring that an unauthorized user only gets a useless fragment of data

Explanation:
Bit splitting involves chopping data sets up into segments and storing those segments in multiple places/devices
An attacker getting access to one segment won't be gaining anything of value because one segment of the data set would most likely make no sense out of context

51
Q

How are virtual machines moved from active hosts when the host is being put into maintenance mode?

A. As a snapshotted image file
B. In encrypted form
C. As a live instance
D. Via portable media

A

C. As a live instance

Explanation:
Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another and how VMs are moved prior to maintenance on a physical device

52
Q

The CSA CCM lists security controls from all the following frameworks except __________

A. ISACA's Control Objectives for Information and Related Technology
B. PCI DSS
C. CMM
D. ISO 27001

A

C. CMM

Explanation:
The CMM is not included in the CSA CCM and indeed is not even a security framework

53
Q

DRM tools should enforce _________, which is interoperability with the organization's other access control activities

A. Persistence
B. Support for existing authentication security infrastructure
C. Continuous audit trail
D. Dynamic policy control

A

B. Support for existing authentication security infrastructure

Explanation:
The question describes support for authentication security infrastructure, one of the required traits for a DRM solution of any quality

54
Q

An audit against the _________ will demonstrate that an organization has a holistic, comprehensive security program

A. SAS 70 Standard
B. SSAE 18 Standard
C. SOC 2, Type 2 Report matrix
D. ISO 27001 cert requirements

A

D. ISO 27001 cert requirements

Explanation:
The ISO 27001 cert is for the info security management system, the organization's entire

55
Q

The term auditability means which of the following?

A. A particular service or data that is covered under state or federal regulations
B. Someone being in a state of readiness for auditing
C. The state of data being covered by audit standards of the AICPA
D. AICPA standard for SOC reports

A

B. Someone being in a state of readiness for auditing

Explanation:
Something is said to be auditable when it is in a state of readiness for auditing

56
Q

You are the security manager for a company that is considering cloud migration to an IaaS environment. You are assisting your company's IT architects in constructing the environment. Which of the following options do you recommend?

A. Unrestricted public access
B. Use of a Type 1 Hypervisor
C. Use of a Type 2 hypervisor
D. Enhanced productivity without encryption

A

B. Use of a Type 1 Hypervisor

Explanation:
The Type 1 hypervisor is preferable, as it offers less attack surface

57
Q

DRM solutions (sometimes referred to as information rights management or IRM) can be used to protect all sorts of sensitive data but are usually particularly designed to secure _________

A. PII
B. Intellectual property
C. Plans and policies
D. Marketing material

A

B. Intellectual property

Explanation:
DRM is mainly designed to protect intellectual property. It can also sometimes be used for securing PII, but intellectual property is a better answer here.

58
Q

What is the term used to describe the loss of access to data because the cloud provider has ceased operation?

A. Closing
B. Vendor lock out
C. Vendor lock in
D. Masking

A

B. Vendor lock out

Explanation:
Vendor lock in is the result of a lack of portability, for any number of reasons. Masking is a means to hide raw datasets from users who do not have need to know.

59
Q

Which of the following risks is probably most significant when choosing to use one cloud provider for your operational environment and another for BCDR backup/archive?

A. Physical intrusion
B. Proprietary formats/lack of interoperability
C. Vendor lock in/lock out
D. Natural disasters

A

B. Proprietary formats/lack of interoperability

Explanation:
When using two different cloud providers, a cloud customer runs the risk that data/software formats used in the operational environment can't be readily adapted to the other provider's service, thus causing delays during an actual failover

60
Q

You are the security manager for an organization that uses the cloud for its production environment. According to your contract with the cloud provider, your organization is responsible for patching. A new patch is issued by one of your vendors. You decide not to apply it immediately for fear of interoperability problems. What additional risk are you accepting?

A. The cloud provider will suspend your access for violating its terms of service
B. The cloud provider may sue your organization for breach of contract
C. Your organization is subject to the vulnerability the patch addresses
D. Your end clients will no longer trust your organization and this will hurt your revenue

A

C. Your organization is subject to the vulnerability the patch addresses

Explanation:
It is perfectly reasonable to not want to use the first version of a patch as there may be interoperability problems or even additional vulnerabilities contingent with its implementation. However, for as long as your environment remains unpatched, you are subject to attack through that new vulnerability

61
Q

The OWASP Top Ten list sometimes includes missing function level access control. Which of these is a technique to reduce the potential for a missing function level access control?

A. Set the default to deny all access to functions, and require authentication/authorization for each access request
B. HTML escape all HTML attributes
C. Restrict permissions based on an ACL
D. Refrain from including direct access information in URLs

A

A. Set the default to deny all access to functions, and require authentication/authorization for each access request

Explanation:
Setting the default to denying access forces all resource requests to be verified, thus ensuring that no particular function may be run without explicitly ensuring that it was called by an authorized user

62
Q

All of the following might be used as data discovery characteristics in a content analysis based data discovery effort except ___________

A. Keywords
B. Pattern matching
C. Frequency
D. Inheritance

A

D. Inheritance

Explanation:
Inheritance has nothing to do with content analysis; it is usually referring to object oriented traits derived from originating objects

63
Q

Industry best practices dictate that cloud customers do not ________

A. Create their own IAM solutions
B. Create contract language that favors them over the provider
C. Retrain personnel for cloud operations
D. Encrypt data before it reaches the cloud

A

A. Create their own IAM solutions

Explanation:
According to ENISA, custom IAM builds can become weak if not properly implemented

64
Q

According to OWASP recommendations, active software security testing should include all of the following except ______

A. Information gathering
B. User surveys
C. Configuration and deployment management testing
D. Identity management testing

A

B. User surveys

Explanation:
User surveys are not an element of active security testing, although they might be used in acceptance testing. All of the other options are included in the guide to active security testing

65
Q

If the cloud is used for BCDR purposes, the loss of __________ could gravely affect your organization's RTO

A. Any cloud admin
B. A specific VM
C. Your policy and contract documentation
D. ISP connectivity

A

D. ISP connectivity

Explanation:
Without ISP connectivity, nobody will be able to use the Internet and thus the cloud. Of course, realistically, without Internet connectivity, not much business will get done anyway

66
Q

What do you need to do in order to fully ensure that a BCDR action will function during a contingency?

A. Audit all performance functions
B. Audit all security functions
C. Perform a full scale test
D. Mandate this capability in the contract

A

C. Perform a full scale test

Explanation:
Without a full test, you can't be sure the BCDR plan/process will work the way it is intended

67
Q

You are the security manager for a small surgical center. Your organization is reviewing upgrade options for its current, on premises data center. In order to best meet your needs, which one of the following options would you recommend to senior management?

A. Building a completely new data center
B. Leasing a data center that is currently owned by another firm
C. Renting private cloud space in a Tier 2 data center
D. Staying with current data center

A

A. Building a completely new data center

Explanation:

68
Q

PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Approximately how many controls are listed in the PCI DSS?

A. Around a dozen
B. About 20
C. About 100
D. Over 200

A

D. Over 200

Explanation:
The PCI DSS is extremely thorough and wide reaching

69
Q

How often should the CMB meet?

A. Whenever regulations dictate
B. Often enough to address organizational needs and attenuate frustration with delay
C. Every week
D. Annually

A

B. Often enough to address organizational needs and attenuate frustration with delay

Explanation:
Frustrated employees and managers can increase risk to the organization by implementing their own, unapproved modifications to the environment.

70
Q

Which of the following is an open source cloud based software project characterized by a toolset that includes components called Nova, Neutron, Heat, Ironic and Cinder?

A. OWASP
B. OAuth
C. OpenStack
D. Mozilla

A

C. OpenStack

Explanation:
OpenStack is an open source project for creating cloud environments regardless of hardware brand. OWASP is an open source web application development project and does not involve the use of any of the tools mentioned in the question

71
Q

Your organization is migrating the production environment to an IaaS cloud implementation. Your users will need to be able to get access to their data and share data with other users in a defined way, according to a hierarchy. You should configure the cloud memory as _____________

A. Object storage
B. Volume Storage
C. Synthetic storage
D. Databases

A

A. Object storage

Explanation:
Object storage is usually arranged in a file hierarchy. Volume storage has data with no defined structure

72
Q

OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the __________

A. Volcanic principle
B. Inherency principle
C. Repo principle
D. openness principle

A

D. openness principle

Explanation:
The openness principle requires any entity that gathers PII about a person to allow that person to access the information

73
Q

In an IaaS arrangement, all of the following are examples of object storage encryption except ___________

A. File level encryption
B. DRM
C. Application level encryption
D. TLS

A

D. TLS

Explanation:
TLS is encryption used in a communication session, not a storage volume

74
Q

Which of the following is not a method for enhancing data portability?

A. Cryptoshredding
B. Using standard data formats
C. Avoiding proprietary services
D. Favorable contract terms

A

A. Cryptoshredding

Explanation:
Cryptoshredding is for secure sanitization, not portability

75
Q

All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _________

A. Updating the OS baseline image according to a scheduled interval to include any necessary security patches and configuration modifications
B. Starting with a clean installation (hardware or virtual) of the desired OS
C. Including only the default account credentials and nothing customized
D. Halting or removing all unnecessary services

A

C. Including only the default account credentials and nothing customized

Explanation:
Default credentials are the bane of security everywhere. This is definitely the correct answer because it should not be part of the baseline build

76
Q

___________ is an example of due care and ____________ is an example of due diligence

A. Privacy data security policy; auditing the controls dictated by the privacy data security policy
B. GDPR; GLBA
C. Locks on doors; turnstiles
D. Perimeter defenses; internal defenses

A

A. Privacy data security policy; auditing the controls dictated by the privacy data security policy

Explanation:
Due care is the minimal level of effort necessary to perform your duty to others; in cloud security, that is often the care that the cloud customer is required to demonstrate in order to protect the data it owns

77
Q

What is the amount of fuel that should be on hand to power generators for backup datacenter power, in all tiers, according to the Uptime Institute?

A. 1
B. 1,000
C. 12 hours
D. As much as needed to ensure all systems may be gracefully shut down and data securely stored

A

C. 12 hours

Explanation:

78
Q

The application normative framework is best described as which of the following?

A. A stand alone framework for storing security practices for the Organizational Normative Framework (ONF)
B. A subset of the Organizational Normative Framework (ONF)
C. A superset of the Organizational Normative Framework (ONF)
D. The complete Organizational Normative Framework

A

B. A subset of the Organizational Normative Framework (ONF)

Explanation:
Remember there is a one-to-many ratio of ONF to application normative framework; each organization has one Organizational Normative Framework and many ANFs

79
Q

Task centric training is typically for __________

A. All personnel
B. Specific personnel
C. Management personnel
D. HR personnel

A

B. Specific personnel

Explanation:
Training is usually a formal process involving detailed information. This is for those personnel who are involved with the specific topic or tasks for which the training is intended

80
Q

Which of the following is an example of useful and sufficient data masking of the string CCSP?

A. XCSP
B. PSCC
C. TtLp
D. 3X91

A

C. TtLp

Explanation:
This answer requires some thought about how the original data is displayed and its properties

81
Q

The BCDR plan/policy should include all of the following except ________

A. Tasking for the office responsible for maintaining/enforcing the plan
B. Contact information for essential entities, including BCDR personnel and emergency services agencies
C. Copies of the laws/regulations/standards governing specific elements of the plan
D. Checklists for BCDR personnel to follow

A

C. Copies of the laws/regulations/standards governing specific elements of the plan

Explanation:

82
Q

Which of the following best describes SAML?

A. A standard for developing secure application management logistics
B. A standard for exchanging authentication and authorization data between security domains
C. A standard for exchanging usernames and passwords across devices
D. A standard used for directory synchronization

A

B. A standard for exchanging authentication and authorization data between security domains

Explanation:

83
Q

Which common characteristic of the cloud data center also serves customer business continuity and disaster recovery needs?

A. Multitenancy
B. Virtualization
C. Redundancy
D. Software defined networking

A

C. Redundancy

Explanation:
The ubiquitous redundancy of systems and capabilities within most cloud data centers not only serves the provider's requirements to meet customer service level agreements but also enhances the data center's resistance to disasters and interruptions

84
Q

Storage controllers will be used in conjunction with all the following protocols except __________

A. HTTPS
B. iSCSI
C. Fibre Channel
D. Fibre Channel over Ethernet

A

A. HTTPS

Explanation:
HTTPS is not a storage protocol

85
Q

The OWASP Top Ten list often includes using components with known vulnerabilities. Which of the following is a good way to protect against this problem?

A. Using only components your organization has written
B. Update to current versions of component libraries as soon as possible
C. Never use anyone else's component library
D. Apply patches to old component libraries

A

B. Update to current versions of component libraries as soon as possible

Explanation:

86
Q

________________ is the process of transitioning all or part of a company's data, applications and services from onsite premises behind the firewall to the cloud

A. Forklifting
B. Cloud portability
C. Cloud enablement
D. Cloud migration

A

D. Cloud migration

Explanation:
Cloud migration is the process of transitioning all or part of a company's data, applications, and services from onsite premises behind the firewall to the cloud. This enables information to be provided over the Internet on an on-demand basis

87
Q

Which of the following is not an example of an essential internal stakeholder?

A. IT analysts
B. IT director
C. CFO
D. HR Director

A

A. IT analysts

Explanation:
An IT analyst is generally not in a high enough position to be able to provide quality information to other stakeholders. However, the IT director would be in such a position, as would the others

88
Q

The goals of DLP solution implementation include all of the following except:

A. Policy enforcement
B. Elasticity
C. Data discovery
D. Loss mitigation

A

B. Elasticity

Explanation:
DLP does not have anything to do with elasticity, which is the capability of the environment to scale up or down according to demand

89
Q

You are the security policy lead for your organization, which is considering migrating from your on premises, traditional IT environment into the cloud. You are reviewing the CSA CCM as a tool for your organization.
Which tool, also available from the CSA, can be used in conjunction with the CCM to aid you in selecting and applying the proper controls to meet your organization's regulatory needs?

A. The CAIQ
B. OWASP Top Ten
C. CSC List
D. NIST FIPS 140-2

A

A. The CAIQ

Explanation:
The CAIQ is a self administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls. The OWASP Top Ten is used to indicate trends in poor design of web applications

90
Q

DLP solutions may use all of the following techniques to identify sensitive data except ____________

A. Pattern matching
B. Inference
C. Keyword identification
D. Metadata tags

A

B. Inference

Explanation:
Inference is an attack technique that derives sensitive material from an aggregation of innocuous data; DLP tools, thus far, do not have this capability

91
Q

When data labels are being used in an environment (for discovery and other purposes), when should the labels be applied?

A. During the risk assessment
B. As part of the BIA
C. At collection/creation
D. When the discovery tools are implemented

A

C. At collection/creation

Explanation:
For the most efficient classification/categorization process, and to streamline the application of proper controls, data labelling should be performed when the data is first being collected/created

92
Q

Encryption is an essential tool for affording security to cloud based operations. While it is possible to encrypt every system, piece of data and transaction that takes place on the cloud, why might that not be the optimum choice for an organization?

A. Key length variances don't provide any actual additional security
B. It would cause additional processing overhead and time delay
C. It might result in vendor lockout
D. The data subjects might be upset by this

A

B. It would cause additional processing overhead and time delay

Explanation:
Encryption consumes processing power and time; as with all security controls, additional security means measurably less operational capability

93
Q

Firewalls can detect attack traffic by using all these methods except _________

A. Known past behavior in the environment
B. Identity of the malicious user
C. Point of origination
D. Signature matching

A

B. Identity of the malicious user

Explanation:
While it would be wonderful, for security purposes, to know the identity of attackers before or while they are making an attack, this is information the attacker doesn't usually share

94
Q

In a virtualized cloud environment, the management plane is usually responsible for provisioning virtual machine instances with all of the following resources except _________

A. CPU
B. Memory
C. User Interface
D. Permanent Storage

A

C. User Interface

Explanation:
The user interface to the virtualized instance can be handled by a variety of mechanisms, but it is not the function of the management plane
All the other options are resources provisioned to the virtual machines by the management plane

95
Q

Which of the following is a possible negative aspect of bit splitting?

A. It may require trust in additional third parties beyond the primary cloud service provider
B. There may be cause for management concern that the technology will violate internal policy
C. Users will have far greater difficulty understanding the implementation
D. Limited vendors make acquisition and support challenging

A

A. It may require trust in additional third parties beyond the primary cloud service provider

96
Q

The OWASP Top Ten list often includes cross site request forgery. Which of the following is a good way to deter CSRF attacks?

A. Have your website refuse all HTTP resource requests
B. Ensure that all HTTP resource requests include a unique, unpredictable token
C. Don't allow ecommerce on your website
D. Process all user requests with only one brand of browser, and refuse all resource requests from other browsers

A

B. Ensure that all HTTP resource requests include a unique, unpredictable token

Explanation:
This is the option OWASP recommends as the very least form of protection.

97
Q

What has enabled cloud computing to become a real and scalable service offering due primarily to savings, sharing capabilities and allocation of resources across multiple tenants and environments?

A. Virtualization technologies
B. Storage technologies
C. International agreements
D. Increases in computing power

A

A. Virtualization technologies

Explanation:
Virtualization technologies have been the driving force behind enabling cloud computing to become a real and scalable service due to the savings, sharing and allocation of resources across multiple tenants and environments

98
Q

In designing a data center to meet their own needs and provide optimum revenue/profit, the cloud provider will most likely aim to enhance __________

A. Functionality
B. Automation of services
C. Aesthetic value
D. Inherent value

A

B. Automation of services

Explanation:
All the options are correct except C. Option B is the most correct because it will lead to maximizing performance, value and profitability

99
Q

Backdoors are sometimes left in software by developers _______

A. In lieu of other security controls
B. As a means to counter DoS attacks
C. Inadvertently or on purpose
D. As a way to distract attackers

A

C. Inadvertently or on purpose

Explanation:
Backdoors that were legitimately used during the development process can sometimes be left in a production version of the delivered software accidentally, when developers forget to remove them

100
Q

A cloud provider might only release SOC 2 Type 2 Reports to ____________

A. Regulators
B. The public
C. Potential customers
D. Current customers

A

D. Current customers

Explanation:
Because of the sensitive nature of the material covered in the SOC 2 Type 2 report, a cloud provider might not be willing to share it with any entity that does not have a financial stake in the cloud service

101
Q

Access to specific data should be granted by _____________

A. The data subjects
B. The data owners
C. The data processors
D. The data regulators

A

B. The data owners

Explanation:
The data owner is most familiar with the risks and impacts associated with the data sets under their control. The data subject may grant permission for a data owner to have the subject's data but will not govern the granular assignment of access rights

102
Q

Which of the following is considered an administrative control?

A. Access control process
B. Keystroke logging
C. Door locks
D. Biometric authentication

A

A. Access control process

Explanation:
A process is an administrative control; sometimes, the process includes elements of other types of controls, but the process itself is administrative

103
Q

If bit splitting is used to store data across multiple jurisdictions, how may this enhance security?

A. By making seizure of data by law enforcement more difficult
B. By hiding it from attackers in a specific jurisdiction
C. By ensuring that users can only accidentally disclose data to one geographic area
D. By restricting privileged user access

A

A. By making seizure of data by law enforcement more difficult

Explanation:
When law enforcement entities wish to seize assets (including data), they must cooperate with other law enforcement agencies in other jurisdictions if the data is not contained fully within their own

104
Q

Which of the following models offers the capability of using an application solution running on a vendor's or cloud provider's infrastructure?

A. SaaS
B. IaaS
C. PaaS
D. AaaS

A

A. SaaS

Explanation:
SaaS offers the user the capability of using the vendor's or cloud provider's application solution on their existing infrastructure

105
Q

A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to use the web of trust model for federation, who is/are the service providers?

A. Each organization
B. A trusted third party
C. The regulator overseeing their industry
D. All of their patients

A

A. Each organization

Explanation:
In a web of trust model, each member organization usually supplies both the access/identification credentials and the resources that the users want to access, so the organizations are both the identity providers and service providers in a web of trust federation model

106
Q

What is the federal agency that accepts applications for new patents?

A. USDA
B. USPTO
C. OSHA
D. SEC

A

B. USPTO

Explanation:
The US Patent and Trademark Office accepts, reviews and approves applications for new patents

107
Q

When applying patches, it is necessary to do all of the following except ____________

A. Test the patch in a sandbox that simulates the production environment
B. Put the patch through the formal change management process
C. Be prepared to roll back to the last known good build
D. Inform users of any impacts or interruptions

A

B. Put the patch through the formal change management process

Explanation:
In many cases, patches are released to deal with an imminent vulnerability/risk

108
Q
A