LeanZapp Practice 6 Flashcards

1
Q

Which of the following best describes a Type 1 hypervisor?

A. Synchronization device for Cloud IT environments
B. Uses a minimal piece of software to manage the underlying hardware resources such as RAM, CPU and storage
C. Access control mechanisms for cloud admins
D. Uses a separate piece of hardware to manage the underlying hardware resources such as RAM, CPU, and storage

A

B. Uses a minimal piece of software to manage the underlying hardware resources such as RAM, CPU and storage

Explanation:
A Type 1 hypervisor uses a minimal piece of software to manage the underlying resources. A Type 2 hypervisor is a piece of software installed on top of, or as part of, a device's OS.

2
Q

_________ is a direct identifier; __________ is an indirect identifier

A. Username, password
B. User's name; user's age
C. Users IP Address; Users MAC address
D. Location; income level

A

B. User's name; user's age

Explanation:
The user's name is a direct identifier, explicitly stating who that person is. The user's age is not a direct identifier because it doesn't specify a certain person.

3
Q

__________ are software or devices that monitor systems for malicious activities or policy violations and produce electronic alerts and/or reports to a management station

A. OSs
B. HSMs
C. NIDs
D. VPNs

A

C. NIDs

Explanation:
NIDs watch for anomalous or malicious system activity at the network level and provide alerts and/or reports on such activity.

4
Q

Which of the following is not true about risk mitigation?

A. The cost of the control/countermeasure per year is simple; the overall cost divided by life span, in years
B. Ignoring risk is not risk mitigation; ignoring risk is risk acceptance
C. The cost of mitigation can be compared against the cost of a control/countermeasure to determine the optimum course of action
D. Risk is fluid, so all risk assessments are pointless

A

D. Risk is fluid, so all risk assessments are pointless

Explanation:
A risk assessment may, indeed, be an estimate of a moving target, but it is invaluable in terms of measuring risk at any given point in time

5
Q

Which of the following is not a feature of SAST?

A. Source code review
B. Team building efforts
C. White box testing
D. Highly skilled, often expensive, outside consultants

A

B. Team building efforts

Explanation:
Team building has nothing to do with SAST; all the rest of the answers are characteristics of SAST

6
Q

In which cloud service model is the customer only responsible for the data?

A. CaaS
B. SaaS
C. PaaS
D. IaaS

A

B. SaaS

Explanation:
SaaS is the model in which the customer only supplies the data; in the other models, the customer also supplies the OS, the application or both.

7
Q

Which of the following does not have a personal privacy law that limits the way all citizens and entities can share personal data?

A. Japan
B. Belgium
C. Argentina
D. The US

A

D. The US

Explanation:
The US does not have a single, overarching personal privacy law; instead, the US often protects personal information by industry (HIPAA, GLBA, FERPA, etc)

8
Q

Regardless of which model the organization uses for system development, in which phase of the SDLC will user input be requested and considered?

A. Define
B. Design
C. Develop
D. Detect

A

A. Define

Explanation:
In the Define phase, we are trying to determine the purpose of the software in terms of meeting the users' needs; therefore, we may solicit input from the user community.

9
Q

What is the name of the security discipline that enables the right individuals to access the right resources at the right time and for the right reasons?

A. Homomorphic encryption
B. IAM
C. GAPP
D. SDLC

A

B. IAM

Explanation:
The security discipline is called IAM, and it ensures that the right user always has access to the right resources at the right times for the right reasons.

10
Q

Which of the following constitutes an MFA process or procedure?

A. Using an automated teller machine (ATM) to get cash with your credit or debit card
B. Using a password and PIN to log into a website
C. Presenting a voice sample and fingerprint to access a secure facility
D. Displaying a birth cert and a credit card

A

A. Using an automated teller machine (ATM) to get cash with your credit or debit card

Explanation:
At the ATM, the customer will use the card and enter a PIN

11
Q

Why is the term ISC2 Cloud Secure Data Life Cycle actually somewhat inaccurate?

A. The term is not used only by ISC2
B. Not all phases are secure
C. Not all phases take place in the cloud
D. It's not actually a cycle

A

D. It's not actually a cycle

Explanation:
The Cloud Secure Data Life Cycle phases are, in order: Create, Store, Use, Share, Archive, Destroy.

12
Q

DLP can be combined with what other security technology to enhance data controls?

A. DRM
B. SIEM
C. Kerberos
D. Hypervisors

A

A. DRM

Explanation:
DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories.

13
Q

What are the US Commerce Department controls on technology exports known as?

A. International Traffic in Arms Regulations
B. Export Administration Regulations (EAR)
C. Evaluation Assurance Level (EAL)
D. Digital Rights Management (DRM)

A

B. Export Administration Regulations (EAR)

Explanation:
Export Administration Regulations (EAR) is a Commerce Department program.

14
Q

Management is interested in adopting an Agile development style. In order for this to happen, the company will have to increase the involvement of _____________

A. Security personnel
B. Budget and finance representatives
C. Members of the user group
D. Senior management

A

C. Members of the user group

Explanation:
Agile requires interaction between developers and personnel who will use the software

15
Q

You are performing an audit of the security controls used in a cloud environment. Which of the following would best serve your purpose?

A. The business impact analysis
B. A copy of the VM baseline configuration
C. The latest version of the company's financial records
D. A SOC 3 report from another external auditor

A

B. A copy of the VM baseline configuration

Explanation:
The baseline configuration can be used as a template of controls applied throughout the environment

16
Q

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes except:

A. Tokenization
B. Data discovery
C. Obfuscation
D. Masking

A

B. Data discovery

Explanation:
Data discovery is a term used to describe the process of identifying information according to specific traits or categories

17
Q

A cloud environment that lacks security controls is vulnerable to exploitation, data loss and interruptions. Conversely, excessive use of security controls ____________

A. Can lead to customer dissatisfaction
B. Is a health and human safety
C. Brings down the organization's stock price
D. Negates the need for insurance

A

A. Can lead to customer dissatisfaction

Explanation:
If excessive controls impact the user/customer experience to the extent that system response speeds and results are delayed significantly, and performance is degraded to the point where competitors' systems are far superior, customer dissatisfaction can be a severe problem.

18
Q

In a centralized broker identity federation, which entity typically creates and sends the SAML token?

A. The cloud provider
B. The ISP
C. The broker
D. The cloud customer

A

C. The broker

Explanation:
In a centralized broker federation, the broker, acting as the identity provider, creates the SAML identity assertion tokens and delivers them to the relying parties.

19
Q

The destruction of a cloud customer's data can be required by all of the following except:

A. Statute
B. Regulation
C. The cloud provider's policy
D. Contract

A

C. The cloud provider's policy

Explanation:
The cloud provider cannot typically require the destruction of the customer's data simply because of its own policy.

20
Q

All of the following are reasons overwriting is not a viable secure sanitization method for data stored in the cloud except:

A. Overwriting an entire storage resource would affect other tenants' data
B. Regulators usually frown on the practice
C. Locating the specific storage locations of cloud data is almost impossible
D. Data is being backed up constantly in the cloud; before you finished overwriting an entire data set, it would have been replicated elsewhere

A

B. Regulators usually frown on the practice

Explanation:
Regulators do not disapprove of secure sanitization; it is an acceptable form of secure data destruction if implemented properly

21
Q

Which SOC report might be best to use for your initial review of several different cloud providers in order to narrow down the field of potential services in a fast and easy way?

A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

A

D. SOC 3

Explanation:
The SOC 3 report is an attestation that the target was audited and that it passed the audit, without detail. You could use SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.

22
Q

What is probably the best way to avoid problems associated with vendor lock out?

A. Using strong contract language
B. Use non proprietary data and media formats
C. Use strong cryptography
D. Use another provider for backup purposes

A

D. Use another provider for backup purposes

Explanation:
Vendor lockout occurs when the provider suddenly leaves the market, as during a bankruptcy or acquisition.

23
Q

Which of the following is considered a physical control?

A. Carpets
B. Ceilings
C. Doors
D. Fences

A

D. Fences

Explanation:
Fences are physical controls

24
Q

What is a form of cloud storage where data is stored in a logical storage area assigned to the user but not necessarily physically attached, or even geographically proximate, to the compute node the user is utilizing?

A. Volume Storage
B. Databases
C. Content Delivery network
D. Object Storage

A

A. Volume Storage

Explanation:
In volume storage, the user is assigned a logical drive space into which anything (such as raw data, objects or applications) may be saved or installed, similar to a mounted drive on a traditional network

25
Q

Software developers creating products for cloud environments need to consider:

A. The language used in the geographic area of the end user
B. The overall price of development
C. The shared use of underlying resources
D. How digital certs might be used in the cloud

A

C. The shared use of underlying resources

Explanation:
Shared resources can create the potential for side channel attacks if the software is not created with proper controls

26
Q

SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP?

A. Standards based
B. Reliant on XML
C. Extremely fast
D. Works over numerous protocols

A

C. Extremely fast

Explanation:

27
Q

TLS is a session encryption tool that uses _______ encryption to create a _____________ session key

A. Symmetric, symmetric
B. Asymmetric, symmetric
C. Asymmetric, asymmetric
D. Symmetric, asymmetric

A

B. Asymmetric, symmetric

Explanation:
TLS uses asymmetric encryption to create a symmetric session key

28
Q

GAPPs are created and maintained by which organization?

A. ISO
B. IEC
C. PCI
D. AICPA

A

D. AICPA

Explanation:
AICPA is the organization responsible for generating and maintaining what are the Generally Accepted Accounting Practices in the US.

29
Q

Which entity is legally responsible for the protection of personal data?

A. The data subject
B. The data controller
C. The data processor
D. The data steward

A

B. The data controller

Explanation:
The data controller is legally liable for protecting any privacy data it has.

30
Q

Which of the following is a legal practice of removing a suspect from one jurisdiction to another in order for the suspect to face prosecution for violating laws in the latter?

A. Applicable law
B. Judgements
C. Criminal Law
D. Extradition

A

D. Extradition

Explanation:

31
Q

Most attacks that overcome encryption protections exploit ____________

A. Mathematical principles
B. Misconfigurations
C. Supercomputers
D. Statistical probabilities

A

B. Misconfigurations

Explanation:
Historically, when encryption has been used as a security mechanism, it was not defeated by attacking the encryption directly but rather by subverting the encryption implementation.

32
Q

What is the intellectual property protection for a useful manufacturing innovation?

A. Copyright
B. Patent
C. Trademark
D. Trade Secret

A

B. Patent

Explanation:
Patents protect processes

33
Q

What type of intellectual property protection will your company likely rely upon for legally enforcing your rights?

A. Trademark
B. Patent
C. Copyright
D. Trade secret

A

C. Copyright

Explanation:
Software is protected by copyright. All the other options are forms of protection but are not applicable to software for the most part.

34
Q

Which of these does the cloud customer need to ensure protection of intellectual property created in the cloud?

A. Digital rights management (DRM) solutions
B. IAM Solutions
C. Strong contractual clauses
D. Cryptoshredding

A

C. Strong contractual clauses

Explanation:

35
Q

TLS protocol creates a secure communications channel over public media. In a typical TLS session, what is the usual means for establishing trust between the parties?

A. Out of band authentication
B. Public key infrastructure certs
C. MFA
D. Preexisting knowledge of each other

A

B. Public key infrastructure certs

Explanation:
TLS usually relies on PKI certs authenticated and issued by a trusted third party.

36
Q

Where are the business requirements most likely to be mapped to software construction?

A. Define
B. Design
C. Test
D. Secure Operations

A

B. Design

Explanation:
Design is the correct answer, as this is where the requirements gathered during the Define phase are mapped to system designs.

37
Q

Is overwriting a feasible secure sanitization method in the cloud?

A. Yes, but only if you use multiple passes
B. No, because you can't get physical access to cloud storage resources
C. Yes, but it requires a final pass with all zeros or ones
D. No, because the logical location of the stored data is almost impossible to determine

A

D. No, because the logical location of the stored data is almost impossible to determine

Explanation:
Overwriting is the practice of filling the entire storage of the target data with randomized characters

38
Q

Which security tool can perform content inspection of SFTP communications?

A. WAF
B. DAM
C. XML Gateway
D. Single sign on

A

C. XML Gateway

Explanation:
The XML gateway can provide this functionality; it acts as a reverse proxy and can perform content inspection on many traffic protocols

39
Q

According to CSA, in the event of a data breach, a cloud customer will likely need to comply with all the following data breach notification requirements except ________

A. Multiple state laws
B. Contractual notification requirements
C. All standards based notification schemes
D. Any applicable federal regulation

A

C. All standards based notification schemes

Explanation:
Option C is correct because an organization is not required to subscribe to all standards, but only to the standards it selects (or those imposed by regulations).

40
Q

Which of the following is a data discovery approach that offers insight to trends of trends, using both historical and predictive approaches?

A. Obverse polyglotism
B. Big data
C. Real time analytics
D. Agile analytics/business intelligence

A

D. Agile analytics/business intelligence

Explanation:
The Agile approach to data analysis offers greater insight and capabilities than previous generations of analytical technologies

41
Q

Which of the following is perhaps the best method for reducing the risk of a specific application not delivering the proper level of functionality and performance when it is moved from the traditional environment into the cloud?

A. Remove the application from the organization's production environment and replace it with something else
B. Negotiate and conduct a trial run in the cloud environment for that application before permanently migrating
C. Make sure the application is fully updated and patched according to all vendor specifications
D. Run the application in an emulator

A

B. Negotiate and conduct a trial run in the cloud environment for that application before permanently migrating

Explanation:
A trial run in the cloud will reveal any functionality/performance loss before a permanent cloud migration. Option A doesn't reduce any risk for a specific application.

42
Q

Which of these subsystems is probably most important for acquiring useful log info?

A. Fan
B. RAM
C. Clock
D. UPS

A

C. Clock

Explanation:
The clock needs to be synced throughout the environment so that all activity can be contextualized and mapped, and a true narrative of events can be reconstructed later.

43
Q

A pentest is designed to ________

A. Document ongoing attacks
B. Test a system for vulnerabilities that would allow an attacker to gain control over said system
C. Detect attacks in real time
D. Test a system, network or web application for vulnerabilities that would allow an attacker to gain control over said system, network or application

A

D. Test a system, network or web application for vulnerabilities that would allow an attacker to gain control over said system, network or application

Explanation:
A pentest is a test that is designed to take advantage of any vulnerability it can find to compromise a system or gain unauthorized access

44
Q

When deciding whether to apply specific updates, it is best to follow, in order to demonstrate due care:

A. Regulations
B. Vendor guidance
C. Internal policy
D. Competitors' actions

A

B. Vendor guidance

Explanation:
A data center that doesn't follow vendor guidance might be seen as failing to provide due care.

45
Q

Which of the following best describes a set of practices that focus on aligning IT services with business needs?

A. ITIL
B. ISO
C. HIPAA
D. GLBA

A

A. ITIL

Explanation:
ITIL is a set of practices that focus on aligning IT services with business needs

46
Q

Which of the following probably poses the most significant risk to the organization?

A. Not having essential BCDR personnel available during a contingency
B. Not including all BCDR elements in the cloud contract
C. Returning to normal operations too soon
D. Telecommunications outages

A

C. Returning to normal operations too soon

Explanation:
A premature return to normal operations can jeopardize not only production, but personnel; if the contingency that caused the BCDR action is not fully complete/addressed, there may still be danger remaining

47
Q

TLS uses a new ________ for each secure connection

A. Symmetric key
B. Asymmetric key
C. Public-private key pair
D. Inverse comparison

A

A. Symmetric key

Explanation:
TLS uses symmetric key crypto for each communications session in order to secure the connection; the session key is uniquely generated each time a new connection is made

48
Q

The process of hardening a device should include which of the following?

A. Encrypting the OS
B. Updating and patching the system
C. Using video cameras
D. Performing thorough personnel background checks

A

B. Updating and patching the system

Explanation:
Updating and patching the system helps harden the system. Encrypting the OS is a distractor

49
Q

Which of the following is not typically a phase in the SDLC?

A. Define
B. Test
C. Develop
D. Sanitization

A

D. Sanitization

Explanation:
Secure sanitization is not included in all (or even many) SDLC models

50
Q

What language is used in the SOAP application design protocol?

A. HTML
B. X.509
C. XML
D. HTTP

A

C. XML

Explanation:
SOAP necessarily uses XML.
HTML is a language to tag text files so that they can be displayed with different fonts, colors, graphics and hyperlinks. HTML is not used in SOAP.

51
Q

Storage controllers will typically be involved with each of the following storage protocols except:

A. iSCSI
B. RAID
C. Fibre Channel
D. Fibre Channel over Ethernet

A

B. RAID

Explanation:
This question might be susceptible to overthinking because it is simplistically straightforward.

52
Q

Which SSAE 18 audit report is simply an attestation of audit results?

A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

A

D. SOC 3

Explanation:
This is the definition of a SOC 3 report

53
Q

Risk is usually viewed with consideration for all the following elements except _________

A. Impact that could occur if a given circumstance is realized
B. The likelihood or probability a circumstance will occur
C. In the context of specific threats to an organization
D. According to risks recently realized by other organizations in the same industry

A

D. According to risks recently realized by other organizations in the same industry

Explanation:
While historical information, especially that specific to the organization's industry, can be useful in assessing threats, risk must be considered independently from other occurrences.

54
Q

According to the CSA, service traffic hijacking can affect which portion of the CIA triad?

A. Confidentiality
B. Integrity
C. Availability
D. All of the triad

A

D. All of the triad

Explanation:
Service traffic hijacking can affect all portions of the CIA triad. Through hijacking, an attacker could eavesdrop on legitimate communication.

55
Q

Countermeasures for protecting cloud operations against external attackers include all of the following except:

A. Continual monitoring for anomalous activity
B. Detailed and extensive background checks
C. Hardened devices and systems, including servers, hosts, hypervisors and virtual machines
D. Regular and detailed configuration/change management activities

A

B. Detailed and extensive background checks

Explanation:
Background checks are controls for attenuating potential threats from internal actors.

56
Q

Federation should be _______ to the users

A. Hostile
B. Proportional
C. Transparent
D. Expensive

A

C. Transparent

Explanation:
Federation allows ease of use for access to multiple resource providers; this provides a transparent user mechanism

57
Q

All of these can affect the quality of service expected from an application except:

A. Encryption
B. Egress monitoring
C. Antimalware tools
D. Use of known secure libraries/components

A

D. Use of known secure libraries/components

Explanation:
Using only known secure libraries and components in software design may slow down development efforts but shouldn't impact how the application runs.

58
Q

The additional review activities that might be performed for privileged user accounts include all of the following except:

A. Deeper personnel background checks
B. Review of personal financial accounts for privileged users
C. More frequent reviews of the necessity for access
D. Pat down checks of privileged users to deter against physical theft

A

D. Pat down checks of privileged users to deter against physical theft

Explanation:
The efficacy of frisking admins and managers is doubtful and the harm to morale and disparity

59
Q

Impact resulting from risk being realized is often measured in terms of :

A. Amount of data lost
B. Money
C. Amount of property lost
D. Number of people affected

A

B. Money

Explanation:
While all the options are somewhat true, because all of that information can be used to provide the most comprehensive risk picture, the best answer among those listed is money.

60
Q

What functional process can aid in BCDR efforts?

A. SDLC
B. Data classification
C. Honeypots
D. Identity Management

A

B. Data classification

Explanation:
The data classification process is the organization's formal means of determining the value of its assets.

61
Q

When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize:

A. Electronic data
B. Hardware
C. Electronic data and the hardware on which it resides
D. Only data extracted from the hardware

A

C. Electronic data and the hardware on which it resides

Explanation:
Courts can issue seizure orders for anything and everything

62
Q

A UPS should have enough power to last how long?

A. 12 hours
B. 10 minutes
C. One day
D. Long enough for graceful shutdown

A

D. Long enough for graceful shutdown

Explanation:
The UPS is intended to last only long enough to save production data currently being processed

63
Q

Which of the following does not typically represent a means for enhanced authentication?

A. Challenge questions
B. Variable keystrokes
C. Out of band identity confirmation
D. Dynamic end user knowledge

A

B. Variable keystrokes

Explanation:
Variables, in general, aren't useful for authentication; authentication requires a match against a template or a known quantity.

64
Q

Both short term and long term strategies designed to assist organizations in recovering activities that disrupt critical functions are called:

A. BCDR
B. BCP
C. DR
D. BIA

A

A. BCDR

Explanation:
BCDR are both strategies designed to aid organizations in recovering from disruptions in activities

65
Q

DRM requires that every data resource be provisioned with:

A. A tracking device
B. An access policy
C. A hardware security module
D. A biometric system

A

B. An access policy

Explanation:
For DRM to work properly, each resource needs to be outfitted with an access policy so that only authorized entities may make use of that resource

66
Q

What is probably the optimum way to avoid vendor lock in?

A. Use nonproprietary data formats
B. Use industry standard media
C. Use strong cryptography
D. Use favorable contract language

A

D. Use favorable contract language

Explanation:
The contract is probably the cloud customer's best tool for avoiding vendor lock-in; contract terms will establish how easy it is to migrate your organization's data to another provider in a timely, cost-effective manner.

67
Q

In a cloud environment, encryption should be used for all of the following except:

A. Long term storage of data
B. Near term storage of virtualized images
C. Secure sessions/VPN
D. Profile formatting

A

D. Profile formatting

Explanation:
All of the activities should incorporate encryption, except for profile formatting, which is a made-up term.

68
Q

In protections afforded to PII under GLBA, the subject must ______ in order to prevent the vendor from sharing their personal data

A. Opt in
B. Opt out
C. Undergo screening
D. Provide a biometric template

A

B. Opt out

Explanation:
Under GLBA, financial and insurance vendors are allowed to share account holders' personal data with other entities unless the account holder explicitly states in writing that the vendor is not allowed to do so.

69
Q

The _________ controls the entire infrastructure and is independent of physical network configuration

A. Hypervisor
B. SDN
C. Management plane
D. IaaS

A

C. Management plane

Explanation:
The management plane is used to create logical networking connections regardless of physical layout.

70
Q

Which of the following is not included in OWASP Top Ten web application security threats?

A. Injection
B. Cross Site scripting
C. Internal theft
D. Sensitive data exposure

A

C. Internal theft

Explanation:
Internal theft is not listed in the Top 10

71
Q

Who should be responsible for ensuring the state, security and control of all evidence from the time it's collected until it's presented in court?

A. The data controller
B. The evidence custodian
C. The security manager
D. The IT Director

A

B. The evidence custodian

Explanation:
The evidence custodian is the person designated to maintain the chain of custody for the duration of the investigation

72
Q

Using one cloud provider for your operational environment and another for your BCDR backup will also give you the additional benefit of:

A. Allowing any custom VM builds you use to be instantly ported to another environment
B. Avoiding vendor lock/lock out
C. Increased performance
D. Lower costs

A

B. Avoiding vendor lock/lock out

Explanation:
Having an additional backup with a different provider means that if your primary provider becomes unusable for any reason, your data is not being held hostage or lost.

73
Q

Cloud customers in a public cloud managed services environment can install all the following types of firewalls except:

A. Provider operated
B. Host based
C. Third party
D. Hardware

A

D. Hardware

Explanation:
Cloud customers, with rare exceptions, will not be allowed to add hardware to the cloud data center.

74
Q

In PII context, who is the processor?

A. the cloud customer
B. the cloud provider
C. the regulator
D. the individual

A

B. the cloud provider

Explanation:
In PII context, the processor is any entity that processes data on behalf or at the behest of the data owner.

75
Q

Which of the following should occur during the final phase of the Cloud Secure Data Life Cycle?

A. Data dispersion
B. Cryptoshredding
C. Cryptoparsing
D. Cryptospordium

A

B. Cryptoshredding

Explanation:

76
Q

Which of the following frameworks focuses specifically on design, implementation and management?

A. ISO 31000-2009
B. HIPAA
C. ISO 27017
D. NIST 800-92

A

A. ISO 31000-2009

Explanation:
ISO 31000-2009 specifically focuses on design, implementation and management.

77
Q

The inclusion of security controls in the software design process is dictated by _________

A. NIST 800-37
B. AICPA
C. ISO 27034
D. HIPAA

A

C. ISO 27034

Explanation:
ISO 27034 addresses the sets of controls used in software throughout the environment

78
Q

You work for a small application development company. Which of the following traits of cloud functionality is probably the most crucial in terms of deciding which cloud provider you will choose?

A. Portability
B. Interoperability
C. Resiliency
D. Governance

A

B. Interoperability

Explanation:
Because you will be creating proprietary software, you will probably be most concerned with how it will function across many platforms

79
Q

What is one possible risk associated with the use of algorithm masking for obscuring a data set?

A. You could corrupt the production data
B. The data could be subject to easy inadvertent disclosure
C. Algorithms are two way operations
D. A null set has no test value

A

C. Algorithms are two way operations

Explanation:
Using an algorithm to mask data suggests that the same algorithm, if learned or reverse engineered by an aggressor, could be used on the masked data to reveal the production data

80
Q

Which Common Criteria Evaluation Assurance Level is granted to those products that are formally verified in terms of design and tested by an independent third party?

A. 1
B. 3
C. 5
D. 7

A

D. 7

Explanation:
EAL 7 is for those products that have undergone independent third party testing and verification of security feature design.

81
Q

A loosely coupled storage cluster will have performance and capacity limitations based on the:

A. Physical backplane connecting it
B. Total number of nodes in the cluster
C. Amount of usage demanded
D. The performance and capacity in each node

A

D. The performance and capacity in each node

Explanation:
In a loosely coupled storage cluster, each node acts as an independent data store that can be added to or removed from the cluster without affecting other nodes

82
Q

All of the following are identity federation standards commonly found in use today except:

A. WS Federation
B. OpenID
C. OAuth
D. Pretty Good Privacy (PGP)

A

D. Pretty Good Privacy (PGP)

Explanation:
PGP is an email encryption standard, not an identity federation standard

83
Q

Administrative penalties for violating GDPR can range up to:

A. $100,000 USD
B. 500,000 euros
C. 20,000,000 euros
D. 1,000,000 euros

A

C. 20,000,000 euros

Explanation:

84
Q

Where should the cloud providers data discovery requirements be listed?

A. NIST 800-53
B. Applicable laws and regulations
C. PCI DSS
D. The managed services contract and SLA

A

D. The managed services contract and SLA

Explanation:
The cloud customer will have to determine which levels of performance/responsibilities on the part of the provider will be necessary to meet the customer’s needs for data discovery. These should be codified in the contract/SLA

85
Q

Which type of attack occurs when an application receives untrusted data and then sends it to a web browser without proper validation?

A. SQL Injection
B. Brute force
C. XSS
D. Man in the middle

A

C. XSS

Explanation:
An XSS attack occurs when an application receives untrusted data and then sends it to a web browser without proper validation, allowing an attacker to execute scripts in the user's browser, hijack sessions or engage in other malicious behavior

86
Q

When implementing a DRM solution in a cloud environment, which of the following does not pose an additional challenge for the cloud customer?

A. Users might be required to install a DRM agent on their local devices
B. DRM solutions might have difficulty interfacing with multiple different operating systems and services
C. DRM solutions might have difficulty interacting with virtualized instances
D. Ownership of intellectual property might be difficult to ascertain

A

D. Ownership of intellectual property might be difficult to ascertain

Explanation:
The owner of intellectual property will not change whether the material is stored in the cloud or in a legacy environment. Moving into the cloud will probably result in more use of personal devices, requiring users to install local DRM agents, so option A is true. Options B and C are also true due to the nature of cloud computing and are therefore also not suitable for this question

87
Q

You are the security director for a call center that provides live support for customers of various vendors. Your staff handles calls regarding refunds, complaints and the use of products customers have purchased. To process refunds, your staff will have access to purchase info, determine which credit card the customer used and identify specific elements of personal data. How should you best protect this sensitive data and still accomplish the purpose?

A. Encrypt the data while it is at rest but allow the call center personnel to decrypt it for refund transactions
B. Encrypt the data while call center personnel are performing their operations
C. Mask the data while call center personnel are performing their operations
D. Have the call center personnel request the pertinent information from the customer for every transaction

A

C. Mask the data while call center personnel are performing their operations

Explanation:
Masking the data should suffice for the purpose; it allows the call center personnel to determine which card was used in the sale but does not reveal the card number to the call center

88
Q

Synthetic performance monitoring may be preferable to real user monitoring (RUM) because:

A. It costs less
B. It is a more accurate depiction of user behavior
C. It is more comprehensive
D. It can take place in the cloud

A

C. It is more comprehensive

Explanation:
Synthetic agents can simulate user activity in a much faster, broader manner and perform these actions 24/7 without rest

89
Q

Sprawl in the cloud can lead to significant additional costs to the organization because of:

A. Larger necessary physical footprint
B. Much larger utility consumption
C. Software licensing
D. Requisite additional training

A

C. Software licensing

Explanation:
In some instances, more virtualized machines will entail a relative increase in the number of software seat licenses, which can be a significant expense

90
Q

Security best practices in a virtualized environment would include which of the following?

A. Using distinct ports and port groups for VLANs on a virtual switch rather than running them through the same port
B. Running iSCSI traffic unencrypted in order to have it observed and monitored by a NIDS
C. Adding a HIDS to all virtual guests
D. Hardening all outward facing firewalls in order to make them resistant to attack

A

A. Using distinct ports and port groups for VLANs on a virtual switch rather than running them through the same port

Explanation:

91
Q

Symmetric encryption involves ___________

A. The Diffie-Hellman key exchange
B. Passing keys out of band
C. Mathematically related key pairs
D. A one way mathematical algorithm for validating messages

A

B. Passing keys out of band

Explanation:
In symmetric encryption, the key must usually be passed through a different medium than will be used for sending and receiving the encrypted messages
DH is usually used for asymmetric encryption to establish a temporary symmetric key

92
Q

There are two reasons to conduct a test of the organization's recovery from backup in an environment other than the primary production environment. Which of the following is one of them?

A. It is good to invest in more than one community
B. You want to approximate contingency conditions, which includes not operating in the primary location
C. It is good for your personnel to see other places occasionally
D. Your regulators won't follow you off site, so you'll be unobserved during your test

A

B. You want to approximate contingency conditions, which includes not operating in the primary location

Explanation:
Assuming your facility is not available during contingency operations allows you to better approximate an emergency situation, which adds realism to the test

93
Q

Of the following options, which is a reason cloud data center audits are often less easy to verify than traditional audits?

A. Cryptography is present
B. Auditors don't like the cloud
C. Cloud equipment is resistant to audit
D. They often rely on data the provider chooses to disclose

A

D. They often rely on data the provider chooses to disclose

Explanation:
In many circumstances, a cloud audit will depend on which info a cloud provider discloses, which makes auditing difficult and less trustworthy

94
Q

A cloud environment that lacks security controls is vulnerable to exploitation, data loss and interruptions. Conversely, excessive use of security controls ___________

A. Can lead to DDoS
B. Allows malware infections
C. Increases the risk of adverse environmental effects
D. Is an unnecessary expense

A

D. Is an unnecessary expense

Explanation:
From a simple financial perspective (which is often the managerial perspective), money spent on excessive anything is money wasted; spending to no good effect is detrimental

95
Q

You are in charge of building a cloud data center. What purposes does the raised floor serve?

A. Allows airflow and increases structural soundness for holding large components
B. Cold air feed and place to run wires for the machines
C. Additional storage for critical components and a dedicated access to a landline
D. Fire suppression systems and personnel safety

A

B. Cold air feed and place to run wires for the machines

Explanation:
The raised floor in a data center will serve as an air plenum (usually for cold air) and a wiring chase. All the other options are incorrect

96
Q

MFA consists of at least two items. Which of the following best represents this concept?

A. A complex password and a secret code
B. Complex passwords and an HSM
C. A hardware token and a magnetic stripe card
D. Something you know and something you have

A

D. Something you know and something you have

Explanation:
Option D is the best, most general, and most accurate answer

97
Q

What is the principal issue concerning transborder data flow?

A. Government taxation standards differ
B. Differences may exist in customs or procedures
C. Encryption must be implemented
D. Legal requirements may not be the same

A

D. Legal requirements may not be the same

Explanation:
The concern with trans-border data flow is that the legal requirements may be different between the countries. An additional concern with trans-border data flow is that the level of risk may differ depending on privacy laws and laws affecting intellectual property, such as trademark and copyright

98
Q

Which of the following is not a goal of a site survey?

A. Threat definition
B. Target identification
C. Pentesting
D. Facility characteristics

A

C. Pentesting

Explanation:
The pentest is not part of the site survey

99
Q

How does representational state transfer (REST) make web service requests?

A. XML
B. SAML
C. URIs
D. TLS

A

C. URIs

Explanation:
REST calls web resources by using uniform resource identifiers (URIs)
XML may be used for REST, but it is not a requirement as it is in SOAP

100
Q

You are designing a private cloud data center for an insurance underwriter, to be located in a major metro area. Which of the following airflow management schemes is preferable?

A. Hot aisle
B. Cold aisle
C. Either hot aisle or cold aisle
D. Free flow

A

C. Either hot aisle or cold aisle

Explanation:
It shouldn't matter which design you use as long as airflow is managed. Neither hot nor cold aisle containment is preferable to the other

101
Q
A