LearnZapp Practice 1 Flashcards

Question

What is the lowest tier of data center redundancy according to the Uptime Institute? A. 1 B. 3 C. 5 D. 7

Answer 1

A. 1 Explanation: There are four tiers of data center redundancy, with 1 being the lowest and 4 being the highest

Answer 2

A. Joint operating agreements Explanation: Having a joint operating agreement with a sister facility can assist greatly when dealing with a local disaster that does not affect a large area

Answer 3

D. DAM Explanation: Database activity monitoring is a security technology used for monitoring and analyzing database activity that operates independently of the database management system. NIST is the National Institute of Technology, SAST is a type of application testing, and SAML is a technology used with identity access management

Answer 4

A. Trademark Explanation: Trademarks are designed to protect symbols such as company logo or trade name

Answer 5

C. Cloud customer Explanation: The cloud customer, also the data owner, is always ultimately legally responsible for unauthorized disclosures

Answer 6

C. Data Explanation: Regardless of model, the customer owns the data and will therefore always be allowed to access it

Answer 7

A. Access control lists Explanation: Only access control lists are a technical control. All others are physical and administrative

Answer 8

B. Two databases Explanation: Tokenization requires two databases one containing the raw, original data and a second that contains the tokens that map to the original data

Answer 9

B. Availability Explanation: The element of availability is impacted if a remote user cannot access the cloud provider

Answer 10

D. Centralization of log streams Explanation: In addition to centralization of log streams, SIEMs provide the ability to do trend analysis and view dashboards of activity

Answer 11

C. Data masking Explanation: Data masking is a technique whereby similar text strings are used in place of real data.

Answer 12

A. 12 hours Explanation: Based on Uptime Institute guidelines, enough fuel should be on hand to keep the generator running for at least 12 hours regardless of the data center tier

Answer 13

D. Cloud providers resellers and brokers Explanation: All options except D are important dependencies when reviewing the BIA

Answer 14

D. Code review Explanation: All of the other items listed are features of dynamic application security testing

Answer 15

C. Copyright Explanation: Copyrights are designed to protect the tangible expressions of creative works, like books, articles, music and so on

Answer 16

B.Audit trails Explanation: Audit trails are an example of a technical control. Fire suppression equipment, security policies and configuration procedures are all examples of administrative controls

Answer 17

A. PaaS Explanation: PaaS allows the customer to install and run any applications they want on any OS environment they may need

Answer 18

B. Patching and updating Explanation: Updating and keeping systems patched is one of he most effective ways to keep them secure. If you were to encrypt the OS, you would not be able to use the system, and SSL and PKI refer to ways of protecting communications

Answer 19

A. Encrypt device drives

Answer 20

C. Masking Explanation: Masking is a form of confidentiality assurance that often replaces the original information with asterisks or Xs

Answer 21

A. United States Explanation: The US is the only entity in this list that does not have a comprehensive policy directed at protecting its citizens privacy

Answer 22

C. Content delivery network

Answer 23

C. Reverse Explanation: Risk cannot be reversed. It can only be mitigated, transferred or accepted

Answer 24

A. Does not spoil Explanation: One primary advantage of LP gas is that it does not spoil the way gasoline and diesel fuel can

Answer 25

B. SOC 3 Explanation: SOC 3 is the least detailed report, designed for public dissemination. There is no SOC 3 Type 2 report

Answer 26

A. Local language variations Explanation: Local languages having nothing to do with physical security. All the others are valid concerns

Answer 27

A. Business impact requirements Explanation: BIA is designed to identify and ascertain the value of assets in addition to the critical paths and processes

Answer 28

B. SOC 2 Type 3 Explanation: SOC 2 Type 3 is not an actual report format. All of the other options are part of the levels of the CSA STAR cert program

Answer 29

D. Power redundancy Explanation: One of the foundational design characteristics in modern data center design involves ensuring redundant power systems. Data centers can be located anywhere, and typically have strong physical security

Answer 30

B. Health and human safety Explanation: While the other options are important, they are all subordinate to human health and safety, which is the first priority of any security programs

Answer 31

C. Self assessment, attestation and ongoing monitoring cert Explanation: Self assessment, attestation and ongoing monitoring cert are the three levels of STAR cert

Answer 32

B; Virtualization Explanation: Virtualization allows scalable resource allocation, which has in turn dramatically increased the viability of cloud services

Answer 33

C. Cloud customer Explanation: The cloud customer is always the data owner and therefore ultimately responsible for the security of PII

Answer 34

A. Data dispersion Explanation: Data dispersion uses chunks of data, erasure coding and encryption

Answer 35

C. PaaS Explanation: In PaaS, the customer is paying for access to a virtual machine with an OS on which to install applications. Since the customer owns the applications, it is their responsibility to keep the applications up to date

Answer 36

D. Homomorphic encryption Explanation: Homomorphic encryption is an experimental technology that would allow ciphertext to be manipulated in processes and still produce the same results as when the unencrypted plaintext of the same data is processed.

Answer 37

B. To a level at least as high as the data they are protecting Explanation: Cryptographic keys should always be protected with safeguards at least as stringent, if not more, than the level of the data they are protecting

Answer 38

A. Checklists Explanation: A BCDR event is no time to be scrambling around trying to figure out what to do. Having a plan in place and executing it is dependent on everyone understanding the plan and checklists are the way we work through steps of the plan in order

Answer 39

D. Business requirements Explanation: BUsiness requirements will and should always be what drives security decisions

Answer 40

A. Continual monitoring for anomalous activity Explanation: Continual monitoring for anomalous activity is a great way to detect potential external attacks. The other answers having nothing to do with protecting cloud operations from external threats

Answer 41

B. Changes in regulations Explanation: A change in regulations has never resulted in a data center outage, but each of the other options has caused many outages

Answer 42

A. IaaS Explanation: Object and volume storage are both related to infrastructurew

Answer 43

A. Statutory Compliance Explanation: Statutory compliance refers to state and federal laws. They cannot force a customer to stay with a cloud provider. HOwever, all the rest are problems that can lead to vendor lock in

Answer 44

B. Data Discovery Explanation: Egress monitoring has nothing to do with elasticity, metered service or satellite links. However, egress monitoring tools often feature data discovery functions

Answer 45

C. Patent Explanation: Patent are designed to protect the intellectual property of processes

Answer 46

B. Business requirements Explanation: Security controls should always be based on the needs of the business. Regulations, state laws, and best practices may all shape the business requirements but are not direct drivers themselves

Answer 47

A. Tests performed on application or software product while it being executed in memory Explanation: Dynamic application security testing is testing conducted while the application is resident in memory and being executed

Answer 48

C. Redundant ISPs Explanation: Having redundant ISPs or carriers provides the data center with protection against such external threats as DDoS international fiber cuts, and similar effects

Answer 49

A. Over-subscription Explanation: The question is the definition of over subscription. This can happen in a multi tenant environment like cloud computing if not properly managed

Answer 50

C. Dual power supplies Explanation: While having secondary redundant power supplies helps with device redundancy, it has nothing to do with device hardening. Each of the other options helps in the hardening process.

Answer 51

A. 4 Explanation: The Uptime Institute has four tiers of data center redundancy rating, with the highest being 4 and the lowest being 1

Answer 52

A. SOC 1 Explanation: The SOC 1 report is primarily for reporting on financial controls

Answer 53

A. Trade secret Explanation: A recipe that is not secret could be protected by a patent

Answer 54

A. Media present checks Explanation: Media present checks look to see if protected media is present before allowing content to be played or distributed

Answer 55

A. Data classification Explanation: Data classification is vital in egress monitoring solutions. This typically occurs at the same time of data creation

Answer 56

A. eDiscovery

Answer 57

B. Senior management Explanation: Senior management determines the risk appetite of an organization

Answer 58

B. A TPM Chip Explanation: A TPM is a security device found on an individual machine and is designed to store encryption keys securely. Options A, C and D are all features of secure KVMs

Answer 59

A. Line conditioning Explanation: Battery backups also provide a critical function in that they condition the line. What this means is that they add and suppress power curves that are a part of normal minute by minute fluctuations in volytage and amperage delivered. THis smoothing out, or conditioning, helps equipment to last much longer since it is no longer subjected to varying voltages or amps

Answer 60

A. Storing them separately from data Explanation: You never want to store encryption keys with the data they are protecting, They should always be stored on a seprate system3

Answer 61

B. Programming as a Service Explanation: Programming as a Service is not a common offering; the others are ubiquitous throughout the industry

Answer 62

C. FedRAMP Explanation: FedRAMP is a US federal program that mandates a standardized approach to security assessments, authorization and continuous monitoring of cloud products and services

Answer 63

C. Independent (private) Labs Explanation: Vendors seeking HSM certs under FIPS 140-2 send their products to independent labs that have been validated as Cryptographic Module Testing Labs under the National Voluntary Lab Accreditation Program

Answer 64

C. Strict access control mechanisms Explanation: While physical controls that inhibit movement affect personnel, they are not regarded as personnel controls. All the other options are examples of personnel controls

Answer 65

B. The vendor/manufacturer Explanation: The vendor/manufacturer of a given product will pay to have it certified, with the premise that cert costs are offset by premium prices

Answer 66

A. Be less expensive to operate securely in the production environment Explanation: When security is created as an aspect of the software itself, there is less need to acquire and apply additional security controls to mitigate the risks after deployment

Answer 67

C. OLSame Explanation: This is a nonsense term with no meaning

Answer 68

A. The basis for deciding which laws are most appropriate in a situation where conflicting laws exist Explanation: The Restatement (Second) Conflict of Law is the basis used for determining which laws are most appropriate in a situation where conflicting laws exists

Answer 69

B. Type I Explanation: A SOC Type 1 report is designed around a specific point in time as opposed to a report of effectiveness over a period of time

Answer 70

A. The amount of expected loss due to any specific single incident Explanation: The single loss expectancy is the amount of expected damage or loss from any single specific security incident

Answer 71

A. Create Explanation: Data should be labeled and classified as soon as it is created/collected. All the other options are incorrect

Answer 72

A. Never Explanation: PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multitenant environment

Answer 73

D. PaaS Explanation: PaaS is what cloud customer use when they need to rent hardware, OS, storage and network capacity over the Internet

Answer 74

D. 12 hours Explanation: The Uptime Institute dictates 12 hours of generator fuel for all cloud datacenter tiers

Answer 75

A. Payload encryption Explanation: DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer. This does not include payload encryption - confidentiality is not an aspect of DNSSEC

Answer 76

D. Internet Engineering Task Force Explanation: The IETF is an international organization of network designers and architects who work together in establishing standards and protocols for the internet

Answer 77

B. Hardware security module (HSM) Explanation:

Answer 78

A. Continuous audit trail Explanation: Capturing all relevant system events is the definition of a continuous audit trail, one of the required traits for a DRM solution of any quality.

Answer 79

C. IDS/IPS Explanation: IDSs/IPSs do not secure data, they detect attack activity

Answer 80

C. It connects physically to the specific storage area allocated to a given customer Explanation: All management functions should take palce on a highly secure, isoalted network

Answer 81

A. Automatic registration with the configuration management system Explanation: Version control can be difficult in a virtual environment because saved VMs dont receive updates. Ensuring that each VM is the correct version is a function of configuration management, and CM controls can be built into the baseline

Answer 82

D. Access to an IT environment usually via the Internet Explanation: Cloud providers offer customers access to an IT environment, usually via the Internet

Answer 83

C. Personal cloud storage Explanation: Personal cloud storage is the storage of a single users data in the cloud, allowing them access from anywhere on the Internet

Answer 84

C. Suspension of service Explanation: The cloud provider is usually allowed to suspend service to the customer if the customer fails to meet the contract requirements. This can be fatal to a customers operations and is a great motivation to make timely payments

Answer 85

B. Use Digital rights management and data loss prevention solutions widely throughout the cloud operation Explanation: DRM and DLP are used for increased authentication/access control and egress monitoring, respectively and would actually decrease portability instead of enhancing it

Answer 86

D. FEDRAMP Explanation: Federal Risk and Authorization Management Program is the US program for federal entities operating in the cloud

Answer 87

B. Encryption protocols Explanation: DHCP servers do not normally orchestrate encryption All the other options are common functions of DHCP servers

Answer 88

B. GRE Explanation: Generic route encapsulation is a tunneling mechanism, specifically designed for the purpose of tunneling

Answer 89

C. Every organization Explanation: Every organization is responsible for performing its own risk assessment for its own particular business needs. Cloud providers will not perform risk assessments on behalf of their customers

Answer 90

B. The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers Explanation: A cloud carrier is the intermediary who provides connectivity and transport of cloud services between cloud providers and cloud customers

Answer 91

D. Authentication of privileged users Explanation: Data masking does not support authentication in any way. All the others are excellent use cases for data masking

Answer 92

C. Periodic and effective use of cryptographic sanitization tools Explanation: Cryptographic sanitization is a means of reducing the risks from data remnance, not a way to minimize escalation of privilege

Answer 93

A. The cloud provider also managing the organizations keys Explanation: Cryptoshredding relies on the eventual destruction of the final keys; if keys are not under the management of the customer, they may be replicated or difficult to dispose of.

Answer 94

C. Persistence Explanation: Access rights following the object in whatever form or location it might be or move to is the definition of persistence, one of the required traits for a DRM solution of any quality

Answer 95

B. The ability of internal personnel to trigger business continuity/ disaster recovery activities Explanation: The STRIDE threat model does not deal with business continuity and disaster recovery actions. All the other options are elements of STRIDE and therefore not correct

Answer 96

D. Voice Over Internet Protocol (VoIP) conversations Explanation: Commercial DLP products that monitor speech in real time and censor conversations are not yet widely available.

Answer 97

D. Elevation of dropped ceilings Explanation: The height of dropped ceilings is not a security concern, except in action moves. The rest of the answers are all aspects of physical security that should be taken into account when planning and designing a data center

Answer 98

A. They want to enhance security by keeping information about physical layout and controls confidential Explanation: '

Answer 99

D. Function Explanation: Function is usually the functional requirement, describing what action the tool/process satisfies. All the others are nonfunctional requirements typically.

Answer 100

D. MFA Explanation: MFA offers additional protections for assets that are critical to the organization. All logins should utilize strong passwords, whether or not they are ciritcal.

Answer 101

B. International Organization Standardization (ISO) 28000:2007 Explanation: ISO 28000-2007 applies to security controls in supply chains. The others are cloud computing standards but have little to do with supply chanin management

Answer 102

D. Payment Card Industry Data Security Standard (PCI DSS) Explanation: The PCI DSS is a voluntary standard, having only contractual obligation. All the other options are statues, created by law making bodies.

Answer 103

B. Real time analytics Explanation: Real time analytics allow for reactive and pmredictive operations (such as recommending other, related products_) based on customers current and past shopping behaviors

Answer 104

A. Number of transactions per year Explanation: The four merchant levels in PCI are distinguished by the number of transactions that merchant conduct in a year.

Answer 105

A. Integrity Explanation: Integrity ensures that data has not been altered by unauthorized activity. That includes being complete and accurate

Answer 106

C. Background checks for provider personnel Explanation: The SLA wont typically include direct mention of the sorts of personnel security measures undertaken by the cloud provider.

Answer 107

D. Encryption Explanation: Encrypted data may be impossible for egress monitoring solution to read, thereby making the tool useless

Answer 108

B. Secure Sockets Layer Explanation: SSL Is encryption used in a communication session, not a storage volume. All the other options are examples of database encryption options

Answer 109

D. Your organization Explanation: The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider might be liable for financial costs related to these responsibilities, but those damages can only be recovered long after the notifications have been made by the cloud customer

Answer 110

A. Anonymization Explanation: Anonymization is the act of permanently and completely removing personal identifiers from data

Answer 111

A. Prohibitions on port scanning and pentesting Explanation: Many cloud providers prohibit activities that are common for admin and security purposes but can also be construed/used for hacking; this includes port scanning and pentesting lllllll

Answer 112

A. 1 Explanation: Option B describes another type of hypervisor; the other options are incorrect because there is no such thing as a 3 or 4 hypervisor

Answer 113

C. Deletion Explanation: While deletion is a very good way to avoid possibility of inadvertently disclosing production data in a test environment, it also eliminates the usefulness of the data set as a plausible

Answer 114

B. A tightly coupled cloud storage cluster Explanation: By definition, the tightly coupled cluster has a maximum capacity, whereas the loosely coupled cluster does not, The other options do not have a set maximum capacity and are therefore incorrect

Answer 115

B. Review all updates/lists/notifications for components your organization uses Explanation: Staying current with published vulnerability for your component is crucial. This might not be simple as there are many versions of design components and nomenclature is not always uniform

Answer 116

B. OWASP Explanation: The OWASP is a volunteer organization that devises standards and solutions for web application development. All the other options are common federation technologies

Answer 117

B. XML and open standards based Explanation: SAML is an XML based, open standard data format designed for the exchange of authentication and authorization data between parties

Answer 118

B. Criminal Explanation: Criminal law is set out in rules and statutes created by a government, prohibiting certain activities as a means of protecting the safety and well being of its citizens. Violations generally consists of both monetary and/or loss of liberty punishments

Answer 119

A. Remote kill switch Explanation: Dual control is not useful for remote access devices, because we would have to assign two people for every device, which would decrease efficiency and productivity.

Answer 120

C. Line conditioning Explanation: A UPS can provide line conditioning, adjusting power so that it is optimized for the device it serves and smoothing any power fluctuations; it does not offer any of the other listed functions

Answer 121

A. Data format type and structure Explanation: When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform agnostic data set is more portable and less subject to vendor lock in

Answer 122

A. Private Explanation:

Answer 123

B. Less believable, if the changes are not documented Explanation: All forensic processes and activity should be documented with extreme scutinity. It is very important for your actions to be documented and repeatable in order for them to remain credible.

Answer 124

A. Egress monitoring solutions Explanation: Egress monitoring tools are specifically designed to seek out and identify data sets based on content; this is part of how they operate. They can be used for or in conjunction with content base data discovery efforts. DRM is an additional access control solution for objects, so option B is incorrect

Answer 125

B. Object Storage Explanation: Object storage is a means of storing objects in a hierarchy such as a file tree. All the other options are terms used to describe cloud storage areas without file structures

Answer 126

D. Practice a restore from backup Explanation: There is no way to know if the backup actually serves the purpose until the organization tests a restoration. The other options are all backup options but do not actually demonstrate whether the backup is suitable for the business continuity and disaster recovery requirements

Answer 127

D. Data recovery procedures Explanation: All of the elements listed are important aspects of the data retention policy. However, using proper data retrieval procedures is the one without which all the others may become superfluous.

Answer 128

C. Human Resource Explaniation: Identification of personnel is usually verified during the hiring process, when HR checks identification documents such as passports or birth certs to confirm the applicants identity, often as part of a tax registration

Answer 129

C. Service model, deployment model Explanation: in order for developers to properly create and secure applications, they will need to understand the extent of resource sharing and level of control

Answer 130

A. Data format and type Explanation: In order to use the archive for recovery, the data needs to be of a format and type that can be utilized by the organizations system and environment. Saving data in the wrong format can be equivalent to losing the data

Answer 131

A. Each organization Explanation: In a web of trust federation model, all of the participating organizations are identity providers; each group will assign identity credentials to its own authorized users, and all the other organizations in the federation will accept those credentials

Answer 132

A. The production team Explanation: In DevOps, the programmers continually work in close conjunction with the production team to ensure that the project will meet their needs

Answer 133

D. Tight gaskets Explanation: When cables come up through a raised floor used as a cold air feed, we do not want cold air bleeding around the cables in an unplanned manner; this can cause inefficiencies in airflow control.

Answer 134

B. Sharing account credentials between users and services Explanation: Users sharing account credentials is fairly common practice and one that can lead to significant misuse of the organizations resources and greatly increase risk to the organization.

Answer 135

C. Some risk to availability, depending on the implementation Explanation: Ironically, data dispersion can lead to some additional risk of loss of availabilty, depending on the method/breadth of the dispersion. If the data is spread across multiple cloud providers, there is a possibility that an outage at one provider will make the data set unavailable to users, regardless of location

Answer 136

D. Inaccurate or incomplete Explanation: A data discovery effort can only be as effective as the veracity and quality of the data it addresses. Bad data will result in ineffective data discovery. All the other answers do not impact data discovery efforts and are only distractors.

Answer 137

D. System and Organization Controls (SOC) reports Explanation: SOC reports are the audit reporting mechanisms dictated by SSAE 18. SOX is a federal law targeting publicly traded corporations in the US.

Answer 138

D. Secure Destruction

Answer 139

D. Community Explanation

Answer 140

A. AWS Explanation:

Answer 141

C. Sandboxing Explanation: Sandboxing allows software to be run in an isolated environment, which can aid in error detection

Answer 142

A. Define Explanation: The earlier security inputs are included in the project, the more efficient and less costly security controls are overall. The Define phase is the earliest part of the SDLC.

Answer 143

A. Store Explanation: The Cloud Secure Data Life cycle phases are in order Create, Store, Use, Share, Archive, Destroy

Answer 144

D. Source Code Explanation: In SAST, testers review the source code of an application in order to determine security flaws and operational errors

Answer 145

A. Vulnerability assessments and pentesting Explanation: Once the system is deployed operationally, continuous security monitoring including periodic vulnerability assessments and pentesting, is recommended. All the other options are security functions that should take place in phases prior to the systems deployment

Answer 146

A> Most of the cloud customers interaction with resources will be performed through APIs Explanation: Because a significant percentage of cloud customer interactions with the cloud environment will utilize APIs, the threat of insecure APIs is of great concern in cloud computing.

Answer 147

A. Business, security Explanation: Tracking and monitoring personnel training is absolutely vital in order to demonstrate regulatory requirements

Answer 148

C. SOC 1 Explanation: The SOC 1 audit report is not for security controls; it is for financial reporting controls.

Answer 149

D. Chile Explanation: Chile does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do

Answer 150

D. Signing a personal check Explanation: The check involves

Answer 151

D. Randomization Explanation: Firewalls do use rules, behavior and/or content filtering in order to determine which traffic is allowable.

Answer 152

C. VMs located physically in one location but operating in different time zones Explanation: If patches are rolled out across an environment where users are operating virtual machine at different times, there is a possibility that VMs will not be patched in uniform, which could lead to data disruption

Answer 153

D. The grating of right of access to a user, program or process Explanation: Authorization is the granting of right of access to a user, program or process. All the other options are related to authentication

Answer 154

C. The concept of keeping information secret from anyone other than someone with authorized access Explanation: Confidentiality refers to the concept of keeping info secret from anyone other than someone with authorized access

Answer 155

D. Exhaust fans on racks facing exhaust fans on other racks Explanation: The preferred methid is cold aisle containment (hot aisle containment, where the inlets on racks face each other is all right too.

Answer 156

C. Does not spoil Explanation: Liquid propane does not spoil, which obviates necessity for continually refreshing and restocking it and might make it more cost effective

Answer 157

C. SSO allows a user to access multiple applications with a single set of creds for authentication and authorization Explanation: SSO allows a user to access multiple applications with a single set of credentials for authentication and authorization

Answer 158

D. The cloud customer Explanation: While the determination of what sorts of data need to be protected may come from external sources, the classification of data for each data owner/cloud customer will be specific to that entity

Answer 159

B. The brand or vendor of the cloud providers audit or logging tool Explanation: All the answers are processes or elements that should be included in the security operations procedures except for option B; the cloud customer will not get to select, or probably even know, what tools and devices the cloud provider has put into place, so this will not be included in the customers procedures

Answer 160

D. To determine whether the user is still performing well Explanation: Job performance is not a germance aspect of account review and maintenance; that is a management concern, not an access control issue.

Answer 161

C. Trademark Explanation: Logos and symbols and phrases and color schemes that describe brands are trademarks

Answer 162

C. Cold Explanation: Cold air is usually put through raised flooring because warm air naturally raises and using the riases flooring to conduct warm air would require an unnecessary and inefficient expenditure of energy

Answer 163

B. Vulnerability Signatures Explanation: Vulnerability scans use signatures of known vulnerabilities to detect and report those vulnerabilities. Scans do not typically require admin access to function; option A is incorrect

Answer 164

A. Allows a single user to authenticate using a process that then allows access across multiple IT systems or even orgs Explanation: Federated SSO allows users to authenticate once but then be granted access to resources of other federated organizations within the federation

Answer 165

C. The average time it takes to repair a device that has failed or is in need of repair Explanation: Mean time to repair (MTTR) is the time required to repair a device that has failed or is in need of repair. The term mean indicates the average time as opposed to the actual or past exerpiences

Answer 166

D. Value of data Explanation: The value of data itself has nothing to do with it being considered part of contractual Personally Identifiable Information (PII) even though it may have value associated with it

Answer 167

C. Hard drives Explanation: While hard drives may be useful in the kit, they are not necesarrily required. All the other items should be included.

Answer 168

D. US Federal Agencies Explanation US federal entities are prohibited from using cryptosystems that are not compliant with FIPS 140-2

Answer 169

D. SSDs Explanation: SSDs are currently the most efficient and durable storage technology, so cloud providers will favor them.

Answer 170

C. Authorization Explanation:

Answer 171

D. Availability Explantion: The ENISA Top 8 Security Risks of Cloud Computing does not include availability, even though it is certainly a risk that could be realized

Answer 172

C. Used to describe a profitability ratio Explanation: Return on investment is a term used to describe a profitiability ratio. It is generally calculated by dividing net profit by net assets

Answer 173

C. Cash Explanation: Although cash is important for a business to function in general, it is not one of the critical BCDR assets, which include personnel, systems and data

Answer 174

A. Extensible Markup Language (XML) Explanation: Security Assertion Markup Language is based on XML. HTTP us used for port 80 web traffic; HTML is used to present web pages. ASCII is the universal alphanumeric characterc set

Answer 175

A. Loss of governance, snapshot and image security and sprawl Explanation: The primary risks associated with virtualization are loss of governance, snapshot and image security and sprawl. Options B and C are incorrect. Public awareness and increased costs are not risks associated with virtualization.

Answer 176

B. Homomorphic encryption Explanation:

Answer 177

B. SOC 2, Type 1 Explanation: This is what a SOC 2, Type 1 report is for. The SOC 1 is for financial reporting; the SOC 2, Type 2 is to review the implementation (not design) of controls; and the SOC 3 is just an attestation that an audit was performed. All these options are incorrect

Answer 178

A. Metered service Explanation: Metered service allows cloud customers to minimize expenses and only pay for what they need and use this has nothing to do with BCDR

Answer 179

B. Automatic or manual Explanation: An organization could implement an automated tool that assigns labels based on certain criteria (location of the source of the data, time, creator, content etc) much like metadata, or the organization could require that data creators/collectors assign labels when the data is first created/collected, according to a policy that includes discrete, objective classification guidance

Answer 180

A. Do not use customer authentication schemes Explanation: Authentication schema should be transparent to users, who will have little or no control over that element of communication.

Answer 181

D. Combination of open source and proprietary Explanation: Using multiple forms of code review will produce more secure results than any one form of review

Answer 182

D. More often than regular user account reviews Explanation: There is no specific rule for the timeliness of privileged user account reviews. However, as a matter of course, privileged user accounts should be reviewed more often than the accounts of regular users because privileged users can cause more damage and therefore entail more risk

Answer 183

B. Static discharge Explanation: A datacenter with less than optimum humidity can have a higher static electricity discharge rate. Humidity has no bearing on breaches or theft and inversion is a nonsense term used as a distraction

Answer 184

B> Firewall Explanation: A firewall is a type of network device that allows only authorized traffic to flow across its interfaces

Answer 185

D. Print spooling Explanation: Print spooling is not a metric for system performance; all the rest area

Answer 186

B. BCP/DR/COOP Explanation: CABs dont usually offer BCP/DR/COOP services; thats something typically offered by cloud providers

Answer 187

B. Backdoors Explanation: Backdoors are a particularly prevalent risk in software development because programmers legitimately use backdoors for ease of use and speed of delivery but may mistakenly or even purposefully leave the backdoors in

Answer 188

B. A testbed/sandbox Explanation: Cloud customers can test different hardware/software implementations in the cloud without affecting production environment and use this information to make decisions before investing in particular solutions

Answer 189

D. Auditability Explanation:

Answer 190

C. Vendor guidance Explanation: While it is important to follow internal policy, industry standards and regulations when they are applicable, vendor guidance will most often offer the most detailed, specific settings for the particular

Answer 191

A. Use limitation principle Explanation: The use limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict the use of that PII to that which was permitted by the data subject and the reason given when it was collected

Answer 192

D. Less detailed audit trail Explanation: If anything, the audit trail for privileged users should be more detailed than that for regular users. All the other options are recommended techniques for privileged user management

Answer 193

D. Access Explanation: Federation allows users from multiple member organizations to access resources owned by various members. All the other answers are simply not correct

Answer 194

B. Inadvertent disclosure Explanation: DLP Solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure

Answer 195

D. Common Criteria Explanation: This is a framework for reviewing product security functions, as stated by the vendor

Answer 196

C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption Explanation: Technically, BC efforts are meant to ensure that critical business functions can continue during a disruptive event and DR efforts are supported to support the return to normal operations. However, in practice, efforts often coincide, use the same plans/personnel and have many of the same procedures

Answer 197

D. Long enough to perform a graceful shutdown of the data center systems Explanation: Traditionally, it would be optimum if the UPS latest as long as necessary until the generator is able to resume providing the electrical load that was previously handled by utility power.

Answer 198

A. Have another full backup of the production environment stored prior to the test Explanation: A full test will involve both the production environment and the backup data it is possible to create an actual disaster during a full test by ruining the availability of both. Therefore, it is crucial to have a full backup, distinct from the BCDR backup, in order to roll back from the test in case something goes horribly wrong

Answer 199

B. For high risk operations and data that is particularly sensitive Explanation: MFA should be considered for operations that have a significant risk or that deal with highly sensitive data

Answer 200

D. Magnetic swipe cards Explanation; The data on magnetic swipe cards isnt usually encrypted

Answer 201

B. Customer provides administration on behalf of the provider Explanation: The customer does not administer on behalf of the provider

Answer 202

A. SLA Explanation: The SLA is a formal agreement between two or more organizations that may or may not contain incentives or penalties. The primary use of the SLA is to determine if the provider is in fact providing services being purchased

Answer 203

B. Isolation failure Explanation: In the traditional environment, when all resources are owned, controlled and used by the organizations personnel, loss of isolation will only expose data to other members of the organization; isolation failure in the cloud enivronment may expose data to people outside the organization; a more significant impact

Answer 204

C. Availability issues prevent productivity in the cloud Explanation: If users cant access the cloud provider, then the operational environment is, for all intents and purposes, useless. DoS attacks that affect avaialbility of cloud services are therefore a great concern

Answer 205

B. Demonstrating due dilligence Explanation: Applying vendor configurations is an excellent method for demonstrating due dilligence in IT security efforts. Always remember that proper documentation of the action is also necessary.Cry

Answer 206

B. Two Explanation: The proper procedure for cryptoshredding requires two cryptosystems; one to encrypt the target data; the other to encrypt result data encryption keys

Answer 207

C. Civil suit Explanation: Intellectual property disputes are usually settled in civil court, as a conflict among private parties. Because there was no agreement between your company and the competitor in question, there is no contract, so no breach of contract dispute is perinent.

Answer 208

D. AES Explanation: AES is currently used to encrypt and protect US government sensitive and secret data.

Answer 209

C. Segmenting networks Explanation: Network segmentation allows providers to create zones of trust within the cloud environment, tailoring the available services to meet the needs of a variety of clients and markets

Answer 210

B. VM Sprawl Explanation: Because the cost of creating new instances in the cloud environment is transparent to many users/offices, there is a significant likelihood that users/officers will create many new virtual machine instances without the knowledge/oversight of management

Answer 211

A. Accurate data categorization Explanation: DLP tools need to be aware of which information to monitor and which requires categorization DLPs can be implemented with or without physical access or presence.

Answer 212

B. 2 Explanation: Level 2 of the CSA STAR program requires third party assessments of the provider

Answer 213

A. The customer absorsbs the cost Explanation: The customer will have to pay for the costs of modification requested by the customer, regardless of the purpose. The provider does not absorb the cost whgen the customers requests a modification of the SLA.

Answer 214

C. The individual must be able to request a purge of their data Explanation: This is an aspect of the EU legislation, known colloquially as the right to be forgottenn

Answer 215

A. In the application accessing the database Explanation: The application contains the encryption engine used in application level encryption. The OS is responsible for providing the resources an application needs and for running the applications

Answer 216

B. A PLA would force the provider to accept more liability Explanation: Under current laws and regulations, ultimate liability for the security of privacy data rests on the data controller, aka the cloud customer

Answer 217

D. Conflation Explanation

Answer 218

C. Select an appropriate recovery time objective Explanation: The RTO must always be less than the MAD

Answer 219

D. Lower costs for the environment Explanation: Stand alone hosting will cost more than pooled resources and multitenancy

Answer 220

B. ONF Explanation: An Organization Normative Framework (ONF) is a framework of so called containers of application security best practices catalogued and leveraged by the organization and contains at least one or more subcomponents known as application normative frameworks

Answer 221

C. Privileged Users Explanation: The only the most trusted administrators and managers will have access to the cloud data centers management plane. These will usually be cloud provider employees, but some cloud customer personnel may be granted limited access to arrange their organizations cloud resources

Answer 222

C. Use another cloud provider for the BCDR backup Explanation: It is best to have your backup at another cloud provider in case whatever causes an interruption in service occurs throughout your primary providers environment; this will be more complicated and expensive, but it provides the best redundancy and resiliency

Answer 223

D. 4 Explanation: Because the nature of a life support effort requires absolute availability, nothing less than a Tier 4 data center will serve your purposes. All the other options are incorrect

Answer 224

C. It may deplete the earths ozone layer Explanation: FM 200 is used as a replaement for older Halon systems specifically because it does not deplete the ozone layer

Answer 225

C. Organizational policies Explanation: Organizational policies dictates rules for access entitlement.

Answer 226

B. The administration/support staff building Explanation: Administrative and suport staff are usually not part of the critical path of a data center; they are nonfunctional requirement elements, not functional requirements

Answer 227

D. Location of many datacenters Explanation: The location of many datacenters - rurally situated, distant from metro areas - may create challenges for finding multiple power utility providers and ISPs

Answer 228

B. Signed nondisclosure agreements Explanation: Having the test participants provide signed NDAs is an absolutely essential part of this process

Answer 229

D. Resource exhaustion Explanation: It is possible that a cloud provider will be unable to handle an increased load during contingency situations where all its customers are demanding additional resources far beyond their usual contracted rate

Answer 230

D. Mantrap structures Explanation: Usually, mantrap areas control access to sensitive locations within a facility, not an entrace to the facility.

Answer 231

D. RAID Explanation: Redundant array of indepedent disks is a way of using a group of smaller and usually less expensive disks as opposed to a single large disk.

Answer 232

B. The cloud customer Explanation: In IaaS model, the provider is only responsible for provisioning the devices and computing/storage capacity; the customer is responsible for everything else, including the security of the applications

Answer 233

D. Copyright Explanation: DRM is often deployed to ensure that copyrighted material is only delivered to and used by licensed recipients

Answer 234

C. BUsiness requirements Explanation: Seciroty is usually not a profit center; and is therefore beholden to business drivers; the purpose of security is to support the business

Answer 235

B. Not stored with the cloud provider Explanation: Cryptographic keys should not be stored along with the data they secure, regardless of the length.

Answer 236

D. AICPA Explanation: The American Institute of Certified Public Accountants publishes the SSAE 18 standard. NIST is a US government entity that publishes many standards for federal agencies

Answer 237

D. Threat modeling Explanation: Threat modeling is used specifically to identify points of vulnerability in order to implement countermeasures as part of the overall system protection activity

Answer 238

D. ALE Explanation: The term that best describes the amount an organization should expect to lose on an annual basis due to one type of incident is ALE and is calculated by multiplying the ARO by SLE

Answer 239

C. Checklist Explanation: Checklists serve as a reliable guide for BC/DR activity and should be straightforward enough to use that someone not already an expert or trained in BC/DR response could ostensibly accomplish the necessary tasks.

Answer 240

B. Luring attackers Explanation: It is important to distinguish the purpose of the honeypot. It is not for luring in attackers; a lure is an invitation, and inviting an attack decreases the organizations ability to have the attacker prosecured or conduct successful litigation against the attacker

Answer 241

A. Simplifying regulatory compliance Explanation: The CSA CCM will aid you in selecting and implementing appropriate controls for various regulatory frameworks. The CCM does not aid in collecting log files; that is the function of a SIEM

Answer 242

C. 3 Explanation: Tier 3 should probably suffice for Bobs purposes; providing sufficient redundancy and resiliency

Answer 243

B. The dollar value of the asset Explanation: The monetary value of the asset is the most objective, discrete metric possible and the most accurate for the purposes of SLE determination

Brainscape's Knowledge GenomeTM

LearnZapp Practice 1 Flashcards

Brainscape's Knowledge Genome^TM