LearnZapp Practice 2 Flashcards

1
Q

Which of the following poses a secondary risk?

A. Fire exit signs
B. Oxygen displacing fire suppression
C. Automated fire detection systems
D. Failsafe fire egress paths

A

B. Oxygen displacing fire suppression

Explanation:
A secondary risk is any risk that results from enacting a control or countermeasure against the original risk. Here, a suppression system that displaces oxygen mitigates the fire risk but introduces a new one: it can asphyxiate anyone still in the protected space, which is why such systems need pre-discharge alarms and egress time.

2
Q

Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations?

A. Cross training
B. Metered usage
C. Proper placement of HVAC temperature measurement tools
D. Raised floors

A

A. Cross training

Explanation:
Cross training attenuates the loss of contingency capabilities by ensuring personnel will be able to perform essential tasks even if they are not primarily assigned to those positions in a full-time capacity. Metered usage is a benefit for cloud customers associated with ensuring value for payment, not resiliency. HVAC sensor placement and raised floors affect the physical plant, not functional capability during contingency operations.

3
Q

Which of the following is a tool that can be used to perform security control audits?

A. Federal Information Processing Standard (FIPS) 140-2
B. GDPR
C. ISO 27001
D. CSA CCM

A

D. CSA CCM

Explanation:
The CSA Cloud Controls Matrix (CCM) is a control framework that maps cloud security controls to other standards and regulations, which makes it a practical tool for auditing whether a control set is complete and where controls are duplicated. FIPS 140-2 is a cryptographic module standard, GDPR is a regulation, and ISO 27001 is a management-system standard you certify against; none of them is an audit tool in itself.

4
Q

Which of the following characteristics is associated with DRM solutions?

A. Automatic expiration
B. Multilevel aggregation
C. Enhanced detail
D. Broad spectrum

A

A. Automatic expiration

Explanation:
Automatic expiration is the trait that allows DRM tools to prevent access to objects when a license expires, or to remove protections when intellectual property moves into the public domain.

5
Q

Which of the following architecture frameworks was designed for service delivery entities, from the perspective of how they serve customers?

A. SABSA
B. ITIL
C. COBIT
D. TOGAF

A

B. ITIL

Explanation:
ITIL was specifically designed for IT service management: it describes how a service delivery entity should plan, deliver and support services for its customers. SABSA is a security architecture framework, TOGAF an enterprise architecture framework, and COBIT an IT governance framework.

6
Q

When you are accessing an electronic storage file for forensic purposes, it is a best practice to use _______

A. Gloves
B. A trusted computing base
C. Sysadmin access
D. A write blocker

A

D. A write blocker

Explanation:
It is important that any changes to the data be made only in purposeful, specific ways; a hardware or software write blocker ensures that mounting or examining the storage does not make extraneous changes to the evidence. Hashing the media before and after acquisition, and working from the verified image rather than the original, supports the same goal.

7
Q

Alice is staging an attack against Bob's website. She has discovered that Bob has been storing cryptographic keys in a way that violates confidentiality and access controls. This is an example of which type of attack?

A. SQL Injection
B. Buffer overflow
C. Using components with known vulnerabilities
D. Security misconfiguration

A

D. Security misconfiguration

Explanation:
This is most likely a security misconfiguration: cryptographic keys must never be disclosed, because once the key is exposed the cryptosystem provides no protection at all.

8
Q

Clustering hosts allows you to do all the following except:

A. Meet high availability demands
B. Optimize performance with load balancing
C. Enhance scalability
D. Apply updates, patches or configuration modifications instantly

A

D. Apply updates, patches or configuration modifications instantly

Explanation:
Clustering does not remove the time and diligence needed to test and perform patching or updates; what it does allow is rolling updates, where nodes are patched one at a time while the rest keep serving. All the other options are attributes provided by host clustering.

9
Q

What element of credit card holder information may never be stored for any length of time, according to the PCI DSS?

A. The full credit card number
B. The card verification value
C. The cardholder's mailing address
D. The cardholder's name

A

B. The card verification value

Explanation:
The PCI DSS prohibits storing the card verification value (CVV, the three- or four-digit code printed on the card) after authorization, even in encrypted form; it may be used only during the payment transaction and must not be saved. The full card number (PAN), by contrast, may be stored as long as it is rendered unreadable, for example by strong encryption, truncation or tokenization.

10
Q

Which of the following is not an element of the identification component of IAM?

A. Provisioning
B. Management
C. Discretion
D. Deprovisioning

A

C. Discretion

Explanation:
Discretion is not an element of IAM. Provisioning, management and deprovisioning of identities are the core activities of the identification component.

11
Q

What is the term that describes the situation when a malicious user or attacker can exit the restrictions of a virtual machine and access another VM residing on the same host?

A. Host Escape
B. Guest Escape
C. Provider Exit
D. Escalation of privileges

A

B. Guest Escape

Explanation:
The question describes a guest escape (also called a VM escape): the attacker breaks out of the guest's isolation and reaches the hypervisor or other guests on the same host. A host escape is the next step outward, from the host into the provider's wider infrastructure.

12
Q

The OWASP Top Ten list sometimes includes missing function level access control. Which of these is a technique to reduce the potential for a missing function level access control?

A. Run a process as both a regular user and a privileged user, compare results, and determine similarity
B. Run automated monitoring and audit scripts
C. Include browser buttons/navigation elements to secure functions
D. Enhance user training to include management personnel

A

A. Run a process as both a regular user and a privileged user, compare results, and determine similarity

Explanation:
The method in option A will show you whether regular users can reach functions that should be restricted to privileged users, and thereby demonstrate that necessary access controls are missing. Hiding the buttons (option C) is not a control, because the underlying requests can still be sent directly.
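The differential test from option A, written out as an added example (it is not part of the flashcard source). The application, its endpoints and its authorization table are constructed for illustration: one admin endpoint has been given a deliberately missing role check so the harness has something to find.

```python
# Added example (not from the flashcard source): differential access testing
# for missing function-level access control. The application, its endpoints
# and its authorization table below are constructed for illustration.
from typing import Callable, Dict, Iterable, List, Set

# What the running application actually enforces: endpoint -> roles it admits.
# "/admin/export" is the planted defect: its handler never checks the role.
ACTUAL_ACL: Dict[str, Set[str]] = {
    "/home": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/export": {"user", "admin"},   # missing function-level check
    "/admin/settings": {"admin"},
}

# What the design says: endpoints that must be reachable only by admins.
INTENDED_ADMIN_ONLY: Set[str] = {"/admin/users", "/admin/export", "/admin/settings"}


def fake_request(role: str, path: str) -> int:
    """Stand-in for an HTTP call made with a session of the given role.

    Returns an HTTP-style status code. A real harness would replace this with
    two authenticated HTTP sessions, one per role, hitting the same paths.
    """
    if path not in ACTUAL_ACL:
        return 404
    return 200 if role in ACTUAL_ACL[path] else 403


def find_missing_function_level_controls(
    paths: Iterable[str],
    request: Callable[[str, str], int],
    admin_only: Set[str],
    low_role: str = "user",
    high_role: str = "admin",
) -> List[str]:
    """Probe every path as both roles and report admin-only paths that the
    low-privilege role can also reach (both roles get 200 where only the
    high-privilege role should)."""
    findings: List[str] = []
    for path in paths:
        low_status = request(low_role, path)
        high_status = request(high_role, path)
        if path in admin_only and high_status == 200 and low_status == 200:
            findings.append(path)
    return findings


if __name__ == "__main__":
    for hit in find_missing_function_level_controls(ACTUAL_ACL, fake_request, INTENDED_ADMIN_ONLY):
        print(f"MISSING ACCESS CONTROL: {hit} is reachable as a regular user")
```

The comparison is against the intended design, not against what the admin session sees alone: an endpoint both roles can reach is only a finding when the design says it should be admin-only, so the list of intended restrictions has to come from the application's specification rather than from the application itself.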

13
Q

The EU GDPR addresses performance by _______________

A. Data subjects
B. Data controllers
C. Data processors
D. Data controllers and processors

A

D. Data controllers and processors

Explanation:
The GDPR describes requirements for data collection by, and transfers to, both data controllers and data processors; each role carries direct obligations under the regulation.

14
Q

An API gateway can typically offer all of the following capabilities except _______

A. Rate limiting
B. Access control
C. Hardware confirmation
D. Logging

A

C. Hardware confirmation

Explanation:
Hardware confirmation is a meaningless term in this context. Rate limiting, access control (authenticating and authorizing API calls) and logging are standard API gateway functions.

15
Q

Which of the following can be included in the cloud security architecture as a means to identify and reject hostile SQL commands?

A. WAF
B. API Gateway
C. DLP
D. DAM

A

D. DAM

Explanation:
A database activity monitor (DAM) inspects traffic to the database and can recognize and block malicious SQL statements. A WAF also filters SQL injection payloads in HTTP requests, but the DAM is the control built specifically for SQL and the one sitting closest to the database.

16
Q

You are the security manager for an online marketing company. Your company has recently migrated to a cloud production environment and has deployed a number of new cloud-based protection mechanisms offered by both third parties and the cloud provider, including DLP and SIEM solutions. After one week of operation, your security team reports an inordinate amount of time responding to potential incidents that have turned out to be false positive reports. Management is concerned that the cloud migration was a bad idea and that it is too costly in terms of misspent security effort.

What do you recommend?

A. Change the control set so that you use only security products not offered by the cloud provider
B. Change the control set so that you use only security products offered by cloud provider
C. Wait three weeks before making a final decision
D. Move back to an on premises environment as soon as possible to avoid additional wasted funds and effort

A

C. Wait three weeks before making a final decision

Explanation:
Many security solutions, particularly DLP and SIEM tools, require a tuning period as they learn the normal data flows and event baselines of a new environment; false-positive rates typically fall once rules and thresholds are adjusted to the new data sources.

17
Q

Due to their reliance on vulnerability signatures, vulnerability scanners will not detect ___________

A. User error
B. Improper control selection
C. Cloud vulnerabilities
D. Unknown vulnerabilities

A

D. Unknown vulnerabilities

Explanation:
Because scanning tools match against known vulnerability signatures, an unknown (zero-day) vulnerability in the scanned system will not be detected; for the same reason scanners tend to miss logic flaws and misconfigurations that have no signature.

18
Q

Which federal standard is for the accreditation of secure and well architected cryptographic modules produced by private sector vendors?

A. FIPS 120
B. ISO 27002
C. COBIT
D. FIPS 140-2

A

D. FIPS 140-2

Explanation:
FIPS 140-2 is the US federal standard for validating secure and well-architected cryptographic modules produced by private-sector vendors who seek to have, or are in the process of having, their solutions certified for US government use. It has since been superseded by FIPS 140-3, which is now the basis for new validations.

19
Q

In which of these options does the encryption engine reside within the application accessing the database?

A. Transparent encryption
B. Symmetric key encryption
C. Application level encryption
D. Homomorphic encryption

A

C. Application level encryption

Explanation:
In application-level encryption, the application encrypts data before it is written to the database, so the encryption engine lives in the application rather than in the database. In transparent encryption the database engine encrypts the data at rest itself, so the application never sees the keys.

20
Q

Why are PaaS environments at a higher likelihood of suffering backdoor vulnerabilities?

A. They rely on virtualization
B. They are often used for software development
C. They have multitenancy
D. They are scalable

A

B. They are often used for software development

Explanation:
PaaS environments are attractive for software development because they allow testing of software on multiple operating systems administered by the cloud provider. Development code frequently contains debugging hooks, hard-coded credentials or test bypasses, and if those are not removed before release they become backdoor vulnerabilities.

21
Q

Which of the following techniques for ensuring cloud datacenter storage resiliency uses encrypted chunks of data?

A. Cloud bursting
B. RAID
C. Data dispersion
D. SAN

A

C. Data dispersion

Explanation:
Data dispersion uses parity bits, data chunks and encryption. Parity bits and disk striping are characteristic of RAID implementations. Cloud bursting is a feature of scalable cloud hosting. A SAN is a data storage technique, but not one focused on resiliency.

22
Q

Event monitoring tools SIEM/SEM can aid in which of the following efforts?

A. External hacking detection
B. Prediction of physical device theft
C. Data classification/categorization issues
D. Social engineering attacks

A

A. External hacking detection

Explanation:
Event monitoring tools can help detect external hacking efforts by tracking and reporting on common attack-related activity, such as repeated failed login attempts and port scanning.
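The kind of correlation a SIEM performs on the "repeated failed login attempts" signal, as an added example that is not part of the flashcard source. The log format, the source addresses, the threshold and the time window are all assumptions constructed for this illustration; a real deployment would take the format from its own log pipeline.

```python
# Added example (not from the flashcard source): a SIEM-style detection run
# over constructed authentication log lines. The log format, thresholds and
# addresses are assumptions made for this illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: "
    r"(?P<result>FAILED|SUCCESS) login for (?P<user>\S+) from (?P<src>[\d.]+)$"
)

# Constructed sample: one source trying several accounts in quick succession,
# one source with two widely spaced failures (an ordinary typo, not an attack).
SAMPLE_LOG = """\
2024-05-01 10:00:01 auth: FAILED login for alice from 203.0.113.5
2024-05-01 10:00:03 auth: FAILED login for alice from 203.0.113.5
2024-05-01 10:00:04 auth: FAILED login for bob from 203.0.113.5
2024-05-01 10:00:06 auth: FAILED login for carol from 203.0.113.5
2024-05-01 10:00:07 auth: FAILED login for dave from 203.0.113.5
2024-05-01 10:00:09 auth: SUCCESS login for dave from 203.0.113.5
2024-05-01 10:05:00 auth: FAILED login for alice from 198.51.100.7
2024-05-01 10:20:00 auth: FAILED login for alice from 198.51.100.7
"""


class AuthEvent(NamedTuple):
    ts: datetime
    result: str
    user: str
    src: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse lines matching LOG_RE; lines in any other format are skipped."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                    m["result"], m["user"], m["src"]))
    return events


def detect_failed_login_bursts(
    events: List[AuthEvent], threshold: int = 5, window: timedelta = timedelta(minutes=1)
) -> Dict[str, Tuple[datetime, int]]:
    """Sliding window per source address.

    Raises one alert per source the first time `threshold` or more FAILED
    logins from it fall inside `window`. The alert records when the threshold
    was crossed and how many distinct accounts were targeted within the
    window: a high count points to password spraying rather than one user
    mistyping a password.
    """
    recent: Dict[str, Deque[AuthEvent]] = defaultdict(deque)
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result != "FAILED":
            continue
        q = recent[ev.src]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev.src not in alerts:
            alerts[ev.src] = (ev.ts, len({e.user for e in q}))
    return alerts


if __name__ == "__main__":
    for src, (when, users) in detect_failed_login_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {when}: {src} exceeded the failed-login threshold ({users} accounts targeted)")
```

The success at 10:00:09 right after the burst is the line an analyst should look at first: the same source that failed against four accounts then logged in as dave, which is exactly the sequence a SIEM correlation rule (burst of failures followed by a success from the same source) is written to surface.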

23
Q

WAFs can be used to reduce the likelihood that _________ attacks will be successful

A. Social Engineering
B. Physical Theft
C. Obverse inflection
D. Cross Site Scripting

A

D. Cross Site Scripting

Explanation:
WAFs can be used to attenuate the possibility that cross-site scripting attacks will be successful, by inspecting HTTP requests and responses for script injection patterns. WAFs do not protect against social engineering or physical attacks in any way, so options A and B are incorrect.
Option C is a nonsense term and is therefore incorrect.

24
Q

In addition to having it for business continuity and disaster recovery purposes, data archiving might also be useful for ________

A. Ensuring profitability
B. Increasing performance
C. Motivating users
D. Correcting accidental errors

A

D. Correcting accidental errors

Explanation:
If users inadvertently erase or modify data, an archived backup copy could be useful for restoring the original, correct version

25
Q

A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls:

A. Can lead to data breaches
B. Causes electromagnetic interference
C. Will affect quality of service
D. Can cause regulatory non compliance

A

C. Will affect quality of service

Explanation:
Security and operations tend to be inversely related: every control adds latency, friction or cost, so excessive controls degrade performance and quality of service. Excessive controls should not lead to more data breaches; if anything they reduce their likelihood, though most likely they have no effect on breach rates either way.

26
Q

What are the activities involving the generation, storage, distribution, deletion, archiving, and application of keys in accordance with a formal security policy?

A. Key management
B. Security management
C. Application management
D. SDLC

A

A. Key management

Explanation:
These are all activities associated with encryption key management and are critical for the safety and security of key usage

27
Q

Where is isolation failure probably least likely to pose a significant risk?

A. Public cloud
B. Private cloud
C. PaaS Environment
D. SaaS environment

A

B. Private cloud

Explanation:
Guest escape is less likely to occur, and less likely to have a significant impact, in an environment provisioned for and used by a single customer: there are no other tenants' workloads on the same hosts for an escaped attacker to reach.

28
Q

Data dispersion uses ________, where the traditional (RAID) implementation is called striping

A. Chunking
B. Vaulting
C. Lumping
D. Grouping

A

A. Chunking

Explanation:
Where RAID uses data striping across multiple drives, with data dispersion the same technique is referred to as chunking, or sometimes sharding when encryption is also used.

29
Q

You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. What should you not expect the tool to address?

A. Sensitive data sent inadvertently in user emails
B. Sensitive data captured by screenshots
C. Sensitive data moved to external devices
D. Sensitive data in the contents of files sent via FTP

A

B. Sensitive data captured by screenshots

Explanation:
It is unlikely that an egress monitoring (DLP) tool will be able to detect sensitive data captured, stored and/or sent as graphic image files, which is the usual form of screenshots: DLP inspects text content, and data inside an image is opaque to it unless the product performs OCR.

30
Q

Which of the following can enhance data portability?

A. Interoperable export formats
B. Egress monitoring solutions
C. Strong physical protections
D. Agile business intelligence

A

A. Interoperable export formats

Explanation:
Data formatted in a manner that allows its reuse in other environments is essential for portability. None of the other options are relevant to the issue of data portability

31
Q

You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following methods could be used to determine if your ownership rights were violated?

A. Physical surveillance of their property and personnel
B. Communications tapping of their offices
C. Code signing
D. Subverting insiders

A

C. Code signing

Explanation:
Digitally signing software code, with a trusted timestamp, produces verifiable evidence of who produced a given version and when, which can be used to establish original ownership in an intellectual property dispute. The other options are either unlawful or unethical and would undermine your own position.

32
Q

When a program's source code is open to review by the public, what is that software called?

A. Freeware
B. Malware
C. Open source
D. Shareware

A

C. Open source

Explanation:
Open source software includes programs where customers (or even the public) can view the software's source code.

33
Q

The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) guidelines for internal environmental conditions within a data center suggest that a temperature setting of _______ degrees (F) would be too high

A. 93
B. 80
C. 72
D. 32

A

A. 93

Explanation:
The range recommended by ASHRAE Technical Committee 9.9 is 64 to 81 degrees Fahrenheit (18 to 27 degrees Celsius). All the other options are distractors; 32 degrees would be far too cold, not too hot.

34
Q

To optimize airflow within a data center according to industry standards, a raised floor used as an air plenum must have at least _______ of clearance

A. One foot
B. One meter
C. 24 inches
D. 30 inches

A

C. 24 inches

Explanation:
The industry standard is 24 inches of clearance beneath a raised floor used as a supply-air plenum.

35
Q

What is a key component of the Gramm-Leach-Bliley Act (GLBA)?

A. The right to be forgotten
B. EU Data Directives
C. The information security program
D. The right to audit

A

C. The information security program

Explanation:
The most important aspect of GLBA is its requirement that covered financial institutions establish a formal, written information security program to protect customer information.

36
Q

Perhaps the best method for avoiding vendor lock out is also a means for enhancing BCDR capabilities. This is _______

A. Having a warm site within 250 miles of the primary production environment
B. Using one cloud provider for primary production and another for backup processes
C. Building a data center above the flood plain
D. Cross training all personnel

A

B. Using one cloud provider for primary production and another for backup processes

Explanation:
Using distinct cloud providers for production and backup ensures that the loss of one provider, for any reason, will not result in a total loss of the organization's data.

37
Q

In a PaaS model, who should most likely be responsible for the security of the applications in the production environment?

A. Cloud customer
B. Cloud provider
C. Regulator
D. Programmers

A

A. Cloud customer

Explanation:
In PaaS, the provider secures the hardware, network and operating system, while the customer is responsible for the administration (and security) of the applications and data it deploys. Neither regulators nor programmers are responsible for the security of applications in the production environment; that is the cloud customer's responsibility.

38
Q

Which of the following is a federation standard/protocol that does not rely on SOAP, SAML or XML?

A. WS Federation
B. OpenID Connect
C. SOC 2
D. OWASP

A

B. OpenID Connect

Explanation:
OpenID Connect is a federation protocol built on OAuth 2.0 that uses REST and JSON (identity claims are delivered as a JSON Web Token); it was specifically designed with mobile and native apps in mind, instead of only web-based federation. WS-Federation relies on SOAP and XML, and SOC 2 and OWASP are not federation protocols at all.
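What "REST and JSON" means in practice is that the identity assertion is a JSON Web Token the relying party verifies itself, as in this added example, which is not part of the flashcard source. HS256 with a shared client secret is used so that it runs on the standard library alone; real providers normally sign ID tokens with RS256 and publish the public keys at a JWKS endpoint. The issuer, client ID, secret and claims are all assumptions.

```python
# Added example (not from the flashcard source): minting and verifying an
# OpenID Connect ID token, which is a JSON Web Token (JSON claims, not XML).
# HS256 with a shared client secret keeps the example stdlib-only; the issuer,
# client ID, secret and claim values are assumptions.
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

ISSUER = "https://idp.example"          # assumed identity provider
CLIENT_ID = "research-portal"           # assumed relying party (the token's audience)
CLIENT_SECRET = b"assumed-shared-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: Dict[str, Any], secret: bytes) -> str:
    """What the identity provider does: header.payload.signature, HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str, now: int) -> Dict[str, Any]:
    """Relying-party checks: structure, pinned alg, signature, iss, aud, exp.

    `now` is passed in (Unix seconds) so the check is deterministic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))      # parse claims only after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def id_token_is_valid(token: str, secret: bytes, issuer: str, client_id: str, now: int) -> bool:
    try:
        verify_id_token(token, secret, issuer, client_id, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice@lab.example",
                           "iat": now, "exp": now + 300}, CLIENT_SECRET)
    print(token)
    print(verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, now))
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is pinned by the verifier rather than taken from the token header (which defeats alg=none and key-confusion tricks), and audience is checked so a token issued for another client cannot be replayed here.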

39
Q

In protections afforded to PII under the US Health Insurance Portability and Accountability Act (HIPAA), the subject must _____ in order to allow the vendor to share their personal data

A. Opt in
B. Opt out
C. Undergo screening
D. Provide a bio metric template

A

A. Opt in

Explanation:
Under HIPAA, the subject must opt in to information sharing; that is, the subject (patient) must explicitly state, in writing and with a signature, with whom the provider is allowed to share personal health information, such as family members, spouses and children.

40
Q

Which of the following is not commonly considered a form of privacy data processing?

A. Storing
B. Computing
C. Destroying
D. Buying

A

D. Buying

Explanation:
Purchasing is not normally an activity related to privacy data processing. All the other options fall into the definition of processing

41
Q

When using real user monitoring (RUM) for web application activity analysis, which of the following do you need to take into account?

A. False positives
B. Attacker baseline actions
C. Privacy concerns
D. Sandboxed environments

A

C. Privacy concerns

Explanation:
Depending on the jurisdiction, RUM (which records real users' sessions and inputs) may constitute unlawful surveillance or unconsented collection of personal data, so the practitioner must take this into account and plan accordingly, for example by obtaining consent and masking sensitive fields before capture.

42
Q

You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost 24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs 15 million. An insurance policy that would cover the full replacement cost of the plant costs 1 million per month. In order to establish the true annualized loss expectancy (ALE), you would need all of the following information except:

A. Amount of revenue generated by the plant
B. The rate at which the plant generates revenue
C. The length of time it would take to rebuild the plant
D. The amount of product the plant creates

A

D. The amount of product the plant creates

Explanation:
Unless that figure is being used to derive options A or B, or to better estimate the impact cost of a first occurrence, the amount of product the plant creates matters less than the revenue that output generates for the company. Revenue, the rate at which it accrues, and the rebuild time together give the single loss expectancy (replacement cost plus revenue lost while the plant is down), which the ALE calculation needs alongside the annual rate of occurrence.

43
Q

Having your BCDR backup stored with the same cloud provider as your production environment can help you ________

A. Maintain regulatory compliance
B. Spend less of your budget on traveling
C. Train your users about security awareness
D. Recover quickly from minor incidents

A

D. Recover quickly from minor incidents

Explanation:
Having the backup within the same environment can allow easy rollback to a last known good state or to reinstantiate clean VM images after minor incidents

44
Q

What can be revealed by an audit of a baseline virtual image, used in a cloud environment?

A. Adequate physical protections in the data center
B. Potential criminal activity before it occurs
C. Whether necessary security controls are in place and functioning properly
D. Lack of user training and awareness

A

C. Whether necessary security controls are in place and functioning properly

Explanation:
The baseline image contains the suite of security controls applied uniformly throughout the environment, so auditing it shows whether those controls are present and configured correctly before instances are cloned from it.

45
Q

A localized incident or disaster can be addressed in a cost effective manner by using which of the following?

A. UPS
B. Generators
C. Joint operating agreements
D. Strict adherence to applicable regulations

A

C. Joint operating agreements

Explanation:
Joint operating agreements can provide nearby relocation sites so that a disruption limited to the organizations own facility and campus can be addressed at a different facility and campus

46
Q

Setting thermostat controls by measuring the ________ temperature will result in the highest energy costs

A. Server inlet
B. Return air
C. Underfloor
D. External ambient

A

B. Return air

Explanation:
The return air has been warmed by passing through the equipment, so it is the warmest air anywhere in the data center. Controlling to that reading forces the HVAC plant to work hardest, overcooling the server inlets to bring the return reading down to the setpoint, which is why it costs the most.

47
Q

Which of the following best describes HIPAA?

A. US Federal law for electronic healthcare transactions and national identifiers for providers, health plans and employers
B. EU Standards for electronic healthcare transactions and national identified for providers, health plans and employers
C. Contractual standards for electronic healthcare transactions and national identifiers for providers, health plans and employers
D. ISO standards for electronic healthcare transactions and national identifiers for providers, health plans and employers

A

A. US Federal law for electronic healthcare transactions and national identifiers for providers, health plans and employers

Explanation:
HIPAA is a US federal law; it is not an EU standard, a contractual standard or an ISO standard.

48
Q

Any organization that complies with ISO 27034 will have a maximum of ________ Organizational Normative Frameworks

A. 0
B. 1
C. 5
D. 25

A

B. 1

Explanation:
ISO 27034 dictates that an organization will have a single collection of security controls used for all software within that organization; this collection is called the Organizational Normative Framework (ONF). Each application then draws its own Application Normative Framework (ANF) from that one ONF.

49
Q

WAFs and DAMs function at levels ________ and _______ of the OSI model, respectively.

A. 1 and 7
B. 7 and 1
C. 7 and 7
D. 3 and 4

A

C. 7 and 7

Explanation:
These are both Layer 7 tools.

50
Q

Legal controls refer to which of the following:

A. Controls designed to comply with laws and regulations related to the cloud environment
B. PCI DSS
C. ISO
D. NIST 800 53r4

A

A. Controls designed to comply with laws and regulations related to the cloud environment

Explanation:
Legal controls are those controls that are designed to comply with laws and regulations whether they be local or international

51
Q

A fundamental aspect of security principles, ___________ should be implemented in the cloud as well as in traditional environments

A. Continual uptime
B. Defense in depth
C. MFA
D. Separation of duties

A

B. Defense in depth

Explanation:
Defense in depth, or layered defense, is perhaps the most fundamental characteristic of all security concepts.

52
Q

In a PII context, who is the controller?

A. The cloud customer
B. The cloud provider
C. The regulator
D. The individual

A

A. The cloud customer

Explanation:
In a PII context, the controller is the entity that creates/collects, owns or manages the data - that is, the data owner

53
Q

Which of the following is not a way to manage risk?

A. Enveloping
B. Mitigating
C. Accepting
D. Transferring

A

A. Enveloping

Explanation:
Enveloping is a nonsense term, unrelated to risk management

54
Q

Pentesting is an ______ form of security assessment

A.Active
B. Comprehensive
C. Total
D. Inexpensive

A

A.Active

Explanation:
A pentest requires the tester to analyze the security of an environment from the perspective of an attacker

55
Q

You are the IT director for a small contracting firm. Your company is considering migrating to a cloud production environment. Which service model would best fit your needs if you wanted an option that reduced the chance of vendor lock-in but also did not require the highest degree of administration by your own personnel?

A. IaaS
B. PaaS
C. SaaS
D. Tanstaffl

A

B. PaaS

Explanation:
With PaaS, the cloud provider administers both the hardware and the OS, but you remain in charge of managing the application and data. There is less likelihood of vendor lock-in with PaaS than with SaaS, where the application itself belongs to the provider, and less administrative burden than with IaaS, where you would also manage the OS.

56
Q

DAST is usually considered a __________ form of testing

A. White box
B. Black box
C. Gray box
D. Parched field

A

B. Black box

Explanation:
DAST is often referred to as black box testing

57
Q

Typically, SSDs are _______

A. More expensive than spinning platters
B. Larger than tape backup
C. Heavier than tape libraries
D. More subject to malware than traditional drives

A

A. More expensive than spinning platters

Explanation:
SSDs are usually more expensive, per drive, than their counterparts.

58
Q

Developers creating software for the cloud environment should bear in mind cloud specific risks such as ________ and ____________

A. DoS and DDoS
B. Multitenancy and 3rd party administrators
C. Unprotected servers and unprotected clients
D. Default configurations and user error

A

B. Multitenancy and 3rd party administrators

Explanation:
Multitenancy and third-party administrators are specific to shared cloud infrastructure. All the other options are risks that exist in the traditional environment as well as the cloud.

59
Q

What is the important input of the SDLC?

A. Senior management direction
B. Legislation/regulation
C.Investor oversight
D. Business requirements

A

D. Business requirements

Explanation:
Business requirements are paramount because they incorporate the elements of all the other options as well as additional inputs

60
Q

In general, a cloud BCDR solution will be _____ than a physical solution

A. Slower
B. Less expensive
C. Larger
D. More difficult to engineer

A

B. Less expensive

Explanation:
Typically, the cost of using the cloud for contingency operations will be much less than creating a physical alternate operating site

61
Q

Data archiving and retention policies should include _________

A. How long the data must be kept before destruction
B. The depth of underground storage bunkers used for archiving
C. The names of specific personnel tasked with restoring data in the event of data loss in the operational environment
D. The names of regulators approving the policy

A

A. How long the data must be kept before destruction

Explanation:
The policy for data archiving and retention must include guidance on the length of time data is expected to remain

62
Q

The OWASP Top Ten list usually includes injection. In most cases, what is the attacker trying to do with an injection attack?

A. Get the user to allow access for the attacker
B. Insert malware onto the system
C. Trick the application into running commands
D. Penetrate the facility hosting the software

A

C. Trick the application into running commands

Explanation:
In injection attacks, the attacker enters a string of command code into a user-facing field in an attempt to get the application to pass it to an interpreter (SQL, OS shell, LDAP and so on) and run it as a command rather than treat it as data.
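The "trick the application into running commands" mechanism from this card and the DAM statement inspection from card 15, shown together as an added example that is not part of the flashcard source. It uses an in-memory SQLite database; the schema, the accounts and the signature list are constructed for illustration.

```python
# Added example (not from the flashcard source): an injectable login query
# beside its parameterized fix, plus a DAM-style statement inspector that
# flags hostile SQL before it reaches the database. The schema, accounts and
# signature list are constructed for illustration.
import re
import sqlite3
from typing import Optional

# Signatures of the kind a DAM or WAF matches against statement text.
HOSTILE_SQL_PATTERNS = [
    re.compile(r"--"),                                   # line comment used to truncate a query
    re.compile(r"/\*"),                                  # block comment
    re.compile(r";\s*\w"),                               # stacked statement
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # UNION-based data extraction
    re.compile(r"'\s*or\s+'[^']*'\s*=\s*'", re.I),       # tautology such as ' OR '1'='1
]


def build_db() -> sqlite3.Connection:
    """Constructed sample database with one ordinary user and one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", 0), ("admin", "s3cr3t", 1)])
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """User input is spliced into the command text, so it can change the command."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized query: input is bound as data and can never become SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def looks_hostile(sql: str) -> bool:
    """Signature check applied to the statement text, as a DAM would."""
    return any(p.search(sql) for p in HOSTILE_SQL_PATTERNS)


def login_behind_dam(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same vulnerable code path, but a DAM-style filter inspects the statement first."""
    query = build_vulnerable_query(username, password)
    if looks_hostile(query):
        raise PermissionError("blocked by statement inspection")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, comment payload :", login_vulnerable(db, "admin' --", "wrong"))
    print("vulnerable, tautology      :", login_vulnerable(db, "alice", "' OR '1'='1"))
    print("parameterized, same payload :", login_safe(db, "admin' --", "wrong"))
```

The `admin' --` payload turns the password check into a comment, so the vulnerable query logs the attacker in as admin with any password; the parameterized version returns nothing because the quote and the comment marker arrive as data. The DAM-style inspector catches both payloads shown here, but signature matching is a compensating control only: the real fix is parameterization, because an attacker who encodes or restructures the payload can evade a pattern list.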

63
Q

Where is a NIDS deployed in a cloud or enterprise environment?

A. On the segment being monitored
B. On the device being monitored
C. Near the firewall or gateway
D. On a virtual server

A

A. On the segment being monitored

Explanation:
A NIDS is deployed anywhere on the network segment being monitored, typically on a span/mirror port or a network tap. This can be, but does not need to be, near the network gateway.

64
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create an SSO experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources. If you are in Canada, one of the standards you will have to adhere to is _________

A. FIPS 140-2
B. PIPEDA
C. HIPAA
D. EFTA

A

B. PIPEDA

Explanation:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal law governing the protection of personal information in the private sector. HIPAA is US law, FIPS 140-2 is a US cryptographic module standard, and EFTA is unrelated.

65
Q

Which of the following probably poses the most significant risk to the organization?

A. Lack of data confidentiality during a contingency
B. Lack of regulatory compliance during a contingency
C. Returning to normal operations too late
D. Lack of encrypted communications during a contingency

A

C. Returning to normal operations too late

Explanation:
Not returning to normal operations in a timely fashion can cause the organization to exceed its recovery time objective (RTO) and its maximum allowable downtime (MAD), at which point the business itself may not survive; the other options are serious but bounded harms during a contingency.

66
Q

Which of the following factors will probably have the most impact on the cost of running your heating, ventilation and air conditioning systems?

A. Whether you choose hot or cold aisle containment
B. The external ambient environment
C. The initial cost of the HVAC systems
D. Proper cable maintenance

A

B. The external ambient environment

Explanation:
The outside temperature and humidity determine how much heat the HVAC plant must reject and for how long: a hot, humid site keeps compressors running year-round, while a cool site allows free-air (economizer) cooling for much of the year. Containment choice and cable hygiene help, but their effect is smaller, and the initial purchase cost is not a running cost.

67
Q

When crafting plans and policies for data archiving, we should consider all of the following except:

A. Archive location
B. The backup process
C. The format of the data
D. Immediacy of the technology

A

D. Immediacy of the technology

Explanation:
All of the other options should be considered when creating data archival policies; option D is a nonsense term.

68
Q

Which of the following is not used to determine data retention requirements?

A. Legislation
B. Business needs
C. Average media longevity
D. Contracts

A

C. Average media longevity

Explanation:
Data retention periods should be established in policy regardless of the projected lifetime of the media the data resides on. All the other options do/should influence data retention periods

69
Q

The practice of using strong magnets to erase and scramble data on magnetic media is called:

A. Degaussing
B. Scrubbing
C. Cryptoshredding
D. Bitsplitting

A

A. Degaussing

Explanation:
Degaussing refers to the practice of using strong magnets for scrambling data on magnetic media such as hard drives and tapes. Although scrubbing generally can scramble data as well as degaussing, it does not use magnets

70
Q

Which of the following is a service that replicates data across geographic areas?

A. CDN
B. Cloud service
C. Cloud storage
D. ISO

A

A. CDN

Explanation:
A CDN is a service that replicates data across many locations

71
Q

Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment into the cloud?

A. Number of users
B. Costs of software licensing
C. Number of applications
D. Number of clientele

A

B. Costs of software licensing

Explanation:
In a traditional environment, enterprise software costs can be exorbitant, and the price of licensing doesn't even reflect the hidden costs associated with licensing, such as managing the license library

72
Q

Which of the following is a risk associated with automated patching?

A. Users can be leveraged by intruders
B. A patch may not be applicable to a given environment
C. Patches can come loaded with malware in a Trojan horse
D. Automated patching is slow and inefficient

A

B. A patch may not be applicable to a given environment

Explanation:
Not all patches are necessary for all environments.

73
Q

Which of the following types of BCDR testing has the most impact on operations?

A. Tabletop
B. Dry run
C. Full test
D. Structured test

A

C. Full test

Explanation:
The full test will involve every asset in the organization, including all personnel.

74
Q

You are in charge of a cloud migration for your organization. You anticipate attack traffic from various sources, each using a variety of both automated and manual intrusion techniques. In order to deter novel attacks used only against your organization, you would be wise to employ firewalls that use ________ to detect threats

A. Attack signatures
B. Behavioral outliers
C. Content filters
D. Biometric templates

A

B. Behavioral outliers

Explanation:
Behavioral detection looks for activity beyond the norm of the organization's usual traffic

75
Q

Which type of cloud infrastructure is provisioned for open use for the general public?

A. Hybrid cloud
B. Community cloud
C. Cloud storage
D. Public cloud

A

D. Public cloud

Explanation:
A public cloud infrastructure is provisioned for open use by the general public; it may be owned, managed, and operated by a business, academic, or government organization, or some combination of them, and it exists on the premises of the cloud provider

76
Q

Who is the cloud carrier?

A. The cloud customer
B. The cloud provider
C. The regulator overseeing the cloud customer's industry
D. The ISP between the cloud customer and provider

A

D. The ISP between the cloud customer and provider

Explanation:
Option D is the definition of a cloud carrier from NIST

77
Q

The SOC 2 report covers which of the following security principles?

A. Security, availability, processing integrity, confidentiality, privacy
B. Confidentiality, integrity, availability
C. Encrypting, hashing and digital signatures
D. Identification, authentication and authorization

A

A. Security, availability, processing integrity, confidentiality, privacy

Explanation:
SOC 2 reports are relevant to the target entity's internal controls over the five security principles of security, availability, processing integrity, confidentiality, and privacy

78
Q

All of the following are ways of addressing risks, except:

A. Acceptance
B. Reversal
C. Mitigation
D. Transfer

A

B. Reversal

Explanation:

79
Q

Firewalls can be included in all the following aspects of a cloud environment except ________

A. The guest OS
B. The cloud data center IT architecture
C. Bandwidth providers used to connect to the cloud
D. Applications used to manipulate data in the cloud

A

C. Bandwidth providers used to connect to the cloud

Explanation:
Internet service providers don't usually offer firewall services.

80
Q

Migrating to a cloud environment will reduce an organization's dependence on _______

A. Capital expenditures for IT
B. Operational expenditures for IT
C. Data driven workflows
D. Customer satisfaction

A

A. Capital expenditures for IT

Explanation:
As a cloud customer, the organization is not responsible for making up-front infrastructure purchases, which are capital expenditures

81
Q

Which of the following is a valid risk management metric?

A. Key performance indicators (KPI)
B. Key RISK indicators (KRI)
C. Service level agreement (SLA)
D. SOC

A

B. Key RISK indicators (KRI)

Explanation:
KRI stands for key risk indicator. KRIs are red flags, if you will, in the world of risk management. When these change, they indicate something is amiss and should be looked at quickly to determine if the change is minor or something more

82
Q

Deploying DRM tools in a BYOD environment will require:

A. User consent and action
B. Enhanced security protocols
C. Use of the cloud
D. Newer, upgraded devices

A

A. User consent and action

Explanation:
Deploying DRM usually requires installing a local agent on each device intended for use in that environment; with BYOD, that means getting all users to agree and install that agent because they own the device

83
Q

Data destruction in the cloud is difficult because _________

A. Data in the cloud is constantly being replicated and backed up
B. Delete commands are prohibited in the cloud
C. Internet service providers will not allow destruction of data stored in the cloud
D. The end clients may prevent it

A

A. Data in the cloud is constantly being replicated and backed up

Explanation:
One of the benefits of using a managed cloud service is that most providers are constantly performing backup and preservation activities in order to ensure that customers do not lose data

84
Q

When considering the option to migrate from an on-premises environment to a hosted cloud service, an organization should weigh the risk of allowing external entities to access the cloud data for collaborative purposes against _________

A. Not securing the data in the traditional environment
B. Disclosing the data publicly
C. Inviting external personnel into the traditional workspace in order to enhance collaboration
D. Sending the data outside the traditional environment for collaboration purposes

A

D. Sending the data outside the traditional environment for collaboration purposes

Explanation:
The cloud generally enhances opportunities for collaboration between organizations, mostly by giving external parties some limited access to the owner's data in the cloud. While there is risk in this situation, the truly comparable risk in the traditional environment would result from sending data outside the organization to external collaborators

85
Q

The OWASP Top Ten list often includes using components with known vulnerabilities. Why would an organization ever use components with known vulnerabilities to create software?

A. The organization is insured
B. The particular vulnerabilities exist only in a context not being used by developers
C. Some vulnerabilities exist only in foreign countries
D. A component might have a hidden vulnerability

A

B. The particular vulnerabilities exist only in a context not being used by developers

Explanation:
Option B makes the most sense; some vulnerabilities are known to exist only when a component is used in a specific way or with specific services; if the programmers are not including that way of using the component or the risky service, then the vulnerability would not pose a threat to the software they are creating and may therefore be acceptable

86
Q

You are the security manager for a retail company that is considering cloud migration to a public SaaS solution, both for your current internal production environment (an on-premises data center) and to host your ecommerce presence. Which of the following is a new concern you should bring up to senior management for them to consider before the migration?

A. Regulatory compliance for your credit card processing transactions
B. Inadvertent disclosure by internal personnel
C. Data disclosure through insufficiently isolated resources
D. Malicious intrusion by external entities

A

C. Data disclosure through insufficiently isolated resources

Explanation:
Because of the multitenant nature of public cloud services, processes and resources that are not properly isolated may create a situation where data could be disclosed to other cloud customers. This is a new threat that may result from the migration

87
Q

IAM is a security discipline that ensures which of the following?

A. That all users are properly authorized
B. That the right individual gets access to the right resources at the right time for the right reasons
C. That all users are properly authenticated
D. That unauthorized users will get access to the right resources at the right time for the right reasons

A

B. That the right individual gets access to the right resources at the right time for the right reasons

Explanation:
Options A and C are also correct, but they are included in B, making B the best choice. D is incorrect, because we do not want unauthorized users gaining access

88
Q

You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. Your company wants to install its own software solutions in a managed environment to decrease the cost of purchasing and maintaining the hardware of a data center. You should most likely be considering a ________ offering

A. IaaS
B. PaaS
C. SaaS
D. Hybrid

A

B. PaaS

Explanation:
The PaaS model will probably best suit your company's needs, as it allows the customer to install software and load data onto a hardware infrastructure owned and operated by the provider

89
Q

Which of the following best describes SDN?

A. Controlling network devices from a single management interface
B. The idea of using a hyper-converged network model to streamline efficiencies
C. The idea of controlling network provisioning via the hypervisor
D. The idea of separating the network control plane from the actual network forwarding plane

A

D. The idea of separating the network control plane from the actual network forwarding plane

Explanation:
SDN is the idea of separating the network control plane from the actual network forwarding plane

90
Q

Bob is designing a data center to support his organization, a financial services firm. Bob's data center will have to be approved by regulators using a framework under which law?

A. HIPAA
B. PCI
C. GLBA
D. SOX

A

C. GLBA

Explanation:
GLBA mandates requirements for securing personal account information in the financial and insurance industries

91
Q

What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud?

A. Mobility
B. Elasticity
C. Obfuscation
D. Portability

A

D. Portability

Explanation:
Elasticity is the name for the benefit of cloud computing where resources can be apportioned as necessary to meet customer demand.

92
Q

What is the current EU privacy legislation that restricts dissemination of personal data outside the EU?

A. The EU Data Directive
B. The GDPR
C. Privacy Shield
D. SOX

A

B. The GDPR

Explanation:
GDPR is the current prevailing data privacy legislation. It replaced the Data Directive

93
Q

Most PII is gathered by _________

A. EU companies
B. Voluntary disclosure
C. Malicious attackers
D. Insidious methods

A

B. Voluntary disclosure

Explanation:
Most PII is gathered from individuals who voluntarily disclose it

94
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Which cloud service or deployment model would probably best suit your needs?

A. IaaS
B. PaaS
C. SaaS
D. Community

A

B. PaaS

Explanation:
PaaS is optimum for software testing, as it allows the software to run across multiple platforms/OSs

95
Q

DRM tools might be used to protect all the following assets except _________

A. A trusted device
B. Proprietary software
C. Medical records
D. Financial data

A

A. A trusted device

Explanation:
DRM solutions are mainly designed to protect intellectual property assets, but they can also be used to provide enhanced protection to other electronic information

96
Q

When discussing the cloud, we often segregate the data center into the terms compute, storage, and networking. Compute is made up of ________ and ____________

A. Routers; hosts
B. APIs; NBIs
C. CPU; RAM
D. Virtualized; actual hardware devices

A

C. CPU; RAM

Explanation:
The compute nodes of a cloud data center can be measured in terms of how many CPUs

97
Q

An organization's data classification scheme must include which of the following categories?

A. File size
B. Origin of the data
C. Sensitivity of the data
D. Whatever the data owner decides

A

D. Whatever the data owner decides

Explanation:
Each organization has to decide for itself how to classify its own data. With that said, many factors, such as external regulations and drivers, bear on this determination

98
Q

When you are building a new data center in a rural setting, which of the following is probably the most restrictive?

A. Natural disasters
B. Staffing
C. Availability of emergency services
D. Municipal codes

A

C. Availability of emergency services

Explanation:
In a rural location, the positioning and depth of first responders (fire, law enforcement, paramedics) may be severely limited in comparison to an urban setting

99
Q

Which of the following is the primary purpose of an SOC 3 report?

A. Absolute assurances
B. Compliance with PCIDSS
C. HIPAA compliance
D. Seal of approval

A

D. Seal of approval

Explanation:
The SOC 3 report is more of an attestation than a full evaluation of controls associated with a service provider

100
Q
A