LearnZapp Practice 4 Flashcards
Access should be granted based on all of the following except _______
A. Policy
B. Business needs
C. Performance
D. Acceptable risk
C. Performance
Explanation:
Performance should not determine who gets access to which data
Which of the following methods of addressing risk is most associated with insurance?
A. Transference
B. Avoidance
C. Acceptance
D. Mitigation
A. Transference
Explanation:
Avoidance halts the business process, mitigation entails using controls to reduce risk, acceptance involves taking on the risk, and transference usually involves insurance
Which security technique is most preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele?
A. Anonymization
B. Masking
C. Encryption
D. Training
B. Masking
Explanation:
Masking allows customer service representatives to review clients sales and account information without revealing the entirety of those records
In order for American companies to process personal data belong to EU citizens, they must comply with the Privacy Shield program. The program is administered by the US Department of Transportation and the ____________
A. US State Department
B. Fish and Wildlife
C. Federal Trade Commission
D. Federal Communication Commission (FCC)
C. Federal Trade Commission
Explanation:
The FTC is the local US enforcement arm for the most Privacy Shield Activity
Which type of web application monitoring most closely measures actual activity?
A. Synethetic performance monitoring
B. Real user monitoring
C. SIEM
D. DAM
B. Real user monitoring
Explanation:
RUM harvests infomration from actual user activity, making it the most realistic depiction of user behavior
Which of the following is a risk posed by the use of virtualization?
A. Internal threats interrupting service through physical accidents
B. The ease of transporting stolen virtual images
C. Increased susceptibility of virtual systems to malware
D. Electromagnetic pulse
B. The ease of transporting stolen virtual images
Explanation:
Because virtual machines are stored as imaged files, an attacker able to access the stored files would have a
Your company operates in a highly cooperative market, with a high degree of information sharing between participants. Senior management wants to migrate to a cloud enviornment but is concerned that providers will not meet the companys collab needs. WHich deployment model would best suit the compmanys needs?
A. Public
B. Private
C. Community
D. Hybrid
C. Community
Explanation:
A community cloud entails all participants to have some degree of ownership and responsibility for the cloud environment; this is the preferred model for coop ownership and collaboration among a group with a shared
An event is something that can be measured within the environment. An incident is a ___________ event
Deleterious
B. Negative
C. Unscheduled
D. Major
C. Unscheduled
Explanation:
All the activity in the environment can be considered events. Any event that was not planned or known is an incident. In the security industry, we often ascribe negative effects to the term incident, but incidents are not always mlaicious
Why is the deprovisioning element of the identification component of identitiy and access management so important?
A. Extra accounts costs so much extra money
B. Open but assigned accounts are vulnerabilities
C. User tracking is essential to peformance
D. Encryption has to be mantained
B. Open but assigned accounts are vulnerabilities
Explanation:
Unused accounts that remain open can serve as attack vectors
According to the CSA, which of the followinig is not an aspect of due dilligence that the cloud customer should be concerned with when considering a migration to a cloud provider?
A. Ensuring that any legacy applications are not dependent on internal security contorols before moving them to the cloud environment
B. Reviewing all contract elements to approprioately define each parttys roles, responsibilities and requirements
C. Assessing the providers financial standing and soundness
D. Vetting the cloud providers administratiors and personnel to ensure the same level of trust as the legacy envioronment
D. Vetting the cloud providers administratiors and personnel to ensure the same level of trust as the legacy envioronment
Explanation:
The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular leve2l of control
A hosted based firewall in a virtualized cloud environment might have aspects of all the following types of controls except ________
A. Administrative
B. Deterrent
C. Corrective
D. Preventive
B. Deterrent
Explanation:
A firewall uses aspects of adminnistrative controls. The firewall policy is a set of rules that dictate the type of traffic and source/destination of that traffic
What is an important term in the field of data forensics that refers to maintaining control of evidenbe?
A. eDiscovery
B. Probably cause
C. Chain of custody
D. The Doctrine of Property
C. Chain of custody
Explanation:
Chain of custody refers to documenting control of evidence from the time it is collected until it is presented to the court
Which of the follopwing factors would probably most affect the design of a cloud data center?
A. Geographic location
B. Functional purpose
C. Cost
D. Aesthetic intent
A. Geographic location
Explanation:
APIs are defined as which of the following?
A. A set of protocols, and tools for building software applications to access a web based sofdtware application or tool
B. A set of standards for building software applications to access a web based software application or tool
C. Aset of routiunes, standards, protocols and tools for building software applications to access a web based software application or tool
D. A set of routiunes and tools for building software applications to access web based software applications
C. Aset of routiunes, standards, protocols and tools for building software applications to access a web based software application or tool
Explanation:
Dynamic software security testing should include _________
A. Source code review
B. User training
C. Pentest
D. Known bad data
D. Known bad data
Explanation:
Also known as fuzz testing, dynamioc methods should ionclude known bad inputs in order to determine how the program will handle the wrong data
Which of the following best describes data masking?
A. A method where the last few numbers in a dataset are not obscured. These are often used for authentication
B. A method for creating similar but inauthentic datasets used for software testing and user training
C. A method used to protect prying eyes from data such as social security numbers and credit card data
D. Data masking involves stripping out all similar digits in a string of numbers so as to obscure the original number
B. A method for creating similar but inauthentic datasets used for software testing and user training
Explanation:
Where should multiple egress points be included?
A. At thee power distribution substation
B. Within the data center
C. In every building on the campus
D. In thje security operations center
C. In every building on the campus
Explanation:
Health and human safety is a paramount goal of securityy
Which of the following best represents the REST approach tyo APIs?
A. Built on protocol standards
B. Lightweight and scalable
C. Relies heavily on XML
D. Only supports XML output
B. Lightweight and scalable
Explanation:l
In the EU, with its implementation of privacy directives and regulations, treats individual privacy as _______
A. a passing fad
B. A human right
C .A legal obligation
D. A business expense
B. A human right
Explanation:
What artifact which should already exist within the organization - can be used to determine the critical assets necessary to protect in the BCDR activity?
A. Quantitative risk analysis
B. Qualitative risk analysis
C. Business impact analysis
D. Risk appetite
C. Business impact analysis
ExplanatiON:
The BIA is designed for this purpose; to determine the critical path of assets/resources/data within the organization
Which of the following is not a risk management framework?
A. NIST SP 800-37
B. ENISA
C. KRI
D. ISO 31000-2009
C. KRI
Explanation:
Key risk indicators are useful but they are not a framework
Which of the following is not a factor an organization might use in the cost benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with whichc cloud provider might be selected
D. Branding associated with whichc cloud provider might be selected
Explanation:
The brand associated with the cloud provider should not influence the cost-benefit analysis
Which of the following best describes the Organizational normative Framework?
A. A container for components of an applications security, best practices, catalogued and leveraged by the organization
B. A framework of contpainers for all components of application security, best practioces, catalogued and leveraged by the organization
C. A set of application security and best practices catalogued and leveraged by the organization
D .A framework of containers for some of the components of application security, best practices, catalogued and lneveraged by the organization
B. A framework of contpainers for all components of application security, best practioces, catalogued and leveraged by the organization
Explanation:
Which kind of SSAEW audit report is a cloud customner most likely to receive from a cloud provider?
A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3
D. SOC 3
Explanation:
The SOC 3 is the least detailed, so thje provider is not concerned about revealing it
REST is best described by which of the following?
A. Relies on stateful communications
B. Does not require caching
C. Does not rely on best practices for web services
D. Relies on stateless, client server, cacheable communications
D. Relies on stateless, client server, cacheable communications
Explanation:
RESt relies on stateless, client server, cacheable communications. It is a software architecture consisting of guidelines and best practices for creating scalable web services
What should the priomary focus of datacenter redundancy and contingency planning?
A. Critical path/operations
B. Health and human sdafety
C. Infrastructrure suyporting the production environment
D. Power and HVAC
B. Health and human sdafety
Explanation:
Regardless of the tier level or purpose of any datacenter, design focus for security should always consider health and human safety paramount
Which of the following is not typically included as a basic phase of the SDLC?
A. Define
B. Design
C. Describe
D. Develop
C. Describe
Explanation:
Describe is not a common phase in the SDLC
Which of the following is a good business case for the use of data masking?
A. The shipping department should get only a masked version of the customers address
B. The customer service department should get only a masked version of the customers social security number
C. The billing department should get only a masked version of the customers credit card number
D. HR department should get only a masked version of the employees driverss license number
B. The customer service department should get only a masked version of the customers social security number
Explanation:
The customer service reps may need to see a partial version of the customers SS number to verirfy that the customer is who they claim to be, but that representative does not need to see the full number, which would create an unnecessary risk
Anonymization is the process of removing _____ from data sets
A. Access
B. Cryptographic keys
C. Numeric values
D. identifying information
D. identifying information
Explanation:
Anonymization is the process of removing identifiers from data sets so that the data analysis tools and techqniues cannot be used by malicious entities to divine personal or sensitive data from non sensitive aggregated data sets. All the other answers are incorrect because they are not part of the anonytmization process
WHat does the doctrine of the proper law refer to?
A. How jurisdictional disputes are settled
B. The law that is applied after the first law is applied
C. The determination of what law will apply to a case
D. The proper handling of eDiscoverey materials
A. How jurisdictional disputes are settled
Explanation:
The doctrine of the proper law referes to how jurisdictional disputes are settled
Which of the following best describes SAST?
A. a set of technologies that analyze application source code, and bit code for coding and design problems that would indicate a security problem or vulnerability
B. A set of technologies that ananlyze bit code, and binaries for coding and design problems that would indicate a security problem or vulnerability
C. A set of technologies that analyze application source code, byte code and binaries for coding and design problems that would indicate a security problem or vulnerability
D. A set of technologies that analyze application source code for coding and design problems that would indicate a security problem or vulnerability
C. A set of technologies that analyze application source code, byte code and binaries for coding and design problems that would indicate a security problem or vulnerability
Explanation:
All the possible answers are good, and are, in fact, correct, however C is the most complete and therefore the best answer
Lack of industry wide standards for cloud computing creates a potential for ______
A. Privacy data breach
B. Privacy data disclosure
C. Vendor lock in
D. Vendor lock out
C. Vendor lock in
Explanation:
Without uniformity of data formats and service mechanisms, there is no assurance that a customer would be able to easily move their cloud operation from one provider to another; this can result in lock in
If personal financial account reviews are peerformed as an additional review control for privileged users, which of the following characteristics is least likely to be a useful indicator for review p]urposes?
A. Too much moneyh in the account
B. Too little money in thhe account
C. The bank branch being used by the privileged user
D. Specific senders/recipients
C. The bank branch being used by the privileged user
Explanation:
Which bank branch a privileged user frequents is unlikely to be of consequence. too much money can inidcate that the privileged user is accepting payment from someone other than the emp]loyer
To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except :
A. Access to audit logs and performance data
B. SIM, SIEM and SEM logs
C. DLP solution results
D. Security control administration
D. Security control administration
Explanation:
While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer
To deploy a set of microservices to clients instead of buiilding one monolithic application, it is best to use an ______ to coordinate client requests
A. XML Gateway
B. API Gateway
C. WAF
D. DAM
B. API Gateway
Explanation:
An API Gateway translates requests from clients into multiple requests to many microservices and delivers the content as a whole via an API it assigns to that client/session
What is the intellectual property protection for the tangible expression of a creative idea?
A. Copyright
B. Patent
C. Trademark
D. Trade secret
A. Copyright
Explanation:
Copyrights are protected tangible expressions of creative works
Privileged user (administrators, managers and so forth) accounts need to be reviewed mroe closely than basic user accounts. Why is this?
A. Privileged users have more encryption keys
B. Regular users are more trustworthy
C. There are extra controls on privileged user accounts
D. Privileged users can cause more damage to the organization
Explanation:
The additional capabilities of privileged users make their activities riskier to the organization, so these accounts bear extra review
Tokenization is a method of obscuring data that, other than encryption, can be used to comply with ______ standards
A. GLBA
B. PCI
C. COPA
D> SOX
B. PCI
Explanation:
PCI requires that credit card numbers and other cardholder data be obscrubed when stored for any length of time
Patching can be viewed as a configuration modification and therefore subject to the organizations configuration management program and methods. What may also be an aspect of p]atching in terms of configuration management?
A. Patching doesnt need to be performed as a distinct effort; patching can go through the normal change request process like all other modifications
B. Any patches suggested or required by vendors to maintain compliance with service contracts must be made immaditately regardless of internal process restrictions
C. Any patches suggested by third parties should not be considered as they may invalidate service contracts or warranties
D. The configuration or change management committee or board may grant blanket approval for patches (at a certain impact level) without the need to go through the formal change process
D. The configuration or change management committee or board may grant blanket approval for patches (at a certain impact level) without the need to go through the formal change process
ExplanatIon:
In order to ensure timely application of patches, patching may receive blanket approval and only be reviewed by the committee of board after the fact for final approval
All of the following techniques are used in OS hardening except _______
A. Removinig default accounts
B. Disallowingff local save of credentials
C. Removing unnecessary services
D. Preventing all administrative access
D. Preventing all administrative access
Explanation:
Administrative access may be limited but not prevented
Access control to virtualization management tools should be ______
A. Rule based
B. Role based
C. User based
D. Discretionary
B. Role based
Explanation:
It is important to limit access to the virtualization toolset to those admins, engineers and architects who are vital for supporting the virtualized environment and nobody else
Which of the following best describes the purpose and scope of ISOI 27034 1?
A. Describes international privacy standards for cloud computing
B. Provides an overview of application security that introduces definitive concepts, principles and processes involved in application secuirty
C. Serves as a newer replacement for NIST 800 53 r4
D. Provides an overview of network and infrastructrure security designed to secure cloud applications
B. Provides an overview of application security that introduces definitive concepts, principles and processes involved in application secuirty
Explanation:
Option B is a desceription of the standard; the others are not
All of the following can be used to properly apportion clouid resources except _______
A. Reservations
B. Shares
C. Cancellations
D. Limits
C. Cancellations
Explanation:
Cancellations is not a term used to describe a resource allotment method
According to the ISC^2 Cloud Secure Data Life Cycle which phase colmes immediately before the Share phase?
A. Create
B. Destroy
C. use
D. Encrypt
C. use
Explantion:
Create, Store, Use, Share, Archive, Destroy
Which of the following cloud environment accounts should only be granted on a temporary basis?
A. Remote users
B. Senior management
C. Internal users
D .External Vendors
D .External Vendors
Explanation:
If external vendors need access to the cloud environment, that access should only be granted on an extremely limited and temporary basis
Which are the two most widely used API formats?
A. SOAP and REST
B. DAST and SAST
C. GLBA and PCI
D. ONF and ANF
A. SOAP and REST
Explanation:
APIs are a set of routines, standards, protocols and tools for building software applications to access a web based software app or tool
Which of the following is not a way to apportion resources in a pooled environment?
A. Reservations
B. Limits
C. Tokens
D. Shares
C. Tokens
Explanation:
Tokenization is a method for obscuring or protecting data using two distinct databases, not a resource allocation method
WHich of the following is not a method for reducing the risk of XSS attacks?
A. Put untrustted data in only allowed slots of HTML documents
B. HTML escape when including untrusted data in any HTML elements
C. Use the attribute escape when including untrsted data in attribute elements
D. Encrypt all HTML documents
D. Encrypt all HTML documents
Explanation:
In many cases, HTML documents are meant to be seen by the public or new users who do not yet have the trust associations (accounts) with the organization, so encrypting every HTML document would be counter to the purpose. Moreover, total encryption of everytrhing, even material that is not particularly sensitive or valuable, incurs an additional cost with no appreicable benefit
A generator transfer switch should bring backup power online within what time frame?
A. 10 seconds
B. Before the recovery point objective is reached
C. Before the UPS duration is exceeded
D. Three days
C. Before the UPS duration is exceeded
Explanation:
Generator power should be online before battery backup fails. The specific amount of time will vary between datacenters
A group of clinics decides to create an identification federation for their users (medical poroviders and clinicians). In this federation, all of the participating organizations would need to be in compliance with that US federal regulation?
A. GLBA
B. FMLA
C. PCI DSS
D. HIPAA
D. HIPAA
Explanation:
While its likely the participating organizations will be subject to other federal regulations, HIPAA covers electronic patient info.
Which of the following frameworks identifies the top 8 security risks based on likelihood and impact?
A. NIST 800 53
B. ISO 27000
C. ENISA
D. COBIT
C. ENISA
Explanation:
ENISA specifically identifies the top 8 security risks based on likelihood and impact
The field of digital forensics does not include the practice of securely ________ data
A. Collecting
B. Creating
C. Analyzing
D. Presenting
B. Creating
Explanation:
With rare exceptions, digital forensics does not include creation of data (other than forensic reports regarding the analysis of data). While this could arguably be considered an aspect of digital forensics as well, the other options are more suited to describing digital forensics,
Which of the following is not a risk management framework?
A. Hex GBL
B. COBIT
C. NIST SP 800-37
D. ISO 31000-2009
A. Hex GBL
Explanation:
Hex GBL is a reference to a computer part
Which of the following is an attack vector that should be specifically addressed in PaaS environments?
A. Fire
B. Insider threat
C. SQL Injection
D. Physical intrusion
C. SQL Injection
Explanation:
PaaS environments often included databases: SQL injection is a common form of attacking databases.
Data dispersion provides protection for all the following security aspects except ___________
A. Protecting confidentiality against external attack on the storage area
B. Loss of availability due to single storage device failure
C. Loss due to seize by law enforcement in a multitenant enviropnment
D. Protecting against loss due to user error
D. Protecting against loss due to user error
Explanation:
Data dispersion cant aid in adventent loss caused by an errant user;l if the user accidentally deletes/corrupts a file, that file will be deleted/corrupted across all the storage spaces where it is dispersed
At which phase of the SDLC is it probably most useful to involve third party personnel?
A. Define
B. Design
C. Develop
D. Test
D. Test
Explanation:
During testing, getting outside perspecotive iss invaluable, for both performance and security purposes; internal development and review capabilities are enhanced by auhmentation from external parties
You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and publish stories about it under the title computer related attack
A. A criminal trial
B. A civil case
C. Both criminal and civil proceedings
D. Federal rackeeting charges
C. Both criminal and civil proceedings
Explanation:
The battery is a crime and may be prosecured as such, and the act may also result in the victim suing the attacker
Which type of cloud storage combines public and privatge cloud storage where some critical information stays inside the enterprise and other information resides outside?
A. Hybrid
B. Community
C. DIstributed
D. Encrypted
A. Hybrid
Explanation:
Hybrid cloud storage is a combination of public cloud storage and private cloud storage, where some critical data resides in the enterprises private cloud and other data is stored and accessible from a public cloud storage provider
_____________ storage is used when files are stored with additional metadata and are accessible through APIs and web interfaces
A. Object
B. RAID
C. Consent
D .Redundant
A. Object
Explanation:
Object files are stored with additional metadata such as cxontent type, redundancy requirements, creation dates and so on and are then accessible via APIs and or through a web interface
Which of the following standards addresses a companys entire security program, involving all aspects of various security disciplines?
A. ISO 27001
B. ISO 27002
C. NIST 800-37
D. SSAE 18
A. ISO 27001
Explanation:
The ISO 27001 standard reviews an organizations security in terms of an information security management system, which involves a holistic view of the entire security program
In which court must the defendat be determine to have acted in a certain fashion according to the preponderance of the evidence?
A. Civil court
B. Criminal court
C. Religious court
D. TRreibal court
A. Civil court
Explanation:
Civil courts are held to the preponderance of evidence standard
Which of the following best describes risk?
A. Preventable
B. Everlasting
C. The likelihood that a threat will exploit a vulnerability
D. Transient
C. The likelihood that a threat will exploit a vulnerability
Explanation:
Option C is the definition of risk and risk is never preventable; it can be obviated, reduced, attenuated and minimized, but never completely prevented. A risk may be everlasting or transient, indicating that risk itself is not limited to being either
Which of the following is true about two person integrity?
A. It forces all employees to distrust one another
B. It requires two different IAM matrices
C. It forces collusion for unauthorized access
D. It enables more thieves to gain access to the facility
C. It forces collusion for unauthorized access
Explanation:
By creating a need for two identity assertions or authentication elements to access assets, two person integrity prevents a single person from gaining unauthorized access and forces a would be criminal to join up with at least one other person to conduct a crime
Who publishes the list of cryptographic modules validated according to the FIPS 140-2?
A. The US Office of Management and Budget
B. ISO
C. ISC^2
D. NIST
D. NIST
Explanation:
NIST publishes the list of validated crypto modules
Which styyandard contains guidance for selecting, implementing and managing information security controls mapped to an information security management system (ISMS) framework?
A. ISO 27002
B. PCI DSS
C. NIST SP 800-37
D. HIPAA
A. ISO 27002
Explanation:
ISO 27002 is used for choosing security controls in order to comply with ISMS, which is contained in ISO 27001
_______ is the legal concept whereby a cloud customer is held to a reasonable expectation for prodividing security of its users and clients privacy data
A. Due care
B. Due dilligence
C. Liability
D. Reciprocity
A. Due care
Explanation:Due dilligence is the process and activities used to ensure that due care is maintained
Whioch ofd the following best defines risk?
A. Threat coupled with a breach
B> Vulnerability coupled with an attack
C. Threat coupled with a threat actor
D. Threat coupled with a vulnerability
D. Threat coupled with a vulnerability
Explanation:
The best definition of risk is that of a threat coupoled with a vulnerability
When a company is first starting and has no defined processes and little documentation, it can be said to be at level _____ of the CMM
A. 1
B. 2
C. 3
D. 4
A. 1
Explanation:
Level 1 is the intial level of maturity for a copmanyt and its processes; activity may be performed in an ad hoc manner
You are the security managher of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. You understand that all of the following aspects of cloud computing may make proper deployment of the tool difficult or costly except _____
A. Data will not remain in one place or form in the cloud
B. The cloud environment will include redundant and resilient architecture
C. There will be a deleterious impact on produjction upon installing the tool
D. You might not have sufgficient proper admionistrative rights in the cloud infrastructure
B. The cloud environment will include redundant and resilient architecture
Explanation:
The fact that cloud data centers are designed with multiple redundancies of all systems and components wont really haver any bearing on your decision and implementation of your egress monitoring solution
If a hospital is considering using a cloud data center, which Uptime Institue Tier should it require?
A. 2
B. 4
C. 8
D. X
B. 4
Explanation:Tier 43 is the highest in the Uptime Institute standard; it is the only suitable tier for life critical systemns
You are the IT director for a European cloud service provider. In reviewing possible certifications your copmany may want to acquire for its data centers, you consider the possibilities of the CSA STAR program the Uptime Institute and _______
A. NIST SP 800-37
B. FedRAMP
C. ISO 27034
D. EuroCloud Star Auidit (ECSA)
D. D. EuroCloud Star Auidit (ECSA)
Explanation:
ECSA is designed as a cloud service cert motif for organizations located in Europe
What is thee term that describes the situation when a malicious user or attacker can exist the restrictions of a single host and access other nodes on the network?
A. Host esscape
B. Guest escape
C. Provider exit
D. Escalation of privileges
A. Host esscape
Explanation:
You are the IT security manager for a video game software development company. WHich of the following is most likely to be your primary concern on a daily basis?
A. Health and human safetry
B. Security flaws in your products
C. Security flaws in your org
D. Regulatory compliance
C. Security flaws in your org
Explanation:
Which comes first?
A. Accreditation
B. Operation
C. Maintenance
D. Certification
D. Certification
Explanation:
In the cert/accreeditation model of system approval, certification is the fundamental step
For which use cases would it probably be best to use dynamic masking?
A. Crating a test environment for a new application
B. Allowing a customer service rep limited access to account data
C. Sending IR notifications
D. Implementing BCDR
B. Allowing a customer service rep limited access to account data
Explanation:
Dynamically masking a users account info each time a customer sevice rep accesses that data is an efficient, secure means of masking data as necessary
You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hostiung its testing environment. Management is interested in adopting an Agile development style. This will be typifieed by which of the following traits?
A. Daily meetings
B. A specific shared toolset
C. Defined plans that dictate all efforts
D. Addressing customer needs with an exhaustive intial contract
A. Daily meetings
Explanation:
Agile development often involves daily meetings (called Scrums)
From a customer perspective, all of the following are benefits of IaaS cloud servciers except ____
A. Reduced cost of ownership
B. Reduced energy costs
C. Metered usage
D. Reduced costs of administering the OS in the cloud environment
D. Reduced costs of administering the OS in the cloud environment
Explanation:
In an IaaS configuration, the customer still has to maintain the OS, so option D is the only answer that is not a direct benefit for the cloud customer
Which of the following is a risk associated with automated patching, especiallyt in the cloud?
A. Snapshot/saved virutal machine images wont take a patch
B. Remote acceess disallows patching
C. Clod servbice providers arent responsible for patching
D. PAtches arent applied among all cloud data centers
A. Snapshot/saved virutal machine images wont take a patch
Explanation:
When a VM instance is inactive, it is saved as a snapshot image in a file; patches cant be applied until the instance is running
You process credit cards and determined that the costs of maintaining an encrypted storage capability in order to meet compliance requirements are prohibitive. What other technology can you use instead to meet those regulatory needs?
A. Obfuscation
B. Masking
C. Tokenization
D. Hashing +
C. Tokenization
Explanation:
Tokenization is an approved alternative to encryp]tion for complying with PCI requirements
Which phase of the BCDR process can reesult in a second disaster?
A. Event anticipation
B. Creating BCDR p[lans and policy
C. Return to normal operations
D. Indicent intiation
C. Return to normal operations
Explanation:
Returning to normal operations can result in a second disaster if the conditions created by the intial disaster have not been fully addressed/resolved
You aree in charge of building a cloud data center. Which raised floor level is sufficient to meet standard requirements?
A. 10 inches
B. 8 inches
C. 18 inches
D. 2 feet
D. 2 feet
Explanation:
The minimum recommended height of a raised floor in a data center is 24 inches
Which of the following is a cloud provider likely to provide to its customers in order to enhance the customers trust in the provider?
A. Site visit access
B. Financial reports to shareholders
C. Audit and performance log data
D. Backend administrative access
C. Audit and performance log data
Explanation:
The provider may share audit and performance log data with the customer. The provider will most likely not share any of the other options
According to the CSA, all of the following activity can result in data loss except:
A. Misplaced crypto keys
B. Improper policy
C. Ineffectual backup procedures
D. Accidental overwrite
B. Improper policy
Explanation:
Bad policy wont explicitly lead to data loss but it might hinder efforts to counter data loss. However, misplaced crypto keys can result in a self imposed denial or service
Your companys assets have a high degree of sensitivity and value, and your company has decided to retain control and ownership of the encryption key management system. In order to do so, your company wil have to have which of the following cloud service/deployment models?
A. Public
B. IaaS
C. Hybrid
D. SaaS
C. Hybrid
Explanation:
Managing the encryption keys on premises necessitates some elements of a hybrid cloud model; the key management is done on premises and the production takes place in the cloud
A hypervisor thats runs inside another OS is a Type ______ hypervisor
A. 1
B. 2
C. 3
D. 4
B. 2
Explanation:
The question describes a Type 2 Hypervisor
During maintenance mode for a given node in a virtualized environment, which of the following conditions is not accurate?
A. Generation of new instances is prevented
B. Admin access is prevented
C. Alerting mechanisms are suspended
D. Events are logged
B. Admin access is prevented
Explanation:
Administrators will access devices during maintenance mode; blocking admin access would be contrary to the entire point of the activity
Risk appetitee for an organization is determined by which of the following?
A. Reclusion evaluation
B. Senior management
C. Legislative mandates
D. Contractual agreement
B. Senior management
Explanation:
Senior management decides the risk appetite of the organization
Which of the following is a popular API construction model?
A. SSO
B. GUI
C. REST
D. HTML
C. REST
Explanation:
REST is a method for designing APIs at the moment.
All security controls necessarily _______
A. Are expensive
B. Degrade performance
C. Require senior management approval
D. Will work in the cloud environment as well as they worked in the traditional environment
B. Degrade performance
Explanation:
Security and productivity/operations are always trade offs
In all cloud models, the _______ will retain ultimate liability and responsibility for any data loss or disclosure
A. Vendor
B. Customer
C. State
D. Administrator
B. Customer
Explanation:
The customer currently always retains legal liability for data loss, even if the provider was negligent
The Reporting phase of forensic investigation usually involves presenting findings to ________
A. Senior management
B. Regulators
C. The court
D. Stakeholders
C. The court
Explanation:
The ultimate recipient of all forensic evidentiary collection and analysis - the entity getting the reports - will be the couirt, in order to make a final determination of its merits and insights
Under ISO 27034, every application within a given organization will have an attendant set of controls assigned to it; the controls for a given application are listed in the _______
A. ONF
B. ANF
C. TTF
D> FTP
B. ANF
Explanation:
Each application in an organization compliant with ISO 27034 will be assigned an ANF, which lists all the controls assigned to that application
The Privacy Shield program allows US companies to collect and process privacy information about EU citizens. The program is included in which law?
A. FISMA
B. GDPR
C. HIPAA
D. Sarbanes Oxley Act
B. GDPR
Explanation:
The GDPR copntains the provisions under which the Privacy Shield program was implemented.
Internal data center conditions that exceed the American Society of HVAC guidelines for humidity could lead to an increase of the potential for all of the following except _________
A. Biological intrusion
B. Electrical shorting
C. Corrosion/oxidation
D. Social engineering
D. Social engineering
Explanation:
Being damp does not make people susceptible to trickery
A special piece of numeric code that allows encryption hardware or software to encrypt and then decrypt a message is called an _________
A. HSM
B. Encryption key
C. Elliptical curve
D. Hash
B. Encryption key
Explanation:
An encryption key is the numeric string that allows fore encryption andf decryption to occur
Which of the following entities would not be covered by the PCI DSS?
A. A bank issuing credit cards
B. A retailer accepting credit cards as payment
C. A business that processes credit card payments on behalf of a retailer
D. A company that offers credit card repayment counseling
D. A company that offers credit card repayment counseling
Explanatione:
PCI DSS applies only those those entities thatrr want to engage in the business of taking or processing credit card payments, which would include options A, B and C.
Cloud administration almost necessarily violates the principles of the ___________ security model
A. Brewer Nash (Chinese Wall)
B. Graham Denning
C. Bell LaPadula
D. Biba
A. Brewer Nash (Chinese Wall)
Explanation:
Brewer Nash was specifically created for managed services arrangements, where an administrator for a given customer might also have access to a competitors data/environment; the model requires administrators not be assigned to competing customers
Countermeasures for protecting cloud operations against internal threats include all of the following except:
A. Broad contractual protections to ensure the provider is ensuring an extreme level of trust in its own personnel
B. Financial penalties for the cloud provider in the event of negligence or malice on the part of its own personnel
C. DLP Solutions
D. Scalability
D. Scalability
Explanation:
Scalability is a feature of cloud computing, allowing users to dictate an increase or decrease in services as needed, not a means to counter internal threats
According to OWASP recommendations, active software security testing should include all of the following except __________
A. Session initiation testing
B. Input validation testing
C. Testing for error handling
D. Testing for weak cryptography
A. Session initiation testing
Explanation:
While session management testing is included in the OWASP guide to active software security testing, session initiation is not. All of the other options are included in the OWASP guide to active security testing
Volume storage encryption in an IaaS arrangement will protect against data loss due to all of the following activities except _______
A. Physical loss or theft of a device
B. Disgruntled users
C. Malicious cloud admins accessing the data
D. Virtual machine snapshots stolen from storage
B. Disgruntled users
Explanation:
An authorized user will still be able to access and decrypt the data for which they have been granted permissions so encryption will not offer any protections for that threat
Which form of BCDR tresting has the least impact on operations?
A. Tabletop
B. Dry run
C. Full test
D. Structured test
A. Tabletop
Explanation:
The tabletopp testing involves only essential personnel and none of the production assets
