LearnZapp Practice 7 Flashcards

1
Q

The term RPO is best described by which of the following?

A. A term used in BC and DR describing an acceptable amount of data that might be lost due to an outage before severe consequences are experienced
B. A term used in BC and DR describing a point in time after which an outage has occurred, beyond which recovery becomes extremely difficult or impossible
C. A term used in BC and DR describing the minimum allowable amount of data that might be lost due to an outage before severe consequences are experienced
D. A term used in BC and DR describing the maximum allowable amount of value that might be lost due to an outage before consequences are experienced

A

A. A term used in BC and DR describing an acceptable amount of data that might be lost due to an outage before severe consequences are experienced

Explanation:

2
Q

Which of the following practices can enhance both operational capabilities and configuration management efforts?

A. Regular backups
B. Constant uptime
C. MFA
D. File hashes

A

D. File hashes

Explanation:
File hashes can serve as integrity checks for both configuration management and audit purposes

3
Q

This approach to public key cryptography uses much smaller keys than traditional cryptography to provide the same level of security

A. AES
B. SSL
C. Elliptical curve
D. MD5

A

C. Elliptical curve

Explanation:
ECC uses algebraic elliptic curves that result in much smaller keys that can provide the same level of safety as the much larger ones used in traditional key environments

4
Q

Which security principle dictates that encryption key management and storage should be isolated from the data encrypted with those keys?

A. Least privilege
B. Two person integrity
C. Compartmentalization
D. Separation of duties

A

D. Separation of duties

Explanation:
Separation of duties dictates that one person/entity cannot complete an entire transaction alone. In the case of encryption, a single entity should not be able to administer the issuing of keys, encrypt the data and store the keys, because this could lead to a situation where that entity has the ability to access or take encrypted data

5
Q

How often should cable management efforts take place?

A. Annually
B. Continually
C. Quarterly
D. Weekly

A

B. Continually

Explanation:
Cable management is an ongoing process

6
Q

Which of the following is not an example of a highly regulated environment?

A. Healthcare
B. Financial services
C. Wholesale or distribution
D. Public companies

A

C. Wholesale or distribution

Explanation:

7
Q

One of the security challenges of operating in the cloud is that additional controls must be placed on file storage systems because ____________

A. File stores are always kept in plain text in the cloud
B. There is no way to sanitize file storage space in the cloud
C. Virtualization necessarily prevents the use of application based security controls
D. Virtual machines are stored as snapshotted files when not in use

A

D. Virtual machines are stored as snapshotted files when not in use

Explanation:
VMs are snapshotted and simply stored as files when they are not being used

8
Q

What is a cloud storage architecture that manages the data in a hierarchy of files?

A. Object based storage
B. File based storage
C. Database
D. CDN

A

B. File based storage

Explanation:
Object based storage stores data as objects in a volume, with labels and metadata. Databases store data in fields, in a relational motif. A CDN stores data in caches of copied content near locations of high demand

9
Q

For US government agencies, what level of data sensitivity/classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria?

A. Sensitive but unclassified
B. Secret
C. Top Secret
D. Sensitive Compartmentalized Information (SCI)

A

A. Sensitive but unclassified

Explanation:
FIPS 140-2 is only used for SBU data

10
Q

Which of the following standards helps organizations to establish and maintain an ISMS?

A. ISO 27001
B. ISO 27009
C. ITIL
D. PCI

A

A. ISO 27001

Explanation:
ISO 27001 describes an information security management system as a set of interrelated elements that organizations use to manage and control information security risks to protect and preserve the confidentiality, integrity and availability of information

11
Q

Which of the following is probably the most important activity of those listed?

A. Regularly update the BCDR plan/process
B. Have contact information for all personnel in the organization
C. Have contact information for essential BC/DR personnel
D. Have contact info for local law enforcement

A

A. Regularly update the BCDR plan/process

Explanation:
All of these are important, but without regular updates the info will soon become outdated and a lot less useful

12
Q

Full isolation of user activity, processes and virtual network segments in a cloud environment is incredibly important because of risks due to:

A. DDoS
B. Unencrypted packets
C. Multitenancy
D. Insider threat

A

C. Multitenancy

Explanation:
The fact that many different customers will be utilizing the cloud environment concurrently means that isolating each is of the utmost importance in the cloud environment

13
Q

What is the aspect of the DMCA that has been abused and places the burden of proof on the accused?

A. Toil exemption
B. Decryption program prohibition
C. Takedown notice
D. Puppet platicity

A

C. Takedown notice

Explanation:
The DMCA provision for takedown notices allows copyright holders to demand removal of suspect content from the web, and puts the burden of proof on whoever posted the material; this function has been abused by griefers, trolls and overzealous content producers

14
Q

A typical DLP tool can enhance the organization's efforts at accomplishing what legal task?

A. Evidence collection
B. Delivering testimony
C. Criminal prosecution
D. Enforcement of intellectual property rights

A

A. Evidence collection

Explanation:
The data discovery facet of DLP solutions can aid an organization in gathering applicable evidence, especially in response to a legal request such as a subpoena

15
Q

Although cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual benefit the organization realizes in a cloud environment?

A. Altitude of the cloud data center
B. Security controls and countermeasures
C. Loss of ownership of IT assets
D. Costs of Internet connectivity for remote users

A

B. Security controls and countermeasures

Explanation:
Every security process, tool and behavior entails a related cost, both financially and operationally.

16
Q

In software defined networking, the northbound interface usually handles traffic between ________ and the _________

A. Cloud customer; ISO
B. SDN Controllers; SDN Applications
C. Cloud provider; ISP
D. Router; host

A

B. SDN Controllers; SDN Applications

Explanation:
The NBI handles traffic between the SDN controllers and the SDN applications

17
Q

In regard to most privacy guidance, the data processor is _________

A. The individual described by the privacy data
B. The entity that collects or creates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data

A

C. The entity that uses privacy data on behalf of the controller

Explanation:
Option C is the definition of the data processor

18
Q

Risk mitigation must also always entail which other method of addressing risk?

A. Risk acceptance
B. Risk avoidance
C. Risk transfer
D. Risk attenuation

A

A. Risk acceptance

Explanation:
Because risk can never be mitigated to zero, there will always be some residual risk after mitigation; the residual must be accepted

19
Q

Which of the following is not a way in which an entity located outside the EU can be allowed to gather and process privacy data belonging to EU citizens?

A. Be located in a country with nationwide law that complies with the EU laws
B. Appeal to the EU High Court for Permission
C. Create binding contractual language that complies with the EU laws
D. Join the Privacy Shield program in its own country

A

B. Appeal to the EU High Court for Permission

Explanation:
The General Data Protection Regulation prohibits entities within a country that has no nationwide privacy law

20
Q

Which of the following identifies vulnerabilities in applications, operating systems or network devices?

A. Vulnerability assessment
B. Nmap scan
C. Packet analysis
D. WAF

A

A. Vulnerability assessment

Explanation:
A vulnerability assessment or scan is designed to identify known vulnerabilities in applications, operating systems or network devices. An Nmap scan may discover vulnerabilities but is designed primarily as a network services discovery tool and is not generally used with applications

21
Q

Why might an organization choose to comply with NIST SP 800 series standards?

A. Price
B. Ease of implementation
C. International acceptance
D. Speed

A

A. Price

Explanation:
The NIST standards are not particularly easy or fast to implement and they are not widely recognized or mandated outside of the US government federal sector

22
Q

In order for communications from inside a VLAN to reach endpoints outside the VLAN:

A. The communications must go through a gateway
B. The traffic must be encrypted
C. A repeater must be used
D. The external endpoint must be in receive mode

A

A. The communications must go through a gateway

Explanation:
Gateway devices enforce the VLAN rules and can allow or deny outbound traffic

23
Q

Which of the following is a framework that allows a diverse group of individuals to communicate securely?

A. Digital certificates
B. PKI
C. SSL
D. ECC

A

B. PKI

Explanation:
Public key infrastructure is a framework of programs, procedures, communication protocols and public key cryptography that enables a diverse group of individuals to communicate securely

24
Q

Egress monitoring solutions usually include a function that ________

A. Arbitrates contract breaches
B. Performs personnel evaluation reviews
C. Discovers data assets according to classification/categorization
D. Applies another level of access control

A

C. Discovers data assets according to classification/categorization

Explanation:
Egress monitoring solutions will often include a discovery function which will locate data assets according to criteria defined by the organization

25
Q

A company is considering a cloud migration to a PaaS environment. Which of the following factors might make the company less likely to choose the cloud environment?

A. The company wants to reduce overhead costs
B. The company operates proprietary software
C. The company hopes to reduce energy costs related to operation of a data center
D. The company is seeking to enhance its BCDR capabilities

A

B. The company operates proprietary software

Explanation:
A customer using proprietary software in a PaaS environment faces the risk that updates to the underlying OS and/or hardware infrastructure will not be compatible with the customer's software and will affect productivity.

26
Q

According to the CSA’s Notorious Nine list, data breaches can be:

A. Overt or Covert
B. International or subterranean
C. From internal or external sources
D. Voluminous or specific

A

C. From internal or external sources

Explanation:
The CSA points out that data breaches come from a variety of sources, including both internal personnel and external actors. Although breaches might be overt or covert, or large or small

27
Q

You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost 24 million, could be completely destroyed by a fire, and that a fire suppression system could effectively protect the plant. The fire suppression system costs 15 million. An insurance policy that would cover the full replacement cost of the plant costs 1 million per month. What is the annual rate of occurrence?

A. 12
B. 24 million
C. 1
D. 10 million

A

C. 1

Explanation:
Absent any other information about a total physical loss, we can consider the rate of occurrence as 1; we would not expect the plant

28
Q

You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a:

A. Functional requirement
B. Nonfunctional requirement
C. Regulatory issue
D. Third party function

A

B. Nonfunctional requirement

Explanation:
It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering; you are delivering entertainment, which is the primary goal; security is therefore a nonfunctional requirement

29
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the participants in the collective using a third party certification model, who would be the federated service providers in that structure?

A. The third party
B. A CASB
C. The various members of the collective
D. The cloud provider

A

C. The various members of the collective

Explanation:
In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers. In a third party cert model, the third party is known as the identity provider

30
Q

Which of the following reports is no longer used?

A. SAS 70
B. SSAE 16
C. SOC 1
D. SOC 3

A

A. SAS 70

Explanation:
The SAS 70 was a report used in the past primarily for financial reporting and was oftentimes misused in the service provider context. The SSAE 16 standard and subsequent SOC reports are its successor

31
Q

Maintenance mode requires all of the following actions except:

A. Remove all active production instances
B. Initiate enhanced security controls
C. Prevent new logins
D. Ensure logging continues

A

B. Initiate enhanced security controls

Explanation:
While the other answers are all steps in moving from normal operations to maintenance mode, we do not necessarily initiate any enhanced security controls

32
Q

Cloud customers performing data discovery efforts will have to ensure that the cloud provider attends to all of the following requirements except:

A. Allowing sufficient access to large volumes of data
B. Preserving metadata tags
C. Assigning Labels
D. Preserving and maintaining the data

A

C. Assigning Labels

Explanation:
Label assignment is a task of the data owner, the cloud customer, not the provider. All of the other answers are requirements for the cloud provider to meet the data discovery needs of the customer and should be negotiated before migration

33
Q

The Agile Manifesto for software development focuses largely on:

A. Secure build
B. Thorough documentation
C. Working prototypes
D. Proper planning

A

C. Working prototypes

Explanation:
The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs.

34
Q

ISO 27001 favors which type of technology?

A. Open Source
B. PC
C. Cloud based
D. None

A

D. None

Explanation:
The ISO 27001 standard is designed to be product agnostic

35
Q

CSA CCM addresses all the following security architecture elements except:

A. Physical security
B. IaaS
C. Application Security
D. Business Drivers

A

D. Business Drivers

Explanation:
The CSA CCM does not deal with whether security controls are feasible or correct from a business perspective, only whether they are applicable to an organization under certain regulations.

36
Q

Which of the following represents the Security and Privacy Controls for US Federal Information Systems and Organizations?

A. NIST 800-146
B. NIST 800-14
C. NIST 800-52 r4
D. NIST 800-123

A

C. NIST 800-52 r4

Explanation:
NIST 800-53 r4 describes ways to ensure the proper application of appropriate security requirements and security controls to all US federal government information and information management. The others are legitimate NIST documents with different purposes

37
Q

Privileged user account access should be:

A. Temporary
B. Pervasive
C. Thorough
D. Granular

A

A. Temporary

Explanation:
Privileged users should have privileged access to specific systems/data only for the duration necessary to perform their administrative function; any longer incurs more risk than value

38
Q

The OWASP Top Ten list often includes insecure direct object references. Which of these is a method to counter the risks of insecure direct object references?

A. Perform user security training
B. Check access each time a direct object reference is called by an untrusted source
C. Install high luminosity interior lighting throughout the facility
D. Append each object with sufficient metadata to properly categorize and classify based on

A

B. Check access each time a direct object reference is called by an untrusted source

Explanation:
Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object

39
Q

Which of the following is a messaging protocol that uses specifications designed for exchanging structured information in web services and operates independently of the client?

A. Java
B. REST
C. DAST
D. SOAP

A

D. SOAP

Explanation:
SOAP is a messaging specification designed for exchanging structured information in web services and operates independently of the client OS

40
Q

Which of the following characteristics is associated with DRM?

A. Mapping to existing access control lists
B. Delineating biometric catalogs
C. Preventing MFA
D. Prohibiting unauthorized transposition

A

A. Mapping to existing access control lists

Explanation:
Mapping to existing ACLs is the trait that allows DRM tools to provide additional access control protections for the organization's assets

41
Q

Which entity can best aid the organization in avoiding vendor lock in?

A. Senior management
B. The IT Security Office
C. General Counsel
D. The cloud security representative

A

C. General Counsel

Explanation:
The best method for avoiding vendor lock in is to have strong contract language favorable to the customer; the entity best equipped to craft contracts is the office of the general counsel

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Why is it important to force all instantiated virtual machines to check current configuration records?

A. Snapshotted images don't take patches
B. Configurations are constantly changing
C. Documentation is difficult in the cloud
D. Users are always changing configurations

A

A. Snapshotted images don't take patches

Explanation:
VMs are saved as files when not in use; patches can't be applied to these files, so any VM taken out of storage and put into production needs to be checked against configuration versions to determine if there were patches applied to the environment while it was stored

43
Q

In the testing phase of the SDLC, software performance and ______________ should be reviewed

A. Quality
B. Brevity
C. Requirements
D. Security

A

D. Security

Explanation:
Performance and security both need to be reviewed for adequacy

44
Q

You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. In order to get truly holistic coverage of your environment, you should be sure to include __________ as a step in the deployment process

A. Getting signed user agreement from all users
B. Installation of the solution on all assets in the cloud data center
C. Adoption of the tool in all routers between your users and the cloud provider
D. Ensuring that all your customers install the tool

A

A. Getting signed user agreement from all users

Explanation:
This is a dumb fucking question.

45
Q

Event monitoring tools such as a SIEM, can aid in which of the following efforts?

A. Detecting ambient heating, ventilation and air conditioning problems
B. Ensuring proper cloud migration
C. Deciding risk parameters
D. Protecting all physical entry points against the threat of fire

A

A. Detecting ambient heating, ventilation and air conditioning problems

Explanation:
Event monitoring tools can detect repeated performance issues, which can be indicative of improper temperature settings in the DC

46
Q

Which of the following is a file server that provides data access to multiple, heterogeneous machines and users on the network?

A. Storage area network
B. Network attached storage
C. Hardware security module
D. Content Delivery Network

A

B. Network attached storage

Explanation:
This is the description of a NAS device. A SAN typically presents storage devices to users as attached/mounted drives

47
Q

Representational state transfer (REST) application programming interfaces (APIs) use _________ protocol verbs.

A. Hypertext Markup Language (HTML)
B. Hypertext Transfer Protocol (HTTP)
C. Extensible Markup Language (XML)
D. American Standard Code for Information Interchange (ASCII)

A

B. Hypertext Transfer Protocol (HTTP)

Explanation:

48
Q

You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. Which of these activities should you perform before deploying the tool?

A. Survey your company’s department about the data under their control
B. Reconstruct your firewalls
C. Harden all your routers
D. Adjust the hypervisors

A

A. Survey your company’s department about the data under their control

Explanation:
In order to train the egress monitoring solution properly, you will need to inform it as to which data in your organization is sensitive, and in order to do that, you will need to determine what information your data owners deem sensitive

49
Q

What is the hypervisor malicious attackers would prefer to attack?

A. Type 1
B. Type 2
C. Type 3
D. Type 4

A

B. Type 2

Explanation:
Attackers prefer Type 2 hypervisors because the OS offers more attack surface and potential vulnerabilities.

50
Q

Typically, representational state transfer (REST) interactions do not require ________

A. Credentials
B. Sessions
C. Servers
D. Clients

A

B. Sessions

Explanation:
Generally a REST interaction involves the client asking the server (through an API) for data, sometimes as the result of processing; the server processes the request and returns the result. In REST, an enduring session, where the server has to store some temporary data about the client, is not necessary. These interactions obviously involve servers and clients

51
Q

What can tokenization be used for?

A. Encryption
B. Compliance with the Payment Card Industry Data Security Standard (PCI DSS)
C. Enhancing the user experience
D. Giving management oversight to ecommerce functions

A

B. Compliance with the Payment Card Industry Data Security Standard (PCI DSS)

Explanation:
Aside from encryption, PCI DSS allows for tokenization as a means to protect account and cardholder data at rest. Tokenization is not encryption; there is no encryption engine and no key involved in the process

52
Q

Which of the following is not appropriate to include in a service level agreement?

A. The number of user accounts allowed during a specified period
B. Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status
C. The amount of data allowed to be transmitted and received between the cloud provider and the customer
D. The time allowed to migrate from normal operations to contingency operations

A

B. Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status

Explanation:
Roles and responsibilities should be included in the contract, not the SLA.

53
Q

Which of the following is the best and only completely secure method of data destruction?

A. Degaussing
B. Crypto shredding
C. Physical destruction of resources that store the data
D. Legal order issued by the prevailing jurisdiction where the data is geographically situated

A

C. Physical destruction of resources that store the data

Explanation:
Destroying the drive, disk and media where the data reside is the only true, complete method of data destruction

54
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of ____________

A. Static testing
B. Dynamic testing
C. Code review
D. Open source review

A

B. Dynamic testing

Explanation:
Testing the product in a runtime context is dynamic testing

55
Q

According to OWASP recommendations, active software security testing should include all of the following except:

A. Authentication testing
B. Authorization Testing
C. Session management testing
D. Privacy review testing

A

D. Privacy review testing

Explanation:
Privacy review testing is not included in the OWASP guide to active security testing, although it might be included as an aspect of compliance testing

56
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create an SSO experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources.
If you are in the US, one of the standards you should adhere to is:

A. NIST 800-53
B. PCI
C. ISO 27014
D. ENISA

A

A. NIST 800-53

Explanation:
NIST 800-53 pertains to US federal information systems, guiding the selection of controls according to the Risk Management Framework.

57
Q

Data transformation in a cloud environment should be of great concern to organizations considering migration because __________ could affect data classification processes and implementations

A. Multitenancy
B. Virtualization
C. Remote access
D. Physical distance

A

B. Virtualization

Explanation:
Data transforming from raw objects to virtualized instances, to snapshotted images, back into virtual instances and then back out to users in the form of raw data may affect the organization's current classification methodology; classification techniques and tools that were suitable for the traditional IT environment might not withstand the cloud environment

58
Q

Whether in a cloud or traditional environment, it is important to implement both _________ and ____________ access controls

A. Internal and managed
B. Provider and customer
C. Physical and logical
D. Administrative and technical

A

C. Physical and logical

Explanation:
Both physical and logical controls are possible to implement in both environments

59
Q

An audit scoping statement might include constraints on all of the following aspects of an environment except:

A. Time spent in the production
B. Business areas and topics to be reviewed
C. Automated audit tools allowed in the environment
D. Not reviewing illicit activities that may be discovered

A

D. Not reviewing illicit activities that may be discovered

Explanation:
While the auditor is not a law enforcement entity, they will likely have an ethical, if not legal, requirement to report illicit activities discovered during the audit

60
Q

TLS provides ______________ and __________ for communications

A. Privacy, security
B. Security, optimization
C. Privacy, integrity
D. Enhancement, privacy

A

C. Privacy, integrity

Explanation:
TLS maintains the confidentiality and integrity of communications; often between a web browser and a service

61
Q

Who should be performing log review?

A. Only certified, trained log review professionals with a great deal of experience with the logging tool
B. The internal audit body
C. External audit providers
D. Someone with knowledge of the operation and a security background

A

D. Someone with knowledge of the operation and a security background

Explanation:
It is important for the log review to be performed by someone who understands the normal operations of the organization so that they can discern between regular activity and anomalous behavior

62
Q

A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to review each other, for compliance with security governance and standards they all find acceptable, what is this federation model called?

A. Cross certification
B. Proxy
C. Single Sign On
D. Regulated

A

A. Cross certification

Explanation:
The cross certification federation model is also known as a web of trust

63
Q

Egress monitoring solutions usually include a function that __________

A. Arbitrates contract breaches
B. Performs personnel evaluation reviews
C. Discovers data assets according to classification/categorization
D. Applies another level of access control

A

C. Discovers data assets according to classification/categorization

Explanation:
Egress monitoring solutions will often include a discovery function, which will locate data assets according to criteria defined by the organization

64
Q

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is:

A. Legal liability can't be transferred to the cloud provider
B. Many states have data breach notification laws
C. Breaches can cause the loss of proprietary data
D. Breaches can cause the loss of intellectual property

A

A. Legal liability can't be transferred to the cloud provider

Explanation:
State notification laws and the loss of proprietary data/intellectual property predate the cloud; only the inability to transfer legal liability to the provider is new

65
Q

Methods for achieving a high availability cloud environment include all of the following except:

A. Extreme redundancy
B. Multiple system vendors for the same service
C. Explicitly documented BCDR functions in the SLA or contract
D. Failover capability back to the customer's on premises environment

A

D. Failover capability back to the customer's on premises environment

Explanation:
In many cases, the customer will no longer have an on premises environment after a cloud migration. All the other options are methods cloud providers use to achieve high availability environments

66
Q

Which of the following is a US audit standard often used to evaluate cloud providers?

A. ISO 27001
B. SOX
C. SSAE 18
D. IEC 43770

A

C. SSAE 18

Explanation:
The Statement on Standards for Attestation Engagements (SSAE) 18 is the AICPA (American Institute of Certified Public Accountants) attestation standard under which SOC 1, SOC 2 and SOC 3 reports on service organizations, including cloud providers, are issued
ISO 27001 is an international standard; SOX is US legislation, not an audit standard

67
Q

You are the security manager for an organization that uses the cloud for its production environment. According to your contract with the cloud provider, your organization is responsible for patching. A new patch is issued by one of your vendors. You decide not to apply it immediately for fear of interoperability problems. Who may impose penalties on your organization for this decision if the vulnerability is exploited?

A. The cloud provider
B. Regulators
C. Your end clients
D. Your internet service provider (ISP)

A

B. Regulators

Explanation:
If your organization doesn't apply a patch for a known vulnerability, regulators may claim the organization was not performing adequate due diligence and penalize it accordingly

68
Q

Which of the following techniques for ensuring cloud data center storage resiliency uses parity bits and disk striping?

A. Cloud bursting
B. RAID
C. Data dispersion
D. SAN

A

B. RAID

Explanation:
Parity bits and disk striping are characteristic of RAID implementations (specifically the parity levels, RAID 5 and RAID 6; RAID 0 stripes without parity and RAID 1 mirrors). Cloud bursting is a feature of scalable cloud hosting. Data dispersion (bit splitting) also uses parity or erasure coding, but not disk striping; it spreads encrypted data chunks across multiple storage locations. A SAN is a storage networking technique, not one focused on resiliency
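The following toy RAID 5 style layout is an added example and not part of the flashcard deck; it shows concretely why "parity bits plus disk striping" buys resiliency, and where that resiliency stops. Stripe unit size, disk count and function names are demo assumptions. Data units are striped across all but one disk in each row, the remaining unit is the XOR parity of the row, and the parity position rotates from row to row as RAID 5 does. Losing any single disk, data or parity, is recoverable by XORing the survivors; losing two is not, which is why RAID 6 adds a second, independent parity.

```python
# Added example (not from the flashcard deck): a toy RAID 5 style layout
# showing why "parity bits plus disk striping" gives storage resiliency.
# Stripe unit size and disk count are arbitrary choices for the demo.
from typing import List, Optional

STRIPE_UNIT = 4  # bytes per stripe unit per disk (demo assumption)


def xor_units(units: List[bytes]) -> bytes:
    """XOR equal-length byte strings together; this is the parity operation."""
    out = bytearray(len(units[0]))
    for unit in units:
        for i, byte in enumerate(unit):
            out[i] ^= byte
    return bytes(out)


def stripe_with_parity(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Lay data out as disks[disk][row].

    Each row holds n_disks - 1 data units plus one XOR parity unit, and the
    parity unit rotates across disks from row to row (distributed parity,
    as RAID 5 does). Data is zero-padded to fill the last row.
    """
    if n_disks < 3:
        raise ValueError("single parity needs at least 3 disks")
    data_per_row = STRIPE_UNIT * (n_disks - 1)
    padded = data + b"\0" * (-len(data) % data_per_row)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for row, off in enumerate(range(0, len(padded), data_per_row)):
        units = [padded[off + i * STRIPE_UNIT: off + (i + 1) * STRIPE_UNIT]
                 for i in range(n_disks - 1)]
        parity = xor_units(units)
        parity_disk = row % n_disks
        data_iter = iter(units)
        for disk in range(n_disks):
            disks[disk].append(parity if disk == parity_disk else next(data_iter))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every unit of the failed disk from the survivors.

    In each row the XOR of all units is zero, so the missing unit (data or
    parity alike) is the XOR of the remaining ones. One failure is the
    limit: with two disks gone there are two unknowns per row and one equation.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("single parity cannot recover more than one failed disk")
    rows = len(survivors[0])
    return [xor_units([d[row] for d in survivors]) for row in range(rows)]


def read_back(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the original bytes, skipping each row's parity unit."""
    n_disks = len(disks)
    out = bytearray()
    for row in range(len(disks[0])):
        parity_disk = row % n_disks
        for disk in range(n_disks):
            if disk != parity_disk:
                out += disks[disk][row]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"cloud data center storage resiliency"   # constructed sample input
    array = stripe_with_parity(payload, n_disks=4)
    lost = array[1]                                      # simulate disk 1 failing
    degraded = [None if i == 1 else d for i, d in enumerate(array)]
    rebuilt = rebuild_disk(degraded, failed=1)
    print("rebuild matches lost disk:", rebuilt == lost)
    array[1] = rebuilt
    print("data intact:", read_back(array, len(payload)) == payload)
```

Note what this does not give you: parity protects against a disk failing, not against a bad write, ransomware or an accidental delete, all of which are faithfully striped and parity-protected too. That is why RAID is a resiliency control and not a backup, and why the RPO questions elsewhere in this deck are answered by replication and backup strategy rather than by the RAID level.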

69
Q

Best practice for planning the physical resiliency for a cloud data center facility includes:

A. Having one point of egress for personnel
B. Ensuring that any cabling/connectivity enters the facility from different sides of the building/property
C. Ensuring that all parking areas are near generators so that personnel in high traffic areas are always illuminated by emergency lighting, even when utility power is not available
D. Ensuring that the foundation of the facility is rated to withstand earthquake tremors

A

B. Ensuring that any cabling/connectivity enters the facility from different sides of the building/property

Explanation:
To avoid a situation where severing a given physical connection also severs its backup (for example, during construction or landscaping work), have the redundant lines enter on different sides of the building

70
Q

Which Common Criteria EAL is granted to those products that are functionally tested by their manufacturer/vendor?

A. 1
B. 3
C. 5
D. 7

A

A. 1

Explanation:
EAL 1 is for functionally tested products, the lowest of the seven Common Criteria assurance levels (EAL 2 structurally tested, EAL 3 methodically tested and checked, EAL 4 methodically designed, tested and reviewed, EAL 5 semiformally designed and tested, EAL 6 semiformally verified design and tested, EAL 7 formally verified design and tested)
Option B is incorrect because EAL 3 is for solutions that have been methodically tested and checked

71
Q

Which of the following activities can enhance the usefulness and abilities of a data loss prevention or data leak protection solution?

A. Perform emergency egress training for all personnel
B. Require data owners, stewards and custodians to properly classify and label data at time of creation or collection
C. Require senior management to participate in all security functions, including initial, recurring, and refresher training
D. Display security guidance in a variety of formats, including a web page, banner, posted and hard copy material

A

B. Require data owners, stewards and custodians to properly classify and label data at time of creation or collection

Explanation:
DLP tools function better when appropriate and accurate classification and labeling is applied throughout the environment on a consistent basis; the tool can only enforce policy on data it can recognize

72
Q

The CSA's Trusted Cloud Initiative (TCI) defines principles of cloud computing that providers should strive for in order to foster a clear understanding of the cloud marketplace and to enhance that market. Which of the following is not one of the CSA's TCI fundamental principles?

A. Delegate or federate access control when appropriate
B. Ensure the [trusted cloud] architecture is resilient, elastic and flexible
C. Ensure the [trust cloud] architecture addresses and supports multiple levels of protection
D. Provide economical services to all customers, regardless of point of origin

A

D. Provide economical services to all customers, regardless of point of origin

Explanation:
The TCI does not specifically require cost effectiveness of cloud services

73
Q

PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. The different merchant tier requirements will dictate:

A. Different types of audits each must conduct
B. Different amounts of audits each must conduct
C. Different controls sets based on tier level
D. Different cost of controls based on tier level

A

B. Different amounts of audits each must conduct

Explanation:
Merchant levels (set by annual transaction volume) determine how much audit activity is required in a given time frame: the highest level must undergo an annual on-site assessment by a Qualified Security Assessor, while lower levels validate with a self-assessment questionnaire. The control requirements themselves are the same for all levels.

74
Q

An audit scoping statement might include all of the following constraints except:

A. Limitation of destructive techniques
B. Prohibition of all personnel interviews
C. Prohibition on access to the production environment
D. Mandate of particular time zone review

A

C. Prohibition on access to the production environment

Explanation:
Auditors may find it necessary to speak to particular individuals in order to locate artifacts and understand the environment. Although there may be some limitation on particular points of contact and the nature of interviews, there cannot be a total prohibition

75
Q

When considering cloud data replication strategies (i.e., whether you are making backups at the block, file or database level), which element of your organization's BCDR plan will be most affected by your choice?

A. Recovery time objective
B. Recovery Point Objective
C. Maximum allowable downtime
D. Mean time to failure

A

B. Recovery Point Objective

Explanation:
The recovery point objective (RPO) is the maximum amount of data, measured in time, that can be lost in an outage without irreparably damaging the organization; how often and at what granularity you replicate (block, file or database) directly determines the RPO you can meet.

76
Q

What is the international standard that dictates creation of an organizational information security management system (ISMS)?

A. NIST SP 800-53
B. PCI DSS
C. ISO 27001
D. NIST SP 800-37

A

C. ISO 27001

Explanation:
ISO 27001 mandates an ISMS: organizations can be certified according to compliance with 27001.
NIST SP 800-53 is the list of security controls approved for use by US government agencies and a means to map them to the Risk Management Framework

77
Q

What is the primary characteristic of volume storage?

A. They are volumes attached to virtual storage and act or behave just like a physical drive or array
B. They are drives attached to physical storage and act or behave just like a physical drive or array
C. They are volumes attached to physical storage and act or behave just like a physical drive or array
D. They are drives attached to virtual storage and act or behave just like a physical drive or array

A

A. They are volumes attached to virtual storage and act or behave just like a physical drive or array

Explanation:
Volume storage consists of volumes that are attached to virtual storage and act or behave just like a physical drive or array

78
Q

In which phase of the cloud secure data life cycle does data leave the production environment and go into long term storage?

A. Store
B. Use
C. Share
D. Archive

A

D. Archive

Explanation:
This action defines the archive phase.

79
Q

An audit against the _______ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements

A. Statement on Auditing Standards (SAS) 79 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. ISO 27002 certification criteria
D. NIST Special Publication (SP) 800-53

A

C. ISO 27002 certification criteria

Explanation:
ISO 27002 contains the sets of controls (with implementation guidance) an organization uses to build the security program that its ISO 27001 ISMS requires; the certificate itself is issued against 27001

80
Q

What aspect of data center planning occurs first?

A. Logical design
B. Physical design
C. Audit
D. Policy revision

A

A. Logical design

Explanation:
The logical design should come before the physical design; function dictates form. Audit and revision come after creation

81
Q

Which common security tool can aid in the overall BCDR process?

A. Honeypots
B. DLP
C. SIEM
D. Firewalls

A

B. DLP

Explanation:
DLP solutions typically have the capability to aid in asset validation and location, both important facets of the BCDR process. All the other options are common security tools but do not serve BCDR efforts

82
Q

In container virtualization, unlike standard virtualization, which is not included?

A. Hardware emulation
B. OS Replication
C. A single kernel
D. The possibility for multiple kernels

A

A. Hardware emulation

Explanation:
In containerization, the underlying hardware is not emulated; the containers run on the same underlying kernel, sharing the majority of the base OS. The security consequence is that a kernel vulnerability or a container escape affects every container on that host, whereas a hypervisor gives each VM its own kernel

83
Q

Which term refers to a systems ability to cordon off or protect certain aspects of the compute environment such as processing memory and other resources needed in the compute transaction?

A. Virtualization
B. Emulation
C. ASLR
D. Sandboxing

A

D. Sandboxing

Explanation:
Sandboxing is often used for testing applications in development or carving out resources that cannot then touch other parts of the same system

84
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. The back end of the software will have the data structured in a way to optimize XML requests. Which API programming style should programmers most likely concentrate on for the front end of the interface?

A. Simple Object Access Protocol (SOAP)
B. Representational State Transfer (REST)
C. Security Assertion Markup Language (SAML)
D. DLP

A

A. Simple Object Access Protocol (SOAP)

Explanation:
SOAP is a web service messaging protocol that requires the use of XML envelopes.
REST relies on URIs and HTTP verbs and is format-agnostic (JSON is most common) rather than tied to XML; option B is incorrect
SAML is a protocol for passing identity assertions over the Internet, not an API style; option C is incorrect

85
Q

Egress monitoring solutions usually include a function that:

A. Uses biometric to scan users
B. Inspects incoming packets
C. Resides on client machines
D. Uses stateful inspection

A

C. Resides on client machines

Explanation:
Egress monitoring solutions will often include an agent that resides on client devices in order to inspect data being shared/sent by end users. DLP tools do not inspect incoming packets, with or without stateful inspection

86
Q

Dynamic software security testing typically uses ___________ as a measure of how thorough the testing was.

A. User coverage
B. Code coverage
C. Path coverage
D. Total coverage

A

C. Path coverage

Explanation:
In dynamic software testing, the objective is to exercise a significant sample of the possible logical paths from data input to output; path coverage measures the fraction of those paths the tests actually exercised

87
Q

Why is Simple Object Access Protocol (SOAP) used for accessing web services instead of the Distributed Component Object Model (DCOM) and the Common Object Request Broker Architecture (CORBA)?

A. SOAP provides a much more lightweight solution
B. SOAP replaces binary messaging with XML
C. SOAP is much more secure
D. SOAP is newer

A

B. SOAP replaces binary messaging with XML

Explanation:
XML works better over the Internet than the binary messaging of older technologies. SOAP is not particularly lightweight; in fact it is cumbersome

88
Q

The cloud computing characteristic of elasticity promotes which aspect of the CIA triad?

A. Confidentiality
B. Integrity
C. Availability
D. None

A

D. None

Explanation:
Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but the exam treats it as a resource-management characteristic rather than a security control. In practice, rapid elasticity does help absorb demand spikes and some volumetric attacks, so it indirectly supports availability, but that is not the tested answer.

89
Q

Which of the following would probably best aid an organization in deciding whether to migrate from a traditional environment to a particular cloud provider?

A. Rate sheets comparing a cloud provider to other cloud providers
B. Cloud provider offers to provide engineering assistance during the migration
C. The cost/benefit measure of closing the organization's relocation site (hot site/warm site) and using the cloud for DR instead
D. SLA satisfaction surveys from other (current and past) cloud customers

A

D. SLA satisfaction surveys from other (current and past) cloud customers

Explanation:
Of the listed options, knowing how other customers feel about a provider may be the most realistic depiction of whether an organization realized its projected/anticipated benefits after a migration

90
Q

Which of the following is the best advantage of external audits?

A. Independence
B. Oversight
C. Cheaper
D. Better results

A

A. Independence

Explanation:
The primary advantage of external audits based on the choices given would be that of independence. External audits are typically more independent and therefore lead to more effective results

91
Q

Which of the following database encryption techniques can be used to encrypt specific tables within the database?

A. File level encryption
B. Transparent encryption
C. Application level encryption
D. Object level encryption

A

B. Transparent encryption

Explanation:
Encrypting specific tables (or tablespaces and columns) is one of the options of transparent encryption, which is performed inside the database engine; file-level encryption covers whole database files, and application-level encryption is performed by the application before data reaches the database

92
Q

According to the CSA, what aspect of managed cloud services makes the threat of abuse of cloud services so alarming from a management perspective?

A. Scalability
B. Multitenancy
C. Resiliency
D. Broadband connections

A

A. Scalability

Explanation:
Because users in cloud customer orgs often do not pay directly for cloud services (and are often not even aware of the cost of use), scalability can be a significant management concern

93
Q

Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment?

A. GPS tracking/locator
B. Automated vulnerability scan on system startup
C. ACL of authorized personnel
D. Write protection

A

B. Automated vulnerability scan on system startup

Explanation:
Because a saved or powered-off VM image does not receive patches while dormant, and new updates may have been published in the meantime, an automated scan at startup confirms the instance is patched before it is placed into service

94
Q

What distinguishes the Federal Information Processing Standard (FIPS) 140-2 security levels for cryptographic modules?

A. The level of sensitivity of data they can be used to protect
B. The amount of physical protection provided by the product, in terms of tamper resistance
C. The size of the IT environment the product can be used to protect
D. The geographic location in which the product is allowed

A

B. The amount of physical protection provided by the product, in terms of tamper resistance

Explanation:
The security levels describe increasing physical protection of the cryptographic module. Level 1 requires only an approved algorithm implementation and production-grade components, with no specific physical protection; Level 2 adds tamper evidence (seals or coatings) and role-based authentication; Level 3 adds tamper detection and response for covers and doors, identity-based authentication, and zeroization of critical security parameters on tamper; Level 4 requires a complete envelope of tamper detection and response, including protection against environmental (voltage and temperature) attacks. Note that FIPS 140-3 has superseded FIPS 140-2 for new validations; existing 140-2 certificates remain active only until September 2026

95
Q

Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on premises environment into the cloud. What is probably the biggest factor in her decision?

A. Network scalability
B. Off site backup capability
C. Global Accessibility
D. Reduced overall costs due to outsourcing administration

A

D. Reduced overall costs due to outsourcing administration

Explanation:
While all of these are traits of cloud computing and will likely benefit Alice's company, from her position as senior manager of the organization she is likely to consider the financial benefit first and foremost

96
Q

Data owners might consider using tokenization for all of the following reasons except:

A. Regulatory or contractual compliance
B. Inference
C. Reduced cost of compliance
D. Mitigating risk from data lost to intrusion

A

B. Inference

Explanation:
Inference is an attack strategy (deducing protected data from other available data), not a reason for implementing tokenization. The other three are the usual motivations: replacing sensitive values with tokens takes the systems that hold only tokens out of regulatory scope, which lowers compliance cost, and a token has no mathematical relationship to the original value, so data stolen from those systems is worthless to an intruder
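A minimal vault-based tokenization service, added here as an example and not taken from the flashcard deck or any vendor product, makes the three legitimate reasons above concrete. The class name, the format-preserving token layout and the decision to require tokens to fail the Luhn check are design assumptions for the demo. The card number used is the well-known "4111 1111 1111 1111" test number, not live data.

```python
# Added example (not from the flashcard deck): a minimal vault-based
# tokenization service of the kind a data owner would use to keep card
# numbers out of application databases. Names and the Luhn-failing token
# format are design assumptions for the demo, not a specific product's API.
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps a PAN to a random token and back.

    The token is generated with a CSPRNG, so it has no mathematical
    relationship to the PAN: an attacker who dumps the application database
    learns nothing about the card numbers (the risk-reduction reason for
    tokenizing), and systems that only hold tokens drop out of PCI DSS
    scope (the compliance-cost reason). Only the vault holds the mapping.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input does not look like a valid PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing  # same PAN -> same token, so downstream joins still work
        while True:
            # Format preserving: keep length and last four digits for display,
            # randomize the rest. Deliberately require the token to FAIL Luhn so
            # it can never be mistaken for (or replayed as) a real card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to its PAN; only the vault can do this, so in a
        real deployment this call sits behind strict authentication and logging."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # well-known test card number, not a live PAN
    tok = vault.tokenize(test_pan)
    print("token:", tok, "| luhn valid:", luhn_valid(tok))
    print("round trip ok:", vault.detokenize(tok) == test_pan)
```

The security of the scheme rests entirely on the vault, which is why it must be isolated from the systems that consume tokens and why the key management question (card 4 at the top of this deck) applies to the vault's own storage just as it would to an encryption key.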

97
Q

What was the first international privacy standard specifically for cloud providers?

A. NIST SP 800-37
B. Personal Information Protection and Electronic Document Act
C. Payment Card Industry
D. ISO 27018

A

D. ISO 27018

Explanation:
ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors; it describes privacy requirements for cloud providers, including an internal audit mandate.

98
Q

In order to ensure proper ____________ in a secure cloud environment, consider the use of Domain Name System Security Extensions (DNSSEC), IPSec, and TLS

A. Isolation
B. Motif
C. Multitenancy
D. Signal Modulation

A

A. Isolation

Explanation:
Isolation in the cloud is imperative, largely because of multitenancy. DNSSEC protects the integrity of name resolution, while IPsec and TLS protect the confidentiality and integrity of traffic, so one tenant's traffic cannot be read or redirected by another

99
Q

Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that may not have been as important in the traditional environment?

A. IAM Capability
B. Distributed Denial of Service Resistance
C. Encryption for data at rest and in motion
D. Field validation

A

C. Encryption for data at rest and in motion

Explanation:
Traditional apps won't usually require encryption in all phases of the data life cycle, because in the traditional environment the data is protected at several stages by perimeter and physical controls without the need for additional application-level controls.
In the cloud environment, data exposed at any point in the life cycle might constitute an inadvertent disclosure (to the provider, to other tenants, or in transit over shared networks), so cloud apps require encryption for data at rest and in motion

100
Q

Who pays for cryptographic modules to be certified in accordance with FIPS 140-2 criteria?

A. The US government
B. Module Vendors
C. Certification labs
D. Module users

A

B. Module Vendors

Explanation:
Vendors who want their products validated under FIPS 140-2 must pay an accredited Cryptographic and Security Testing (CST) laboratory to perform the evaluation; NIST's Cryptographic Module Validation Program (CMVP) then issues the certificate based on the lab's report

101
Q

What is the primary incident response goal?

A. Remediating the incident
B. Reverting to the last known good state
C. Determining the scope of possible loss
D. Outcomes dictated by business requirements

A

D. Outcomes dictated by business requirements

Explanation:

102
Q

The term cloud carrier most often refers to:

A. The cloud provider
B. The cloud customer
C. An ISP
D. A cloud manager

A

C. An ISP

Explanation:
Cloud carrier is the NIST Cloud Computing Reference Architecture (SP 500-292) term for the intermediary that delivers connectivity between the cloud customer and the provider; this is typically an ISP

103
Q
A