LearnZapp Practice 7

Question 1

The term RPO is best described by which of the following?

A. A term used in BC and DR describing an acceptable amount of data that might be lost due to an outage before severe consequences are experienced
B. A term used in BC and DR describing a point in time after which an outage has occurred, beyond which recovery becomes extremely difficult or impossible
C. A term used in BC and DR describing the minimum allowable amount of data that might be lost due to an outage before severe consequences are experienced
D. A term used in BC and DR describing the maximum allowable amount of value that might be lost due to an outage before consequences are experienced

Answer 1

A. A term used in BC and DR describing an acceptable amount of data that might be lost due to an outage before severe consequences are experienced

Explanation:

Question 2

Which of the following practices can enhance both operational capabilities and configuration management efforts?

A. Regular backups
B. Constant uptime
C. MFA
D. File hashes

Answer 2

D. File hashes

Explanation:
File hashes can serve as integrity checks for both configuration management and audit purposees

Question 3

This approach to public key cryptography uses much smaller keys than traditional cryptography to provide the same level of security

A. AES
B. SSL
C. Elliptical curve
D. MD5

Answer 3

C. Elliptical curve

Explanation:
ECC uses algebraic elliptical curves that resulpt in much smaller keys that can provide the same level of safety as much large ones used in traditional key environments

Question 4

Which security principle dictates that encryption key management and storage should be isolated from the data encrypted with those keys?

A. Least privilege
B. Two person integrity
C. Compartmentalization
D. Separation of duties

Answer 4

D. Separation of duties

Explanation:
Separation of duties dictates that one person/entity cannot complete an entire transaction alone. In this case, encryption, a single entity should not be able to adminster the issuing is keys, encrypt the data and store the keys because this could lead to a situation where that entity has the ability to access or take encrypted data

Question 5

How often should cable management efforts take place?

A. Annually
B. Continually
C. Quarterly
D. Weekly

Answer 5

B. Continually

Explanation:
Cable management is an ongoing processd

Question 6

Which of the following is not an example of a highly regulated enivironment?

A. Healthcare
B. Financial services
C. Wholesale or distribution
D. Public companies

Answer 6

C. Wholesale or distribution

Explanation:

Question 7

One of the security challnges of operating in the cloud is that additional controls must be placed on file storage systems because ____________

A. File stores are always kept in plain text in the cloud
B. There is no way to sanitize file storage space in the cloud
C. Virtualization necessarily prevents the use of application based security controls
D. Virtual machines are stored as snapshotted files when not in use

Answer 7

D. Virtual machines are stored as snapshotted files when not in use

Explanation:
VMs are snapshotted and simply stored as files when they are not being used

Question 8

What is a cloud storage architecture that manages the data in a hierarchy of files?

A. Object based storage
B. File based storage
C. Database
D. CDN

Answer 8

B. File based storage

Explanation:
Object based storage stores data as objects in volume, with labels and metadata. Databases store data in fields, in a relational motif. A CDN stores data in caches of copies content near locations of high demand

Question 9

For US government agencies, what level of data sensitivitty/classification may be processed by cryptographic modules certified according to the FIPS 140-2 critieria?

A. Sensitive but unclassified
B. Secret
C. Top Secret
D. Sensitive Copartmentalized Information (SCI)

Answer 9

A. Sensitive but unclassified

Explanation:
FIPS 140-2 is only used for SBU data

Question 10

Which of the following standards helps organizations to establish and maintain an ISMS?

A. ISO 27001
B. ISO 27009
C. ITIL
D. PCI

Answer 10

A. ISO 27001

Explanation:
ISO 27001 describes an information security management system as a set of interrelated elements that organizations use to manage and control information security risks to protect and preserve the confidentiality, integrity and availability of information

Question 11

Whicih of the following is probably the most important activity of those listed?

A. Regularly update the BCDR plan/process
B. Have contact infomation for all personnel in the organization
C. Have contact information for essential BC/DR personnel
D. Have contact info for local law enforcement

Answer 11

A. Regularly update the BCDR plan/process

Explanation:
All of these are important but without regular updates, the info will soon become outdated and a los less useful

Question 12

Full isolation of user activity, processes and virtual network segments in a cloud environment is incredibly important because of risks due to:

A. DDoS
B. Unencrypted packets
C. Multitenancy
D. Insider threat

Answer 12

C. Multitenancy

Explanation:
The fact that many various customers will be utilizing the cloud environment concurrently means that isolating each is of the utmost importance in the cloud enviroment

Question 13

WHat is the aspect of the DMCA that has been abused and places the burden of proof on the accused?

A. Toil exemption
B. Decryption program prohibition
C. Takedown notice
D. Puppet platicity

Answer 13

C. Takedown notice

Explation:
The DMCA provision for takedown notices allows copyright holders to demand removal of suspect content from the web, and puts the burden of proof on whoeevr posted the material; this function has been abused by griefers and trolls and overzealous content producers

Question 14

A typical DLP tool can enhance the organizations efforts at accomplishing what legal task?

A. Evidence collection
B. Delivering testimony
C. Criminal prosecution
D. Enforcement of intellectual property rights

Answer 14

A. Evidence collection

Explanation:
The data discovery facet of DLP solutions can aid an organization in gathering applicable evidence, especially in response to a legal request such a subpoena

Question 15

Although cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual benefit the organization realizes in a cloud environment?

A. Altitude of the cloud data center
B. Security controls and countermeasures
C. Loss of ownership of IT assets
D. Costs of Internet connectivity for remote users

Answer 15

B. Security controls and countermeasures

Explanation:
Every security process, tool and behavior entails a related cost, both financially and operationally.

Question 16

In software defined networking, the northbound interface usually handles traffic between ________ and the _________

A. Cloud customer; ISO
B. SDN Controllers; SDN Applications
C. Cloud provider; ISP
D. Router; host

Answer 16

B. SDN Controllers; SDN Applications

Explanation:
The NBI handles traffic between the SDN controllers and the SDN applications

Question 17

in regard to most privacy guidance, the data processor is _________

A. The individual described by the privacy data
B. The entity that collects or crates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data

Answer 17

C. The entity that uses privacy data on behalf of the controller

Explanation:
Option C is the definition of the data processor

Question 18

Risk mitigation must also always entail which other method of addressing risk?

A, Risk acceptance
B. Risk avoidance
C. Risk transfer
D. Risk attenuation

Answer 18

A, Risk acceptance

Explanation:
Because risk can never be mitigated to zero, there will always be some residual risk after mitigation; the residual must be accepted

Question 19

Which of the following is not a way in which an eitity located outside the EU can be allowed to gather and process privacy data belong to EU citizen?

A. Be located in a country with nationwide law that complies with the EU laws
B. Appeal to the EU High Court for Permission
C. Create binding contractual language that complies with the EU laws
D. Join the Privacy Shield program in its own country

Answer 19

B. Appeal to the EU High Court for Permission

Explanation:
The General Data Protection Regulation prohibits entities within a country that has no nationwide privacy law

Question 20

Which of the following identifies vulnerabilities in applications, operating systems or network devices?

A. Vulnerability assessment
B. Nmap scan
C. Packet analysis
D. WAF

Answer 20

A. Vulnerability assessment

Explanation:
A vulnerability assessment or scan is designed to identify known vulnerabilities in applications, operating systems or network devices. An Nmap scan may discover vulnerabilities but is designed primarily as a network services discovery tool and is not generally used with applications

Question 21

Why might an organization choose to comply with NIST SP 800 series standards?

A. Price
B. Ease of implementation
C. International acceptance
D. Speed

Answer 21

A. Price

Explanation:
The NIST standards are not particularly easy or fast to implement and they are not widely recognized or mandated outside of the US government federal sector

Question 22

In order for communications from inside a VLAN to reach endpoints outside VLAN

A. The communications must go through a gateway
B. The traffic must be encrypted
C. A repeated must be used
D. The external endpoint must be in receive mode

Answer 22

A. The communications must go through a gateway

Explanation:
Gateway devices enforce the VLAN rules and can allow or deny outbound traffic

Question 23

Which of the following is a frame that allows a diverse group of individuals to communicate securely?

A. Digital certificates
B. PKI
C. SSL
D. ECC

Answer 23

B. PKI

Explanation:
Public key infrastructure is a framework of programs, procedures, communication protocols and public key cryptography that enables a diverse group of individuals to communicate securely

Question 24

Egress monitoring solutions usually include a function that ________

A. Arbitrates contract breaches
B. Performs personnel evaluation reviews
C. Discovers data assets according classification/categorization
D. Applies another level of access control

Answer 24

C. Discovers data assets according classification/categorization

Explanation:
Egress monitoring solutions will often include a discovery function which will locate data assets according to criteria defined by the organization

Question 25

A company is considering a cloud migration to PaaS environment. Which of the following factors might make the company less likely to choose the cloud environment? A. The company wants to reduce overhead costs B. The company operates proprietary software C. The company hopes to reduce energy costs related to operation of a data center D. The company is seeking to enhance its BCDR capabilities

Answer 25

B. The company operates proprietary software Explanation: A customer using proprietary software in a PaaS environment faces the risks that updates to the underlying OS and/or hardware infrastructure will not be compatible with the customers sof tware and will affect productivity.

Question 26

According to the CSA's Notorious Nine list, data breaches can be: A. Overt or Covert B. International of subterranean C. From internal or external sources D. Volumiunous or specific

Answer 26

C. From internal or external sources Explanation: The CSA points out that data breaches come from a varieety of sources, including both internal personnel and external actors. Although breaches might be overt or covert, or large or small

Question 27

You are a consultant, performing an external security review on a large manufacturing firm. You determine that its newest assemply plant, which cost 24 million, could be completely destroyed by a fire that a fire suppression system could effectively protect the plan. The fire suppression system costs 15 million. An insurance policy that would cover the full replacement cost of the plant costs 1 million per month. What is the annual rate of occurrence? A. 12 B. 24 million C. 1 D. 10 million

Answer 27

C. 1 Explanation: Absent any other information about a total physical loss, we can consider the rate of occurrence as 1; we would not expect the plant

Question 28

You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a: A. Functional requirement B. Nonfunctional requirement C. Regulatory issue D. Third party function

Answer 28

B. Nonfunctional requirement Explanation: It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering; you are delivering entertainment, which is the primary goal; security is therefore a nonfunctional requirement

Question 29

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the partrricipants in the collective using a third party certification model, who would be the federated service providers in that structure? A. The third party B. A CASB C. The various members of the collective D. The cloud provider

Answer 29

C. The various members of the collective Explanation: In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers. In a third party cert model, the third party is known as the identity porovider

Question 30

Which of the following reports is no longer used? A. SAS 70 B. SSAE 16 C. SOC 1 D. SOC 3

Answer 30

A. SAS 70 Explanation: The SAS 70 was a report used in the past primarily for financial reporting and was oftewntimes misused in the service provider context. The SSAE 16 standard and subsequent SOC reports are its successor

Question 31

Maintenance mode requires all of the following actions except: A. Remove all active production instances B. Initiate enhanced security controls C. Prevent new logins D. Ensure logging continues

Answer 31

B. Initiate enhanced security controls Explanation: While the other answers are all steps in moving from normal operations to maintenance mode, we do nnot necessarily initiate any enhanched security controls

Question 32

Cloud customers performing data discovery efforts will have to ensure that the cloud provider attends to all of the following requirements except: A. Allowing sufficient access to largee volumes of data B. Preserving metadata tags C. Assigning Labels D. Preserving and maintaining the data

Answer 32

C. Assigning Labels Explanation: Label assignment is a task of the data owner -the cloud customer, not the provider. All of the other answers are requirments for the cloud provider to meet the data discovery needs of the customer and should be negotiated before migraiton

Question 33

The Agile Manifesto for software development focuses largely on: A. Secure build B. Thorough documentation C. Working prototypes D. Proper planning

Answer 33

C. Working prototypes Explanation: The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs.

Question 34

ISO 27001 favors which type of technology? A. Open Source B. PC C. Cloud based D. None

Answer 34

D. None Explanation: The ISO 27001 standard is designed to be product agnostic

Question 35

CSA CCM addresses all the following security architecture elements except: A. Physical security B. IaaS C. Application Security D. Business Drivers

Answer 35

D. Business Drivers Explanation: The CSA CCM does not deal with whether security controls are feasible or correct from a buiness perspective, only whether they are applicable to an organization under certain regulations.

Question 36

Which of the following represents the Security and Privacy Controls for US Federal Information Systems and Organizations? A. NIST 800-146 B. NIST 800-14 C. NIST 800-52 r4 D. NIST 800-123

Answer 36

C. NIST 800-52 r4 Explanation: NIST 800-53 r4 describes ways to ensure the proper application of appropraite security requirements and security controls to all US fed governemtn, information and informationn management. The others are legit NIST documents with different purposes

Question 37

Privileged user account access should be: A. Temporary B. Pervasive C. Thorough D. Granular

Answer 37

A. Temporary Explanation: Privileged users should have privileged access to specific systems/data only for the duration necessary to perform their administrative function; any longer incurs more risk than value`

Question 38

The OWASP Top Ten list often includes insecure direct object references. Which of trhese is a method to counter the risks of insecure direct object references? A. Perform user seecurity training B. Check access each time a direct object reference is called by an untrusted source C. Install high luminosity interior lighting throughout the facility D. Append each object with sufficient metadata to properly categorize and classify based on

Answer 38

B. Check access each time a direct object reference is called by an untrusted source Explanation: Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object

Question 39

Which of the following is a messaging protocol that uses specifications designed for exchanging structured information in web servies and operates independently of the client? A. Java B. REST C. DAST D. SOAP

Answer 39

D. SOAP Explanation: SOAP is a messaging specification designed for exchnaging structured information in web services and operates independently of the client OS

Question 40

Which of the following characteristics is associated with DRM? A. Mapping to existing access control lists B. Delineating biometric catalogs C. Preventing MFA D. Prohibiting unauthorized transposition

Answer 40

A. Mapping to existing access control lists Explanation: Mapping to existing ACls is the trait that allows DRM tools to provide additional access control protections for the organizations assets

Question 41

Which entity can best aid the organization in avoiding vendor lock in? A. Senior management B. The IT Security Office C. General Counsel D. The cloud security representative

Answer 41

C. General Counsel Explanation: The best method for avoiding vendor lock in is to have strong contract language favorable to the customer; the entity best equipped to craft contracts is the office of the general counsel

Question 42

Why is it important to force all instantiated virtual machines to check current configuration records? A. Snapshotted images dont take patches B. Configurations are constantly changing C. Documentation is difficult in the cloud D. Users are always changing configurations

Answer 42

A. Snapshotted images dont take patches Explanation: VMs are saved as files when not in use; patches cant be applied to these files, so any VM taken out of storage and put into production needs to be checked against configuration versions to determine if there were patches applied to the environment while it was stored

Question 43

In the testing phase of the SDLC, software performance and ______________ should be reviewed A. Quality B. Brevity C. Requirements D. Security

Answer 43

D. Security Explanation: Performance and security both need to be reviewed for adequacy

Question 44

You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. In order to get truly hollistic coverage of your environment, you should be sure to include __________ as a step in the deployment process A. Getting signed user agreement from all users B. Installation of the solution on all assets in the cloud data center C. Adoption of the tool in all routers between your users and the cloud provider D. Ensuring that all your customers install the tool

Answer 44

A. Getting signed user agreement from all users Explanation: This is a dumb fucking question.

Question 45

Event monitoring tools such as a SIEM, can aid in which of the following efforts? B. Ensuring proper cloud migration C. Deciding risk parameters D. Protecting all physical entry points against the threat of fire

Answer 45

A. Detecting ambient heating, ventilation and air conditioning problems Explanation: Event monitoring tools can detect repeated performance issues, which can be indicative of improper temperature settings in the DC

Question 46

Which of the following is a file server that provides data ccess to multiple, heterogenous machines and users on the network? A. Storage area network B. Network attached storage C. Hardware security module D. Content Delivery Network

Answer 46

B. Network attached storage Explanation: This is the description of a NAS device. A SANN typically presents storage devices to users as attached/mounted drives

Question 47

Representational state transfer (REST) application programming interfaces (APIs) use _________ protocol verbs. A. Hypertext Markup Language (HTML) B. Hypertext Transfer Protocol (HTTP) C. Extensible Markup Language (XML) D. American Standard Code for Information Interchange (ASCII)

Answer 47

B. Hypertext Transfer Protocol (HTTP) Explanation:

Question 48

You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. Which of these activities should you perform before deploying the tool? A. Survey your company's department about the data under their control B. Reconstruct your firewalls C. Harden all your routers D. Adjust the hypervisors

Answer 48

A. Survey your company's department about the data under their control Explanation: in order to train the egress monitoring solution properly, you will need to inform it as to which data in your organization is sensitive and in order to do that, you will need to determine what information your data owners deem sensitive

Question 49

What is the hypervisor malicious attackers would prefer to attack? A. Type 1 B. Type 2 C. Type 3 D. Type 4

Answer 49

B. Type 2 Explanation: Attackers prefer Type 2 hypervisors because the OS offers more attack surface and potential vulnerabilities.

Question 50

Typically, representational state transfer (REST) interactions do not require ________ A. Credentials B. Sessions C. Servers D. Clients

Answer 50

B. Sessions Explanation: Generally a REST interaction* involves the client asking the server (through an API) for data, sometimes as the result of processing; the server processes the request and returns the result. In REST, an enduring session, where the server has to store some temporary data about the client, is not necessary. These interactions obviously involve servers and clients

Question 51

What can tokenization be used for? A. Encryption B. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) C. Enhancing the user experience D. Giving management oversight to ecommerce functions

Answer 51

B. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) Explanation: Aside from encryption, PCI DSS allows for tokenization as a means to protect account and cardholder data at rest. Tokenization is not encryption; there is no encryption engine and no key involved in the process

Question 52

Which of the following is not appropriate to include in an Service level agreement? A. The number of user accounts allowed during a specified period B. Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition to the service to contingency operation status C. The amount of data allowed to be transmitted and received between the cloud provider and the customer D. The time allowed to migrate from normal operations to contingency operations

Answer 52

B. Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition to the service to contingency operation status Explanation: Roles and responsibilities should be included in the contract, not the SLA.

Question 53

Which of the following is the best and only completely secure method of data destruction? A. Degaussing B. Crypto shredding C. Physical destruction of resources that store the data D. Legal order issued by the prevailing jurisdiction where the data is geographically situated

Answer 53

C. Physical destruction of resources that store the data Explanation: Destroying the drive, disk and media where the data reside is the only true, complete method of data destruction

Question 54

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of ____________ A. Static testing B. Dynamic testing C. Code review D. Open source review

Answer 54

B. Dynamic testing Explanation: Testing the product in a runtime context is dynamic testing

Question 55

According to OWASP recommendations, active software security testing should include all of the following except: A. Authentication testing B. Authorization Testing C. Session management testing D. Pirvacy review testing

Answer 55

D. Pirvacy review testing Explanation: Priovacy review testing is not included in the OWASP guide to active security testing, althought it might be included as an aspect of compliance testing

Question 56

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a SSO experience across the olrganizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to eachj organizations specific storage resources. If you are in the US, one of the standards you should adhere to is: A. NIST 800-53 B. PCI C. ISO 27014 D. ENISA

Answer 56

A. NIST 800-53 Explanation: NIST 800-53 pertains to US federal information systems, guiding the selection of controls according to the Risk Management Framewrok.

Question 57

Data transofrmation in a cloud environment should be of great concern to organizations considering migration because __________ could affect data classification processes and implementations A. Multitenancy B. Virtualization C. Remote access D. Physical distance

Answer 57

B. Virtualization Explanation: Data transforming from raw objects to virtualized instances snapshotted images back into virtual instances and then back out to users in the form of raw data may affect the organizations current classification methodology; classification techniques and tools that were suitable for the traditional IT environment might not withstand the cloud environment

Question 58

Whether in a cloud or traditional environment, it is important to implement both _________ and ____________ access controls A. Internal and managed B. Provider and customer C. Physical and logical D. Administrative and technical

Answer 58

C. Physical and logical Explanation: Both physical and logical controls are possible to implement in both environments

Question 59

An audit scoping statement might include constraints on all of the following aspects of an environment except: A. Time spent in the production B. Business areas and topics to be reviewed C. Automated audit tools allowed in the environment D. Not reviewing illicit activities that may be discvoered

Answer 59

D. Not reviewing illicit activities that may be discvoered Explanation: While the auditor is not a law enforcement entitiy, they will likely have an ethical, if not legal, requirement to report illicit activities discovered during the audit

Question 60

TLS provides ______________ and __________ for communications A. Privacy, security B. Security, optimization C. Privacy, integrity D. Enhancement, privacy

Answer 60

C. Privacy, integrity Explanation: TLS maintains the confidentiality and integrity of communications; often between a web browser and a service

Question 61

Who should be performing log review? A. Only certified, trained log review professionals with a great deal of experience with the logging tool B. The internal audit body C. External audit providers D. Someone with knowledge of the operation and a security background

Answer 61

D. Someone with knowledge of the operation and a security background Explanation: It is important for the log review to be performed by someone who understands the normal opeerations of the organization so that they can discern between regular activity and anomalous behavior

Question 62

A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to review each other, for compliance with security governance and standards they all find acceptable, what is this federation model called? A. Cross certification B. Proxy C. Single Sign On D. Regulated

Answer 62

A. Cross certification Explanation: The cross certification fedeeration model is also known as a web of trust

Question 63

Egress monitoring solutions usually include a function that __________ A. Arbitrates contract breaches B . Performs personnel evaluation reviews C. Disocvers data assets according to classification/categorization D. Applies another level of access control

Answer 63

C. Disocvers data assets according to classification/categorization Explanation: Egress monitoring solutions will often include a discovery function, which will locate data assets according to criteria defined by the organization

Question 64

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is: A. Legal liability cant be transferred to the cloud provider B. Many states have data breach notification laws C. Breaches can cause the loss of proprietary data D. Breachers can cause the loss of intellectual property

Answer 64

A. Legal liability cant be transferred to the cloud provider Explanation: State notification laws and the loss of proprietary data/intellectual property are preexised the cloud; only the lack of ability to transfer liability is new

Question 65

Methods for achievhing high availability cloud environment include all of the following except: A. Extreme redundancy B. Multiple system vendors for the same service C. Explicitly documented BCDR functions in the SLA or contract D. Failover capability back to the customers on premises environment

Answer 65

D. Failover capability back to the customers on premises environment Explanation: In many cases, the customer will no longer have an on premises environment after a cloud migration. All the other options are methods cloud providers use to achieve high availability environments

Question 66

Which of the following is a US audit standard often used to evaluate cloud providers? A. ISO 27001 B. SOX C. SSAE 18 D. IEC 43770

Answer 66

C. SSAE 18 Explanation: The Statement on Standards for Attestation Engagements (SSAE) 18 is the current AICPA (American Institute of Certifieed Public Accountants) audit standard ISO 27001 is an international standard

Question 67

You are the security manager for an organization that uses the cloud for its production environment. According to your contract with the cloud provider, your organization is responsible for patching. A new patch is issued by one of your vendors. You decide not to apply it immediately for fear of interoperability problems. Who may impose penalties on your organization for this decision if the vulnerability is exploited? A. The cloud provider B. Regulators C. Your end clients D. Your internet service provider (ISP)

Answer 67

B. Regulators Explanation: If your organization doesnt apply a patch for a known vulnerability, regulators may claim the organization was not performing adequate due dilligencee and peanlize it accordingly

Question 68

Which of the following techniques for ensuring cloud data center storage resiliency uses parity biots and disk striping? A. Cloud bursting B. RAID C. Data dispersion D. SAN

Answer 68

B. RAID Explanation: Parity bits and risk striping and characteristic of RAID implementations. Cloud bursting is a feature of scalable cloud hosting. Data dispersion uses parity bits, but not disk striping. Instead, it uses data chunks and encryption. SAN is a data storage techqniue but not focused on resiliency

Question 69

Best practice for planning the physical resiliency for a cloud data center facility includes: A. Having one point of egress for personnel B. Ensuring that any cabling/connectivity enters the facility from different sides of the building/property C. Ensuring that all parking areas are near generators so that perosonnel in high traffic areas are always illuminated by emergency lighting, even when utiolity power is not available D. Ensuring that the foundation of the facility is rated to withstand earthquake tremors

Answer 69

B. Ensuring that any cabling/connectivity enters the facility from different sides of the building/property Explanation: To avoid a situation where severing a given physical connection results in severing its backup as well (such as construction/landscaping etc) have redundant lines on different sides of the building

Question 70

Which Common Criteria EAL is granted to those products that are functionally tested by their manufacturer/vendor? A. 1 B . 3 C. 5 D. 7

Answer 70

A. 1 Explanation: EAL 1 is for functionally tested products Option B is incorrect because EAL 3 is for solutions that have been methodically tested and checked

Question 71

Which of the following activities can enhance the usefulness and abilities of a data loss prevention or data leak protection solution? A. Perform emergency egress training for all personnel B. Require data owners, stewards and custodians to properly classify and label data at time of creation or collection C. Reequire senior management to participate in all security functions, including intial, recurring, and refresher training D. Display security guidance in a variety of formats, including a web page, banner, posted and hard copy material

Answer 71

B. Require data owners, stewards and custodians to properly classify and label data at time of creation or collection Explanation: DLP tools can function better if appropriate and accurate classification and labeling is applied throughtout the environment and done on a consistent basis

Question 72

The Trust Cloud Initiative (TCI) to define principles of cloud computing that providers should strive for in order to foster a clear understanding of the cloud marketplace and to enhance that market. Which of the following is not one of the CSAs TCI fundamental principles? A. Delegate or federate access control when appropriate B. Ensure the [trusted cloud] architecture is resilienct, elastic and flexible C. Ensure the [trust cloud] architecture addresses and supports multiple levels of protection D. Provide economical services to all customers, regardless of point of origin

Answer 72

D. Provide economical services to all customers, regardless of point of origin Explanation:" The TCI does not, specifically, require cost effectiveness of cloud services

Question 73

PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. The different merchant tier requirements will dictate: A. Different types of audits each must conduct B. Different amounts of audits each must conduct C. Different controls sets based on tier level D. Different cost of controls based on tier level

Answer 73

B. Different amounts of audits each must conduct Explanation: Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.

Question 74

An audit scoping statement might include all of the following constraints except: A. Limitation of destructive techniques B. Prohibition of all personnel interviews C. Prohibition on access to the production environment D. Mandate of particular time zone review

Answer 74

C. Prohibition on access to the production environment Explanation: Auditors may find it necessary to speak to particular individuals in order to locate aritfacts and understand the environment. Although there may be some limitation on particular points of contact and nature of intewrviews, there cannot be a total prohibition

Question 75

When considering cloud data replication strategies (ie whether you are making backups at the block, file or database level), which element of your organizations BCDR plan will be most affected by your choice? A. Recovery time objective B. Recovery Point Objective C. Maximum allowable downtime D. Mean time to failure

Answer 75

B. Recovery Point Objective Explanation: The recovery point objective (RPO) is a measure of data that can be lost in a outage without irreparably damaging the organization.

Question 76

What is the international standard that dictates creation of an organizatrional information security management system (ISMS)? A. NIST SP 800-53 B. PCI DSS C. ISO 27001 D. NIST SP 800-37

Answer 76

C. ISO 27001 Explanation: ISO 27001 mandates an ISMS: organizations can be certified according to compliance with 27001. NIST SP 800-53 is the list of security controls approved for use by US government agencies and a means to map them to the Risk Management Framework

Question 77

What is the primary characteristic of volume storage? A. They are volumes attached to virtual storage and act or behave just like a physical drive or array B. They are drives attached to physical storage and act or behave just like a physical drive or array C. They are volumes attached to physical storage and act or behave just like a physical drive or array D. They are drives attached to virtual storage and act or behave just like a physical drive or array

Answer 77

A. They are volumes attached to virtual storage and act or behave just like a physical drive or array Explanation: Volume storage consists of volumes that are attached to virtual storage and act oe brhave just like a physical drive or array

Question 78

In which phase of the cloud secure data life cycle does data leave the production environment and go into long term storage? A. Store B. Use C. Share D. Archive

Answer 78

D. Archive Explanation: This action defines the archive phase.

Question 79

An audit against the _______ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements A. Statement on Auditing Standards (SAS) 79 standard B. Statement on Standards for Attestation Engagements (SSAE) 18 standard C. ISO 27002 certification criteria D. NIST Special Publication (SP) 800-53

Answer 79

C. ISO 27002 certification criteria Explanation: The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001

Question 80

What aspect of data center planninng occurs first? A. Logical design B. Physical design C. Audit D. Policy revision

Answer 80

A. Logical design Explanation: The logical design should come before the physical design; function dictates form. Audit and revision come after creation

Question 81

Which common security tool can aid in the overall BCDR process? A. Honeypots B. DLP C. SIEM D. Firewalls

Answer 81

B. DLP Explanation: DLP solutions typically have the capability to aid in asset validation and location, both important facets of BCDR process. All the other options are common security tools but do not serve BCDR efforts

Question 82

In container virtualization, unlike standard virtualization, which is not included? A. Hardware emulation B. OS Replication D. A single kernel D. The possibility for multiple kernels

Answer 82

A. Hardware emulation Explanation: In containernization, the underlying hardware is not emulated; the containers run on the same underlying kernel, sharing the majority of the base OS

Question 83

Which term refers to a systems ability to cordon off or protect certain aspects of the compute environment such as processing memory and other resources needed in the compute transaction? A. Virtualization B. Emulation C. ASLR D. Sandboxing

Answer 83

D. Sandboxing Explanation: Sandboxing is often used for testing applications in development or carving out resources that cannot then touch other parts of the same system

Question 84

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. The back end of the software will have the data structured in a way to optimize XML requests. Which API programming style should programmers most likely concentrate on the front end of the interface? A. Simple Object Access Protocol (SOAP) B. Representational State Transfer (REST) C. Security Assertion Markup Language (SAML) D. DLP

Answer 84

A. Simple Object Access Protocol (SOAP) Explanation: SOAP is a web service programming format that requires that use of XML. REST relies more often on uniform resource identifiers (URIs) than XML; option B is incorrect SAML is a protocol for passing identity assertions over the Internet; option C is incorrect

Question 85

Egress monitoring solutions usually include a function that: A. Uses biometric to scan users B. Inspects incoming packets C. Resides on client machines D. Uses stateful inspection

Answer 85

C. Resides on client machines Explanation: Egress monitoring solutions will often include an agent that resides on client devices in order to inspect data being shared/sent by end users. DLP tools do not inspect incoming packets, with or without stateful inspection

Question 86

Dynamic software security testing typically uses ___________ as a measure of how thorough the testing was. A. User coverage B. Code coverage C. Path coverage D. Total coverage

Answer 86

C. Path coverage Explanation: In dynamic software testing, the objective is to test a significant sample of the possible logical paths from data into to output

Question 87

Why is Simple Object Access Protocol (SOAP) used for accessing web services instead od the Distributed Component Object Model (DCOM) and the Common Object Request Broker Architecture (COBRA) ? A. SOAP provides a much more lightweight solution B. SOAP replaces binary messaging with XML C. SOAP is much more secure D. SOAP is newer

Answer 87

B. SOAP replaces binary messaging with XML Explanation: XML works better over the Internet than the binary messaging of older technologies. SOAP is not particularly lightweight; in fact it is cumbersome

Question 88

The cloud computing characteristic of elasticity promotes which aspect of the CIA triad? A. Confidentiality B. Integrity C. Availability D. None

Answer 88

D. None Explanation: Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit.

Question 89

Which of the following would probably best aid an organization in deciding whether to migrate from a traditional environment to a particular cloud environment to a particular cloud provider? A. Rate sheets comparing a cloud provider to other cloud provides B. Cloud provider offers to provider engineering assistance during the migration C. The cost/benefit measure of closing the organizations relocation site (hot site/warm site) and using the cloud for DR instead D. SLA satisfaction surveys from other (current and past) cloud customers

Answer 89

D. SLA satisfaction surveys from other (current and past) cloud customers Explanation: Of the listed options, knowing how other customers feel about a provider may be the realistic depiction of whether an organization realized projected/anticipated benefits after a migration

Question 90

Which of the following is the best advantage of external audits? A. Independence B. Oversight C. Cheaper D. Better results

Answer 90

A. Independence Explanation: The primary advantage of external audits based on the choices given would be that of independence. External audits are typically more independent and therefore lead to more effective results

Question 91

Which of the following database encryption techniques can be used to encrypt specific tables within the database? A. File level encryption B. Transparent encryption C. Application level encryption D. Object level encryption

Answer 91

B. Transparent encryption Explanation: Encrypting specific tables within the database is one of the options of transparent encryption; this is not true of the other options

Question 92

According to the CSA, what aspect of managed cloud services makes the threat of abuse of cloud services so alarm from a management perspective? A. Scalability B. Multitenancy C. Resiliency D. Broadband connections

Answer 92

A. Scalability Explanation: Because users in cloud customer orgs often do not pay directly for cloud services (and are often not even aware of the cost of use), scalability can be a significant management concern

Question 93

Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment? A. GPS tracking/locator B. Automated vulnerability scan on system startup C. ACL of authorized personnel D. Write protection

Answer 93

B. Automated vulnerability scan on system startup Explanation: Because VMs do not take updates when they are not in use and updates may be pushed while the VMs are saved, it is important to ensure that they receive updates when they are next instantiated

Question 94

What distinguishes the Federal Information Process Standard (FIPS) 140-2 security levels for cryptographic modules? A. The level of sensitivity of data they can be used to protect B. The amount of physical protection provided by the product, in terms of tamper resistance C. The size of the IT environment the product can be used to protect D. The geographic location in which the product is allowed

Answer 94

B. The amount of physical protection provided by the product, in terms of tamper resistance Explanation: The security levels acknowledge different levels of physical protection offered by a cryptomodule, with 1 offering crypto functionality and no real physical protection and 4 offering tamper resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts

Question 95

Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on premises environment into the cloud;. What is probably the biggest factor in her decision? A. Network scalability B. Off site backup capability C. Global Accessibility D. Reduced overall costs due to outsourcing administration

Answer 95

D. Reduced overall costs due to outsourcing administration Explanation: WHile all of these are traits of cloud computing and will likely benefit Alice's company, from her position as senior manager of the organization she is likely to consider the financial benefit first and foremost

Question 96

Data owners might consider using tokenization for all of the following reasons except: A. Regulatory or contractual compliance B. Inference C. Reduced cost of compliance D. Mitigating risk from data lost to intrusion

Answer 96

B. Inference Explanation: Inference is an attack strategy, not a reason for implementing tokenization

Question 97

What was the first international privacy standard, specifically for cloud provider? A. NIST SP 800-37 B. Personal Information Protection and Electronic Document Act C. Payment Card Industry D. ISO 27018

Answer 97

D. ISO 27018 Explanation: ISO 27018 describes a privacy requirements for cloud providers, including an internal audit mandate.

Question 98

In order to ensure proper ____________ in a secure cloud environment, consider the use of Domain Name System Security Extensions (DNSSEC), IPSec, and TLS A. Isolation B. Motif C. Multitenancy D. Signal Modulation

Answer 98

A. Isolation Explanation: Isolation in the cloud is imperative, largely because of multitenancy

Question 99

Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exists or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that may not have been as important in the traditional environment? A. IAM Capability B. Distributed Denial of Service Resistance C. Encryption for data at rest and in motion D. Field validation

Answer 99

C. Encryption for data at rest and in motion Explanation: Traditional apps wont usually require encryption in all phases of the data life cycle because data is protected in several stages in the traditional enviornment without the need for traditional environment without the need for additional controls. In the cloud environment, data exposed at any time in the life cycle might constitute an inadvertent disclosure so cloud apps require encryption for data at rest and in motion

Question 100

Who pays for cryptographic modules to be certified in according with FIPS 140-2 criteria? A. The US government B. Module Vendors C. Certification labs D. Module users

Answer 100

B. Module Vendors Explanation: Vendors who want their products certified under FIPS 140-2 must pay the lab that performs the evaluation

Question 101

What is the primary incident response goal? A. Remediating the incident B. Reverting to the last known good state C. Determining the scope of possible loss D. Outcomes dictated by business requirements

Answer 101

D. Outcomes dictated by business requirements Explanation:

Question 102

The term cloud carrier most often refers to: A. The cloud provider B. The cloud customer C. An ISP D. A cloud manager

Answer 102

C. An ISP Explanation: Cloud carrier is the term describing intermediary between cloud customer and provider that delivers connectivity; this is typically an ISP