LearnZapp Practice 7 Flashcards
The term RPO is best described by which of the following?
A. A term used in BC and DR describing an acceptable amount of data that might be lost due to an outage before severe consequences are experienced
B. A term used in BC and DR describing a point in time after which an outage has occurred, beyond which recovery becomes extremely difficult or impossible
C. A term used in BC and DR describing the minimum allowable amount of data that might be lost due to an outage before severe consequences are experienced
D. A term used in BC and DR describing the maximum allowable amount of value that might be lost due to an outage before consequences are experienced
A. A term used in BC and DR describing an acceptable amount of data that might be lost due to an outage before severe consequences are experienced
Explanation:
The recovery point objective (RPO) is the maximum amount of data loss, usually expressed as a span of time, that the organization can tolerate after an outage; it drives how frequently backups or replication must run.
Which of the following practices can enhance both operational capabilities and configuration management efforts?
A. Regular backups
B. Constant uptime
C. MFA
D. File hashes
D. File hashes
Explanation:
File hashes can serve as integrity checks for both configuration management and audit purposes
This approach to public key cryptography uses much smaller keys than traditional cryptography to provide the same level of security
A. AES
B. SSL
C. Elliptic curve
D. MD5
C. Elliptic curve
Explanation:
ECC uses the algebra of elliptic curves, which results in much smaller keys that provide the same level of security as the much larger keys used in traditional public key systems such as RSA (for example, a 256-bit ECC key is roughly comparable to a 3072-bit RSA key)
Which security principle dictates that encryption key management and storage should be isolated from the data encrypted with those keys?
A. Least privilege
B. Two person integrity
C. Compartmentalization
D. Separation of duties
D. Separation of duties
Explanation:
Separation of duties dictates that one person/entity cannot complete an entire transaction alone. In the case of encryption, a single entity should not be able to administer the issuing of keys, encrypt the data and store the keys, because that would give the entity the ability to access or exfiltrate the encrypted data
How often should cable management efforts take place?
A. Annually
B. Continually
C. Quarterly
D. Weekly
B. Continually
Explanation:
Cable management is an ongoing process
Which of the following is not an example of a highly regulated environment?
A. Healthcare
B. Financial services
C. Wholesale or distribution
D. Public companies
C. Wholesale or distribution
Explanation:
Healthcare, financial services and publicly traded companies are each subject to sector-specific regulation (for example HIPAA, GLBA and SOX respectively); wholesale and distribution businesses carry no comparable regime
One of the security challenges of operating in the cloud is that additional controls must be placed on file storage systems because ____________
A. File stores are always kept in plain text in the cloud
B. There is no way to sanitize file storage space in the cloud
C. Virtualization necessarily prevents the use of application based security controls
D. Virtual machines are stored as snapshotted files when not in use
D. Virtual machines are stored as snapshotted files when not in use
Explanation:
VMs are snapshotted and simply stored as files when they are not being used
What is a cloud storage architecture that manages the data in a hierarchy of files?
A. Object based storage
B. File based storage
C. Database
D. CDN
B. File based storage
Explanation:
Object based storage stores data as objects in a volume, with labels and metadata. Databases store data in fields, in a relational motif. A CDN stores data in caches of copied content near locations of high demand
For US government agencies, what level of data sensitivity/classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria?
A. Sensitive but unclassified
B. Secret
C. Top Secret
D. Sensitive Compartmented Information (SCI)
A. Sensitive but unclassified
Explanation:
FIPS 140-2 validation (now succeeded by FIPS 140-3) applies to modules protecting sensitive but unclassified (SBU) data; classified data requires NSA-approved cryptography
Which of the following standards helps organizations to establish and maintain an ISMS?
A. ISO 27001
B. ISO 27009
C. ITIL
D. PCI
A. ISO 27001
Explanation:
ISO 27001 describes an information security management system as a set of interrelated elements that organizations use to manage and control information security risks to protect and preserve the confidentiality, integrity and availability of information
Which of the following is probably the most important activity of those listed?
A. Regularly update the BCDR plan/process
B. Have contact information for all personnel in the organization
C. Have contact information for essential BC/DR personnel
D. Have contact info for local law enforcement
A. Regularly update the BCDR plan/process
Explanation:
All of these are important, but without regular updates the information will soon become outdated and a lot less useful
Full isolation of user activity, processes and virtual network segments in a cloud environment is incredibly important because of risks due to:
A. DDoS
B. Unencrypted packets
C. Multitenancy
D. Insider threat
C. Multitenancy
Explanation:
The fact that many different customers will be using the cloud environment concurrently means that isolating each of them is of the utmost importance in the cloud environment
What is the aspect of the DMCA that has been abused and places the burden of proof on the accused?
A. Toil exemption
B. Decryption program prohibition
C. Takedown notice
D. Puppet platicity
C. Takedown notice
Explanation:
The DMCA provision for takedown notices allows copyright holders to demand removal of suspect content from the web and puts the burden of proof on whoever posted the material; this function has been abused by griefers, trolls and overzealous content producers
A typical DLP tool can enhance the organizations efforts at accomplishing what legal task?
A. Evidence collection
B. Delivering testimony
C. Criminal prosecution
D. Enforcement of intellectual property rights
A. Evidence collection
Explanation:
The data discovery facet of DLP solutions can aid an organization in gathering applicable evidence, especially in response to a legal request such as a subpoena
Although cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual benefit the organization realizes in a cloud environment?
A. Altitude of the cloud data center
B. Security controls and countermeasures
C. Loss of ownership of IT assets
D. Costs of Internet connectivity for remote users
B. Security controls and countermeasures
Explanation:
Every security process, tool and behavior entails a related cost, both financially and operationally.
In software defined networking, the northbound interface usually handles traffic between ________ and the _________
A. Cloud customer; ISO
B. SDN Controllers; SDN Applications
C. Cloud provider; ISP
D. Router; host
B. SDN Controllers; SDN Applications
Explanation:
The NBI handles traffic between the SDN controllers and the SDN applications
in regard to most privacy guidance, the data processor is _________
A. The individual described by the privacy data
B. The entity that collects or creates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data
C. The entity that uses privacy data on behalf of the controller
Explanation:
Option C is the definition of the data processor
Risk mitigation must also always entail which other method of addressing risk?
A. Risk acceptance
B. Risk avoidance
C. Risk transfer
D. Risk attenuation
A. Risk acceptance
Explanation:
Because risk can never be mitigated to zero, there will always be some residual risk after mitigation; the residual must be accepted
Which of the following is not a way in which an entity located outside the EU can be allowed to gather and process privacy data belonging to EU citizens?
A. Be located in a country with nationwide law that complies with the EU laws
B. Appeal to the EU High Court for Permission
C. Create binding contractual language that complies with the EU laws
D. Join the Privacy Shield program in its own country
B. Appeal to the EU High Court for Permission
Explanation:
The General Data Protection Regulation allows transfers to a non-EU entity when the destination country has been found to offer adequate protection under its own law, when appropriate safeguards such as binding contractual clauses are in place, or (when this question was written) through the Privacy Shield program; there is no procedure for petitioning an EU court for permission. Note that the EU-US Privacy Shield was invalidated by the CJEU's Schrems II ruling in 2020 and has since been replaced by the EU-US Data Privacy Framework
Which of the following identifies vulnerabilities in applications, operating systems or network devices?
A. Vulnerability assessment
B. Nmap scan
C. Packet analysis
D. WAF
A. Vulnerability assessment
Explanation:
A vulnerability assessment or scan is designed to identify known vulnerabilities in applications, operating systems or network devices. An Nmap scan may discover vulnerabilities but is designed primarily as a network services discovery tool and is not generally used with applications
Why might an organization choose to comply with NIST SP 800 series standards?
A. Price
B. Ease of implementation
C. International acceptance
D. Speed
A. Price
Explanation:
The NIST SP 800 series is published free of charge. The standards are not particularly easy or fast to implement, and they are not widely recognized or mandated outside of the US federal government sector
In order for communications from inside a VLAN to reach endpoints outside VLAN
A. The communications must go through a gateway
B. The traffic must be encrypted
C. A repeater must be used
D. The external endpoint must be in receive mode
A. The communications must go through a gateway
Explanation:
Gateway devices enforce the VLAN rules and can allow or deny outbound traffic
Which of the following is a framework that allows a diverse group of individuals to communicate securely?
A. Digital certificates
B. PKI
C. SSL
D. ECC
B. PKI
Explanation:
Public key infrastructure is a framework of programs, procedures, communication protocols and public key cryptography that enables a diverse group of individuals to communicate securely
Egress monitoring solutions usually include a function that ________
A. Arbitrates contract breaches
B. Performs personnel evaluation reviews
C. Discovers data assets according to classification/categorization
D. Applies another level of access control
C. Discovers data assets according to classification/categorization
Explanation:
Egress monitoring solutions will often include a discovery function which will locate data assets according to criteria defined by the organization
A company is considering a cloud migration to PaaS environment. Which of the following factors might make the company less likely to choose the cloud environment?
A. The company wants to reduce overhead costs
B. The company operates proprietary software
C. The company hopes to reduce energy costs related to operation of a data center
D. The company is seeking to enhance its BCDR capabilities
B. The company operates proprietary software
Explanation:
A customer using proprietary software in a PaaS environment faces the risk that updates to the underlying OS and/or hardware infrastructure will not be compatible with the customer's software and will affect productivity.
According to the CSA’s Notorious Nine list, data breaches can be:
A. Overt or Covert
B. International or subterranean
C. From internal or external sources
D. Voluminous or specific
C. From internal or external sources
Explanation:
The CSA points out that data breaches come from a variety of sources, including both internal personnel and external actors. Breaches might also be overt or covert, or large or small, but those are not the distinctions the Notorious Nine draws
You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost 24 million, could be completely destroyed by fire, and that a fire suppression system could effectively protect the plant. The fire suppression system costs 15 million. An insurance policy that would cover the full replacement cost of the plant costs 1 million per month. What is the annual rate of occurrence?
A. 12
B. 24 million
C. 1
D. 10 million
C. 1
Explanation:
Absent any other information about a total physical loss, we can consider the annual rate of occurrence (ARO) as 1; we would not expect the plant to be completely destroyed by fire more than once in a given year
You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a:
A. Functional requirement
B. Nonfunctional requirement
C. Regulatory issue
D. Third party function
B. Nonfunctional requirement
Explanation:
It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering; you are delivering entertainment, which is the primary goal; security is therefore a nonfunctional requirement
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the participants in the collective using a third party certification model, who would be the federated service providers in that structure?
A. The third party
B. A CASB
C. The various members of the collective
D. The cloud provider
C. The various members of the collective
Explanation:
In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers. In a third party certification model, the third party is known as the identity provider
Which of the following reports is no longer used?
A. SAS 70
B. SSAE 16
C. SOC 1
D. SOC 3
A. SAS 70
Explanation:
SAS 70 was a report used in the past primarily for financial reporting and was oftentimes misused in the service provider context. SSAE 16 and the SOC reports are its successors; SSAE 16 has itself since been superseded by SSAE 18
Maintenance mode requires all of the following actions except:
A. Remove all active production instances
B. Initiate enhanced security controls
C. Prevent new logins
D. Ensure logging continues
B. Initiate enhanced security controls
Explanation:
While the other answers are all steps in moving from normal operations to maintenance mode, we do not necessarily initiate any enhanced security controls
Cloud customers performing data discovery efforts will have to ensure that the cloud provider attends to all of the following requirements except:
A. Allowing sufficient access to large volumes of data
B. Preserving metadata tags
C. Assigning Labels
D. Preserving and maintaining the data
C. Assigning Labels
Explanation:
Label assignment is a task of the data owner, the cloud customer, not the provider. All of the other answers are requirements for the cloud provider to meet the data discovery needs of the customer and should be negotiated before migration
The Agile Manifesto for software development focuses largely on:
A. Secure build
B. Thorough documentation
C. Working prototypes
D. Proper planning
C. Working prototypes
Explanation:
The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs.
ISO 27001 favors which type of technology?
A. Open Source
B. PC
C. Cloud based
D. None
D. None
Explanation:
The ISO 27001 standard is designed to be product agnostic
CSA CCM addresses all the following security architecture elements except:
A. Physical security
B. IaaS
C. Application Security
D. Business Drivers
D. Business Drivers
Explanation:
The CSA CCM does not deal with whether security controls are feasible or correct from a business perspective, only whether they are applicable to an organization under certain regulations.
Which of the following represents the Security and Privacy Controls for US Federal Information Systems and Organizations?
A. NIST 800-146
B. NIST 800-14
C. NIST 800-53 r4
D. NIST 800-123
C. NIST 800-53 r4
Explanation:
NIST SP 800-53 r4 describes how to select and apply appropriate security requirements and controls to US federal government information and information systems; revision 5 (2020) is now the current version. The others are legitimate NIST documents with different purposes
Privileged user account access should be:
A. Temporary
B. Pervasive
C. Thorough
D. Granular
A. Temporary
Explanation:
Privileged users should have privileged access to specific systems/data only for the duration necessary to perform their administrative function; any longer incurs more risk than value
The OWASP Top Ten list often includes insecure direct object references. Which of these is a method to counter the risks of insecure direct object references?
A. Perform user security training
B. Check access each time a direct object reference is called by an untrusted source
C. Install high luminosity interior lighting throughout the facility
D. Append each object with sufficient metadata to properly categorize and classify based on
B. Check access each time a direct object reference is called by an untrusted source
Explanation:
Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object
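As an added example (not from the flashcards or OWASP), the snippet below shows a vulnerable lookup that trusts a client-supplied invoice id next to a hardened version that re-checks ownership on every call using the server-side session identity, plus an indirect-reference map as defence in depth. The `Invoice` store, user names and ids are constructed.

```python
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed data store standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 99.5),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """IDOR: the id from the request is used directly, so any logged-in user can read any invoice."""
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user: str, invoice_id: int) -> Invoice:
    """Authorize on every call, using the identity the server established, not anything the client sent."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        # Same failure for 'does not exist' and 'not yours', so ids cannot be enumerated.
        raise Forbidden("invoice not found")
    return invoice


def hardened_denies(session_user: str, invoice_id: int) -> bool:
    """Helper for checking the deny path without surfacing the exception."""
    try:
        get_invoice_hardened(session_user, invoice_id)
    except Forbidden:
        return True
    return False


def issue_handles(session_user: str) -> dict:
    """Indirect references: the client is handed opaque per-session handles, never raw keys.
    The ownership check above is still required; handles only remove the guessable id."""
    return {
        secrets.token_urlsafe(8): inv.invoice_id
        for inv in INVOICES.values()
        if inv.owner == session_user
    }


if __name__ == "__main__":
    print("vulnerable:", get_invoice_vulnerable("alice", 1002))  # alice reads bob's invoice
    print("hardened denies:", hardened_denies("alice", 1002))
```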
Which of the following is a messaging protocol that uses specifications designed for exchanging structured information in web servies and operates independently of the client?
A. Java
B. REST
C. DAST
D. SOAP
D. SOAP
Explanation:
SOAP is a messaging specification designed for exchanging structured information in web services and operates independently of the client OS
Which of the following characteristics is associated with DRM?
A. Mapping to existing access control lists
B. Delineating biometric catalogs
C. Preventing MFA
D. Prohibiting unauthorized transposition
A. Mapping to existing access control lists
Explanation:
Mapping to existing ACLs is the trait that allows DRM tools to provide additional access control protections for the organization's assets
Which entity can best aid the organization in avoiding vendor lock in?
A. Senior management
B. The IT Security Office
C. General Counsel
D. The cloud security representative
C. General Counsel
Explanation:
The best method for avoiding vendor lock in is to have strong contract language favorable to the customer; the entity best equipped to craft contracts is the office of the general counsel
Why is it important to force all instantiated virtual machines to check current configuration records?
A. Snapshotted images don't take patches
B. Configurations are constantly changing
C. Documentation is difficult in the cloud
D. Users are always changing configurations
A. Snapshotted images don't take patches
Explanation:
VMs are saved as files when not in use; patches can't be applied to those dormant files, so any VM taken out of storage and put into production needs to be checked against the current configuration record to determine whether patches were applied to the environment while it was stored
In the testing phase of the SDLC, software performance and ______________ should be reviewed
A. Quality
B. Brevity
C. Requirements
D. Security
D. Security
Explanation:
Performance and security both need to be reviewed for adequacy
You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. In order to get truly holistic coverage of your environment, you should be sure to include __________ as a step in the deployment process
A. Getting signed user agreement from all users
B. Installation of the solution on all assets in the cloud data center
C. Adoption of the tool in all routers between your users and the cloud provider
D. Ensuring that all your customers install the tool
A. Getting signed user agreement from all users
Explanation:
This is a dumb fucking question.
Event monitoring tools such as a SIEM, can aid in which of the following efforts?
A. Detecting ambient heating, ventilation and air conditioning problems
B. Ensuring proper cloud migration
C. Deciding risk parameters
D. Protecting all physical entry points against the threat of fire
A. Detecting ambient heating, ventilation and air conditioning problems
Explanation:
Event monitoring tools can detect repeated performance issues, which can be indicative of improper temperature settings in the DC
Which of the following is a file server that provides data access to multiple, heterogeneous machines and users on the network?
A. Storage area network
B. Network attached storage
C. Hardware security module
D. Content Delivery Network
B. Network attached storage
Explanation:
This is the description of a NAS device. A SAN typically presents storage devices to users as attached/mounted drives
Representational state transfer (REST) application programming interfaces (APIs) use _________ protocol verbs.
A. Hypertext Markup Language (HTML)
B. Hypertext Transfer Protocol (HTTP)
C. Extensible Markup Language (XML)
D. American Standard Code for Information Interchange (ASCII)
B. Hypertext Transfer Protocol (HTTP)
Explanation:
REST APIs map operations onto HTTP methods such as GET, POST, PUT, PATCH and DELETE, applied to resources identified by URLs
You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. Which of these activities should you perform before deploying the tool?
A. Survey your company’s department about the data under their control
B. Reconstruct your firewalls
C. Harden all your routers
D. Adjust the hypervisors
A. Survey your company’s department about the data under their control
Explanation:
In order to train the egress monitoring solution properly, you will need to tell it which data in your organization is sensitive, and in order to do that you will need to determine what information your data owners deem sensitive
What is the hypervisor malicious attackers would prefer to attack?
A. Type 1
B. Type 2
C. Type 3
D. Type 4
B. Type 2
Explanation:
Attackers prefer Type 2 hypervisors because the OS offers more attack surface and potential vulnerabilities.
Typically, representational state transfer (REST) interactions do not require ________
A. Credentials
B. Sessions
C. Servers
D. Clients
B. Sessions
Explanation:
Generally a REST interaction involves the client asking the server (through an API) for data, sometimes as the result of processing; the server processes the request and returns the result. In REST, an enduring session, where the server has to store some temporary data about the client, is not necessary. These interactions obviously involve servers and clients
What can tokenization be used for?
A. Encryption
B. Compliance with the Payment Card Industry Data Security Standard (PCI DSS)
C. Enhancing the user experience
D. Giving management oversight to ecommerce functions
B. Compliance with the Payment Card Industry Data Security Standard (PCI DSS)
Explanation:
Aside from encryption, PCI DSS allows for tokenization as a means to protect account and cardholder data at rest. Tokenization is not encryption; there is no encryption engine and no key involved in the process
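As an added example (not part of the flashcards or of PCI DSS itself), the vault below shows what "no encryption engine and no key" means in practice: the token is random digits with the last four preserved, the only link back to the PAN is a lookup table inside the vault, and a system outside the vault holds nothing that could be decrypted. The PAN is a constructed Luhn-valid test number, not a real card.

```python
import secrets
from typing import Optional

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that the input is at least shaped like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory vault. In a real deployment this is the only PCI-scoped component;
    everything else in the organization stores and handles tokens only."""

    def __init__(self) -> None:
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:          # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # Random body, last four digits kept so receipts/statements still work.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can go back to the PAN; there is no key that could leak elsewhere."""
        return self._token_to_pan.get(token)


def demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number
    token = vault.tokenize(pan)
    try:
        vault.tokenize("1234")
        rejects_invalid = False
    except ValueError:
        rejects_invalid = True
    return {
        "same_length": len(token) == len(pan),
        "last4_kept": token[-4:] == pan[-4:],
        "differs": token != pan,
        "idempotent": vault.tokenize(pan) == token,
        "round_trip": vault.detokenize(token) == pan,
        "unknown_rejected": vault.detokenize("12345") is None,
        "rejects_invalid": rejects_invalid,
    }


if __name__ == "__main__":
    print(demo())
```

Because the mapping is random rather than computed, a token is useless to anyone who steals the downstream databases; the trade-off is that the vault becomes a single high-value system that must be isolated and monitored accordingly.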
Which of the following is not appropriate to include in a service level agreement?
A. The number of user accounts allowed during a specified period
B. Which personnel are responsible and authorized, among both the provider and the customer, to declare an emergency and transition the service to contingency operation status
C. The amount of data allowed to be transmitted and received between the cloud provider and the customer
D. The time allowed to migrate from normal operations to contingency operations
B. Which personnel are responsible and authorized, among both the provider and the customer, to declare an emergency and transition the service to contingency operation status
Explanation:
Roles and responsibilities should be included in the contract, not the SLA.
Which of the following is the best and only completely secure method of data destruction?
A. Degaussing
B. Crypto shredding
C. Physical destruction of resources that store the data
D. Legal order issued by the prevailing jurisdiction where the data is geographically situated
C. Physical destruction of resources that store the data
Explanation:
Destroying the drive, disk and media where the data reside is the only true, complete method of data destruction
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of ____________
A. Static testing
B. Dynamic testing
C. Code review
D. Open source review
B. Dynamic testing
Explanation:
Testing the product in a runtime context is dynamic testing
According to OWASP recommendations, active software security testing should include all of the following except:
A. Authentication testing
B. Authorization Testing
C. Session management testing
D. Privacy review testing
D. Privacy review testing
Explanation:
Privacy review testing is not included in the OWASP guide to active security testing, although it might be included as an aspect of compliance testing
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create an SSO experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources.
If you are in the US, one of the standards you should adhere to is:
A. NIST 800-53
B. PCI
C. ISO 27014
D. ENISA
A. NIST 800-53
Explanation:
NIST 800-53 pertains to US federal information systems, guiding the selection of controls according to the Risk Management Framework.
Data transformation in a cloud environment should be of great concern to organizations considering migration because __________ could affect data classification processes and implementations
A. Multitenancy
B. Virtualization
C. Remote access
D. Physical distance
B. Virtualization
Explanation:
Data transforming from raw objects into virtualized instances, from instances into snapshotted images, back into virtual instances and then back out to users as raw data may affect the organization's current classification methodology; classification techniques and tools that were suitable for the traditional IT environment might not survive the cloud environment
Whether in a cloud or traditional environment, it is important to implement both _________ and ____________ access controls
A. Internal and managed
B. Provider and customer
C. Physical and logical
D. Administrative and technical
C. Physical and logical
Explanation:
Both physical and logical controls are possible to implement in both environments
An audit scoping statement might include constraints on all of the following aspects of an environment except:
A. Time spent in the production
B. Business areas and topics to be reviewed
C. Automated audit tools allowed in the environment
D. Not reviewing illicit activities that may be discovered
D. Not reviewing illicit activities that may be discovered
Explanation:
While the auditor is not a law enforcement entity, they will likely have an ethical, if not legal, requirement to report illicit activities discovered during the audit
TLS provides ______________ and __________ for communications
A. Privacy, security
B. Security, optimization
C. Privacy, integrity
D. Enhancement, privacy
C. Privacy, integrity
Explanation:
TLS maintains the confidentiality and integrity of communications; often between a web browser and a service
Who should be performing log review?
A. Only certified, trained log review professionals with a great deal of experience with the logging tool
B. The internal audit body
C. External audit providers
D. Someone with knowledge of the operation and a security background
D. Someone with knowledge of the operation and a security background
Explanation:
It is important for the log review to be performed by someone who understands the normal operations of the organization so that they can discern between regular activity and anomalous behavior
A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to review each other, for compliance with security governance and standards they all find acceptable, what is this federation model called?
A. Cross certification
B. Proxy
C. Single Sign On
D. Regulated
A. Cross certification
Explanation:
The cross certification federation model is also known as a web of trust
When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is:
A. Legal liability cant be transferred to the cloud provider
B. Many states have data breach notification laws
C. Breaches can cause the loss of proprietary data
D. Breaches can cause the loss of intellectual property
A. Legal liability cant be transferred to the cloud provider
Explanation:
State notification laws and the loss of proprietary data/intellectual property predate the cloud; only the inability to transfer liability is new
Methods for achieving a high availability cloud environment include all of the following except:
A. Extreme redundancy
B. Multiple system vendors for the same service
C. Explicitly documented BCDR functions in the SLA or contract
D. Failover capability back to the customers on premises environment
D. Failover capability back to the customers on premises environment
Explanation:
In many cases, the customer will no longer have an on premises environment after a cloud migration. All the other options are methods cloud providers use to achieve high availability environments
Which of the following is a US audit standard often used to evaluate cloud providers?
A. ISO 27001
B. SOX
C. SSAE 18
D. IEC 43770
C. SSAE 18
Explanation:
The Statement on Standards for Attestation Engagements (SSAE) 18 is the current AICPA (American Institute of Certified Public Accountants) audit standard. ISO 27001 is an international standard, not a US audit standard
You are the security manager for an organization that uses the cloud for its production environment. According to your contract with the cloud provider, your organization is responsible for patching. A new patch is issued by one of your vendors. You decide not to apply it immediately for fear of interoperability problems. Who may impose penalties on your organization for this decision if the vulnerability is exploited?
A. The cloud provider
B. Regulators
C. Your end clients
D. Your internet service provider (ISP)
B. Regulators
Explanation:
If your organization doesn't apply a patch for a known vulnerability, regulators may claim the organization was not performing adequate due diligence and penalize it accordingly
Which of the following techniques for ensuring cloud data center storage resiliency uses parity bits and disk striping?
A. Cloud bursting
B. RAID
C. Data dispersion
D. SAN
B. RAID
Explanation:
Parity bits and disk striping are characteristic of RAID implementations. Cloud bursting is a feature of scalable cloud hosting. Data dispersion uses parity bits, but not disk striping; instead it uses data chunks and encryption. SAN is a data storage technique but is not focused on resiliency
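As an added example (not from the flashcards), the code below implements a toy RAID 5 layout: each stripe holds one chunk per data disk plus one XOR parity chunk, the parity slot rotates across disks, and a lost disk is rebuilt by XORing the survivors. It shows concretely why one disk failure is survivable and where the capacity goes. Disk count, chunk size and the payload are constructed.

```python
def xor_blocks(blocks):
    """XOR equal-length byte strings together; this is the whole parity computation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, chunk: int):
    """Stripe data over n_disks-1 data chunks + 1 parity chunk per stripe, parity slot rotating."""
    assert n_disks >= 3, "RAID 5 needs at least three disks"
    n_data = n_disks - 1
    stripe_bytes = n_data * chunk
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        pieces = [padded[(s * n_data + j) * chunk:(s * n_data + j + 1) * chunk] for j in range(n_data)]
        parity_disk = s % n_disks          # rotate so no single disk is the parity bottleneck
        parity = xor_blocks(pieces)
        it = iter(pieces)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks, length: int) -> bytes:
    """Reassemble the payload, skipping the parity chunk of each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, lost: int):
    """Recreate disk `lost` (given as None) from the XOR of every other disk, stripe by stripe."""
    survivors = [d for i, d in enumerate(disks) if i != lost]
    n_stripes = len(survivors[0])
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]
    repaired = list(disks)
    repaired[lost] = rebuilt
    return repaired


def stored_bytes(disks) -> int:
    """Raw capacity consumed, to make the one-disk parity overhead visible."""
    return sum(len(c) for d in disks for c in d)


if __name__ == "__main__":
    payload = bytes(range(50))                     # constructed payload
    array = raid5_write(payload, n_disks=4, chunk=8)
    damaged = list(array)
    damaged[2] = None                              # simulate a dead disk
    print(raid5_read(raid5_rebuild(damaged, 2), len(payload)) == payload)
```

Two simultaneous failures cannot be rebuilt with a single parity chunk, which is why larger arrays move to RAID 6 (two independent parities) and why cloud providers layer data dispersion across racks and zones on top.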
Best practice for planning the physical resiliency for a cloud data center facility includes:
A. Having one point of egress for personnel
B. Ensuring that any cabling/connectivity enters the facility from different sides of the building/property
C. Ensuring that all parking areas are near generators so that personnel in high traffic areas are always illuminated by emergency lighting, even when utility power is not available
D. Ensuring that the foundation of the facility is rated to withstand earthquake tremors
B. Ensuring that any cabling/connectivity enters the facility from different sides of the building/property
Explanation:
To avoid a situation where severing a given physical connection (such as during construction or landscaping) also severs its backup, have redundant lines enter on different sides of the building
Which Common Criteria EAL is granted to those products that are functionally tested by their manufacturer/vendor?
A. 1
B. 3
C. 5
D. 7
A. 1
Explanation:
EAL 1 is for functionally tested products
Option B is incorrect because EAL 3 is for solutions that have been methodically tested and checked
Which of the following activities can enhance the usefulness and abilities of a data loss prevention or data leak protection solution?
A. Perform emergency egress training for all personnel
B. Require data owners, stewards and custodians to properly classify and label data at time of creation or collection
C. Require senior management to participate in all security functions, including initial, recurring, and refresher training
D. Display security guidance in a variety of formats, including a web page, banner, posted and hard copy material
B. Require data owners, stewards and custodians to properly classify and label data at time of creation or collection
Explanation:
DLP tools can function better if appropriate and accurate classification and labeling is applied throughout the environment and done on a consistent basis
The Trusted Cloud Initiative (TCI) exists to define principles of cloud computing that providers should strive for in order to foster a clear understanding of the cloud marketplace and to enhance that market. Which of the following is not one of the CSA's TCI fundamental principles?
A. Delegate or federate access control when appropriate
B. Ensure the [trusted cloud] architecture is resilient, elastic and flexible
C. Ensure the [trust cloud] architecture addresses and supports multiple levels of protection
D. Provide economical services to all customers, regardless of point of origin
D. Provide economical services to all customers, regardless of point of origin
Explanation:
The TCI does not specifically require cost-effectiveness of cloud services
PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. The different merchant tier requirements will dictate:
A. Different types of audits each must conduct
B. Different amounts of audits each must conduct
C. Different control sets based on tier level
D. Different cost of controls based on tier level
B. Different amounts of audits each must conduct
Explanation:
Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.
An audit scoping statement might include all of the following constraints except:
A. Limitation of destructive techniques
B. Prohibition of all personnel interviews
C. Prohibition on access to the production environment
D. Mandate of particular time zone review
C. Prohibition on access to the production environment
Explanation:
Auditors may find it necessary to speak to particular individuals in order to locate artifacts and understand the environment. Although there may be some limitation on particular points of contact and the nature of interviews, there cannot be a total prohibition
When considering cloud data replication strategies (i.e., whether you are making backups at the block, file or database level), which element of your organization's BCDR plan will be most affected by your choice?
A. Recovery time objective
B. Recovery Point Objective
C. Maximum allowable downtime
D. Mean time to failure
B. Recovery Point Objective
Explanation:
The recovery point objective (RPO) is a measure of the data that can be lost in an outage without irreparably damaging the organization.
What is the international standard that dictates creation of an organizational information security management system (ISMS)?
A. NIST SP 800-53
B. PCI DSS
C. ISO 27001
D. NIST SP 800-37
C. ISO 27001
Explanation:
ISO 27001 mandates an ISMS: organizations can be certified according to compliance with 27001.
NIST SP 800-53 is the list of security controls approved for use by US government agencies and a means to map them to the Risk Management Framework
What is the primary characteristic of volume storage?
A. They are volumes attached to virtual storage and act or behave just like a physical drive or array
B. They are drives attached to physical storage and act or behave just like a physical drive or array
C. They are volumes attached to physical storage and act or behave just like a physical drive or array
D. They are drives attached to virtual storage and act or behave just like a physical drive or array
A. They are volumes attached to virtual storage and act or behave just like a physical drive or array
Explanation:
Volume storage consists of volumes that are attached to virtual storage and act or behave just like a physical drive or array
In which phase of the cloud secure data life cycle does data leave the production environment and go into long term storage?
A. Store
B. Use
C. Share
D. Archive
D. Archive
Explanation:
This action defines the archive phase.
An audit against the _______ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements
A. Statement on Auditing Standards (SAS) 79 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. ISO 27002 certification criteria
D. NIST Special Publication (SP) 800-53
C. ISO 27002 certification criteria
Explanation:
The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001
What aspect of data center planning occurs first?
A. Logical design
B. Physical design
C. Audit
D. Policy revision
A. Logical design
Explanation:
The logical design should come before the physical design; function dictates form. Audit and revision come after creation
Which common security tool can aid in the overall BCDR process?
A. Honeypots
B. DLP
C. SIEM
D. Firewalls
B. DLP
Explanation:
DLP solutions typically have the capability to aid in asset validation and location, both important facets of the BCDR process. All the other options are common security tools but do not serve BCDR efforts
In container virtualization, unlike standard virtualization, which is not included?
A. Hardware emulation
B. OS Replication
C. A single kernel
D. The possibility for multiple kernels
A. Hardware emulation
Explanation:
In containerization, the underlying hardware is not emulated; the containers run on the same underlying kernel, sharing the majority of the base OS
Which term refers to a system's ability to cordon off or protect certain aspects of the compute environment, such as processing, memory and other resources needed in the compute transaction?
A. Virtualization
B. Emulation
C. ASLR
D. Sandboxing
D. Sandboxing
Explanation:
Sandboxing is often used for testing applications in development or carving out resources that cannot then touch other parts of the same system
You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. The back end of the software will have the data structured in a way to optimize XML requests. Which API programming style should programmers most likely concentrate on for the front end of the interface?
A. Simple Object Access Protocol (SOAP)
B. Representational State Transfer (REST)
C. Security Assertion Markup Language (SAML)
D. DLP
A. Simple Object Access Protocol (SOAP)
Explanation:
SOAP is a web service programming format that requires the use of XML.
REST relies more often on uniform resource identifiers (URIs) than XML; option B is incorrect
SAML is a protocol for passing identity assertions over the Internet; option C is incorrect
Egress monitoring solutions usually include a function that:
A. Uses biometrics to scan users
B. Inspects incoming packets
C. Resides on client machines
D. Uses stateful inspection
C. Resides on client machines
Explanation:
Egress monitoring solutions will often include an agent that resides on client devices in order to inspect data being shared/sent by end users. DLP tools do not inspect incoming packets, with or without stateful inspection
Dynamic software security testing typically uses ___________ as a measure of how thorough the testing was.
A. User coverage
B. Code coverage
C. Path coverage
D. Total coverage
C. Path coverage
Explanation:
In dynamic software testing, the objective is to test a significant sample of the possible logical paths from data input to output
Why is Simple Object Access Protocol (SOAP) used for accessing web services instead of the Distributed Component Object Model (DCOM) and the Common Object Request Broker Architecture (CORBA)?
A. SOAP provides a much more lightweight solution
B. SOAP replaces binary messaging with XML
C. SOAP is much more secure
D. SOAP is newer
B. SOAP replaces binary messaging with XML
Explanation:
XML works better over the Internet than the binary messaging of older technologies. SOAP is not particularly lightweight; in fact it is cumbersome
The cloud computing characteristic of elasticity promotes which aspect of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. None
D. None
Explanation:
Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit.
Which of the following would probably best aid an organization in deciding whether to migrate from a traditional environment to a particular cloud provider?
A. Rate sheets comparing a cloud provider to other cloud providers
B. Cloud provider offers to provide engineering assistance during the migration
C. The cost/benefit measure of closing the organization's relocation site (hot site/warm site) and using the cloud for DR instead
D. SLA satisfaction surveys from other (current and past) cloud customers
D. SLA satisfaction surveys from other (current and past) cloud customers
Explanation:
Of the listed options, knowing how other customers feel about a provider may be the most realistic indication of whether an organization realized projected/anticipated benefits after a migration
Which of the following is the best advantage of external audits?
A. Independence
B. Oversight
C. Cheaper
D. Better results
A. Independence
Explanation:
The primary advantage of external audits based on the choices given would be that of independence. External audits are typically more independent and therefore lead to more effective results
Which of the following database encryption techniques can be used to encrypt specific tables within the database?
A. File level encryption
B. Transparent encryption
C. Application level encryption
D. Object level encryption
B. Transparent encryption
Explanation:
Encrypting specific tables within the database is one of the options of transparent encryption; this is not true of the other options
According to the CSA, what aspect of managed cloud services makes the threat of abuse of cloud services so alarming from a management perspective?
A. Scalability
B. Multitenancy
C. Resiliency
D. Broadband connections
A. Scalability
Explanation:
Because users in cloud customer orgs often do not pay directly for cloud services (and are often not even aware of the cost of use), scalability can be a significant management concern
Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment?
A. GPS tracking/locator
B. Automated vulnerability scan on system startup
C. ACL of authorized personnel
D. Write protection
B. Automated vulnerability scan on system startup
Explanation:
Because VMs do not take updates when they are not in use and updates may be pushed while the VMs are saved, it is important to ensure that they receive updates when they are next instantiated
What distinguishes the Federal Information Processing Standard (FIPS) 140-2 security levels for cryptographic modules?
A. The level of sensitivity of data they can be used to protect
B. The amount of physical protection provided by the product, in terms of tamper resistance
C. The size of the IT environment the product can be used to protect
D. The geographic location in which the product is allowed
B. The amount of physical protection provided by the product, in terms of tamper resistance
Explanation:
The security levels acknowledge different levels of physical protection offered by a cryptomodule, with level 1 offering crypto functionality and no real physical protection and level 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts
Alice is the CEO of a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. What is probably the biggest factor in her decision?
A. Network scalability
B. Off site backup capability
C. Global Accessibility
D. Reduced overall costs due to outsourcing administration
D. Reduced overall costs due to outsourcing administration
Explanation:
While all of these are traits of cloud computing and will likely benefit Alice's company, from her position as senior manager of the organization she is likely to consider the financial benefit first and foremost
Data owners might consider using tokenization for all of the following reasons except:
A. Regulatory or contractual compliance
B. Inference
C. Reduced cost of compliance
D. Mitigating risk from data lost to intrusion
B. Inference
Explanation:
Inference is an attack strategy, not a reason for implementing tokenization
What was the first international privacy standard specifically for cloud providers?
A. NIST SP 800-37
B. Personal Information Protection and Electronic Document Act
C. Payment Card Industry
D. ISO 27018
D. ISO 27018
Explanation:
ISO 27018 describes privacy requirements for cloud providers, including an internal audit mandate.
In order to ensure proper ____________ in a secure cloud environment, consider the use of Domain Name System Security Extensions (DNSSEC), IPSec, and TLS
A. Isolation
B. Motif
C. Multitenancy
D. Signal Modulation
A. Isolation
Explanation:
Isolation in the cloud is imperative, largely because of multitenancy
Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that may not have been as important in the traditional environment?
A. IAM Capability
B. Distributed Denial of Service Resistance
C. Encryption for data at rest and in motion
D. Field validation
C. Encryption for data at rest and in motion
Explanation:
Traditional apps won't usually require encryption in all phases of the data life cycle because data is protected in several stages in the traditional environment without the need for additional controls.
In the cloud environment, data exposed at any time in the life cycle might constitute an inadvertent disclosure so cloud apps require encryption for data at rest and in motion
Who pays for cryptographic modules to be certified in accordance with FIPS 140-2 criteria?
A. The US government
B. Module Vendors
C. Certification labs
D. Module users
B. Module Vendors
Explanation:
Vendors who want their products certified under FIPS 140-2 must pay the lab that performs the evaluation
What is the primary incident response goal?
A. Remediating the incident
B. Reverting to the last known good state
C. Determining the scope of possible loss
D. Outcomes dictated by business requirements
D. Outcomes dictated by business requirements
Explanation:
The term cloud carrier most often refers to:
A. The cloud provider
B. The cloud customer
C. An ISP
D. A cloud manager
C. An ISP
Explanation:
Cloud carrier is the term describing the intermediary between cloud customer and provider that delivers connectivity; this is typically an ISP