Notes To Know

Question 1

What is the difference between encryption and tokenization?

Answer 1

Tokenization only protects against internal threats, while encryption protects against internal and external threats.

Question 2

What is the most risk form of cloud service?

Answer 2

Infrastructure as a Service (IaaS) has the most risk and potential security vulnerabilities.

Question 3

How is cloud data in transit encrypted?

Answer 3

It is encrypted with a PKI, which is a public key infrastructure

Question 4

What is a hypervisor?

Answer 4

‘sIt allows multiple OS’s to share a single hardware host.

Question 5

Type 1 Hypervisor

Answer 5

Installed directly on the hardware. Called a bare metal hypervisor.

Question 6

Type 2 Hypervisor

Answer 6

Installed on an existing OS. An example is a VMWare. It is more vulnerable because the attack vector is larger.

Question 7

Advanced Persistent Threat (API)

Answer 7

Old threats that keep coming back or stay within a system. It is a stealthy threat within a system.

Question 8

OWASP

Answer 8

Open Web Application Security Project: Top ten security threats. The list is updated every few years. For web application security.

Question 9

List the Cloud Data Life Cycle

Answer 9

1. Create
2. Store
3. Use
4. Share
5. Archive
6. Destroy

Question 10

What is one of the most important aspects of Cloud

Answer 10

Cost

Question 11

What is ISO 27001

Answer 11

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS). Has 35 control objectives and 114 controls and 14 domains.

Question 12

What is ISO 27002

Answer 12

The standard is also intended to provide a guide for the development of security standards and effective security management practices. Organizational information security standards.

Question 13

NIST 800-53

Answer 13

NIST 800-53 is a publication that recommends security controls for federal information systems and organizations and documents security controls for all federal information systems, except those designed for national security.

Question 14

PCI DSS

Answer 14

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

12 Domains / requirements

200 controls

Not a law, which means you can’t be put in jail for violation

Question 15

What are the common criteria

Answer 15

It is a 7 standards level testing program broken into Evaluation Assurance Level (EAL). EAL 1 offers the lowest security while EAL 7 offers the highest security.

Question 16

What is FIPS 140-2?

Answer 16

cryptography modules that cover hardware and software

Security level 1 is the lowest level of security

Security level 4 highest level of security

Question 17

What is provided as an IaaS?

Answer 17

• Computer network hardware
• Data center (physical facility)

Question 18

What is included in a PaaS?

Answer 18

• Data center
• Computer and network hardware
• virtual infrastructure including the hypervisor and VMs
• The Operating Systems (OS)

Question 19

What is included as a SaaS?

Answer 19

Everything from IaaS and PaaS, as well as the software and applications.

Question 20

What is 27017:2015?

Answer 20

information security controls applicable to the provision and use of cloud services

Question 21

ISO 27001 favors which technology

Answer 21

It does not favor any specific technology.

Question 22

Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?

Answer 22

ISO 27002

Question 23

Soc 2 Type 1

Answer 23

The SOC 2, Type 1 report only describes IT security controls designed by the target but not how effectively those controls function

Question 24

Soc 2 Type 2

Answer 24

The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.

Question 25

Soc 3

Answer 25

The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.

Question 26

41 In terms of the amount of security functions offered, which is the highest Federal Information Processing Standard (FIPS) 140-2 security level a cryptographic module can achieve in certification?

Answer 26

Level 4