Pocket Prep 12 Flashcards

Question

Which of the following types of SOC reports provides high-level information about an organization's controls intended for public dissemination? A. SOC 2 Type II B. SOC 1 C. SOC 3 D. SOC 2 Type I

Answer 1

C. SOC 3 Explanation: Service Organization Control (SOC) reports are generated by the American Institute of CPAs (AICPA). The three types of SOC reports are: SOC 1: SOC 1 reports focus on financial controls and are used to assess an organization’s financial stability. SOC 2: SOC 2 reports assess an organization's controls in different areas, including Security, Availability, Processing Integrity, Confidentiality, or Privacy. Only the Security area is mandatory in a SOC 2 report. SOC 3: SOC 3 reports provide a high-level summary of the controls that are tested in a SOC 2 report but lack the same detail. SOC 3 reports are intended for general dissemination. SOC 2 reports can also be classified as Type I or Type II. A Type I report is based on an analysis of an organization’s control designs but does not test the controls themselves. A Type II report is more comprehensive, as it tests the effectiveness and sustainability of the controls through a more extended audit.

Answer 2

C. Security Information and Event Manager (SIEM) Explanation: An organization's logs are valuable only if the organization makes use of them to identify activity that is unauthorized or compromising. Due to the volume of log data generated by systems, the organization can implement a System Information and Event Monitoring (SIEM) system to overcome these challenges. The SIEM system provides the following: Log centralization and aggregation Data integrity Normalization Automated or continuous monitoring Alerting Investigative monitoring A syslog server is a centralized logging system that collects, stores, and manages log messages generated by various devices and applications within a network. It provides a way to consolidate and analyze logs from different sources, allowing administrators to monitor system activity, troubleshoot issues, and maintain security. However, it does not help to correlate the logs as the SIEM does. SSH is a networking protocol that encrypts transmissions. It works at layer 5 of the OSI model. It is commonly used to transmit logs to the syslog server. It is not helpful when analyzing logs. It only secures the transmission of the logs. DLP tools are used to monitor and manage the transmission or storage of data to ensure that it is done properly. With DLP, the concern is that there will be a data breach/leak unintentionally by the users.

Answer 3

D. Business Impact Assessment (BIA) Explanation: After defining the scope, the next step of developing a BC/DR plan is to perform a business impact assessment. This stage determines what should be included in the plan and looks at items such as the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). It will be necessary during this stage to identify critical systems within the environment. Based on the knowledge found during the BIA, it is then necessary to develop the recovery strategy. For example, when a failure occurs, will the business fail to a different region within that cloud provider or will they fail to a different cloud provider. The solution must be tested to ensure that it will work when needed. At the end of the BC/DR planning process, everyone who needs to know about the plan is aware.

Answer 4

C. Utilize a cloud Key Management Service (KMS) to encrypt the data encryption key Explanation: It is essential that we understand the options for how and where to encrypt data in the cloud. There are many solutions that vary per cloud service provider. Using a KMS is a great solution today for most companies. The cost is fairly low, if not free for KMS. With KMS, the customer generates a Data Encryption Key (DEK) that is used to encrypt the actual data. The DEK is then encrypted with a Customer Master Key (CMK). The CMK is stored in the KMS. The plaintext data is only available on the server or the customer side. An HSM is a much more expensive option. The encryption and decryption of the data actually occurs within the HSM. Client-side encryption and decryption is not so bad, but the key should never be stored in the VM. When the image is decrypted to be spun up, the key will be accessible to anyone who can see that image. The same can be said about server-side encryption and decryption. It is not entirely wrong, but the key should never be stored within the image. Reference:

Answer 5

A. Server cluster Explanation: Server clusters are a collection of resources linked together by a software agent that enables communication, resource sharing, and task routing. Server clusters are considered active-active since they include at least two servers (and any other needed resources) that are both active at the same time. Server redundancy is usually considered active-passive. Only one server is active at a time. The second waits for a failure to occur; then, it will take over. Storage controllers are used for storage area networks. It is possible that the servers in the question are storage servers, but more likely they contain the applications that the users and/or the customers require. Therefore, server clustering is the correct answer. Security groups are effectively virtualized local area networks protected by a firewall.

Answer 6

D. Infrastructure as a Service Explanation: In an Infrastructure as a Service (IaaS) environment, the customer has the greatest control over its infrastructure stack. This means that it needs to rely less on the service provider than in other service models and, therefore, has fewer potential external security risks and threats.

Answer 7

B. Internet of Things (IoT) Explanation: The Internet of Things (IoT) refers to the use of non-traditional computing devices (such as lamps, thermostats, and other home appliances) accessing the internet. Although some do consider laptops, smart phones, and computers to be part of IoT, for the exam, these items are unlikely to be considered part of the IoT. Machine Learning (ML) is computers being able to process data to determine answers. The answers could confirm (or not) a hypothesis. Or it is possible for ML to come to a conclusion without any preconceived hypothesis. ML is a component of AI. AI is having computers process data the same way a human brain could. Arguably, we are not at AI yet. Some say we are at narrow AI. It is still an evolving technology for sure. Blockchain creates a ledger of transactions that are permanent and verifiable. A common use today is cryptocurrency.

Answer 8

D. Resource Pooling Explanation: The six common characteristics of cloud computing include: Broad Network Access: Cloud services are widely available over the network, whether using web browsers, secure shell (SSH), or other protocols. On-Demand Self-Service: Cloud customers can redesign their cloud infrastructure at need, leasing additional storage or processing power or specialized components and gaining access to them on-demand. Resource Pooling: Cloud customers lease resources from a shared pool maintained by the cloud provider at need. This enables the cloud provider to take advantage of economies of scale by spreading infrastructure costs over multiple cloud customers. Rapid Elasticity and Scalability: Cloud customers can expand or contract their cloud footprint at need, much faster than would be possible if they were using physical infrastructure. Measured or Metered Service: Cloud providers measure their customers’ usage of the cloud and bill them for the resources that they use. Multitenancy: Public cloud environments are multitenant, meaning that multiple different cloud customers share the same underlying infrastructure

Answer 9

B. Non-repudiation Explanation: Non-repudiation refers to a person’s inability to deny that they took a particular action. Chain of custody helps to enforce non-repudiation because it demonstrates that the evidence has not been tampered with in a way that could enable someone to deny their actions. Confidentiality, integrity, and availability are the "CIA triad" that describes the main goals of security.

Answer 10

C. Identity Provider (IdP) Explanation: The organization would act as the identity provider, while the relying party would act as the service provider. The identity provider is the organization that generates tokens for users because it has the ability to authenticate the users. In this scenario, the organization is authenticating their own employees. The SP is the organization that provides the service that will be used by the users, for example, a sales force. The CA is used to verify the X.509 certificates. Encryption should be used within the SSO system, but the question doesn't mention anything encryption related. A domain registrar is the business that corporations go to to register a domain name, for example, PocketPrep.com.

Answer 11

C. Federal Information Security Management Act (FISMA) Explanation: US government agencies must build risk-based policies for cost-effective security. Government agencies are not immune to bad actors attacking them. In the past, the security within government agencies was not very good, so this regulation demands that they do better. GLBA is an extension to Sarbanes-Oxley that demands that personal data be protected with the financial data. The HIPAA requires that Protected Health Information (PHI) be protected.

Answer 12

A. A highly vetted and limited set of administrators Explanation: If compromised, the management plane would provide full control of the cloud environment to an attacker. Due to this, only a highly vetted and limited set of administrators should have access to the management plane. However, you will want more than a single administrator. If the single administrator leaves or is no longer able to perform management duties, the ability of the business to manage their cloud environment would be compromised. Software developers deploying virtual machines may need access, but they would be in the highly vetted group of administrators if that is the case. The same would be true for SOC personnel. They need to be vetted and trusted.

Answer 13

D. take the level of concern away from the cloud customer and place it onto the cloud provider Explanation: While it may seem that a cloud infrastructure is completely different from that of a traditional data center, all the components that exist in a traditional data center are still needed in the cloud. The main difference is that within a cloud environment, the responsibility and level of concern is moved away from the cloud customer to the cloud provider. However, not all concerns, but this answer is the best out of the other three statements. The cloud provider is responsible for the physical data center and its security, and depending on the level of service that the customer buys, they are also possibly responsible for the virtual server and applications. One way to look at the CCSP exam is that it is a data center exam. The language is sometimes changed to the newer cloud language.

Answer 14

C. Virtual Machine Introspection (VMI) Explanation: VMI is a tool that allows for information regarding the runtime state of a running virtual machine to be monitored. It tracks the events, such as interrupts and memory writes, which allow the content of memory to be collected for a running virtual machine. Hashing and digital signatures can be used to provide evidence that the digital evidence has not been changed or modified. Digital forensics is the process of collecting digital forensic evidence and examining it. Digital forensic science includes the analysis of media, software, and networks. Technical readiness would be getting ready to perform evidence collection and analysis when needed in the future.

Answer 15

A. Structured data Explanation: Structured data is data that has a known format and content type. One example of structured data is the data that is housed in relational databases. This data is housed in specific fields that have a known structure and potential values of data. Having the data organized in these fields makes it easy to search and analyze. Data lakes and big data are considered unstructured data. Unstructured data is unpredictable. It includes all different types of data (e.g., documents, spreadsheet, images, videos, etc.) Since each file is not predictable in size or format, it is considered unstructured. Semistructured data is a relational database that has a field that allows for unstructured data to be entered and stored in it. Unmapped data is not really a term, but it could be considered data that is not classified.

Answer 16

C. Digital signatures Explanation: DNSSec is a protocol that works as a security addition to the standard DNS protocol. DNSSEC works by ensuring all Fully Qualified Domain Name (FQDN) responses are validated. The recursive resolver uses a private key to digitally sign information that is sent in DNS updates. The signature allows the receiving DNS server to validate any DNS information that it receives, thus preventing a bad actor from redirecting network traffic. Creation of digital signatures is done with asymmetric algorithms, not symmetric. Symmetric algorithms do not provide a way to prove authenticity because they function with a shared key. The Advanced Encryption Standard (AES) is a symmetric algorithm. Hashing algorithms are not used to validate the source of information. They can be used to verify the integrity, but it is not possible to verify that a FQDN maps to a specific Internet Protocol (IP) address.

Answer 17

B. Use Explanation: Since the user is logging in through the bad actor's site, this would be the use phase. The user is logging in to view the data. It is not being modified, nor is it being shared with someone else. The data is stored on the website, or behind the website, but that is not what the user is doing. The user is accessing it now, so that is use. Archival is when the data is intentionally moved into a long-term storage location. The data is not being moved in this question, only viewed. Similarly, the data is not being destroyed. The bad actor may destroy it when they log in with the stolen credentials, but that is not the concern at the moment. That is in the future.q

Answer 18

A. Federated Identity Management (FIM) Explanation: Federated identity management allows something like the scenario in the question to work well, especially when the university that knows the scientists does the authentication by acting as the identity provider. Each university (if, that is, where each scientist works) can authenticate those that they know, such as their own students or employees. They become the identity provider in a FIM setup. Multifactor authentication is always a good idea or at least to consider. The question, though, is asking about a cloud environment where they can have the university be the IdP, that is a FIM environment. Kerberos is a single sign on that has been used widely since it was developed in the late 1980s. In a way, it is similar to technologies that enable FIM, such as OAuth and SAML. XML is used by SAML and other environments, but it is not the IdP or FIM technology. It may be used within, depending on the setup.

Answer 19

A. SCA Explanation: Some common tools for application security testing include: Static Application Security Testing (SAST): SAST tools inspect the source code of an application for vulnerable code patterns. It can be performed early in the software development lifecycle but can’t catch some vulnerabilities, such as those visible only at runtime. Dynamic Application Security Testing (DAST): DAST bombards a running application with anomalous inputs or attempted exploits for known vulnerabilities. It has no knowledge of the application’s internals, so it can miss vulnerabilities. However, it is capable of detecting runtime vulnerabilities and configuration errors (unlike SAST). Interactive Application Security Testing (IAST): IAST places an agent inside an application and monitors its internal state while it is running. This enables it to identify unknown vulnerabilities based on their effects on the application. Software Composition Analysis (SCA): SCA is used to identify the third-party dependencies included in an application and may generate a software bill of materials (SBOM). This enables the developer to identify vulnerabilities that exist in this third-party code.

Answer 20

B. Internet of Things (IoT) Explanation: The Internet of Things (IoT) refers to the use of non-traditional computing devices (such as lamps, thermostats, and other home appliances) accessing the internet. Although some do consider laptops, smart phones, and computers to be part of IoT, for the exam, these items are unlikely to be considered part of the IoT. Machine Learning (ML) is computers being able to process data to determine answers. The answers could confirm (or not) a hypothesis. Or it is possible for ML to come to a conclusion without any preconceived hypothesis. ML is a component of AI. AI is having computers process data the same way a human brain could. Arguably, we are not at AI yet. Some say we are at narrow AI. It is still an evolving technology for sure. Blockchain creates a ledger of transactions that are permanent and verifiable. A common use today is cryptocurrency.

Answer 21

A. Access Models Explanation: Information rights management (IRM) involves controlling access to data, including implementing access controls and managing what users can do with the data. The three main objectives of IRM are: Data Rights: Data rights define what users are permitted to do with data (read, write, execute, forward, etc.). It also deals with how those rights are defined, applied, changed, and revoked. Provisioning: Provisioning is when users are onboarded to a system and rights are assigned to them. Often, this uses roles and groups to improve the consistency and scalability of rights management, as rights can be defined granularly for a particular role or group and then applied to everyone that fits in that group. Access Models: Access models take the means by which data is accessed into account when defining rights. For example, data presented via a web application has different potential rights (read, copy-paste, etc.) than data provided in files (read, write, execute, delete, etc.). Enforcement is not a main objective of IRM.

Answer 22

D. Internet Protocol Security Explanation: Internet Protocol Security (IPSec) can be used to encrypt and authenticate packets during transmission between two systems. Examples of this include between two servers, between two network devices, and between network devices and servers. It works very nicely from the edge router in the data center across the internet service provider to the edge router in their IaaS deployment. Encapsulating Security Payload (ESP) is the option within IPSec that encrypts the payloads of the IP packets. This is definitely a feature to turn on within IPSec but not the only feature needed. Authentication Header (AH) and tunnel mode would be two more great options to use, which makes IPSec the more complete answer. Transport Layer Security (TLS) is good for ensuring the confidentiality of web-based sessions as well as authentication of the edge appliances. It can be used in other uses. However, it is not the best protocol for router-to-router connections. This is a layer 4 protocol where IPSec is layer 3. Secure Shell (SSH) is a layer 5 protocol that is good for securing the connections from the cloud administrators to their routers, switches, and servers for configuration purposes.

Answer 23

C. Internal auditor Explanation: Internal auditors serve as an organization's trusted counsel. Internal auditors collaborate with Information Technology (IT) to provide a proactive strategy that balances advisory and assurance services. Internal auditors may be affiliated with the organization, or they may be an independent entity that is unaffiliated with the organization. In most cases, an internal auditor will conduct audits in the conventional sense, ensuring that cloud systems comply with contractual and regulatory obligations. The key to the question is works with. The external auditor is hired to perform an audit, but they would not work with IT. Cloud auditors audit the cloud provider. They are usually referred to as the third party. The first party is the cloud customer. The second party is the Cloud Service Provider (CSP). The third party is the external auditor that audits the provider (a cloud auditor). The fourth party is the contractors the third party hires

Answer 24

A. Information Security Management System Explanation: ISO/IEC 27001 provides guidelines for creating and managing an Information Security Management System (ISMS). The statement of Standards for Attestation Engagements (SSAE) can be used to design an audit plan. Data handling procedures is one of the things that can be planned when building an ISMS. eDiscovery management plan is another topic that can be designed using ISO/IEC 27001, and there is ISO 27050 that is specific to eDiscovery.

Answer 25

C. Regulators Explanation: CSPs are likely to have contracts or some form of agreement with vendors, partners, and customers, but rarely (if ever) with a regulator. Cloud providers purchase servers, routers, firewalls, switches, etc., so they will have contracts with vendors. They would have contracts with the auditors that come in and assess their environments, possibly for SOC 2 or ISO 27001 audits. There would be a contract between the CSP and the audit company. Auditors are considered partners according to ISO 17788. The CSP would definitely have contracts with their customers. This is probably the first contract people think of when talking about clouds. The organization/tenant/customer is responsible for ensuring their cloud environment is in compliance with all regulatory obligations applicable to their organization. However, this is not done through a contract with the regulators.

Answer 26

B. Utilize a cloud Key Management Service (KMS) to encrypt the data encryption key Explanation: It is essential that we understand the options for how and where to encrypt data in the cloud. There are many solutions that vary per cloud service provider. Using a KMS is a great solution today for most companies. The cost is fairly low, if not free for KMS. With KMS, the customer generates a Data Encryption Key (DEK) that is used to encrypt the actual data. The DEK is then encrypted with a Customer Master Key (CMK). The CMK is stored in the KMS. The plaintext data is only available on the server or the customer side. An HSM is a much more expensive option. The encryption and decryption of the data actually occurs within the HSM. Client-side encryption and decryption is not so bad, but the key should never be stored in the VM. When the image is decrypted to be spun up, the key will be accessible to anyone who can see that image. The same can be said about server-side encryption and decryption. It is not entirely wrong, but the key should never be stored within the image.

Answer 27

C. Abuse or nefarious use of cloud services Explanation: Abuse or nefarious use of cloud services is listed as one of the top twelve threats to cloud environments by the Cloud Security Alliance. Abuse or nefarious use of cloud services occurs when an attacker is able to launch attacks from a cloud environment either by gaining access to a poorly secured cloud or using a free trial of cloud service. Often, when using a free trial, the attacker will configure everything using a fake identity so attacks can't be traced back to them. A Denial-of-Service (DoS) attack is when the bad actor causes a system to max out or fill up so that a user is not able to do any work. Shared technology is the core nature of clouds, especially public clouds. If the cloud provider does not take care to ensure that each tenant is not properly isolated or they do not take care of the operating systems, it could lead to so many possible problems. If the hypervisors, Microsoft servers, Linux servers, or any of the other software is not patched or configured properly, it is possible that data could leak between tenants or cause other issues. Advance Persistent Threats (APT) are when very skilled and aggressive bad actors, probably operating on behalf of a government, create software that will slowly cause problems for another country or business. So the word "advanced" speaks to the skill of the bad actors. The word "persistent" speaks to malicious software being in place over a long period of time to cause a great number of problems. If you are unfamiliar with APTs, do a little research into Stuxnet.

Answer 28

C. Cloud Service Provider Explanation: Some of the important roles and responsibilities in cloud computing include: Cloud Service Provider: The cloud service provider offers cloud services to a third party. They are responsible for operating their infrastructure and meeting service level agreements (SLAs). Cloud Customer: The cloud customer uses cloud services. They are responsible for the portion of the cloud infrastructure stack under their control. Cloud Service Partners: Cloud service partners are distinct from the cloud service provider but offer a related service. For example, a cloud service partner may offer add-on security services to secure an organization’s cloud infrastructure. Cloud Service Brokers: A cloud service broker may combine services from several different cloud providers and customize them into packages that meet a customer’s needs and integrate with their environment. Regulators: Regulators ensure that organizations — and their cloud infrastructures — are compliant with applicable laws and regulations. The global nature of the cloud can make regulatory and jurisdictional issues more complex.

Answer 29

B. Virtual Machine Introspection (VMI) Explanation: VMI is a tool that allows for information regarding the runtime state of a running virtual machine to be monitored. It tracks the events, such as interrupts and memory writes, which allow the content of memory to be collected for a running virtual machine. Hashing and digital signatures can be used to provide evidence that the digital evidence has not been changed or modified. Digital forensics is the process of collecting digital forensic evidence and examining it. Digital forensic science includes the analysis of media, software, and networks. Technical readiness would be getting ready to perform evidence collection and analysis when needed in the future.

Answer 30

C. Injection Explanation: A SQL injection attack occurs when an attacker sends malicious SQL statements to the application via data input fields. To prevent these types of attacks, developers can use techniques such as permit list input validation, using prepared statements, and escaping all user-supplied input. Cross-Site Scripting (XSS) is actually a type of injection attack as well. XSS is a type of security vulnerability that occurs when a web application does not properly sanitize user-supplied input and allows malicious code to be injected into web pages viewed by other users. It is a common attack vector that can have severe consequences if exploited. Cross-Site Request Forgery (CSRF) is a type of security vulnerability that occurs when a malicious actor tricks a victim into unknowingly executing unintended actions on a web application. It takes advantage of the trust a website has in a user's browser and can result in unauthorized actions being performed on the victim's behalf. eXtensible Markup Language (XML) External Entity or XML External Entity (XEE) refers to a security vulnerability that exists in applications processing XML inputs. It occurs when an application allows the inclusion of external entities within an XML document, which can lead to the disclosure of sensitive information, denial of service attacks, or even remote code execution.

Answer 31

D. Data owner Explanation: A data owner is the party that maintains full responsibility and ownership of data. Data owners determine the appropriate controls that are necessary to protect that data, including its classification. The data controller determines if and how personal data can be collected and how long it can be stored, basically at a policy level. The data custodian is simply whoever is in possession of the data, which includes IT, end users, senior staff, etc. The data processor handles data (processes and stores the data) within their systems. The data processor is not the employee of the data controller. Think of a payroll company that handles that process for a small business. The separate payroll company would be the data processor. It does include holding or storing of data, so our cloud providers are data processors if personal data is stored there. This is per GDPR in Europe,

Answer 32

A. Structured data Explanation: The complexity of data discovery depends on the type of data being analyzed. Data is commonly classified into one of three categories: Structured: Structured data has a clear, consistent format. Data in a database is a classic example of structured data where all data is labeled using columns. Data discovery is easiest with structured data because the data discovery tool just needs to understand the structure of the database and the context to identify sensitive data. Unstructured Data: Unstructured data is at the other extreme from structured data and includes data where no underlying structure exists. Documents, emails, photos, and similar files are examples of unstructured data. Data discovery in unstructured data is more complex because the tool needs to identify data of interest completely on its own. Semi-Structured Data: Semi-structured data falls between structured and unstructured data, having some internal structure but not to the same degree as a database. HTML, XML, and JSON are examples of semi-structured data formats that use tags to define the function of a particular piece of data. Mostly structured is not a common classification for data.

Answer 33

A. Black-box Explanation: Software testing can be classified as one of a few different types, including: White-box: In white-box or clear-box testing, the tester has full access to the software and its source code and documentation. Static application security testing (SAST) is an example of this technique. Gray-box: The tester has partial knowledge of and access to the software. For example, they may have access to user documentation and high-level architectural information. Black-box: In this test, the attacker has no specialized knowledge or access. Dynamic application security testing (DAST) is an example of this form of testing.

Answer 34

D. Permissions can be modified after a document has been shared Explanation: Dynamic policy controls allow data owners to modify the permissions for their protected data even after it has been shared with others. The key word is "dynamic"—things can be changed. The other features are true but static as stated. All other options are descriptions of functionalities provided by other features of data rights management solutions. One of the core features of DRM, which is also known as Information Rights Management (IRM), is that copying of data can be controlled, and the control is persistent no matter where the data is. It is possible to control expiration dates and time limits. For example, Amazon video allows the rental of a video. You can hold onto the rental for a couple of months, but once you push play you have 24 or 48 hours to complete the video before it is removed from view.

Answer 35

C. Anonymization Explanation: Anonymization is a data privacy technique used to protect the privacy of individuals by removing or altering Personally Identifiable Information (PII) from datasets. The goal of anonymization is to transform data in such a way that it becomes practically impossible to identify specific individuals from the anonymized data. Masking is a data protection technique used to obfuscate or hide sensitive or PII within a dataset. It involves replacing certain characters or values with non-sensitive or fictional data, usually stars or asterisks, while preserving the overall structure and format of the original data. Obfuscation is a technique used to deliberately obscure or make code, data, or information difficult to understand or analyze. It is commonly employed in software development and cybersecurity to protect intellectual property, prevent reverse engineering, or hinder malicious activities. Tokenization is a data protection technique that involves replacing sensitive data elements, such as credit card numbers or PII, with unique identifiers called tokens. The original data is securely stored in a separate location called a token vault or tokenization system.

Answer 36

C. eDiscovery Explanation: eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings. ISO/IEC 27050 is a guide for eDiscovery. The other terms are not the term of use today.

Answer 37

D. Tenant Partitioning Explanation: Tenant partitioning is an example of a logical consideration for data center design. HVAC and multivendor pathway connectivity are environmental considerations, and location is a physical consideration.

Answer 38

B. Perform evidence management, including maintaining chain of custody Explanation: Evidence management is concerned with maintaining the chain of custody in a forensics investigation. Capacity management is focused on maintaining the required resources needed to meet SLAs. Incident management is focused on limiting the impact of incidents on an organization. Continuity management is concerned with developing a business continuity and disaster recovery plan.

Answer 39

B. Both the requests and responses are encrypted Explanation: Protecting the transmissions by encrypting them is the best answer. Encrypting data in transmission protects the data from prying eyes. This is true whether it is an API that is transmitting information or a standard client-server application. Authenticating the requests is always a good thing to do and is typically done with API keys. They should not be hard coded into the API. The question, though, is about protecting the transmissions. Regular testing is also a good thing to do with any software that includes APIs. Again, the question is asking for the transmission to be protected, and encrypting it is the wise thing to do.

Answer 40

B. Data in use Explanation: The three data states include data in use, data in motion (also called data in transit), and data at rest. Data in use refers to when the data is being actively used, and in this question that is what is happening as they examine the data. Data in motion, or data in transit, refers to when the data is in active transmission across the network. The data will have moved from the database to their screen, but the focus is sales people looking at and analyzing the data. That is data in use. Data at rest refers to data being stored in an idle state. Data in transition is not one of these three data states.

Answer 41

A. It has been methodically designed, tested, and reviewed Explanation: Correct answer: It has been methodically designed, tested, and reviewed The possible Evaluation Assurance Level (EAL) scores are as follows: EAL1 - Functionally tested EAL2 - Structurally tested EAL3 - Methodically tested and checked EAL4 - Methodically designed, tested, and reviewed EAL5 - Semi-formally designed and tested EAL6 - Semi-formally verified design and tested EAL7 - Formally verified design and tested This is a simple question, but it is here because you might need this information for the test.

Answer 42

D. Honeypot Explanation: A honeypot is a dummy system designed to attract an attacker’s attention and waste their time while allowing defenders to detect and observe the attack. Bastion hosts are systems designed to provide access to a private network from a less secure one. Sandboxing involves running software in an isolated environment where it can't cause damage to production systems. Containers wrap an application and its dependencies in a package to improve portability.

Answer 43

C. Encryption Explanation: To keep data private anywhere today, encryption is required. There are different types of encryption for data at rest, data in use, and data in transit. For confidentiality, we use symmetric encryption today. Antimalware will not keep data private. It is designed to find any type of malicious software it can. The malicious software could endanger the privacy of data, but we need encryption to actually protect the data. Object storage might help protect the confidentiality of data, but relying on that alone to protect confidentiality is a mistake. We need to render the data unreadable, which is the point of encryption. SAML is a markup programming language that creates a token for a user to submit as proof of their identity.

Answer 44

B. IaaS Explanation: Cloud services are typically provided under three main service models: Software as a Service (SaaS): Under the SaaS model, the cloud provider offers the customer access to a complete application developed by the cloud provider. Webmail services like Google Workspace and Microsoft 365 are examples of SaaS offerings. Platform as a Service (PaaS): In a PaaS model, the cloud provider offers the customer a managed environment where they can build and deploy applications. The cloud provider manages compute, data storage, and other services for the application. Infrastructure as a Service (IaaS): In IaaS, the cloud provider offers an environment where the customer has access to various infrastructure building blocks. AWS, which allows customers to deploy virtual machines (VMs) or use block data storage in the cloud, is an example of an IaaS platform. Function as a Service (FaaS) is a form of PaaS in which the customer creates individual functions that can run in the cloud. Examples include AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions.

Answer 45

C. Software as a Service (SaaS) Explanation: SaaS is a cloud service in which the cloud provider manages and maintains everything from the application/software itself to the servers they run on and the platform they were built on. The cloud client is not responsible for anything to do with managing the program; they can simply access it over the internet. IaaS allows a customer to bring their servers, databases, routers, switches, firewalls, Intrustion Detection Systems (IDS), applications, and so on to the cloud provider. Effectively, it allows the customer to build a virtual Data Center (DC). The question says that the cloud provider manages all this, so it cannot be IaaS. PaaS allows a customer to lease a server-based or serverless environment. The customer brings or builds their software with PaaS; therefore, it does not match the question. Communication as a Service is mentioned in the ISO/IEC 17788 document, although most do not consider it one of the main options. However, this would involve some kind of communication software. The question does not mention anything specific about the application, so Software as a Service is a better option as an answer.

Answer 46

D. International Standards Organization/International Electrotechnical Commission (ISO/IEC) 27050 Explanation: The ISO/IEC 27050 standard provides guidelines for eDiscovery processes and best practices. ISO/IEC 27050 covers all steps of eDiscovery processes, including identification, preservation, collection, processing, review, analysis, and the final production of the requested data archive. FISMA is a U.S. act that requires U.S. government agencies to implement processes and controls to protect the confidentiality, integrity, and availability of information systems. NIST SP 800-53 is a catalog of security and privacy controls for information security systems and assets. PCI DSS mandates 12 controls that must be implemented if a company is handling or processing credit card or bank card numbers and associated data.

Answer 47

C. Configuration management Explanation: Configuration management is required. Configuration management technologies aid in cloud deployment management by centrally storing and archiving cloud configurations. It enables the tracking of configuration changes and the identification of the individuals who made the changes. These provisions enable you to guarantee that your cloud conforms with applicable regulations. In ITIL, this is defined as the parameter setting for configuration items. Change management is defined by ITIL as additions, modifications, and removal of anything that can affect services. If configuration management was not an answer option, this could have been the correct one. The question is trying to point specifically to tracking the configuration changes so configuration management is the better answer. Release management is used for adding new services and features or changing them. Capacity management is ensuring that there is a plan to meet the demand for resources or services when needed.

Answer 48

A. Message Digest (MD) 5 Explanation: Hashing is a process that can be used to verify the integrity of data. MD5 is a hashing algorithm. This is because if you use the same hashing algorithm on the same data time and time again, the hash value that is generated will be the same. If the data is changed, the hash value will be different, confirming that the integrity of the data is not intact. AES is a symmetric encryption algorithm. While encryption can protect the data in the database, it does not prove the integrity of the data. KMS is a tool that is used to store and protect cryptographic keys. PKCS is another tool for managing crypto keys. Managing crypto keys is not related to proving integrity. Cryptography is usually used to protect confidentiality, maybe authenticity.

Answer 49

A. Open Source Software Explanation: Some important considerations for secure software development in the cloud include: API Security: In the cloud, the use of microservices and APIs is common. API security best practices include identifying all APIs, performing regular vulnerability scanning, and implementing access controls to manage access to the APIs. Supply Chain Security: An attacker may be able to access an organization’s systems via access provided to a partner or vendor, or a failure of a provider’s systems may place an organization’s security at risk. Companies should assess their vendors’ security and ability to provide services via SOC2 and ISO 27001 certifications. Third-Party Software: Third-party software may contain vulnerabilities or malicious functionality introduced by an attacker. Also, the use of third-party software is often managed via licensing, with whose terms an organization must comply. Visibility into the use of third-party software is essential for security and legal compliance. Open Source Software: Most software uses third-party and open-source libraries and components, which can include malicious functionality or vulnerabilities. Developers should use software composition analysis (SCA) tools to build a software bill of materials (SBOM) to identify any potential vulnerabilities in components used by their applications.

Answer 50

A. FIPS 140-2 Explanation: Cloud providers’ systems may be subject to certification against standards that address a specific component, such as a cryptographic module. Examples of these system/subsystem product certifications include: Common Criteria: Common Criteria (CC) are guidelines for comparing various security systems. A protection profile describes the security requirements of systems being compared, and the evaluation assurance level (EAL) describes the level of testing performed on the system, ranging from 1 (lowest) to 7 (highest). FIPS 140-2: Federal Information Processing Standard (FIPS) 140-2 is a US government standard for cryptographic modules. FIPS compliance is necessary for organizations that want to work with the US government and mandates the use of secure cryptographic algorithms like AES. FedRAMP and G-Cloud are standards used by the US and UK governments.

Answer 51

C. Structured data Explanation: Structured data describes data that is in a known format and content type. The most common example of structured data is found within relational databases (e.g., SQL). Unstructured data is not in a predictable format. Big data and data lakes are an example. Semi-structured data is unstructured data placed in a structured database. Content-based discovery is a type of data discovery.

Answer 52

A. Are identified by Common Weakness Enumeration (CWE) scores based on the Common Weakness Scoring System (CWSS), which is a community developed project Explanation: Correct answer: Are identified by Common Weakness Enumeration (CWE) scores based on the Common Weakness Scoring System (CWSS), which is a community developed project The CWE list identifies known hardware and software weakness types such as XML Injection, whereas the CVE list identifies unique vulnerabilities, such as "local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107." The CWSS is a scoring system designed by the community to prioritize "software weaknesses in a consistent, flexible, open manner." The NIST RMF is a risk management process to give the government and business a way to perform "security, privacy, and cyber supply chain risk management activities into the system development life cycle." The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. NIST uses the CVEs.

Answer 53

C. Information Technology Service Management (ITSM) Explanation: ITSM is effectively ISO 20000-1 and is based on ITIL. Managing the services from the cloud provider matches ITSM slightly better than ITIL, but ITIL was included as an answer option for discussion purposes. ITSM is a comprehensive approach to designing, delivering, managing, and improving IT services within an organization. It focuses on aligning IT services with the needs of the business and ensuring that the IT services provided are efficient, reliable, and of high quality. ITSM involves a set of practices, processes, and policies that guide the entire service lifecycle, from service strategy and design to service transition, operation, and continual service improvement. Key characteristics of ITSM include: Customer-centric: ITSM emphasizes understanding and meeting the needs of customers and end-users. It aims to improve customer satisfaction and overall service experience. Process-oriented: ITSM adopts a process-driven approach, defining workflows and procedures to ensure consistent and repeatable service delivery. Focus on continual improvement: ITSM encourages regular evaluation and optimization of IT services and processes to increase efficiency and effectiveness. ITIL involves managing data centers more specifically, so it matches the work of the cloud provider slightly better. Key characteristics of ITIL include: Service lifecycle approach: ITIL is structured around the service lifecycle, consisting of five core stages: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. Process framework: ITIL defines a range of processes that cover various aspects of IT service management, including incident management, problem management, change management, service level management, and more. Widely adopted standard: ITIL has become a de facto standard for ITSM and is widely adopted by organizations globally. Change management is a structured and organized approach to managing and implementing organizational changes. It involves planning, coordinating, communicating, and monitoring modifications to various aspects of the organization, such as processes, systems, technology, culture, or organizational structure. BCP is about planning for when there are failures, not the basic management of a cloud vendor.

Answer 54

A. Management plane Explanation: In virtual environments, the management plane has access to all the hypervisors and hosted systems. While this creates ease of use for administrators, it can also lead to security risks. If an attacker were able to compromise the management plane, they would be able to compromise all the hypervisors and hosted systems in the environment. If the hypervisor was compromised, that would be a serious problem. The management plane is the access to the hypervisor. Accessing the hypervisor from outside of the cloud provider's network is probably harder than gaining access if the management plane is compromised. So, the management plane is more important here to secure. RDP is a common protocol used by administrators to access servers. If this is used and it was compromised it would be a problem but not as severe, probably, as a management plane compromise. That is because of the wider reach of the management plane in the cloud over control of the virtual environments. If someone could compromise the physical network equipment, that would also be a problem. To compromise the hardware, the path would probably be through compromising the vendor or physically gaining access to the data center. Both are less likely than a management plane compromise. And again, the level of damage that can be caused is probably lower with compromising the physical network rather than the management plane.

Answer 55

C. IdP Explanation: Federated Identity: Federated identity allows users to use the same identity across multiple organizations. The organizations set up their IAM systems to trust user credentials developed by the other organization. Single Sign-On (SSO): SSO allows users to use a single login credential for multiple applications and systems. The user authenticates to the SSO provider, and the SSO provider authenticates the user to the apps using it. Identity Providers (IdPs): IdPs manage a user’s identities for an organization. For example, Google, Facebook, and other organizations offer identity management and SSO services on the Web. Multi-Factor Authentication (MFA): MFA requires a user to provide multiple authentication factors to log into a system. For example, a user may need to provide a password and a one-time password (OTP) sent to a smartphone or generated by an authenticator app. Cloud Access Security Broker (CASB): A CASB sits between cloud applications and users and manages access and security enforcement for these applications. All requests go through the CASB, which can perform monitoring and logging and can block requests that violate corporate security policies. Secrets Management: Secrets include passwords, API keys, SSH keys, digital certificates, and anything that is used to authenticate identity and grant access to a system. Secrets management includes ensuring that secrets are randomly generated and stored securely.

Answer 56

C. Data labeling Explanation: Data dispersion is when data is distributed across multiple locations to improve resiliency. Overlapping coverage makes it possible to reconstruct data if a portion of it is lost. A data flow diagram (DFD) maps how data flows between an organization’s various locations and applications. This helps to maintain data visibility and implement effective access controls and regulatory compliance. Data mapping identifies data requiring protection within an organization. This helps to ensure that the data is properly protected wherever it is used. Data labeling contains metadata describing important features of the data. For example, data labels could include information about ownership, classification, limitations on use or distribution, and when the data was created and should be disposed of.

Answer 57

D. Crypto-shredding Explanation: The optimal solution would be cryptographic shredding. Crypto-shredding destroys the encryption key, rendering the data unrecoverable. Because the key is in the customer's possession, this is very possible. The normal description of crypto-shredding is that first you encrypt and then destroy the key. Here it is already encrypted. If, in the process of destroying data, it has to be encrypted, then delete the key, but that does not ensure that the data that is on the cloud's network is overwritten. When you newly encrypt, you are creating a new copy of the data. Do be careful to ensure that the key the data is encrypted with is destroyed. Shredding, acid bath, and degaussing are all physical destruction methods. You must have the drive in your possession to do this. There are two problems with that: 1) If you are using a public cloud provider, you are highly unlikely to have physical possession of the drives. 2) Data is chunked or sharded and disbursed across many, many drives that are normally shared with other tenants, making it even more unlikely for this to happen. Shredding is putting the drive through a machine that chops the drive into small pieces. An acid bath is where acid is actually put on the drive. Degaussing alters the magnetic state of magnetic media. Basically, it is a large magnet that you bring into contact with a magnetic drive, but this does not work on Solid State Drives (SSD). SSDs need to be shredded.

Answer 58

A. Security Assertion Markup Language (SAML) Explanation: SAML is an XML-based standard used to exchange information in the authorization and authentication process. SAML 2.0, which was adopted in 2005, is the latest standard put out by the nonprofit OASIS consortium and its Security Services Technical Committee. WS-Federation can use token technologies such as SAML. It was originally designed by Microsoft, Verisign, and IBM. OAuth began with work done by Blaine Cook. The Internet Engineering Task Force (IETF) published OAuth 2.0. Open Authorization can be used with Open Identification. OpenID is used to identify and authenticate; this is from the Open ID Foundation.

Answer 59

C. Fog computing Explanation: Fog computing is a term that Cisco created that is gaining traction. Fog computing moves the processing of data to a local fog node or IoT gateway. This would be onboard the train itself. Then, when it reconnects to the internet, it can upload information for the company to manage. Edge computing is the idea of moving the processing to the logical edge of the network as close to the user and their systems as possible. Cloud computing is what this entire course and certification is about. In domain 1, the focus is understanding that the cloud, especially a public cloud, is using servers and services located in a data center somewhere, hopefully not too far away, but then again, it can be for redundancy purposes. The Internet of Things is considered by some to just be the connecting of things like this train to the internet. Others consider it to be anything connected to the internet. Neither is right. It is good to know both to be able to sort out questions. But Internet of Things is not the answer because the question is asking you to enhance IoT.

Answer 60

B. Crypto shredding Explanation: Since this is an IaaS on a public cloud, there is a limit to the options that they have available for this scenario. If they planned properly ahead of time, they can re-encrypt their data and then destroy that new key. Once the key is destroyed, it would be necessary to perform a brute force to find the key. Making it fairly well protected from bad actors. If you combine that with the fact that public cloud providers do not store a single piece of data on a single server, it is divided and dispersed across multiple servers, it makes it a little more difficult for a bad actor to even find the data to perform a brute force attack successfully. Overwriting is the process of writing a pattern of ones and zeros over the data. For especially sensitive data, it may be best to overwrite the data more than once. However, the way the cloud works to store data might not make this an option. If data is stored on a single drive, overwriting would work. For the cloud provider, this is definitely an option but not that likely for a customer. Shredding and degaussing are physical destruction of a drive. This is only possible for the cloud provider in a public cloud. Degaussing only works on magnetic drives. It alters the magnetic state in such a way that it renders the drive useless. That is great if you combine it with physical shredding of a drive.

Answer 61

D. Cryptographic erasure Explanation: Cryptographic erasure is a method of data sanitization. Cryptographic erasing is done using encryption and the destruction of the encryption key as a method of data destruction. It is the only standard option available to an IaaS customer. A side note: This is not possible for the customer to do if the customer is using Software as a Service (SaaS). Overwriting, degaussing, and shredding all require physical access to the drive. An IaaS customer would normally not have that. The customer could put in their contract (if the provider agrees) that they want the provider to take those actions when drives are taken out of service. Overwriting is literally overwriting the sectors on a drive many times (7x or 11x or 20x, etc.) in a particular pattern to render the data unrecoverable. It is not a perfect solution, but it does help. Degaussing takes the destruction of data further by altering the magnetic state of magnetic drives. This, too, is not perfect, but it is much better than overwriting. Shredding, or physical destruction, of the drive is probably the best solution. It does depend on the size of the remaining pieces after shredding. There are some good German standards that define that the drives should result in pieces 2 mm x 4 mm, or something similar, depending on the sensitivity of the data.

Answer 62

D. Sandboxing Explanation; Sandboxing is when applications are run in an isolated environment, often without access to the Internet or other external systems. Sandboxing can be used for testing application code without placing the rest of the environment at risk or evaluating whether a piece of software contains malicious functionality. Application virtualization creates a virtual interface between an application and the underlying operating system, making it possible to run the same app in various environments. One way to accomplish this is containerization, which combines an application and all of its dependencies into a container that can be run on an OS running the containerization software (Docker, etc.). Microservices and containerized applications commonly require orchestration solutions such as Kubernetes to manage resources and ensure that updates are properly applied.

Answer 63

C. Perform a vulnerability scan Explanation: Vulnerability scans are typically performed by an organization against their own systems. Vulnerability scans are relatively simple to perform and use known tests and signatures and can quickly output a report displaying the weaknesses. The vulnerability scan is the best choice out of the options listed to provide the requested outcome. A penetration test goes beyond the needs of the question by verifying the weaknesses. It is also dangerous and should not be performed without clear, written permission. Both static and dynamic application testing can reveal known weaknesses, but they address a single application at a time and are usually performed before release to production. The question says "systems," which implies more of a production environment.

Answer 64

B. Edge computing Explanation: Edge computing is where the data processing happens at or near the edge of the network rather than in a centralized location. The edge could be servers deployed closer to the edge or at the devices themselves. This is possible with smartphones, tablets, and IoT devices. It can also improve the security and privacy if the data is kept and processed locally. Fog computing extends the principles of edge computing to create a more hierarchical approach. Data processing and storage happens at the ends and also at intermediate network nodes such as routers, switches, and gateways. Software as a Service (SaaS) processes data at the servers in the cloud. This does not aid the company in the question nearly as well as edge computing. Quantum computing relies on qubits or quantum bits to store information as opposed to electrical bits in our current technology.

Answer 65

C. Provisioning Explanation: Information rights management (IRM) involves controlling access to data, including implementing access controls and managing what users can do with the data. The three main objectives of IRM are: Data Rights: Data rights define what users are permitted to do with data (read, write, execute, forward, etc.). It also deals with how those rights are defined, applied, changed, and revoked. Provisioning: Provisioning is when users are onboarded to a system and rights are assigned to them. Often, this uses roles and groups to improve the consistency and scalability of rights management, as rights can be defined granularly for a particular role or group and then applied to everyone that fits in that group. Access Models: Access models take the means by which data is accessed into account when defining rights. For example, data presented via a web application has different potential rights (read, copy-paste, etc.) than data provided in files (read, write, execute, delete, etc.). Enforcement is not a main objective of IRM.

Answer 66

C. Authentication Explanation: Authentication is the process of confirming an identity through the use of one or more of the factors of authentication. Authentication can be done with something you know, have, or are. Identification is the first piece of that puzzle, which should allow a user to uniquely state their identity to a system through something like a user id or email address. This is not the correct answer because of the word confirmation in the question. Identification is just a statement of the user's name, effectively. It does not prevent a user from lying or misstating an identity. Authorization is the process of granting access to resources. Common methods are Access Control Lists (ACL) and Role-Based Access Control (RBAC). Permissions, such as read or write, are granted at this point. Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together.

Answer 67

C. TLS handshake protocol and TLS record protocol Explanation: Transport Layer Security (TLS) replaced Secure Socket Layer (SSL) as the standard method for encryption of traffic across a network. TLS is made up of two main layers. The first layer is the TLS handshake protocol. This protocol is what negotiates and establishes the actual TLS connection. The second layer is the TLS record protocol. The TLS record protocol is the actual secure communication method for transferring the data.

Answer 68

D. Container Security Explanation: Some important security considerations related to virtualization include: Hypervisor Security: The primary virtualization security concern is isolation or ensuring that different VMs can’t affect each other or read each other’s data. VM escape attacks occur when a malicious VM exploits a vulnerability in the hypervisor or virtualization platform to accomplish this. Container Security: Containers are self-contained packages that include an application and all of the dependencies that it needs to run. Containers improve portability but have security concerns around poor access control and container misconfigurations. Ephemeral Computing: Ephemeral computing is a major benefit of virtualization, where resources can be spun up and destroyed at need. This enables greater agility and reduces the risk that sensitive data or resources will be lying around abandoned. Serverless Technology: Serverless applications are deployed in environments managed by the cloud service provider. Outsourcing server management can make serverless systems more secure, but it also means that organizations can’t deploy traditional security solutions that require an underlying OS to operate.

Answer 69

A. Infrastructure as a Service (IaaS) Explanation: The CSP is fully responsible for patch management of the underlying physical infrastructure, but IaaS and PaaS customers commonly have patch management responsibilities. In PaaS, it is debatable if the customer will patch the operating system in a server-based PaaS. If it is server-less, the customer does not see the OS and therefore cannot patch it. In IaaS, the customer owns the OSs, so they must patch them. Since IaaS and PaaS are both possible answers, the better one to select is the definite one. So, IaaS is the better answer. In a SaaS and CaaS environments, the customer has no responsibility for patching.

Answer 70

A. Labeling Explanation: Labeling is the process of adding “labels” to data elements. These labels must be configured with consistency throughout the entire organization. Labels are used to group data elements together and provide information about them. The label would contain the classification level for that piece of data. The label is what is used to view what level of sensitivity (classification) a piece of data is so that the security levels can be verified. The metadata can include the classification level as well, but it is the word label that reflects the classification. The metadata would induce the data creator or owner, date of creation, and other things that are similar. Hashing is not involved here, but it could be a control used to verify the integrity of the data.

Answer 71

B. IAST Explanation: Some common tools for application security testing include: Static Application Security Testing (SAST): SAST tools inspect the source code of an application for vulnerable code patterns. It can be performed early in the software development lifecycle but can’t catch some vulnerabilities, such as those visible only at runtime. Dynamic Application Security Testing (DAST): DAST bombards a running application with anomalous inputs or attempted exploits for known vulnerabilities. It has no knowledge of the application’s internals, so it can miss vulnerabilities. However, it is capable of detecting runtime vulnerabilities and configuration errors (unlike SAST). Interactive Application Security Testing (IAST): IAST places an agent inside an application and monitors its internal state while it is running. This enables it to identify unknown vulnerabilities based on their effects on the application. Software Composition Analysis (SCA): SCA is used to identify the third-party dependencies included in an application and may generate a software bill of materials (SBOM). This enables the developer to identify vulnerabilities that exist in this third-party code.

Answer 72

A. Private Cloud Explanation: The physical environment where cloud resources are hosted depends on the cloud model in use: Public Cloud: Public cloud infrastructure will be hosted by the CSP within their own data centers. Private Cloud: Private clouds are usually hosted by an organization within its own data center. However, third-party CSPs can also offer virtual private cloud (VPC) services. Community Cloud: In a community cloud, one member of the community hosts the cloud infrastructure in their data center. Third-party CSPs can also host community clouds in an isolated part of their environment. Hybrid and multi-cloud environments will likely have infrastructure hosted by different organizations. A hybrid cloud combines public and private cloud environments, and a multi-cloud infrastructure uses multiple cloud providers' services.

Answer 73

A. Separation of System and User Functionality Explanation: NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations defines 51 security controls for systems and communication protection. Among these are: Policy and Procedures: Policies and procedures define requirements for system and communication protection and the roles, responsibilities, etc. needed to meet them. Separation of System and User Functionality: Separating administrative duties from end-user use of a system reduces the risk of a user accidentally or intentionally misconfiguring security settings. Security Function Isolation: Separating roles related to security (such as configuring encryption and logging) from other roles also implements separation of duties and helps to prevent errors. Denial-of-Service Prevention: Cloud resources are Internet-accessible, making them a prime target for DoS attacks. These resources should have protections in place to mitigate these attacks as well as allocate sufficient bandwidth and compute resources for various systems. Boundary Protection: Monitoring and filtering inbound and outbound traffic can help to block inbound threats and stop data exfiltration. Firewalls, routers, and gateways can also be used to isolate and protect critical systems. Cryptographic Key Establishment and Management: Cryptographic keys are used for various purposes, such as ensuring confidentiality, integrity, authentication, and non-repudiation. They must be securely generated and secured against unauthorized access.

Answer 74

C. Deployment phase Explanation: There are many different names that are used for the phases of the SSDLC. It is critical to be flexible. The (ISC)2 Common Body of Knowledge book lists the phases as: Requirements Design Development Testing Deployment Operations and Maintenance The question included planning, coding, and testing. This would correlate to the phases of requirements/design, development, and testing. So the next phase is deployment. Deployment is moving the software to the live production environment. The operations and maintenance phase includes pushing out continual updates, bug fixes, security patches, and anything else needed to keep the software running securely and operating as it should.

Answer 75

D. Unauthorized Provisioning Explanation: Data storage in the cloud faces various potential threats, including: Unauthorized Access: Cloud customers should implement access controls to prevent unauthorized users from accessing data. Also, a cloud service provider (CSP) should implement controls to prevent data leakage in multitenant environments. Unauthorized Provisioning: The ease of setting up cloud data storage may lead to shadow IT, where cloud resources are provisioned outside of the oversight of the IT department. This can incur additional costs to the organization and creates security and compliance challenges since the security team can’t secure data that they don’t know exists. Regulatory Non-Compliance: Various regulations mandate security controls and other requirements for certain types of data. A failure to comply with these requirements — by failing to protect data or allowing it to flow outside of jurisdictional boundaries — could result in fines, legal action, or a suspension of the business’s ability to operate. Jurisdictional Issues: Different jurisdictions have different laws and regulations regarding data security, usage, and transfer. Many CSPs have locations around the world, which can violate these laws if data is improperly protected or stored in an unauthorized location. Denial of Service: Cloud environments are publicly accessible and largely accessible via the Internet. This creates the risk of Denial of Service attacks if the CSP does not have adequate protections in place. Data Corruption or Destruction: Data stored in the cloud can be corrupted or destroyed by accident, malicious intent, or natural disasters. Theft or Media Loss: CSPs are responsible for the physical security of their data centers. If these security controls fail, an attacker may be able to steal the physical media storing an organization’s data. Malware: Ransomware and other malware increasingly target cloud environments as well as local storage. Access controls, secure backups, and anti-malware solutions are essential to protecting cloud data against theft or corruption. Improper Disposal: The CSP is responsible for ensuring that physical media is disposed of correctly at the end of life. Cloud customers can also protect their data by using encryption to make the data stored on a drive unreadable.

Answer 76

B. eXtensible Markup Language (XML) Explanation: The SOAP only permits the use of XML-formatted data, while REpresentational State Transfer (REST) allows for the use of a variety of data formats, including both XML and JSON. SOAP is most commonly used when the use of REST is not possible. XML, JSON, YAML, CSON are all data formats.

Answer 77

A. Health Insurance Portability and Accountability Act (HIPAA), USA Explanation: The Health Insurance Portability and Accountability Act (HIPAA) is concerned with the security controls and confidentiality of Protected Health Information (PHI). It's vital that anyone working in any healthcare facility be aware of HIPAA regulations. The Gramm-Leach-Bliley Act, officially named the Financial Modernization Act of 1999, focuses on PII as it pertains to financial institutions, such as banks. GDPR is an EU specific regulation that encompasses all organizations in all different industries. The privacy act of 1988 is an Australian law that requires the protection of personal data.

Answer 78

A. Discretionary Access Control (DAC) Explanation: The owner of a document is responsible for defining the limits on a per-document basis under a Discretionary Access Control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database. It is up to the owner's discretion to grant access to someone or not. MAC is a very secure environment that is commonly used around a country's sensitive documents (e.g., military top secret files). Access is controlled based on the classification of the data, the user's clearance level, and their need to know. NDAC is defined by the U.S. government as another name for MAC. RBAC is an access control model that defines access based on the user's role within the organization.

Brainscape's Knowledge GenomeTM

Pocket Prep 12 Flashcards

Brainscape's Knowledge Genome^TM