Pocket Prep 14 Flashcards

Question

Padma has deployed a technology that is a different switch technology than what they have been using for a very long time. With this new technology, it removes the decision-making process from the switch and moves it to a controller. This leaves the process of forwarding frames to the switch. What technology has been deployed? A. internet Small Computer System Interface (iSCSI) B. Fibre Channel C. Virtual Local Area Network (VLAN) D. Software Defined Networking (SDN)

Answer 1

D. Software Defined Networking (SDN) Explanation: Within a Software Defined Network (SDN), decisions regarding where traffic is filtered or sent to and the actual forwarding of traffic are completely separate from each other. A Virtual Local Private Network (VLAN) is used to expand a local area network beyond physical/geographical limitations. It does not remove the decision making from the switch. Fibre Channel (FC) and internet Small Computer System Interface iSCSI are technologies that are used in Storage Area Networks (SAN) so that the devices can communicate with the connected switch with a protocol more efficient than Ethernet IEEE 802.3

Answer 2

A. MSA Explanation: Two organizations working together may have various agreements and contracts in place to manage their risks. Some of the common types include: Master Service Agreement (MSA): An MSA is an over-arching contract for all the work performed between the two organizations. Statement of Work (SOW): Each new project under the MSA is defined using an SOW. Service Level Agreement (SLA): An SLA defines the conditions of service that the vendor guarantees to the customer. If the vendor fails to meet these terms, they may be forced to pay some penalty. Non-Disclosure Agreement (NDA): An NDA is designed to protect confidential information that one or both parties share with the other.

Answer 3

D. Testing must use limited information about the application Explanation: Correct answer: Testing must use limited information about the application Testing that must use limited information about the application is called grey box testing and occurs after functional testing and deployment. Functional testing is performed on an entire system, and the following are important considerations: Testing must be realistic, must exercise all requirements, and be bug free.

Answer 4

B. Cloud Service Provider (CSP) Explanation: The customer will not see the server or its operating system on the virtual machine that is running their function. They would not see the cloud storage setup either. Both would be handled by the CSP. The cloud auditor performs audits on the cloud environment to see if they are compliant with a law, regulation, or industry standard like ISO 27001. A cloud service broker negotiates the contracts and setup between the customer and the provider.

Answer 5

D. Unit Testing Explanation: Functional testing is used to verify that software meets the requirements defined in the first phase of the SDLC. Examples of functional testing include: Unit Testing: Unit tests verify that a single component (function, module, etc.) of the software works as intended. Integration Testing: Integration testing verifies that the individual components of the software fit together correctly and that their interfaces work as designed. Usability Testing: Usability testing verifies that the software meets users’ needs and provides a good user experience. Regression Testing: Regression testing is performed after changes are made to the software and verifies that the changes haven’t introduced bugs or broken functionality. Non-functional testing tests the quality of the software and verifies that it provides necessary functionality not explicitly listed in requirements. Load and stress testing or verifying that sensitive data is properly secured and encrypted are examples of non-functional testing.

Answer 6

B. Identification and authentication failures Explanation: The OWASP Top 10 is an up-to-date list of the most critical web application vulnerabilities and risks. Identification and authentication failures, formerly known as broken authentication, refers to the ability for an attacker to hijack a session token and use it to gain unauthorized access to an application. This risk can be mitigated by adding proper validation processes to ensure that session tokens are being submitted by the valid and original obtainer of the token. Insecure design is exactly what it says. We need to move left and build security into our software. This includes performing threat modeling and using reference architectures. Vulnerable and outdated components speak to our current problem of using objects, functions, libraries, APIs, and such from Git, GitHub, GitLab, and so on. Much of this code is abandoned or not kept up to date. Injection includes SQL and command injection. This is when a bad actor types in inappropriate commands from the user's interface. Input validation would help to minimize this further. It had been in position one on the Top 10 for well over a decade and has finally fallen to position three on the list.

Answer 7

B. Continuous auditing Explanation: Continuous auditing ensures that you can provide an in-depth report on usage and access history for all files that are protected by data rights management. Rights revocation is to take away the user's access to the Data Rights Management (DRM) protected data. Persistant protection is one of the features of DRM that means that the protection travels with the file. It is agnostic of the location of the data. For example, you can open a book you purchased on Amazon through Kindle for Mac, Windows, Mobile, or even an actual Kindle. But you should not have a copy of the book as a pdf that you can give to someone else. Replication restrictions prevent the ability to take the content and make any copies you want and share with whomever you want. It can also restrict your ability to move it to new devices after so many previous moves. NIST SP 800-137 Information Security Continuous Monitoring would be a good read for this info.

Answer 8

D. Vulnerability scanning Explanation: Vulnerability scanning is often run by organizations against their own systems. It uses known attacks and methodologies to ensure that systems are hardened against known vulnerabilities and threats. Runtime Application Self-Protection (RASP) is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats. During the penetration tests, the tester will try to break into systems using the same techniques that an actual attacker would use. Static Application Security Testing (SAST) is a test in which the tester has special knowledge of and access to the source code to manually review it for vulnerabilities and weaknesses.

Answer 9

D. Data warehouse Explanation: A data warehouse is a type of data storage that is a result of pulling in relational data from transactional systems, operational databases, and business applications. A data mart is a small specialized collection of data. Data mining is digging through the data (mining) looking for valuable information. Big data technologies help to solve storage problems when the data a corporation has is not being managed well in databases anymore. It is characterized by volume, variety, velocity, veracity, and variability.

Answer 10

A. Asia-Pacific Economic Cooperation Privacy Framework, preventing harm Explanation: The Asia-Pacific Economic Cooperation(APEC) Privacy Framework has a few principles. The principle of preventing harm says that organizations should take measures to prevent harm to individuals resulting from the misuse of their personal information. The principle of Integrity of personal information says that organizations should ensure the accuracy and completeness of personal information and take measures to protect it against unauthorized access, alteration, or destruction. The General Data Protection Regulation (GDPR) does not apply here. GDPR protects natural persons in Europe. They must be in Europe for GDPR to apply. If there is a German citizen in the US, China, or Korea, they are not protected under the GDPR. They are protected under the laws of the country they are currently in.

Answer 11

A. The Gramm-Leach-Bliley Act Explanation: Although it is officially named the Financial Modernization Act of 1999, it is most commonly known as and referred to as the Gramm-Leach-Bliley Act, or GLBA. This name pays tribute to the lead sponsors and authors of the act. GLBA is focused on protecting Personally Identifiable Information (PII) as it relates to financial institutions. Those same financial institutions must comply with SOX. The Sarbanes-Oxley Act (SOX) requires publicly traded financial institutions to protect their financial statements. They must tell the truth about their financial status as publicly traded companies. It is a direct result of the Enron failure. General Data Protection Regulation (GDPR) is a European Union (EU) regulation. It requires member states to have a compliant law. That law must have the same or greater level of protection of personal data for natural persons in the EU. It protects people if they are in the EU. If a German citizen is in the US at some point in time and a company collects their personal data in the US, they are not protected under GDPR. Asian-Pacific Economic Cooperation (APEC) is headquartered in Singapore and has 21 economies participating. The purpose of APEC is to promote free trade around the Pacific rim by protecting personal data. At least, that is the piece we are concerned with here in CCSP.

Answer 12

D. Store Explanation: While security controls are implemented in the create phase in the form of Transport Layer Security (TLS), this only protects data in transit and not data at rest. The store phase is the first phase in which security controls are implemented to protect data at rest. The data lifecycle is Create, Store, Use, Share, Archive, Destroy.

Answer 13

A. Concurrently Maintainable Explanation: The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. The standard is based on four tiers, which include: Tier I: Basic Capacity Tier II: Redundant Capacity Components Tier III: Concurrently Maintainable Tier IV: Fault Tolerance

Answer 14

A. Auditability Explanation: Auditability is the process of gathering and making available the evidence necessary to demonstrate the operation and use of the cloud. It's important to remember that a Cloud Service Provider (CSP) rarely allows a customer to perform an audit on their controls. However, a CSP usually does supply third-party attestations under NDA. Interoperability is the ability of two different systems to be able to exchange information and use it. For example, a picture created on a Mac and readable on a Windows box. Measured service is the ability of cloud service providers to bill the customer for the resources that they use. Resiliency is the ability of a system to withstand failures yet still be able to function. Reference:

Answer 15

A. Performing threat modeling Explanation: The four questions are the basic idea behind threat modeling. Threat modeling allows the team to identify, communicate, and understand threats and mitigations. There are several techniques, such as STRIDE, PASTA, TRIKE, and OCTAVE. STRIDE is one of the most prominent models used for threat modeling. Tampering with data is included in the STRIDE model. DREAD is another model, but it does not include tampering with data as a category. TOGAF and REST are not threat models. STRIDE includes the following six categories: Spoofing identify Tampering with data Repudiation Information disclosure Denial of service Elevation of privileges A quantitative risk assessment is when the Single Loss Expectency (SLE), Annual Rate of Occurrence (ARO), and Annualized Loss Expectency (ALE) are calculated based on the threat to a specific asset. Determining the MTD is a step in Business Continuity/Disaster Recovery/Continuity planning. It answers the question of how long an asset can be unavailable before it is a significant problem for the business. Evaluating the RPO is also a part of Business Continuity/Disaster Recovery/Continuity planning. The RPO is the value that represents how much data can be lost before it too is a problem for the business.

Answer 16

A. Nonrepudiation Explanation: Nonrepudiation is the ability to confirm the origin or authenticity of data to a high degree of certainty. Nonrepudiation is typically done through methods such as hashing and digital signatures. A hash, or hashing, provides information that the bits are correct. All the ones should be ones and all the zeros should be zeros. It does not provide authenticity. There is no way to confirm where the data came from or who created it with just the hash. A digital signature needs to be added by encrypting the hash with a private key. A digital signature is verified by decrypting it with a public key. This is not the correct answer to the question because the question is about what they will achieve. They will not achieve a public key. Encryption is altering data to an unreadable format. This does not achieve nonrepudiation unless we specifically talk about asymmetric public and private keys.

Answer 17

D. Problem Management Explanation: Standards such as the Information Technology Infrastructure Library (ITIL) and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1 define operational controls and standards, including: Change Management: Change management defines a process for changes to software, processes, etc., reducing the risk that systems will break due to poorly managed changes. A formal change request should be submitted and approved or denied by a change control board after a cost-benefit analysis. If approved, the change will be implemented and tested. The team should also have a plan for how to roll back the change if something goes wrong. Continuity Management: Continuity management involves managing events that disrupt availability. After a business impact assessment (BIA) is performed, the organization should develop and document processes for prioritizing the recovery of affected systems and maintaining operations throughout the incident. Information Security Management: Information security management systems (ISMSs) define a consistent, company-wide method for managing cybersecurity risks and ensuring the confidentiality, integrity, and availability of corporate data and systems. Relevant frameworks include the ISO 27000 series, the NIST Risk Management Framework (RMF), and AICPA SOC 2. Continual Service Improvement Management: Continual service improvement management involves monitoring and measuring an organization’s security and IT services. This practice should be focused on continuous improvement, and an important aspect is ensuring that metrics accurately reflect the current state and potential process. Incident Management: Incident management refers to addressing unexpected events that have a harmful impact on the organization. Most incidents are managed by a corporate security team, which should have a defined and documented process in place for identifying and prioritizing incidents, notifying stakeholders, and remediating the incident. Problem Management: Problems are the root causes of incidents, and problem management involves identifying and addressing these issues to prevent or reduce the impact of future incidents. The organization should track known incidents and have steps documented to fix them or workarounds to provide a temporary fix. Release Management: Agile methodologies speed up the development cycle and leverage automated CI/CD pipelines to enable frequent releases. Release management processes ensure that software has passed required tests and manages the logistics of the release (scheduling, post-release testing, etc.). Deployment Management: Deployment management involves managing the process from code being committed to a repository to it being deployed to users. In automated CI/CD pipelines, the focus is on automating testing, integration, and deployment processes. Otherwise, an organization may have processes in place to perform periodic, manual deployments. Configuration Management: Configuration errors can render software insecure and place the organization at risk. Configuration management processes formalize the process of defining and updating the approved configuration to ensure that systems are configured to a secure state. Infrastructure as Code (IaC) provides a way to automate and standardize configuration management by building and configuring systems based on provided definition files. Service Level Management: Service level management deals with IT’s ability to provide services and meet service level agreements (SLAs). For example, IT may have SLAs for availability, performance, number of concurrent users, customer support response times, etc. Availability Management: Availability management ensures that services will be up and usable. Redundancy and resiliency are crucial to availability. Additionally, cloud customers will be partially responsible for the availability of their services (depending on the service model). Capacity Management: Capacity management refers to ensuring that a service provider has the necessary resources available to meet demand. With resource pooling, a cloud provider will have fewer resources than all of its users will use but relies on them not using all of the resources at once. Often, capacity guarantees are mandated in SLAs.

Answer 18

B. Security governance, Risk, and Compliance (GRC) Explanation: There is always a shared responsibility model that will exist between the Cloud Customer (CC) and the Cloud Service Provider (CSP). Always watch for this with your cloud providers because the division of responsibility is not always the same when you compare CSPs. For this exam, a good frame of reference is the one from (ISC)2. A corporation's GRC is always their own responsibility. That is a true statement for both the CC and the CSP. The shared responsibility models address the customer's responsibilities by separating them from the providers. The physical and environmental security is always the responsibility of the CSP. It is possible for a business to be it's own CSP in a private cloud, in which case they would be responsible for physical and environmental security. To arrive at the correct answer (GRC), there are two considerations to keep in mind: Most questions in this exam are from a customer's point of view when using a public cloud provider. The customer is always responsible for their own GRC and sometimes the physical. The always will be the correct answer to choose. The same (as the physical description above) would be true for the Operating System configuration. Sometimes the customer is responsible for this ]e.g., Infrastructure as a Service (IaaS)]. However, they are always responsible for GRC. The customer is responsible for setting up the accounts for their users in Software as a Service (SaaS). They are not always responsible for the accountability because that is the creation of the logs, which is a CSP responsibility. So, again, the customer is always responsible for GRC, and sometimes for IAAA.

Answer 19

A. Data dispersion Explanation: Cloud data dispersion, also known as data dispersal or data dispersal algorithms, is a technique used to enhance data security and reliability in cloud storage environments. It involves splitting data into multiple fragments and distributing it across different storage nodes or cloud providers. This dispersion of data fragments introduces an additional layer of protection against unauthorized access, data breaches, and service interruptions. Data dispersion algorithms break down the original data into smaller fragments or chunks. These fragments are typically created using various mathematical techniques, such as erasure coding, secret sharing, or data fragmentation algorithms. Redundant Array of Independent Disks (RAID) arrays are storage configurations that involve combining multiple physical disk drives into a single logical unit. RAID arrays provide various benefits, such as improved performance, data redundancy, and increased storage capacity. This does not match the question because a RAID array is within a single server. A server cluster, also known as a cluster server or a server farm, is a group of interconnected servers that work together to provide enhanced performance, high availability, and scalability for hosting applications, services, or websites. Server clustering is a common technique used in data centers and cloud computing environments to distribute workloads and improve overall system reliability. This does distribute the workload, but the data is not segmented and stored on different servers. Cryptographic erasure, also known as secure erasure or cryptographic shredding, is a technique used to securely and irreversibly erase sensitive or confidential data stored on storage devices. It involves applying cryptographic algorithms to overwrite the data with random or pseudo-random values, rendering it unreadable and unrecoverable by unauthorized parties. We are storing data in the question, not deleting it.

Answer 20

B. Database Activity Monitor (DAM) Explanation: Gartner defines DAMs as "a suite of tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behavior." These tools include Oracle's Enterprise Manager. These tools have evolved from monitoring user traffic in databases. They are useful for so many different uses to know what is going on with user traffic in and out of databases. A WAF is a layer 7 firewall that monitors web applications, HTML, and HTTP traffic. An API gateway is also a layer 7 device. However, this one monitors APIs. This would include SOAP and REpresentation State Transfer (REST). XML firewalls also exist at layer 7. This monitors XML traffic only. APIs would include XML and JavaScript Object Notation (JSON).

Answer 21

D. Privilege Access Explanation: Key components of an identity and access management (IAM) policy in the cloud include: User Access: User access refers to managing the access and permissions that individual users have within a cloud environment. This can use the cloud provider’s IAM system or a federated system that uses the customer’s IAM system to manage access to cloud services, systems, and other resources. Privilege Access: Privileged accounts have more access and control in the cloud, potentially including management of cloud security controls. These can be controlled in the same way as user accounts but should also include stronger access security controls, such as mandatory multi-factor authentication (MFA) and greater monitoring. Service Access: Service accounts are used by applications that need access to various resources. Cloud environments commonly rely heavily on microservices and APIs, making managing service access essential in the cloud. Physical access to cloud servers is the responsibility of the cloud service provider, not the customer.

Answer 22

C. Fault tolerance offers greater uptime than high availability Explanation: High availability makes use of shared and pooled resources to maintain a high level of availability and minimize downtime. High availability is common with products such as firewalls (hardware- or software-based). It is possible to configure an incoming path to pass through a firewall but have a path right next to it that also processes data. Then the two firewalls are in communication and if one fails, the other will take all the communication through it. The term high availability can also be used to describe the level of reliability of a system(s) and is described by nines, such as 99.9999% or six nines in this example. Fault tolerance is different in that it tries to ensure that the system can work even in the present of faults/failures, so it offers greater uptime than high availability.

Answer 23

C. Cloud-based applications and systems Explanation: The Pandemic Eleven is similar to the OWASP Top 10. However, unlike the OWASP Top 10, which lays out vulnerabilities and risks associated with all web applications (regardless of whether they are hosted in the cloud or in a traditional data center), the Pandemic Eleven lays out risks and vulnerabilities that are specific to cloud-based applications and systems.

Answer 24

C. Background checks, Non Discloser Agreement (NDA), exit interviews Explanation: A malicious insider is an individual who has been granted appropriate access to complete their job but then uses that access for unauthorized uses. The best choices for controls to prevent malicious insiders from selling secrets would be background checks, NDAs, and exit interviews. An NDA is probably a better choice than an NCA. The NDA says that corporate secrets must remain secret. The NCA says that you cannot work for a competitor. Secrets could be leaked there, but the NDA is specific to keeping the secrets secret. The corporate structure is not likely to prevent a malicious insider. A poorly structured environment could increase the likelihood of someone taking malicious actions because they are mad or aggravated. Exit interviews are a good time to remind the now former employee that they signed the NDA and must keep the corporation's secrets. Professional ethics agreements are good but less direct about selling secrets than an NDA. Annual reviews are useful to discover aggravated employees, hopefully before malicious actions are taken.

Answer 25

C. Simulation Explanation: Business continuity/disaster recovery plan (BCP/DRP) testing can be performed in various ways. Some of the main types of tests include: Tabletop Exercises: In a tabletop exercise, the participants talk through a provided scenario. They say what they would do in a situation but take no real actions. Simulation/Dry Run: A simulation involves working and talking through a scenario like a tabletop exercise. However, the participants may take limited, non-disruptive actions, such as spinning up backup cloud resources that would be used during a real incident. Parallel Test: In a parallel test, the full BC/DR process is carried out alongside production systems. In a parallel test, the BCP/DRP steps are actually performed. Full Test: In a full test, primary systems are taken down as they would be in the simulated event. This test ensures that the BCP/DRP systems and processes are capable of maintaining and restoring operations.

Answer 26

C. Business Impact Analysis (BIA) Explanation: Business Impact Analysis (BIA) is a process that organizations use to identify and assess the potential impact of disruptions or incidents on their business operations. BIA is a crucial component of business continuity planning and helps organizations prioritize their recovery efforts and allocate resources effectively. The first step of a BIA is to identify the critical business functions. Vulnerability assessment is a systematic process of identifying and evaluating vulnerabilities within a system, network, or application. It involves the use of various tools, techniques, and methodologies to discover and analyze potential weaknesses that could be exploited by attackers. Penetration testing, also known as ethical hacking or pen testing, is a proactive security assessment technique that involves simulating real-world attacks on a system, network, or application. The objective of penetration testing is to identify vulnerabilities and weaknesses in the target environment that could be exploited by malicious actors. Remediation recommendations is one of the key steps in a vulnerability assessment. Along with identifying vulnerabilities, a vulnerability assessment should provide recommendations for remediation. This may involve suggesting patches, configuration changes, security best practices, or other mitigation measures to reduce the risk associated with each vulnerability.

Answer 27

B. Reinforced walls Explanation: Reinforced walls may help to mitigate the risk of certain types of natural disasters. There is a building code in Florida for the quality of the controls in a building to be able to withstand the winds of a category 5 hurricane. If the walls are constructed properly, they could possibly withstand fire for a certain amount of time from a wildfire. That does make some assumption of the scale of the fire, but it is of possible assistance. Encryption is no help against natural disasters. After a disaster, if a drive ends up in the wrong hands, it is good to have the data encrypted. However, this is after the natural disaster so not specific to the actual question. Multitenancy if no assistance. It is commonly listed as a problem with clouds because virtual machines or data are on the same physical devices as other companies. Rapid elasticity is the core characteristic of a cloud, meaning that the systems expand and contract to customer needs. So, this answer is also not helpful regarding a natural disaster.

Answer 28

B. Encryption Explanation: Cloud customers can use various strategies to protect sensitive data against unauthorized access, including: Encryption: Encryption performs a reversible transformation on data that renders it unreadable without knowledge of the decryption key. If data is encrypted with a secure algorithm, the primary security concerns are generating random encryption keys and protecting them against unauthorized access. FIPS 140-3 is a US government standard used to evaluate cryptographic modules. Hashing: Hashing is a one-way function used to ensure the integrity of data. Hashing the same input will always produce the same output, but it is infeasible to derive the input to the hash function from the corresponding output. Applications of hash functions include file integrity monitoring and digital signatures. FIPS 140-4 is a US government standard for hash functions. Masking: Masking involves replacing sensitive data with non-sensitive characters. A common example of this is using asterisks to mask a password on a computer or all but the last four digits of a credit card number. Anonymization: Anonymization and de-identification involve destroying or replacing all parts of a record that can be used to uniquely identify an individual. While many regulations require anonymization for data use outside of certain contexts, it is very difficult to fully anonymize data. Tokenization: Tokenization replaces sensitive data with a non-sensitive token on untrusted systems that don’t require access to the original data. A table mapping tokens to the data is stored in a secure location to enable the original data to be looked up when needed.

Answer 29

A. Federated Identity Explanation: Identity and Access Management (IAM) is critical to application security. Some important concepts in IAM include: Federated Identity: Federated identity allows users to use the same identity across multiple organizations. The organizations set up their IAM systems to trust user credentials developed by the other organization. Single Sign-On (SSO): SSO allows users to use a single login credential for multiple applications and systems. The user authenticates to the SSO provider, and the SSO provider authenticates the user to the apps using it. Identity Providers (IdPs): IdPs manage a user’s identities for an organization. For example, Google, Facebook, and other organizations offer identity management and SSO services on the Web. Multi-Factor Authentication (MFA): MFA requires a user to provide multiple authentication factors to log into a system. For example, a user may need to provide a password and a one-time password (OTP) sent to a smartphone or generated by an authenticator app. Cloud Access Security Broker (CASB): A CASB sits between cloud applications and users and manages access and security enforcement for these applications. All requests go through the CASB, which can perform monitoring and logging and can block requests that violate corporate security policies. Secrets Management: Secrets include passwords, API keys, SSH keys, digital certificates, and anything that is used to authenticate identity and grant access to a system. Secrets management includes ensuring that secrets are randomly generated and stored securely.

Answer 30

C. Broken access control Explanation: Broken access control vulnerabilities may enable unauthenticated users to view unlawful and sensitive data, perform unauthorized functions, and modify access privileges. It is imperative that applications perform checks when each function is accessed to ensure the user is properly authorized to access it. Identification and authentication failures include susceptibility to brute force attacks and credential stuffing or permitting weak passwords and using weak recovery procedures, to name a few problems. Injection attacks include SQL injection and command injection. Cryptographic failure was formerly known as sensitive data exposure. This is when there is no encryption or weak encryption algorithms. Or when weak keys are used, default keys are used, or old keys are reused, to name a few of the problems.

Answer 31

C. Create Explanation: The cloud data lifecycle has six phases, including: Create: Data is created or generated. Data classification, labeling, and marking should occur in this phase. Store: Data is placed in cloud storage. Data should be encrypted in transit and at rest using encryption and access controls. Use: The data is retrieved from storage to be processed or used. Mapping and securing data flows becomes relevant in this stage. Share: Access to the data is shared with other users. This sharing should be managed by access controls and should include restrictions on sharing based on legal and jurisdictional requirements. For example, the GDPR limits the sharing of EU citizens’ data. Archive: Data no longer in active use is placed in long-term storage. Policies for data archiving should include considerations about legal data retention and deletion requirements and the rotation of encryption keys used to protect long-lived sensitive data. Destroy: Data is permanently deleted. This should be accomplished using secure methods such as cryptographic erasure/ crypto shredding.

Answer 32

C. Capacity management Explanation: Capacity management is a critical component of any IT system's overall operation. If a system is under-provisioned, services and performance will suffer, perhaps resulting in business or reputation damage. Capacity management focuses on the system resources required to meet the demand. Availability management is managing the environment to ensure the customers receive the agreed amount of availability. Configuration management is about Configuration Items (CI) or other resources that work together to deliver a product or service. This includes parameters. Release management is about making new or changed services and features available for use.

Answer 33

A. Framing risk Explanation: Framing risk refers to determining what risk and the levels that need to be evaluated. This is the context that describes the environment in which decisions are made based on risk. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations. Regarding risk treatment and the risk management process, the first stage is framing risk. NIST SP 800-30 is a good reference for this topic if you are looking to dig a little deeper.

Answer 34

D. Infrastructure as a Service Explanation: In the Infrastructure as a Service (IaaS) model, the cloud customer controls most of their infrastructure stack. However, some potential risks in an IaaS model include: Personnel Threats: The provider’s employees have access to the physical infrastructure hosting customers’ environments. Negligent or malicious employees could cause harm to the customer. External Threats: Malware, denial of service (DoS), and other attacks can impact an organization’s systems regardless of the cloud model. Lack of Required Expertise: With IaaS, an organization is remotely managing systems in an environment defined by the provider. Without sufficient expertise in system management or knowledge of the provider’s environment and relevant security settings, the organization may have misconfigurations or other issues that place it at risk. Other service offerings such as Platform, Software, and Function as a Service inherit all of these threats and add others.

Answer 35

C. Electrostatic discharge causing damage to the equipment Explanation: The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge, which may cause damage to systems.

Answer 36

C. Type 1 hypervisor Explanation: A type 1 hypervisor, also known as a bare-metal hypervisor, runs directly on the machine's physical hardware unlike type 2 hypervisors that are software-based. VMware ESXI is an example of a type 1 hypervisor. Vendor specific questions like this will not be in the test. This question is here in case you are unfamiliar with the two types of hypervisors. VMware ESXi is a type 1 and VMWare workstation is a type 2. Reading about these two can help make hypervisors more sense. (Or any other vendors). A type 1 hypervisor is essentially the operating system for the server it is loaded on. It is often called a bare-metal hypervisor because it is the OS that you load onto the physical server. A type 2 hypervisor is software based. It relies on a full operating system, such as Mac OS or Windows desktop, to load on top and is most likely found on users' desktop computers, not the servers in the data center. They could be nested hypervisors that are loaded on to the virtual server in a cloud environment though.

Answer 37

C. BIA Explanation: A business continuity plan (BCP) sustains operations during a disruptive event, such as a natural disaster or network outage. It can also be called a continuity of operations plan (COOP). A disaster recovery plan (DRP) works to restore the organization to normal operations after such an event has occurred. The decision of what needs to be included in a business continuity plan is determined by a business impact assessment (BIA), which determines what is necessary for the business to function vs. “nice to have."

Answer 38

D. Data Processing Agreement (DPA) negotiation

Answer 39

A. Public Cloud Explanation: Cloud services are available under a few different deployment models, including: Private Cloud: In private clouds, the cloud customer builds their own cloud in-house or has a provider do so for them. Private clouds have dedicated servers, making them more secure but also more expensive. Public Cloud: Public clouds are multi-tenant environments where multiple cloud customers share the same infrastructure managed by a third-party provider. Hybrid Cloud: Hybrid cloud deployments mix both public and private cloud infrastructure. This allows data and applications to be hosted on the cloud that makes the most sense for them. Multi-Cloud: Multi-cloud environments use cloud services from multiple different cloud providers. This enables customers to take advantage of price differences or optimizations offered by different providers. Community Cloud: A community cloud is essentially a private cloud used by a group of related organizations rather than a single organization. It could be operated by that group or a third party, such as FedRAMP-compliant cloud environments operated by cloud service providers.

Answer 40

B. Broken access control Explanation: According to OWASP, the broken access control threat is when access control does not enforce policy such that users cannot act outside of their intended permission. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. Cross-Site Request Forgery (CSRF) is when a client can be tricked into making an unintentional request to the web server, and the web server does not authenticate the request. This is an access control issue. Server-side request forgery is a type of vulnerability in web applications that allows an attacker to send crafted requests from the server to other internal or external resources accessible to the server. The attacker typically manipulates the input parameters or URLs used by the server to make unintended requests to sensitive resources. Vulnerable and outdated components is an issue that we have when we do not know and track all the software and components that we use. When we do not know and track, we can end up with unpatched and unprotected software and data. Security misconfiguration is when we leave default accounts unchanged in a system or do not remove unnecessary ports, services, pages, accounts and privileges, or other features like these. It is critical to know these threats for the test and to be able to recognize a threat in a scenario or know what can be done to fix a scenario/threat (such as a second authentication for CSRF). For example, if you want to pay a bill or transfer money out of your bank account, it should reauthenticate you to ensure that it is you authentically making that request.

Answer 41

A. Firmware Explanation: The BIOS is a form of firmware. It is typically stored in read-only memory. The BIOS is crucial for secure booting processes, as it verifies the hardware and firmware configurations of a system before allowing the operating system or applications to execute. A computer disk, also known as a Hard Disk Drive (HDD) or a hard disk, is a non-volatile storage device used to store and retrieve digital data on a computer. It is a primary storage component that provides long-term storage for operating systems, software applications, and user files. Memory in a computer refers to the electronic components that store data and instructions temporarily for immediate access by the Central Processing Unit (CPU). It plays a critical role in the overall performance and functionality of a computer system. Random Access Memory (RAM) is the primary and volatile memory in a computer system. It provides temporary storage for data and instructions that are actively being used by the CPU. RAM allows for fast and random access to data, which enables efficient multitasking and quick retrieval of information. The size of RAM determines the system's ability to handle multiple tasks simultaneously and affects overall performance. A motherboard is the primary circuit board that serves as the central hub for connecting and integrating various hardware components in a computer system. It provides the foundation for communication and coordination between different components, allowing them to work together harmoniously.

Answer 42

C. Likelihood and impact Explanation: After risks to a system have been identified, the next step in risk management is analysis. Risks are typically quantified based on: Likelihood: Some risks are more likely to occur than others. For example, a short blip in network connectivity is much more likely than an extended outage of a critical service. Impact: Some risks have a greater impact on users than others. For example, a network blip has a low impact, while an extended outage by an ISP has a significant impact. A risk assessment of a CSP’s services should be based on the organization’s policies, SLAs, audit reports, and similar information. This will provide insight into the potential risks that the vendor has addressed and the controls that they have in place for doing so.

Answer 43

C. Lack of cloud security strategy and security architecture Explanation: This is what happened to a company called Kaseya. You can find more in the Pandemic Eleven document from the Cloud Security Alliance. Here is what they basically have to say: On July 2, 2021, Kaseya received reports from customers suggesting unusual behavior and malware executing on endpoints managed by Kaseya. Attackers could exploit zero-day vulnerabilities in the Virtual Storage Appliance (VSA) product to bypass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to the endpoints of Managed Service Provider (MSP) clients (i.e., clients of clients). This failure affected many customers due to a strategy of automated zero-touch updates to software deployed in different environments and a SaaS model of critical software change management; vendors and consumers can reconsider this strategy to limit similar attacks in the future. Application Programming Interfaces (API) is not an insecure interface. The problem is within the software as a zero-day exploit, not the API that it uses to communicate to other pieces of software. The threat exploited was not misconfiguration and inadequate change control because it was a flaw at the code level, not a setting that was improperly configured. This was not an accidental cloud data disclosure. This would be a misconfiguration on a cloud storage system that leaves the data exposed in some way.

Answer 44

C. eDiscovery Explanation: eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings. Chain of custody is the record of how the evidence was handled; who handled it; what they were doing with it; where it was or where it was stored; when it was collected/inspected/handled; and why it was handled, inspected, and analyzed. Investigation is the process of analyzing the data and pursuing the understanding of the evidence to comprehend who, what, where, why, when, and how something happened. Non-repudiation is when the evidence removes the ability for someone to deny that they did something like creating or sending an email, signing a contract, or creating data.

Answer 45

B. RPO Explanation: A business continuity and disaster recovery (BC/DR) plan uses various business requirements and metrics, including: Recovery Time Objective (RTO): The RTO is the amount of time that an organization is willing to have a particular system be down. This should be less than the maximum tolerable downtime (MTD), which is the maximum amount of time that a system can be down before causing significant harm to the business. Recovery Point Objective (RPO): The RPO measures the maximum amount of data that the company is willing to lose due to an event. Typically, this is based on the age of the last backup when the system is restored to normal operations. Recovery Service Level (RSL): The RSL measures the percentage of compute resources needed to keep production environments running while shutting down development, testing, etc. Reference:

Answer 46

B. Cloud Service Provider (CSP) Explanation: The Cloud Service Provider (CSP) is solely responsible for the security of the servers in the data center. The infrastructure would be shared between the provider and the customer in some way, specific to that cloud providers shared responsibility chart. The Cloud Service Customer (CSC) is responsible for the Operating Systems (OS) that they bring to their IaaS, which includes servers, routers, switches, firewalls, and so on. They are then responsible for everything above that. From NIST 500-292: "As cloud computing evolves, the integration of cloud services can be too complex for cloud consumers to manage. A cloud consumer may request cloud services from a cloud broker, instead of contacting a cloud provider directly. A cloud broker is an entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers. In general, a cloud broker can provide services in three categories [9]: Service Intermediation: A cloud broker enhances a given service by improving some specific capability and providing value-added services to cloud consumers. The improvement can be managing access to cloud services, identity management, performance reporting, enhanced security, etc. Service Aggregation: A cloud broker combines and integrates multiple services into one or more new services. The broker provides data integration and ensures the secure data movement between the cloud consumer and multiple cloud providers. Service Arbitrage: Service arbitrage is similar to service aggregation except that the services being aggregated are not fixed. Service arbitrage means a broker has the flexibility to choose services from multiple agencies. The cloud broker, for example, can use a credit-scoring service to measure and select an agency with the best score." From the CSA Guidance 4.0 a CASB: "CASB:Cloud Access and Security Brokers (also known as Cloud Security Gateways) discover internal use of cloud services using various mechanisms such as network monitoring, integrating with an existing network gateway or monitoring tool, or even by monitoring DNS queries. After discovering which services your users are connecting to, most of these products then offer monitoring of activity on approved services through API connections (when available) or inline interception (man in the middle of monitoring). Many support DLP and other security alerting and even offer controls to better manage the use of sensitive data in cloud services(SaaS/PaaS/and IaaS)."

Answer 47

D. Isle of Man Explanation: As of this writing (May 2023), the approved countries that the EU says that Europeans can store data in outside of the EU are: Andorra Argentina Canada (only commercial organizations) Faroe Islands Guernsey Israel Isle of Man Jersey New Zealand Switzerland Uruguay Japan The United Kingdom South Korea

Answer 48

A. Service Level Agreement (SLA) Explanation: Requirements such as uptime, customer service response time, and availability should be outlined in a Service Level Agreement (SLA). When a provider doesn't meet their SLA requirements, it could lead to termination of the contract or financial benefits to the cloud customer. PLAs, BAAs, and DPAs are all fundamentally the same. They are all agreements like an SLA but about the privacy requirements to protect the personal data or Personally Identifiable Information (PII) that will be stored and processed on the cloud provider's equipment. DPA is the term used in the European Union under the General Data Protection Regulation (GDPR). HIPAA in the USA requires a BAA. The PLA is a generic term for anywhere else.

Answer 49

A. The responsibility for the Operating Systems (OS) lies with the customer Explanation: In an IaaS environment, the customer can bring their own operating systems for the routes, switches, firewalls, Intrusion Detection Systems (IDS), Intrustion Prevention Systems (IPS), and servers, to name a few of the virtual machines. Since they own the OSs that are the servers, they have control over the applications and the data within. The cloud provider does not own the server and therefore is not responsible for them. The customer does have to pay for their usage, but that is not on the topic of the question. The question is about control over the applications and data. The responsibility for data organization lies with the customer, but that does not address the control over the applications. It might logically be connected to the organization, but the OS does control the application and the application controls the data.

Answer 50

A. If they are anticipating malware, it is necessary to consider the financial impact on their business, which is determined by the time of the day and year. This is further impacted by the system(s) that are affected. Explanation: Correct answer: If they are anticipating malware, it is necessary to consider the financial impact on their business, which is determined by the time of the day and year. This is further impacted by the system(s) that are affected. There are many factors that can impact how bad an incident could be for a business. The impact of the event and the urgency it needs to be treated with are critical aspects. The correct answer identifies those two elements. The impact is financial and the urgency is the day of the year and the time that certain systems would be offline. The answer "If they are anticipating that a bad actor could gain access to their system, they must take into consideration the legal impact it could have" Identifies the type of incident (the bad actor gaining access) and the impact is legal, but it does not identify any level of urgency. The answer "If they are anticipating that an event could have an impact on their business, it is critical to consider what time of the day the event could occur" identifies the urgency through the time of day, but it does not get to any level of urgency as neither the systems nor the type of impact is considered. The answer "If they are anticipating that a power outage could occur that would have an impact, it is necessary to take into consideration the time of the day it could occur" identifies the incident type and time of day, but it does not get to the systems or the impact it would have.

Answer 51

D. Water supply, high-speed internet connectivity, skilled Information Technology (IT) personnel, and the regulatory and legal frameworks in that location Explanation: Correct answer: Water supply, high-speed internet connectivity, skilled Information Technology (IT) personnel, and the regulatory and legal frameworks in that location Water supply, high-speed internet connectivity, skilled Information Technology (IT) personnel, and the regulatory and legal frameworks in that location are some of the additional considerations when picking a site. There are more, such as weather patterns/threats, the local crime rate, the potential of the site being expanded as the data center grows, the impact on the local community, and so on. Having enough fiber optic cable is not location specific. It is possible to have more shipped to that area if necessary (and likely). Regarding access control procedures, if the company is first selecting and then building a site, they will construct the access control that they require as they build the site. Generators are necessary for data centers but not critical in selecting sites. This is similar to having enough fiber optic cable—more will come in from elsewhere.

Answer 52

C. Testing Explanation: During the testing phase of the SLDC, the completed code is reviewed for problems. It's checked to ensure that it is functioning and operating as expected. This includes having quality assurance checking the software for defects and bugs. During testing, the code is also checked using security scans to ensure that it is secure. The development phase should include testing. As soon as there are lines of code, they can be analyzed with Static Application Security Testing. In the question, though, it says "completed software," implying this phase is over. Analysis is not a commonly used name for this phase, but it would be close. If testing was not here, it could have been the right answer. Maintenance means the software is in production, and testing will occur (or should occur) before patches or changes are deployed. But again, the key to the question is "completed software." It leaves room for the possibility that it has not been deployed yet, so we are in the testing phase.

Answer 53

B. MAC Address Explanation: An event is anything that happens on an IT system, and most IT systems are configured to record these events in various log files. When implementing logging and event monitoring, event logs should include the following attributes to identify the user: User Identity: A username, user ID, globally unique identifier (GUID), process ID, or other value that uniquely identifies the user, application, etc. that performed an action on a system. IP Address: The IP address of a system can help to identify the system associated with an event, especially if the address is a unique, internal one. With public-facing addresses, many systems may share the same address. Geolocation: Geolocation information can be useful to capture in event logs because it helps to identify anomalous events. For example, a company that doesn’t allow remote work should have few (if any) attempts to access corporate resources from locations outside the country or region. The CCSP doesn't identify the MAC address as an important attribute to include in event logs.

Answer 54

A. Anonymization Explanation: Cloud customers can use various strategies to protect sensitive data against unauthorized access, including: Encryption: Encryption performs a reversible transformation on data that renders it unreadable without knowledge of the decryption key. If data is encrypted with a secure algorithm, the primary security concerns are generating random encryption keys and protecting them against unauthorized access. FIPS 140-3 is a US government standard used to evaluate cryptographic modules. Hashing: Hashing is a one-way function used to ensure the integrity of data. Hashing the same input will always produce the same output, but it is infeasible to derive the input to the hash function from the corresponding output. Applications of hash functions include file integrity monitoring and digital signatures. FIPS 140-4 is a US government standard for hash functions. Masking: Masking involves replacing sensitive data with non-sensitive characters. A common example of this is using asterisks to mask a password on a computer or all but the last four digits of a credit card number. Anonymization: Anonymization and de-identification involve destroying or replacing all parts of a record that can be used to uniquely identify an individual. While many regulations require anonymization for data use outside of certain contexts, it is very difficult to fully anonymize data. Tokenization: Tokenization replaces sensitive data with a non-sensitive token on untrusted systems that don’t require access to the original data. A table mapping tokens to the data is stored in a secure location to enable the original data to be looked up when needed.

Answer 55

D. Transport Layer Security (TLS) Explanation: TLS is most commonly used for client-server use. It is possible to use SSH or IPSec, but they are not the most common. SSH is most commonly used by administrators and operators to configure, manage, and monitor virtual devices in the cloud. IPSec is most commonly used for site-to-site connections, for example, from an edge router at the on-prem data center to a router in the cloud. Sandboxing is used to isolate something, for example, a code object, an application, a virtual device, or a virtual network.

Answer 56

A. Federal Information Security Management Act (FISMA) Explanation: US government agencies must build risk-based policies for cost-effective security. Government agencies are not immune to bad actors attacking them. In the past, the security within government agencies was not very good, so this regulation demands that they do better. GLBA is an extension to Sarbanes-Oxley that demands that personal data be protected with the financial data. The HIPAA requires that Protected Health Information (PHI) be protected.

Answer 57

B. Management plane Explanation: The management plane is used to log in and control virtual machines and build virtual machines as well as configure virtual routers, switches, and firewalls. This is what the bad actor was using when they connected to the company's cloud account to delete all the assets. The hypervisor is the thin operating system on a server that allows virtual machines to be constructed, among so many other things. HTTPS is an encrypted web (HTTP) connection. Transport Layer Security (TLS) is used to establish and manage the encryption for the web session. It is possible to use HTTPS to connect to a cloud environment and manage it. It is possible that this was used, but since the bad actor deleted all the company's assets (their virtual machines), it is the actual management connection that is critical to this question. The same is true with SSH. It is the encryption that is commonly used to protect the administrator's connection. The connection is what is critical to the question. Not the encryption techniques (SSH, TLS, HTTP).

Answer 58

B. Fallen tree taking down network cables Explanation: Data centers require network connectivity, and many network outages are isolated to a single ISP. Data centers often have dual-provider, dual-entry network connectivity, where network cables from multiple service providers enter the building from different locations to minimize the chance that an outage or accident will take network connectivity down completely. In this scenario, a fallen tree may damage the cables of one ISP. However, a different ISP should have a different entry point, and their services may remain online.

Answer 59

D. Serverless Explanation: Some important security considerations related to virtualization include: Hypervisor Security: The primary virtualization security concern is isolation or ensuring that different VMs can’t affect each other or read each other’s data. VM escape attacks occur when a malicious VM exploits a vulnerability in the hypervisor or virtualization platform to accomplish this. Container Security: Containers are self-contained packages that include an application and all of the dependencies that it needs to run. Containers improve portability but have security concerns around poor access control and container misconfigurations. Ephemeral Computing: Ephemeral computing is a major benefit of virtualization, where resources can be spun up and destroyed at need. This enables greater agility and reduces the risk that sensitive data or resources will be vulnerable to attack when not in use. However, these systems can be difficult to monitor and secure since they only exist briefly when they are needed, so their security depends on correctly configuring them. Serverless Technology: Serverless applications are deployed in environments managed by the cloud service provider. Outsourcing server management can make serverless systems more secure, but it also means that organizations can’t deploy traditional security solutions that require an underlying OS to operate.

Answer 60

B. SOC 2 Type 1 Explanation: SOC 2 reports focus on the security controls within an organization based on the five trust principles of security, availability, processing integrity, confidentiality, and privacy. Type 1 reports show the appropriateness of controls at a specific moment in time. Type 2 shows the effectiveness of controls over time. A SOC 1 Type 1 report is focused on the impact security controls have on the customer's financial statements. Type 1 and 2 are the same as above. A SOC 3 is a summary report of the SOC 2 that is designed to be publicly disseminated.

Answer 61

A. Mitigation Explanation: Risk treatment refers to the ways that an organization manages potential risks. There are a few different risk treatment strategies, including: Avoidance: The organization chooses not to engage in risky activity. This creates potential opportunity costs for the organization. Mitigation: The organization places controls in place that reduce or eliminate the likelihood or impact of the risk. Any risk that is left over after the security controls are in place is called residual risk. Transference: The organization transfers the risk to a third party. Insurance is a prime example of risk transference. Acceptance: The organization takes no action to manage the risk. Risk acceptance depends on the organization’s risk appetite or the amount of risk that it is willing to accept.

Answer 62

A. Securing sensitive information such as API keys Explanation: The secrets manager is used to manage sensitive pieces of information such as passwords and API keys. Password and API keys should not be hard coded into the software source code nor the API. If they are, it is more likely that they will be compromised. Uber had a large breach because they had passwords in their source code. Access to the secrets manager should be strictly controlled. It is best if the application has access to a secrets server that then issues a secret to access the real secrets server. Then and only then does the application obtain the secret that it needs (password or API key) to be able to log in to the real server. Sounds convoluted? In a way, yes, but it is kind of like trying to get to a secured room in a building. You need your badge to get into the building, then you need a PIN to get into the secured room, except the PIN to get into the room is changed regularly and you need to speak to the guard for today's PIN. The secrets manager does not optimize resources. Something like Dynamic Optimization (DO) can do that. The secrets manager does not log API usage. It is a good idea to make sure the logging is turned on, and the logs are sent to the syslog server (or equivalent). The secrets manager does not manage access control policies for the API. That needs to be done by the cloud administrators and operators. All access to the secrets manager does need to be logged. Policies do need to be created, and somewhere someone needs to optimize resource use, but not here.

Answer 63

B. Retention Periods Explanation: Data retention policies define how long an organization stores particular types of data. Some of the key considerations for data retention policies include: Retention Periods: Defines how long data should be stored. This usually refers to archived data rather than data in active use. Regulatory Requirements: Various regulations have rules regarding data retention. These may mandate that data only be retained for a certain period of time or the minimum time that data should be saved. Typically, the first refers to personal data, while the second is business and financial data or security records. Data Classification: The classification level of data may impact its retention period or the means by which the data should be stored and secured. Retention Requirements: In some cases, specific requirements may exist for how data should be stored. For example, sensitive data should be encrypted at rest. Data retention may also be impacted by legal holds. Archiving and Retrieval Procedures and Mechanisms: Different types of data may have different requirements for storage and retrieval. For example, data used as backups as part of a BC/DR policy may need to be more readily accessible than long-term records. Monitoring, Maintenance, and Enforcement: Data retention policies should have rules regarding when and how the policies will be reviewed, updated, audited, and enforced.

Answer 64

D. Insufficient due diligence Explanation: When a security team or organization doesn't perform proper due diligence (such as performing risk assessments and ensuring that the new cloud provider has the proper security procedures in place), it creates threats and problems that could have been addressed before moving to the new environment. Through active due diligence, such as training and maintaining proper procedures, many common threats and risks can be avoided. The category insufficient identity, credential, access, and key management is the top threat according to the Cloud Security Alliance in their Pandemic 11, which is a highly recommended read. There is a lack of care around each of these items. Securing access to systems, files, applications, and buildings is necessary. Using good Identity and Access Management (IAM) tools is also critical. Ensuring that the principle of least privilege is followed is important among other similar concerns. This answer option is not about a lack of a risk assessment. The answer option misconfiguration and inadequate change control does not work as the correct answer because that is the actual setting within the servers, routers, firewalls, etc. Unsecure third-party resources might actually be what they would find when they needed to put more controls in place if they had done the risk assessment.

Answer 65

A. API Security Explanation: Some important considerations for secure software development in the cloud include: API Security: In the cloud, the use of microservices and APIs is common. API security best practices include identifying all APIs, performing regular vulnerability scanning, and implementing access controls to manage access to the APIs. Supply Chain Security: An attacker may be able to access an organization’s systems via access provided to a partner or vendor, or a failure of a provider’s systems may place an organization’s security at risk. Companies should assess their vendors’ security and ability to provide services via SOC2 and ISO 27001 certifications. Third-Party Software: Third-party software may contain vulnerabilities or malicious functionality introduced by an attacker. Also, the use of third-party software is often managed via licensing, with whose terms an organization must comply. Visibility into the use of third-party software is essential for security and legal compliance. Open Source Software: Most software uses third-party and open-source libraries and components, which can include malicious functionality or vulnerabilities. Developers should use software composition analysis (SCA) tools to build a software bill of materials (SBOM) to identify any potential vulnerabilities in components used by their applications.

Answer 66

B. Availability Explanation: With an uptime requirement of 99.9995%, they are addressing availability. That availability, or lack thereof, could be from bandwidth issues, CPU issues, memory issues, or others. So the trick (not meant to be tricky) with this question is that availability is the better answer because it includes the other three. This is how (ISC)2 does "all of the above" type of questions.

Answer 67

C. ITIL (formerly Information Technology Infrastructure Library) Explanation: Your organization is most likely using IT Infrastructure Library (ITIL) because it is an IT best practices framework. Its five core subjects are Service strategy, Service design, Service transition, Service operation, and Continual improvement. NIST CSF provides cybersecurity guidance, not IT best practices. This is advice for cybersecurity. It consists of standards, guidelines, and best practices to manage cybersecurity risk. ISOIEC 27001 provides requirements for an Information Security Management System (ISMS). This encompasses IT, but it is such a bigger topic. This is about managing information security throughout the entire business. So it is not specific to the topic of IT best practices. COBIT is a business framework for enterprise governance of IT. This is similar to ISO/IEC 27001. It is a much bigger topic than IT best practices. It is governance of IT.

Answer 68

D. ISO/IEC 27050 Explanation: ISO/IEC 27050 provides internationally accepted standards related to eDiscovery processes and best practices. ISO/IEC 27001 is used to create and audit Information Security Management Systems (ISMS). ISO/IEC 27002 contains descriptions of information security controls that can be used when an ISMS is created. ISO/IEC 27018 specifies how personal data should be protected by cloud providers acting as data processors. Data processor is a term defined by GDPR as companies that handle and process personal data on behalf of a certain company. It excludes employees of that company.

Answer 69

B. Anonymization Explanation: Anonymization is the removal of all personally identifiable pieces of information, both direct and indirect. Data de-identification is the removal of all direct identifiers. It leaves the indirect ones in place. Masking is to cover or hide information. This is commonly seen when a user types in their password, yet all that is seen on the screen are stars or dots. Obfuscation is to confuse. Encryption is one form of obfuscation, but it can be done with other techniques. For example, instead of transmitting data in base 16, it could be sent in base 64.

Answer 70

A. Service Level Agreements (SLA) Explanation: Levels of communication service from the CSP should be defined and agreed upon by both parties. This is why it is vital for customers to be accountable for setting SLA terms. SLAs may be adjusted to provide further flexibility, albeit at a significant expense. MSAs define the basic relationship between the two parties, the CSC and the CSP in this example. It defines what each party is responsible for in the relationship. PLAs are a generic form of the BAA found in HIPAA and the Data Processing Agreement (DPA) under the EU GDPR. IT defines and describes the personal data that will be stored within the cloud and how it needs to be protected.

Answer 71

D. BIA Explanation: A business continuity plan (BCP) sustains operations during a disruptive event, such as a natural disaster or network outage. It can also be called a continuity of operations plan (COOP). A disaster recovery plan (DRP) works to restore the organization to normal operations after such an event has occurred. The decision of what needs to be included in a business continuity plan is determined by a business impact assessment (BIA), which determines what is necessary for the business to function vs. “nice to have." Reference:

Answer 72

C. Infrastructure Explanation: The Cloud Service Provider (CSP) is always responsible for managing the infrastructure. The infrastructure includes the servers, routers, switches, firewalls, and so on that make a data center. The consumer is always responsible for their Governance, Risk management, and Compliance (GRC) and their data. The operating systems, virtual networking, and storage responsibilities change according to the cloud service model.

Answer 73

D. Consent Explanation: ISO/IEC 27018 is an international standard for security and privacy in cloud computing. The five key principles of ISO/IEC 27018 are communication, consent, control, transparency, and independent and yearly audits. Consent is critical with cookies. When the customer does not have the right to select their preferences for cookies and data collection, they can be fined. The corporation needs to be transparent with their privacy practices. That includes being clear about what data they are collecting, how long they will store it, and what they will do with it. The corporation needs to be in communication with their customers and possibly the regulators. They need to ensure that the customer is aware of any changes that the company is making regarding the handling of data. They need to be in communication with regulators and possibly the customers if any issues or breaches are found, and so on. Auditing the systems, policies, and handling of data should be done on a regular basis—perhaps at least on a yearly basis.

Answer 74

B. IaaS Explanation: Compute resources include the components that offer memory, CPU, disk, networking, and other services to the customer. In all cases, the cloud service provider (CSP) is responsible for the physical infrastructure providing these services. However, at the software level, responsibility depends on the cloud service model in use, including: Infrastructure as a Service (IaaS): In an IaaS environment, the CSP provides and manages the physical components, virtualization software, and networking infrastructure. The customer is responsible for configuring and securing their VMs and the software installed in them. Platform as a Service (PaaS): In a PaaS environment, the CSP’s responsibility extends to offering and securing the operating systems, database management systems (DBMSs), and other services made available to a customer’s applications. The customer is responsible for properly configuring and using these services and the security of any software that they install or use. Software as a Service (SaaS): In a SaaS environment, the CSP is responsible for everything except the custom settings made available to the cloud customer. For example, if a cloud storage drive can be set to be publicly accessible, that is the customer’s responsibility, not the CSP’s.

Answer 75

D. SANS Explanation: Several organizations provide resources designed to teach about the most common vulnerabilities in different environments. Some examples include: Cloud Security Alliance Top Threats to Cloud Computing: These lists name the most common threats, such as the Egregious 11. According to the CSA, the top cloud security threats include data breaches; misconfiguration and inadequate change control; lack of cloud security architecture and strategy; and insufficient identity, credential access, and key management. OWASP Top 10: The Open Web Application Security Project (OWASP) maintains multiple top 10 lists, but its web application list is the most famous and is updated every few years. The top four threats in the 2021 list were broken access control, cryptographic failures, injection, and insecure design. SANS CWE Top 25: SANS maintains a Common Weakness Enumeration (CWE) that describes all common security errors. Its Top 25 list highlights the most dangerous and impactful weaknesses each year. In 2021, the top four were out-of-bounds write, improper neutralization of input during web page generation (cross-site scripting), out-of-bounds read, and improper input validation. NIST doesn't publish regular lists of top vulnerabilities.

Answer 76

C. The customer corporation copies their files to drives within a new cloud provider and encrypts their old environment and destroys the key Explanation: Data sanitization is the process of destroying data so that it cannot be retrieved later off of those drives. In a PaaS environment, it is not possible for the cloud customer to take traditional actions like shredding the hard drive. It would be good to ensure that the contract has that as an action the provider will do once a drive is removed from service. However, the customer's data is not going to be on just a few drives as a result of data dispersion unless this is a private cloud, which there is no evidence of in the question or the answers. So crypto shredding is the best option, which is to encrypt the data and then destroy the key. A couple of rounds of this would be even more beneficial. Since this is not a private cloud, it is not reasonable to think that the provider would shred the drives when the customer leaves. Simply moving the files to new drives to change services (to PaaS) or to move the files on external drives for transport to the data center will not sanitize the files that were in the IaaS environment. Action must be taken to permanently remove the files from the previous locations.

Brainscape's Knowledge GenomeTM

Pocket Prep 14 Flashcards

Brainscape's Knowledge Genome^TM