Pocket Prep 17 Flashcards

Question

As part of the risk management process, an information security professional has been asked to perform an assessment of hard values. The values that the corporation is looking for involve understanding how much money a specific threat could cost the business. To understand that, they need to be clear about how many times each specific threat that they analyze could happen each year. Which type of assessment has this engineer been asked to perform? A. Bow tie analysis B. Quantitative assessment C. Cost-benefit analysis D. Qualitative assessment

Answer 1

B. Quantitative assessment Explanation: The two main types of assessment used in the risk management process are quantitative assessments and qualitative assessments. Quantitative assessments use values such as Single Loss Expectancy (SLE), Annual Loss Expectancy (ALE), and Annual Rate of Occurrence (ARO) for a numeric approach. The ARO is how many times they believe a specific threat could occur in a year. The SLE calculates how much a single incident would cost. Qualitative assessments are nonnumerical assessments. From that information, it is possible to do a cost-benefit analysis comparing the cost of the controls and the benefits gained by reducing the likelihood or impact of the threats. A bow tie analysis creates a visual display of proactive and reactive controls. Reference:

Answer 2

D. Protected Health Information (PHI) Explanation: You are safeguarding Protected Health Information (PHI) that may be contained within the medical records you are accountable for. These can be in the form of lab reports, visit summaries, or other types of medical records. Personally Identifiable Information (PII) is unique to an individual, such as a social security number or phone number. Personal data is effectively the same. It is the term used within the European Union's General Data Protection Regulation (EU GDPR). Credit and debit card data is just what it says—it is the data relevant to the cards in our wallets (the names, addresses, card numbers, expiration dates, and so on).

Answer 3

D. Quantum computing Explanation: Quantum computing is capable of solving problems that traditional computers are incapable of solving. When quantum computing becomes widely accessible to the general public, it will almost certainly be via the cloud due to the substantial processing resources necessary to do quantum calculations. A side note: The encryption we have today will likely be broken, especially algorithms such as RSA and Diffie-Hellman. NIST began a competition in 2016 to get ahead of this and design encryption algorithms that can be used in the age of quantum computers safely. For information about this, refer to NIST's website (csrc) and look for post quantum cryptoography and post quantum cryptography standardization. Machine learning is the ability we now have for computers to be able to process a lot of data and provide us with information. It could be that they aid us in verifying a hypothesis, or they determine the idea that we need to address, or can address. Machine learning is arguably a subset of Artificial Intelligence (AI). We keep making advances in technology that are getting us closer to true AI. We have robots that can navigate terrain all on their own, and we have chatGPT that can answer questions as if it is thinking on its own rather than just citing or quoting a source. Blockchains give us the ability to track something, such as cryptocurrency, with an immutable or unchangeable record.

Answer 4

A. Natural Language Processing (NLP) Explanation: Natural Language Processing (NLP) focuses on enabling computers to understand, interpret, and generate human language. NLP methods involve techniques such as text classification, sentiment analysis, named entity recognition, machine translation, and question-answering systems. AI methods, such as the one above (NLP) and the three below (the other answer options) refer to the various techniques and approaches used in the field of Artificial Intelligence to solve problems, make predictions, and perform tasks that typically require human intelligence. These methods encompass a broad range of algorithms, models, and methodologies that enable machines to learn, reason, and make decisions autonomously. Machine Learning (ML) is a subset of AI that focuses on designing algorithms and models that allow computers to learn from data without being explicitly programmed. ML methods include supervised learning, unsupervised learning, and reinforcement learning, where algorithms learn patterns and make predictions based on training examples or feedback. Deep Learning (DL) is a subfield of ML that involves training artificial neural networks with multiple layers to recognize patterns and extract complex representations from data. DL methods, such as Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs), have been particularly successful in image recognition, natural language processing, and other complex tasks. Bayesian networks are probabilistic graphical models that represent relationships among variables using a directed acyclic graph. They apply Bayesian inference to update beliefs and make predictions based on observed evidence and prior knowledge.

Answer 5

D. Security Operations Center (SOC) Explanation: A Security Operations Center (SOC) is a group of individuals who focus solely on the monitoring, reporting, and handling of any security issues for an organization. SOC operators and administrators will typically be responsible for monitoring the logs within a SIEM if there is one in place. SOCs are usually staffed 24/7 to ensure that someone is available in the event of a security incident. A Network Operations Center (NOC) is responsible for managing the network. This includes temperature, humidity, hardware, operating systems, and software. They would take care of equipment that has broken, network connections that have dropped, users who cannot connect due to network issues, etc. Some of what they find might be passed to the Security Operations Center (SOC). Regulators are not going to monitor a company's network, logs, or SIEM. They might need to be contacted, though, depending on the actual incidents that the SOC is dealing with. Cloud providers have their own NOC and SOC. They would not normally manage an organization's environment. If the cloud is a private or community cloud, it would be possible that the cloud provider is monitoring and managing all that the NOC and SOC manage. However, the question does not specify either of those conditions, so the assumption to be made is that this is a customer of a public cloud provider.

Answer 6

C. Network Intrusion Detection System (NIDS) Explanation: A Network Intrusion Detection System (NIDS) analyzes all the traffic on the network and detects possible intrusions. It can send an alert out to administrators to investigate. A Host Intrusion Detection System (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions. Since the question specifies a cluster of servers, the NIDS is a better choice. It is possible to add HIDS to all the clusters; it is just not what the question is driving at. A Network Intrusion Prevention System (NIPS) works in the same manner as an NIDS, but it also has the capability to prevent attacks rather than just detect them. This is not the best answer because the question is looking for information about intruders. A honeypot is an isolated system used to trick a bad actor into believing that it is a production system. This should distract them long enough for the Security Operations Center (SOC) to detect the bad actor's presence and take action to remove them from the systems and network. Reference:

Answer 7

C. Application Security Verification Standard (ASVS) Explanation: Application Security Verification Standard (ASVS) is from OWASP. It can be used in many different ways, one of which is as a driver for Agile Application Security. It can also be used to replace off-the-shelf secure coding checklists, for secure development training, as a guide for automated unit and integration tests as well as for its primary use of being a list of application security requirements or tests that can be used by anyone building, designing, developing, or buying secure applications. ISO/IEC 27034 provides guidelines and best practices for implementing and managing Application Security. It focuses specifically on the protection of applications throughout their lifecycle, from the design and development stages to deployment, operation, maintenance, and disposal. Closed box testing is a software testing approach where the tester evaluates the functionality of a software application without having access to its internal structure, code, or implementation details. The tester focuses solely on the inputs and outputs of the software, treating it as a "black box," where the internal workings are not known or visible. The term black box is falling out of favor, as it is insenitive. Included here only because it may still be in the (ISC)2 database of questions somewhere. Source code review, also known as code review or static code analysis, is a process of systematically examining the source code of a software application to identify and address potential issues, vulnerabilities, and areas for improvement. It involves manual or automated analysis of the codebase to ensure its quality, maintainability, security, and adherence to coding standards.

Answer 8

B. Community Cloud Explanation: Cloud services are available under a few different deployment models, including: Private Cloud: In private clouds, the cloud customer builds their own cloud in-house or has a provider do so for them. Private clouds have dedicated servers, making them more secure but also more expensive. Public Cloud: Public clouds are multi-tenant environments where multiple cloud customers share the same infrastructure managed by a third-party provider. Hybrid Cloud: Hybrid cloud deployments mix both public and private cloud infrastructure. This allows data and applications to be hosted on the cloud that makes the most sense for them. Multi-Cloud: Multi-cloud environments use cloud services from multiple different cloud providers. This enables customers to take advantage of price differences or optimizations offered by different providers. Community Cloud: A community cloud is essentially a private cloud used by a group of related organizations rather than a single organization. It could be operated by that group or a third party, such as FedRAMP-compliant cloud environments operated by cloud service providers.

Answer 9

B. Security misconfiguration Explanation: A security misconfiguration occurs whenever systems or applications are configured in a way that makes them insecure. Systems regularly come preconfigured with default administrative credentials. These default credentials are generally easy to find online, so the failure to change them makes it possible for an attacker to gain access. This is an example of a security misconfiguration. Insecure deserialization is a security vulnerability that arises when an application blindly trusts and processes data received in a serialized format without properly validating or sanitizing it. It can lead to serious consequences, including remote code execution, data tampering, or denial of service attacks. Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when a web application does not properly validate and sanitize user-supplied input, allowing malicious code to be injected into web pages viewed by other users. It is a prevalent attack vector that can have severe consequences if exploited. XML External Entity (XXE) refers to a security vulnerability that occurs when an application parses XML input without proper validation, allowing an attacker to include external entities and potentially exploit the system. It can lead to sensitive information disclosure, denial of service attacks, or even remote code execution.

Answer 10

B. Intrustion Prevention System (IPS) Explanation: An Intrusion Prevention System (IPS) is placed at the network level. It analyzes all traffic on the network in the same way as an IDS. However, rather than simply alerting administrators when an intrusion is detected, it can actually stop and block the malicious traffic and prevent an attack from occurring automatically. A firewall is used to allow wanted traffic and block everything else. A firewall should block by default. This would stop attacks, except the question is asking for a device that can see that the traffic is specifically an attack. That is an IPS. A DIM is used to monitor user activity within a DataBase (DB) but from outside. This would make it much harder for the bad actor to know that the device is there. A bad actor would know that there are logs within the DB and try to delete or alter them. The DIM logs would not be seen by the bad actor.

Answer 11

B. Statement of Standards for Attestation Encagement (SSAE) Explanation: The Statement on Standards for Attestation Engagements (SSAE) is a set of standards defined by the American Institute of Certified Public Accountants (AICPA) to be used when creating SOC reports. Statement on Auditing Standards (SAS) reports have been replaced by SSAE reports. This is the predecessor to SSAE. Generally Accepted Privacy Principles (GAPP) is not a reporting standard. This has been replaced by the Privacy Management Framework (PMF). The PMF states the things that a company should do to protect personal data. If you are familiar with the requirements of the EU's General Data Protection Regulation (GDPR) requirements, you would recognize those ideas in the PMF. ISO 27050 is a standard for eDiscovery. eDiscovery is critical once there has been an incident, and forensics must be performed.

Answer 12

D. eXtensible Markup Language (XML) Explanation: The SOAP only permits the use of XML-formatted data, while REpresentational State Transfer (REST) allows for the use of a variety of data formats, including both XML and JSON. SOAP is most commonly used when the use of REST is not possible. XML, JSON, YAML, CSON are all data formats.

Answer 13

D. I Explanation: Microsoft’s STRIDE threat model defines threats based on their effects, including: Spoofing: The attacker pretends to be someone else Tampering: The attacker damages data integrity Repudiation: The attacker can deny that they took some action that they did take Information Disclosure: The attacker gains unauthorized access to sensitive data, harming confidentiality Denial of Service: The attacker can harm the availability of a service Elevation of Privilege: The attacker can access resources that they shouldn’t be able to access

Answer 14

B. Archive Explanation: The archive phase fits the best because the question says "stored into the future," which implies archival. Store would be the second best answer and is something that needs to be done as soon as the data is created. That initial storage location could actually be where the data is when the bank is looking for it somewhere in the future, but again, into the future implies archival. The use phase is when a user is utilizing the data—just as you are right now reading this. Share is when it is passed from one user to another, inside or outside the business.

Answer 15

B. Web Application Security Explanation: A Software as a Service (SaaS) environment has all of the risks that IaaS and PaaS environments have, as well as new risks of its own. Some risks unique to SaaS include: Proprietary Formats: With SaaS, a customer is using a vendor-provided solution. This may use proprietary formats that are incompatible with other software or create a risk of vendor lock-in if the organization’s systems are built around these formats. Virtualization: SaaS uses even more virtualized environments than PaaS, increasing the potential for VM escapes, information bleed, and similar threats. Web Application Security: Most SaaS offerings are web applications with a provided application programming interface (API). Both web apps and APIs have potential vulnerabilities and security risks that could exist in these solutions.

Answer 16

D. Ephemeral Explanation: Cloud storage comes in many shapes and flavors. The storage used by virtual machines to temporarily store files and to use for swap files is called ephemeral. Ephemeral means temporal or fleeting. It will disappear when the virtual machine shuts down. It is not for persistent storage. Persistent storage includes structured, object, volume, unstructured, block, etc. Each cloud service model uses a different method of storage as shown below: Software as a Service (SaaS): content and file storage, information storage and management Platform as a Service (PaaS): structured, unstructured, or block and blob Infrastructure as a Service (IaaS): volume, object Structured is confusing because it is used to describe a type of data (databases) and a type of data storage. They are not the same thing. Structured storage is a specific allocation of storage space. Block storage is a type of structured storage. It allocates space in units of space (e.g., 16KB). A volume is analogous to a C:/ directory on a computer. It is often allocated using block storage. Objects are files. Object storage would be a flat file system. Objects could have metadata attached to them. Objects are stored in volumes or blocks.

Answer 17

B. Data integrity and quality Explanation: The PMF replaced GAPP in 2009. The ISC2 outline lists the GAPP document, but it would be good to either know the current one or both. Both of these documents are from the American Institute for Certified Public Accountants (AICPA). Input validation, sanitization, hashing, integrity check, syntactic and semantic checks, and more address this concern. The PMF has nine components: Management Agreement, notice, and communication Collection and creation Use, retention, and disposal Access Disclosure to third parties Security for privacy Data integrity and quality Monitoring and enforcement Generally Accepted Privacy Principles (GAPP) include 10 key privacy principles: Management Notice Choice and consent Collection Use, retention, and disposal Access Disclosure to third parties Security for privacy Quality Monitoring and enforcement

Answer 18

C. Encryption Explanation: The create phase is an ideal time to implement technologies such as Transport Layer Security (TLS) when the data is inputted or imported. The client-server connection should be protected through encryption. DLP is a tool that is good if the user is sending data to an inappropriate place, such as sending a credit card number through email or storing information on an inappropriate server. It is not a great match when a user is creating a spreadsheet in SaaS. Firewalls are used to either block or allow traffic. It could be based on blocking or allowing a layer 7 command such as get or put in File Transfer Protocol (FTP) or a lower layer address or port number, for example. IDS devices are on the watch for intruders. This is a user doing their work. It would not detect and log events such as creating a spreadsheet.

Answer 19

D. Due to being tied to the physical hardware of the machine, there are fewer lines of code for an attacker to inject malicious code into than with a type 2 hypervisor Explanation: Correct answer: Due to being tied to the physical hardware of the machine, there are fewer lines of code for an attacker to inject malicious code into than with a type 2 hypervisor Type 1 hypervisors are known as bare-metal hypervisors because they run directly on the physical hardware of the machine, and they are not software based like type 2 hypervisors. Because they are tied to the hardware, they are considered the operating system of the server and should be designed as thinly as possible. That means fewer lines of code. With fewer lines, it is harder for a bad actor to inject malicious code. A type 2 is on top of a full operating system. There are many more opportunities to inject malicious code.

Answer 20

C. Transport Layer Security (TLS) Explanation: Data is at risk during the share phase of the data lifecycle. There are many tools that can be used in this phase, such as Data Leak Prevention (DLP), Secure Shell (SSH), and Transport Layer Security (TLS). The question does not tell us how they are sharing the data within the department, so from the list of possible answers, TLS is the best because it can be used in many different scenarios. SSH is most likely used by cloud administrators and operators to manage virtual machines or other activities. DAST is an application testing methodology. The question is about the share phase of data shared. There is no connection between those two topics. RASP is something that can be added to software to help it protect itself. In the question, we are trying to share data, not protect the application from attacks.

Answer 21

C. Tier I Explanation: Generators are added to the requirements from the lowest level, Tier I. Tier II and above also require those generators to be there. Tier I and II also require Uninterruptible Power Supply (UPS) units. Tier III requires a redundant distribution path for the data. Tier IV requires several independent and physically isolated power supplies.

Answer 22

D. Discovery Explanation: The discovery component or phase of DLP involves the categorization and classification of data so that the DLP tool will be able to identify the R&D formulas that are in storage or in transit. Without careful work in this phase, the DLP tool will not be able to monitor successfully. Monitoring involves the analysis of data or content to discover when that sensitive data is someplace it should not be (in storage or transit). Enforcement would then involve the tool taking the action of deleting the content, encrypting it, or another action as defined. Encryption is not a component or phase of DLP. It is the scrambling of data so that it cannot be read. The question is asking where the work is done to begin to protect content. The CSA SecaaS Category 2 document is a good read on DLP.

Answer 23

B. A parser is poorly configured, which allows a bad actor to gain access to sensitive data Explanation: XML external entities attacks occur when the application parses XML input. If the parser is weakly configured, it is possible that the bad actor can cause trouble if the XML input contains a reference to an external entity. An entity is a storage unit of some kind according to the standard. With this attack, they could do all kinds of different things, such as gaining access to the etc/shadow file that contains the users' passwords, which is sensitive data. A website not using proper input validation could be an SQL injection, command injection, or cross-site scripting. If the application is not performing validation on tokens, there is a broken access control problem. A malicious actor able to send entrusted data to the user's browser also could be a cross-site scripting attack.

Answer 24

D. Applistructure Explanation: The applistructure is the software in the cloud. That is where insecure software development is a particular concern. So the error that was log4j that called Log4Shell that resulted in a RCE simply through logging a certain string was a software development issue. The application is that layer. The infostructure is data storage (Info - Informatation - data). It is the storage area network, block storage, file storage, object storage, and any other storage types. The metastructure is the virtualization. It is the virtual machines, servers, routers, switches, firewalls, etc. It is the virtualized data center. The infrastructure is the physical environment—the servers, routers, switches, firewalls, etc., that make up the physical data center. There is not much in the official books about these. Okay, none. Please read the security guidance 4.0 document from the Cloud Security Alliance (4.0 as of May 2023).

Answer 25

D. Management plane Explanation: The management plane allows for cloud providers to manage all the hosts from a centralized location instead of needing to log into each individual server when needing to perform tasks. The management plane is sometimes called the control plane. Or you could say the control plane is sometimes called the management plane. Confusion comes from two sources: 1) The use of these terms in traditional networking/ data centers and 2) The use of control or controller plane in Software Defined Networking (SDN). A plane is effectively a way to distinguish what the bits that are flowing on the network interface are used for. The data plane is the bits/frames/packets that are user traffic. The management plane is the bits/frames/packets that are the traffic from the administrator to the GUI in the cloud that allows for the administrators to perform their tasks. These tasks include building virtual machines, configuring the firewalls, establishing or configuring Identity and Access Management (IAM) accounts, and so on. Virtual machines are constructed on or through a hypervisor. It is the software that enables the creation of the VMs. This is not the best answer because the question is about accessing. Secure Shell is an OSI model layer 5 protocol that encrypts traffic and is most commonly used by administrators for remote access to switches, routers, servers, and so on. This could be how Angela's connection is secured. However, the question is more than accessing. She is also creating virtual machines. which clarifies that we are talking about the cloud (it is a cloud exam, after all), but the management plane connects to the management console and the GUI (or command line) for configuring cloud services of all kinds. Reference:

Answer 26

A. Field work Explanation: Generally, an audit process consists of four stages. Doing walkthroughs and risk assessments, interviewing personnel about procedures, conducting audit test work, and checking that criteria are compatible with SLAs and contracts are all part of the audit process' field work phase. Field work is essentially the actual audit work. The planning phase involves the objective and scope definition. The reporting phase occurs after field work. This is the creation of the audit findings document that will be given to those who hired the auditors. Follow-up would occur after the reporting phase. Conversations about the findings and possible reassessment occur in follow-up.

Answer 27

B. Private Explanation: There are four types of blockchain: private, public, consortium, and hybrid. Private blockchains are restricted to a specific group of participants who are granted access and permission to the network. They are typically used within organizations or consortia where participants trust each other and require more control over the network. Private blockchains offer higher transaction speeds and privacy but sacrifice decentralization compared to public blockchains. Public blockchains, such as Bitcoin and Ethereum, are open to anyone and allow anyone to participate in the network, verify transactions, and create new blocks. They are decentralized and provide a high level of transparency and security. Public blockchains use consensus mechanisms, such as Proof of Work (PoW) or Proof of Stake (PoS), to validate transactions and secure the network. Consortium blockchains are a hybrid of public and private blockchains. They are operated by a consortium or a group of organizations that have a shared interest in a particular industry or use case. Consortium blockchains provide a controlled and permissioned environment, while still allowing multiple entities to participate in the consensus and decision-making process. Permissioned blockchains require users to have permission to join and participate in the network. They are typically used in enterprise settings where access control and governance are critical. Permissioned blockchains offer faster transaction speeds and are more scalable than public blockchains, but they sacrifice some decentralization and censorship resistance. The hybrid blockchain approach allows organizations to leverage the benefits of decentralization, transparency, and immutability from public blockchains while maintaining control, privacy, and scalability through private components. It offers a flexible solution that can cater to specific business requirements and regulatory considerations.

Answer 28

B. Generator and Uninterruptible Power Supply (UPS) Explanation: Cloud providers will need to have multiple independent power feeds in case a power feed goes down. In addition, they will also typically have a generator or battery backup (UPS) to serve in the meantime when a power feed goes out. The answers that contain "second power feed" are not correct because that already exists in the question with the word "multiple." It is not necessary to have a third power feed. It may not be a bad idea, but it is not required. Reference:

Answer 29

B. eXtensible Markup Langugue (XML) Explanation: eXtensible Markup Language (XML) is a standard information exchange format that employs tags to define data that is similar to Hyper Text Markup Language (HTML). JSON is a lightweight data exchange protocol that is commonly used today, but it is not similar in structure to HTML. BSON is a binary form of JSON. REST APIs typically use JSON, although it can use XML to request information and receive responses.

Answer 30

A. Cloud Service Broker Explanation: Some of the important roles and responsibilities in cloud computing include: Cloud Service Provider: The cloud service provider offers cloud services to a third party. They are responsible for operating their infrastructure and meeting service level agreements (SLAs). Cloud Customer: The cloud customer uses cloud services. They are responsible for the portion of the cloud infrastructure stack under their control. Cloud Service Partners: Cloud service partners are distinct from the cloud service provider but offer a related service. For example, a cloud service partner may offer add-on security services to secure an organization’s cloud infrastructure. Cloud Service Brokers: A cloud service broker may combine services from several different cloud providers and customize them into packages that meet a customer’s needs and integrate with their environment. Regulators: Regulators ensure that organizations — and their cloud infrastructures — are compliant with applicable laws and regulations. The global nature of the cloud can make regulatory and jurisdictional issues more complex.

Answer 31

B. Ensure auditability is in the contract Explanation: Before moving into cloud services, the contract should be created and analyzed. One of the critical elements within the contract is the auditability of the provider. ISO/IEC 17788 defines auditability as the capability of collecting and making available necessary evidential information related to the operation and use of a cloud service for the purpose of conducting an audit. Understanding the provider's views on audits can be helpful in this process but more important is to have something in the contract. Seeing the latest audit reports is good, but that is from the past. Before moving into the cloud, something needs to be in the contract for the future. Who the third part auditor is can be useful, but just because they have been used in the past, does not define who will be the auditor in the future.

Answer 32

A. The customer is responsible for configuring the virtual routers and switches, the cloud provider is responsible for the physical routers and switches Explanation: The shared responsibility model for the IaaS environment allows the customer to build a virtual data center, which means that the customer brings the operating systems with them that create the virtual routers, switches, servers, and all the security appliances, firewalls, intrusion detection systems, and so on. The cloud provider is responsible for the physical network, including the routers, switches, security appliances, and the servers with the hypervisors. With IaaS, the customer determines their data storage systems or Storage Area Networks (SAN) as well as the data structures of databases or data lakes and so on. Everything virtual is the customer's responsibility and the physical is the provider's responsibility. Reference:

Answer 33

B. Prepare, categorize, select, implement, assess, authorize, monitor Explanation: The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) lists the correct order of the risk management steps as the following: prepare, categorize, select, implement, assess, authorize, and monitor. The prepare phase is where Oya and her team are. They are getting into the process of analyzing the risks for the cloud data center. Then they will categorize the risks and threats based on the impact they could have on the organization. The select phase is when controls are selected to reduce the likelihood or impact of the threats. If there are new controls or simply new settings that need to be configured, this is done in the implement phase. When the assess phase is active, the team is looking to see if the controls are in place and working properly. The authorize phase is when senior management is informed of all that can be found, determined, chosen, and analyzed, and they authorize their business to have their production environments configured in this new way. Lastly, there is ongoing monitoring that is performed.

Answer 34

C. Ensure a reservation is made at the minimum level needed Explanation: A minimum resource that is granted to a cloud customer within a cloud environment is known as a reservation. With a reservation, the cloud customer should always have, at the minimum, the amount of resources needed to power and operate any of their services. On the flip side, limits are the opposite of reservations. A limit is the maximum utilization of memory or processing allowed for a cloud customer. It is a good idea to set to control costs, especially on a new service. The share space is what is available for any customer to utilize. The cloud works on a first come, first served approach.

Answer 35

A. Qualitative assessment Explanation: There are two main assessment types that can be done for assessing risk: qualitative assessments and quantitative assessments. While quantitative assessments are data driven, focusing on items such as Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE), qualitative assessments are descriptive in nature and not data driven. Fault tree analysis is actually a combination of quantitative and qualitative assessments. The question is looking for something that is not financial and that would be the quantitative. So this is more than what the question is about. Root cause analysis is what is done in problem management from ITIL. Root cause analysis analyzes why some bad event has happened so that the root cause can be found and fixed so that it does not happen again.

Answer 36

A. XML external entities attack Explanation: XML external entities attacks occur when the application parses XML input. The question does not say XML because it cannot, according to the rules ISC2 must follow, since XML is in the actual name of the attack. If the parser is weakly configured, it is possible that the bad actor can cause trouble if the XML input contains a reference to an external entity. An entity is a storage unit of some kind according to the standard. Cross-site scripting occurs when a bad actor is able to inject a malicious script into a trusted website. It is usually a browser side script. This is a type of injection attack. Broken access control can be exploited in many ways. It could be a failure in setting up the account with least privilege. Or it could be a flaw that allows the access control mechanism to be bypassed. Injection attacks occur when the bad actor is able to send a command of some kind, unchecked, by the application. SQL or operating system commands are two of the most common.

Answer 37

B. Service Access Explanation: Key components of an identity and access management (IAM) policy in the cloud include: User Access: User access refers to managing the access and permissions that individual users have within a cloud environment. This can use the cloud provider’s IAM system or a federated system that uses the customer’s IAM system to manage access to cloud services, systems, and other resources. Privilege Access: Privileged accounts have more access and control in the cloud, potentially including management of cloud security controls. These can be controlled in the same way as user accounts but should also include stronger access security controls, such as mandatory multi-factor authentication (MFA) and greater monitoring. Service Access: Service accounts are used by applications that need access to various resources. Cloud environments commonly rely heavily on microservices and APIs, making managing service access essential in the cloud. Physical access to cloud servers is the responsibility of the cloud service provider, not the customer.

Answer 38

C. SOW Explanation: Two organizations working together may have various agreements and contracts in place to manage their risks. Some of the common types include: Master Service Agreement (MSA): An MSA is an over-arching contract for all the work performed between the two organizations. Statement of Work (SOW): Each new project under the MSA is defined using an SOW. Service Level Agreement (SLA): An SLA defines the conditions of service that the vendor guarantees to the customer. If the vendor fails to meet these terms, they may be forced to pay some penalty. Non-Disclosure Agreement (NDA): An NDA is designed to protect confidential information that one or both parties share with the other.

Answer 39

B. Web Application Firewall (WAF) Explanation: A Web Application Firewall (WAF) specifically addresses attacks on applications and external services. A WAF can assist in defending against SQL injection, cross-site scripting (XSS), and Cross-Site Request Forgery (CSRF) attacks. API gateways analyze and monitor SOAP and ReST traffic. This includes XML and JavaScript Object Notation (JSON). XML gateways focus on XML traffic. IPS traffic watches for intrusions. It would not see XSS or CSRF attacks within the web traffic.

Answer 40

D. Acceptance Explanation: Risk treatment refers to the ways that an organization manages potential risks. There are a few different risk treatment strategies, including: Avoidance: The organization chooses not to engage in risky activity. This creates potential opportunity costs for the organization. Mitigation: The organization places controls in place that reduce or eliminate the likelihood or impact of the risk. Any risk that is left over after the security controls are in place is called residual risk. Transference: The organization transfers the risk to a third party. Insurance is a prime example of risk transference. Acceptance: The organization takes no action to manage the risk. Risk acceptance depends on the organization’s risk appetite or the amount of risk that it is willing to accept.

Answer 41

D. Data mapping Explanation: Data dispersion is when data is distributed across multiple locations to improve resiliency. Overlapping coverage makes it possible to reconstruct data if a portion of it is lost. A data flow diagram (DFD) maps how data flows between an organization’s various locations and applications. This helps to maintain data visibility and implement effective access controls and regulatory compliance. Data mapping identifies data requiring protection within an organization. This helps to ensure that the data is properly protected wherever it is used. Data labeling contains metadata describing important features of the data. For example, data labels could include information about ownership, classification, limitations on use or distribution, and when the data was created and should be disposed of.

Answer 42

B. Tokenization Explanation: Tokenization is a method used to protect data without needing to go through the process of encryption. In tokenization, an application is used to replace confidential data with an arbitrary value (known as a token). If the company stores only the token and the bank has the database to be able to convert the token back to the actual card number, it minimizes their exposure. If you do not have or store the credit card, it cannot be breached. Obfuscation includes a variety of techniques to hide/obscure/confuse the data. It is useful to protect source code from reverse engineering. If you are protecting data, encryption is probably a better choice. Encryption involves the ability to decrypt. So, if the credit cards are stored in an encrypted fashion and they are stolen, the bad actor can work on discovering the key and obtaining the data. This would be a good thing to do if the card numbers are being held or transmitted. Tokenization removes the card number so it minimizes exposure more. Anonymization would not work here. Anonymization is to permanently remove the personal data, and it is needed to be able to process credit card charges for a customer. Without this information, it is very difficult to track customer orders.

Answer 43

A. Development Explanation: During the development or coding phase of the SDLC, the plans and requirements are turned into an executable programming language. As this is the phase where coding takes place, it is most likely the place where technical mistakes would be made. Technical mistakes could be made in the planning or requirements phase, although more architectural problems are likely to occur. Testing is technical and mistakes can be made during testing, but it is more likely that the testing is not as complete as needed. Reference:

Answer 44

B. Share, Store, and Archive Explanation: DLP tools traditionally protected data in transit, which would be the share phase. However, today they can be used to protect data at rest, which will be the store and archive phases. They can be used to scan servers to look for data that should not be there as well as analyzing the data in transit out of the corporation. DLP tools are notoriously difficult to setup because it is hard to tell the tool what data is sensitive and should not be on a particular server or in a particular data stream. So, the first phase of DLP is discovery.

Answer 45

B. Proprietary requirements Explanation: Vendor lock-in occurs when an organization is unable to leave the vendor. The most common reason for vendor lock-in would be proprietary formats for how data is stored. It is possible that some consider contracts that prevent a customer from leaving to be vendor lock-in as well. The proprietary requirements make it very expensive, difficult, and burdensome to move to a new provider. Undocumented software occurs all the time. The biggest problem with that is that it is hard to understand how it works. Poorly written SLAs would not cause lock-in. They are a problem. The SLAs specify the level of service that the customer can and should expect to receive from the cloud provider. If they are not well defined, the customer may not get the service they need, such as enough bandwidth. Overly expensive hardware does not cause lock-in. It might lock money into the wrong products, but that is not vendor lock-in. That's poor financial management.

Answer 46

D. Data Center Location Explanation: Cloud computing risks can depend on the cloud service model used. Some risks common to all cloud services include: Data Center Location: The location of a CSP’s data center may impact its exposure to natural disasters or the risk of regulatory issues. Cloud customers should verify that a CSP’s locations are resilient against applicable natural disasters and consider potential regulatory issues. Downtime: If a CSP’s network provider is down, then its services are unavailable to its customers. CSPs should use multivendor network connectivity to improve network resiliency. Compliance: Certain types of data are protected by law and may have mandatory security controls or jurisdictional limitations. These restrictions may affect the choice of a cloud service model or CSP. General Technology Risks: CSPs are a big target for attackers, who might exploit vulnerabilities or design flaws to attack CSPs and their customers.

Answer 47

C. Capacity Management Explanation: Standards such as the Information Technology Infrastructure Library (ITIL) and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1 define operational controls and standards, including: Change Management: Change management defines a process for changes to software, processes, etc., reducing the risk that systems will break due to poorly managed changes. A formal change request should be submitted and approved or denied by a change control board after a cost-benefit analysis. If approved, the change will be implemented and tested. The team should also have a plan for how to roll back the change if something goes wrong. Continuity Management: Continuity management involves managing events that disrupt availability. After a business impact assessment (BIA) is performed, the organization should develop and document processes for prioritizing the recovery of affected systems and maintaining operations throughout the incident. Information Security Management: Information security management systems (ISMSs) define a consistent, company-wide method for managing cybersecurity risks and ensuring the confidentiality, integrity, and availability of corporate data and systems. Relevant frameworks include the ISO 27000 series, the NIST Risk Management Framework (RMF), and AICPA SOC 2. Continual Service Improvement Management: Continual service improvement management involves monitoring and measuring an organization’s security and IT services. This practice should be focused on continuous improvement, and an important aspect is ensuring that metrics accurately reflect the current state and potential process. Incident Management: Incident management refers to addressing unexpected events that have a harmful impact on the organization. Most incidents are managed by a corporate security team, which should have a defined and documented process in place for identifying and prioritizing incidents, notifying stakeholders, and remediating the incident. Problem Management: Problems are the root causes of incidents, and problem management involves identifying and addressing these issues to prevent or reduce the impact of future incidents. The organization should track known incidents and have steps documented to fix them or workarounds to provide a temporary fix. Release Management: Agile methodologies speed up the development cycle and leverage automated CI/CD pipelines to enable frequent releases. Release management processes ensure that software has passed required tests and manages the logistics of the release (scheduling, post-release testing, etc.). Deployment Management: Deployment management involves managing the process from code being committed to a repository to it being deployed to users. In automated CI/CD pipelines, the focus is on automating testing, integration, and deployment processes. Otherwise, an organization may have processes in place to perform periodic, manual deployments. Configuration Management: Configuration errors can render software insecure and place the organization at risk. Configuration management processes formalize the process of defining and updating the approved configuration to ensure that systems are configured to a secure state. Infrastructure as Code (IaC) provides a way to automate and standardize configuration management by building and configuring systems based on provided definition files. Service Level Management: Service level management deals with IT’s ability to provide services and meet service level agreements (SLAs). For example, IT may have SLAs for availability, performance, number of concurrent users, customer support response times, etc. Availability Management: Availability management ensures that services will be up and usable. Redundancy and resiliency are crucial to availability. Additionally, cloud customers will be partially responsible for the availability of their services (depending on the service model). Capacity Management: Capacity management refers to ensuring that a service provider has the necessary resources available to meet demand. With resource pooling, a cloud provider will have fewer resources than all of its users will use but relies on them not using all of the resources at once. Often, capacity guarantees are mandated in SLAs.

Answer 48

D. Failover mechanism Explanation: A failover mechanism must be in place for there to be a seamless transition between the primary site and the DR site if there's a disaster. It may be necessary to have multiple internet providers to be able to access the public cloud, which is a good thing to include in the design of a corporation's network and cloud architecture. The question, though, points to a seamless transition, which is a closer match to a failover mechanism. Numerous hypervisors will not ensure a smooth transition to the DR site. It may be necessary to have different types of hypervisors in a cloud data center but that does not ensure the transition between sites. A Web API is a piece of software that enables functionality between websites.

Answer 49

B. Data in transit Explanation: The PCI DSS requires that data be encrypted when it is in transit across public networks. Data must be protected when it is being stored. PCI-DSS does not say that it must be encrypted within the 12 requirements. When it is at rest or in storage, it would be good to encrypt as well as establish and control anyone's access through Identity and Access Management (IAM). Encrypting data in use is just emerging as an option but is certainly not a requirement, as it is not available in almost all situations today. Reference:

Answer 50

A. Every piece of software in the environment Explanation: Any piece of software, from major software suites to small utility scripts, can have possible vulnerabilities. This means that every program and every piece of software in the environment carries an inherent amount of risk with it. Any software that is installed in a cloud environment should be properly vetted and regularly audited

Answer 51

B. Infinity Paradigm Explanation: The International Data Center Authority (IDCA)) is responsible for developing the Infinity Paradigm, which is a framework intended to be used for operations and data center design. The Infinity Paradigm covers aspects of data center design, which include location, cabling, security, connectivity, and much more. Risk Management Framework (RMF) is defined by NIST as "a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations." The Health Information Trust Alliance (HITRUST) is a non-profit organization. They are best known for developing the HITRUST Common Security Framework (CSF), in collaboration with healthcare, technology, and information security organizations around the world. It aligns standards from ISO, NIST, PCI, and regulations like HIPAA. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a software threat modeling technique by Carnegie Mellon University that was developed for the US Department of Defense (DoD).

Answer 52

C. Store Explanation: The cloud data lifecycle has six phases, including: Create: Data is created or generated. Data classification, labeling, and marking should occur in this phase. Store: Data is placed in cloud storage. Data should be encrypted in transit and at rest using encryption and access controls. Use: The data is retrieved from storage to be processed or used. Mapping and securing data flows becomes relevant in this stage. Share: Access to the data is shared with other users. This sharing should be managed by access controls and should include restrictions on sharing based on legal and jurisdictional requirements. For example, the GDPR limits the sharing of EU citizens’ data. Archive: Data no longer in active use is placed in long-term storage. Policies for data archiving should include considerations about legal data retention and deletion requirements and the rotation of encryption keys used to protect long-lived sensitive data. Destroy: Data is permanently deleted. This should be accomplished using secure methods such as cryptographic erasure/crypto shredding. Reference:

Answer 53

D. Create Explanation: Generating a new spreadsheet is the create phase of the data lifecycle. Create is the generation of new data/voice/video in any manner. The Cloud Security Alliance (CSA) also indicates that the create phase is when data is modified. Not everyone agrees with that last sentence, but this is an exam that is a joint venture between the CSA and (ISC)2, so it is good to know that is what they say in the guidance 4.0 document. As soon as the data is created, it needs to be moved to persistent storage (hard disk drive or solid state drive). If that spreadsheet is moved into long-term storage for future reference, then, if needed, that would be the archive phase. Sending the spreadsheet to the boss for their review (or to anyone else) would be the share phase.

Answer 54

B. Enforce "deny by default" firewall policies Explanation: This is a description of Server-Side Request Forgery (SSRF). There are a few things that can be done to prevent this, and the setting "deny by default" in the firewall policies or network access control rules help. Segmenting remote resources and validating client supplied input are two others. Enabling HTTP redirection is wrong because it needs to be disabled. Sending raw responses to clients is also backward. You do not want to send raw responses to clients. Identity and Access Management (IAM) does not help. This attack has the bad actor coercing the application, so this attack is not getting into the application. SSRF occurs once the bad actor has access to the application. The Open Web Application Security Project (OWASP) Top 10 is a regularly updated report of the top 10 vulnerabilities that affect web applications. It is good to be familiar with the top 10. Both the 2017 list and the 2021 list. Just because there is a new list, that does not mean that all old questions using the 2017 list have been removed from the database of questions at (ISC)2. It is good to recognize the threat in a scenario and know what the fixes or prevention techniques are for each. It is recommended to google OWASP Top 10 and dig into each to prepare for the test.

Answer 55

C. Obfuscation Explanation: The best answer to this question would be encryption, but that is not an option here. It is possible to say that encryption is actually a method of obfuscation. There are other ways to obfuscate data, such as transmitting or storing the data, like storing it base 64 rather than base 16. Obfuscation can also be used within the application to obfuscate the code and make it harder to reverse engineer. Tokenization is when data is replaced with a different value. The data can be returned to the original value. This is useful for storing a credit card number in your phone or watch but not so useful for storing data in a business. Anonymization is removing direct and indirect identifiers. There is no mention of Personally Identifiable Information (PII) in the question though. De-identification is removing the direct identifiers only. Again, there is no mention of PII in the question. So, both of these two options are not useful here.

Answer 56

D. It has been structurally tested Explanation: ISO 15408 is known as the common criteria. It is a testing criteria for security products to ensure fair and even testing when performed in different labs in different countries for similar products. The possible Evaluation Assurance Level (EAL) scores are as follows: EAL1 - Functionally tested EAL2 - Structurally tested EAL3 - Methodically tested and checked EAL4- Methodically designed, tested, and reviewed EAL5 - Semi-formally designed and tested EAL6 - Semi-formally verified design and tested EAL7 - Formally verified design and tested Although this is a very simple question, it is worth noting that this is information that could be useful to know for the test.

Answer 57

D. De-identification Explanation: Data de-identification is the process of removing direct identifiers. Bill 64 in Quebec, Canada, defines this quite clearly. Anonymization is removing the direct and indirect identifiers. Tokenization is to replace the data with another value. Commonly used for services like ApplePay, GooglePay, and PayPal. The token can be removed, and the original value put back in its place, unlike de-identification and anonymization, which are permanent removal methods. Encryption effectively obscures or obfuscates the data. This can also be undone with decryption

Answer 58

A. DRP Explanation: A business continuity plan (BCP) sustains operations during a disruptive event, such as a natural disaster or network outage. It can also be called a continuity of operations plan (COOP). A disaster recovery plan (DRP) works to restore the organization to normal operations after such an event has occurred. The decision of what needs to be included in a business continuity plan is determined by a business impact assessment (BIA), which determines what is necessary for the business to function vs. “nice to have."

Answer 59

A. OAuth (Open Authorization) Explanation: Open Authorization (OAuth) is an open standard protocol that allows secure authorization and delegation of user permissions between different applications or services. It provides a framework for users to grant limited access to their resources on one website or application to another website or application without sharing their login credentials. OpenID is an open standard and decentralized authentication protocol that allows users to authenticate themselves on multiple websites or applications using a single set of credentials. It provides a convenient and secure way for users to log in to various websites without the need to create and remember separate usernames and passwords for each site. Kerberos is a network authentication protocol that provides secure authentication for client-server communication over an insecure network. It was developed by MIT and has become an industry-standard protocol for authentication in many systems and applications. This is used, or has been used, for LAN environments, not the cloud. Web Services Federation (WS-Federation) is an industry-standard protocol that provides a framework for identity federation and Single Sign-On (SSO) across different web services and security domains. It is based on XML and relies on other web service standards, such as Simple Object Access Protocol (SOAP), to enable secure communication and identity exchange between participating entities.

Answer 60

D. Standalone host Explanation: A standalone host is essentially a virtual machine within the cloud provider's environment. It would not be connected to other hosts, as is both clustered and redundant hosts. A cluster of servers are all continuously working. If one of them fails, the others are already there processing data. The customer's connection could be transferred over, and the customer would never know that there was a failure. They are considered active-active. A redundant host has a backup. However, the backup does not process data actively until the primary host fails. They are considered active-passive. Since the question says that Sadi is not that worried with continuous uptime, both the cluster and the redundant hosts are more than is necessary. A bastion host is hardened. It is a host that has been properly setup and configured to limit any exposure to a bad actor. Bastion is from the French, meaning hardened and fortified. It is a very good idea to make this effort if the host is going to be accessible by the Internet, such as a webserver in the DeMilitarized Zone (DMZ).

Answer 61

B. Security Groups (SG) Explanation: Security groups are effectively port-based firewalls. They are added as an extra layer of security in front of virtual systems. It is good to add Operating System (OS)-based firewalls, but more layers are critical to protect systems and data. Micro-segmentation is a method of creating very small virtualized environments. This does not match the question because it does not specify a small, isolated environment for single systems. An SDN is a method of improving switch technology by adding a controller that makes the forwarding decisions, which can be configured to make policy-based decisions as well. Virtualization is the basic technology that enables the creation of virtual machines.

Answer 62

A. Protected Health Information (PHI) Explanation: PHI, which stands for Protected Health Information, includes a wide spectrum of data about an individual and their health. Medical history, treatment, lab results, demographic information, and health insurance information are all considered to be PHI. Personal data is information about a person and is fairly interchangeable with PII. Examples of PII are name, address, and phone number. Payment card data is the card number, expiration date, name, address, limit, etc. Reference:

Answer 63

A. Budgetary constraints applied by management Explanation: As with any new system or plan being implemented, it's important to assess the risks of the changes. Budgetary constraints are not a main risk when developing a DR plan. The main risks associated with developing a BCDR plan include the load capacity at the BCDR site, migration of services, and legal or contractual issues.

Answer 64

D. Risk transference Explanation: When an organization obtains an insurance policy to cover the financial burden of a successful risk exploit, this is known as risk transference or risk sharing. It's important to note that with risk transference, only the financial losses would be covered by the policy, but it would not do anything to cover the loss of reputation the organization might face. Risk avoidance is when a decision is made to not engage in, or to stop engaging in, risky behavior. Risk mitigation or risk reduction is when controls are put in place to reduce the chance of a threat being realized or to minimize the impact of it once it does happen. Risk acceptance always needs to be done because no matter how much of the other three options are done, risk cannot be eliminated. Who accepts the risk, though, is something that a business needs to carefully consider.

Answer 65

C. Black-box Explanation: Software testing can be classified as one of a few different types, including: White-box: In white-box or clear-box testing, the tester has full access to the software and its source code and documentation. Static application security testing (SAST) is an example of this technique. Gray-box: The tester has partial knowledge of and access to the software. For example, they may have access to user documentation and high-level architectural information. Black-box: In this test, the attacker has no specialized knowledge or access. Dynamic application security testing (DAST) is an example of this form of testing.

Answer 66

A. Log Collection Explanation: Three essential audit mechanisms in cloud environments include: Log Collection: Log files contain useful information about events that can be used for auditing and threat detection. In cloud environments, it is important to identify useful log files and collect this information for analysis. However, data overload is a common issue with log management, so it is important to collect only what is necessary and useful. Correlation: Individual log files provide a partial picture of what is going on in a system. Correlation looks at relationships between multiple log files and events to identify potential trends or anomalies that could point to a security incident. Packet Capture: Packet capture tools collect the traffic flowing over a network. This is often only possible in the cloud in an IaaS environment or using a vendor-provided network mirroring capability. Access controls are important but not one of the three core audit mechanisms in cloud environments.

Answer 67

B. ISO 27018 Explanation: ISO 27018 is part of the ISO 27000 suite of standards. It provides privacy protection built around five key principles: Consent: A cloud provider can only use a customer’s data for marketing with their explicit consent, and this consent can’t be required to use the service. Control: The cloud customer has full control over how their data is used by the cloud provider. Transparency: The cloud provider must inform cloud customers of where their data is stored and any subcontractors that have access to it. Communication: The cloud provider should perform auditing and report any potential incidents to their customers. Audit: Cloud providers should undergo annual external audits.

Answer 68

C. Cloud Access Security Broker (CASB) Explanation: CASBs were originally designed to determine where the users were connecting and using shadow IT. Shadow IT is technology that the users have signed up for (in the cloud) that did not go through the regular acquisition procedures. Today, they can do additional things like DLP. DLP is designed to determine if a user has just sent (or is trying to send) data someplace it should not go or in a format it should not be in (e.g., not encrypted). It is not designed to determine what web addresses the users are accessing. Cloud brokers are people/companies that help cloud customers and cloud providers in their negotiations. CPM tools are even newer. Sometimes called Cloud Security Posture Manager (CSPM), these tools are designed to determine all the paths a user can take to get access to particular resources. It is normal in the cloud that there can be multiple paths to a piece of data. Also, it is normal to assume the role of one of the devices or applications temporarily, which could give a user more access than they should have.

Answer 69

A. Cloud service broker Explanation: A cloud service broker is an individual or organization which serves as the go-between or intermediary between cloud customers and cloud service providers. Brokers can negotiate and manage the services between the customer and the provider. They do have some of their own software to help with this management. Cloud service auditors are the auditors who go into the cloud service provider’s datacenter as the third party to verify their controls. Cloud service users are the customers of the cloud provider. This would include the end user as well as the corporations that they work for. A cloud service partner is a company that helps either the customer or the partner. It is the more generic term that can include the brokers and the auditors.

Answer 70

D. Assurance Explanation: A contract between a customer and a vendor can have various terms. Some of the most common include: Right to Audit: CSPs rarely allow customers to perform their own audits, but contracts commonly include acceptance of a third-party audit in the form of a SOC 2 or ISO 27001 certification. Metrics: The contract may define metrics used to measure the service provided and assess compliance with service level agreements (SLAs). Definitions: Contracts will define various relevant terms (security, privacy, breach notification requirements, etc.) to ensure a common understanding between the two parties. Termination: The contract will define the terms by which it may be ended, including failure to provide service, failure to pay, a set duration, or with a certain amount of notice. Litigation: Contracts may include litigation terms such as requiring arbitration rather than a trial in court. Assurance: Assurance requirements set expectations for both parties. For example, the provider may be required to provide an annual SOC 2 audit report to demonstrate the effectiveness of its controls. Compliance: Cloud providers will need to have controls in place and undergo audits to ensure that their systems meet the compliance requirements of regulations and standards that apply to their customers. Access to Cloud/Data: Contracts may ensure access to services and data to protect a customer against vendor lock-in.

Answer 71

B. Data Loss Prevention (DLP) Explanation: Data loss prevention refers to a set of controls and practices put in place to ensure that data is only accessible to those authorized to access it. DLP also protects data from being lost or improperly used. IAM is used to control what someone has access to and with what permissions. It is not used to control where data is sent. TLS is used to encrypt data in transit so that it is not visible to someone who should not be able to see it. It does not control where data can be sent. Federated identification is another way to control who has access to something. It is not used to control where data is sent. So, the only tool here that does everything needed by the question is DLP. Reference:

Answer 72

D. Service Organization Control (SOC) 3 Explanation: SOC 3 reports are meant to be consumed and reviewed by the general public. SOC 3 allows for a much wider audience than the other reports listed. SOC 3 reports are meant to instill confidence that the organization's systems are secure. A SOC 3 report is the result of first doing a SOC 2 audit within the business. The SOC 3 is the public level document that indicates that the cloud auditor was there and is leaving some level of seal of approval. A SOC 2 Type II would be the preferred report to have as a customer, but the service provider does not have to release that. That is the point of the SOC 3. A SOC 2 Type i is a report that indicates the status of the controls and their design efficiency. A SOC 2 Type II shows that the controls are actually in use for a period of time of which there is no minimum. A SOC 2 audit looks at security controls. A SOC 1 audit looks at controls that can have a financial impact on the customer.

Answer 73

B. Hypervisor Security Explanation: Some important security considerations related to virtualization include: Hypervisor Security: The primary virtualization security concern is isolation or ensuring that different VMs can’t affect each other or read each other’s data. VM escape attacks occur when a malicious VM exploits a vulnerability in the hypervisor or virtualization platform to accomplish this. Container Security: Containers are self-contained packages that include an application and all of the dependencies that it needs to run. Containers improve portability but have security concerns around poor access control and container misconfigurations. Ephemeral Computing: Ephemeral computing is a major benefit of virtualization, where resources can be spun up and destroyed at need. This enables greater agility and reduces the risk that sensitive data or resources will be lying around abandoned. Serverless Technology: Serverless applications are deployed in environments managed by the cloud service provider. Outsourcing server management can make serverless systems more secure, but it also means that organizations can’t deploy traditional security solutions that require an underlying OS to operate.

Answer 74

D. RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5 Explanation: Correct answer: RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5 DREAD looks at the categories of damage potential, reproducibility, exploitability, affected users, and discoverability. Risk is given a value of 0 to 10 in each category, with 10 being the highest risk value. The algorithm used in DREAD is RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

Answer 75

C. Governance Explanation: When deploying cloud infrastructure, organizations must keep various security-related considerations in mind, including: Security: Data and applications hosted in the cloud must be secured just like in on-prem environments. Three key considerations are the CIA triad of confidentiality, integrity, and availability. Privacy: Data hosted in the cloud should be properly protected to ensure that unauthorized users can’t access the data of customers, employees, and other third parties. Governance: An organization’s cloud infrastructure is subject to various laws, regulations, corporate policies, and other requirements. Governance manages cloud operations in a way that ensures compliance with these various constraints. Auditability: Cloud computing outsources the management of a portion of an organization’s IT infrastructure to a third party. A key contractual clause is ensuring that the cloud customer can audit (directly or indirectly) the cloud provider to ensure compliance with contractual, legal, and regulatory obligations. Regulatory Oversight: An organization’s responsibility for complying with various regulations (PCI DSS, GDPR, etc.) also extends to its use of third-party services. Cloud customers need to be able to ensure that cloud providers are compliant with applicable laws and regulations.

Answer 76

B. Discretionary Access Control (DAC) Explanation: The owner of a document is responsible for defining the limits on a per-document basis under a Discretionary Access Control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database. It is up to the owner's discretion to grant access to someone or not. MAC is a very secure environment that is commonly used around a country's sensitive documents (e.g., military top secret files). Access is controlled based on the classification of the data, the user's clearance level, and their need to know. NDAC is defined by the U.S. government as another name for MAC. RBAC is an access control model that defines access based on the user's role within the organization.

Answer 77

A. Security Information and Event Manager (SIEM) Explanation: A Security Information and Event Manager (SIEM) system collects and correlates logs from various sources on the network (servers, firewalls, etc.). SIEM systems also provide a great way for administrators to troubleshoot incidents. A vulnerability assessment is used to assess deployed systems to determine if there are potential vulnerabilities that need to be patched, among other uses. A SOC 2 audit is usually performed by external auditors, in particular for cloud providers, so that cloud customers understand the level of security they can expect from the provider. A FIM is used to monitor user activity within file servers but external to the server so that it is more difficult for bad actors to compromise that information. Reference:

Answer 78

A. Audit scope restrictions Explanation: Audit scope restrictions refer to the process of defining parameters for an audit. The rationale for audit scope restrictions is that audits are costly and often require the involvement of highly skilled content experts. Additionally, system auditing can impair system performance, and in some situations necessitate the shutdown of production systems. Carefully crafted scope constraints can help ensure that production systems are not harmed. Audit objectives would cover the reason for the audit and what they want to know as a result of the audit. Audit remediation could be the recommendations that the auditor provides after the audit assessment is complete. This would be based on any of the findings that the auditor has. A finding is something that the auditor finds that does not match the requirements based on the objectives of the audit. The policy would contain management's goals and objectives on the topic of audits.

Answer 79

B. IaC Explanation: Clustering is commonly used as part of high availability (HA) schemes for resiliency and redundancy. IaC is for configuration management.

Answer 80

D. SOX Explanation: A company may be subject to various regulations that mandate certain controls be in place to protect customers’ sensitive data or ensure regulatory transparency. Some examples of regulations that can affect cloud infrastructure include: General Data Protection Regulation (GDPR): GDPR is a regulation protecting the personal data of EU citizens. It defines required security controls for their data, export controls, and rights for data subjects. US CLOUD Act: The US CLOUD Act creates a framework for handling cross-border data requests from cloud providers. The US law enforcement and their counterparts in countries with similar laws can request data hosted in a data center in a different country. Privacy Shield: Privacy Shield is a program designed to bring the US into partial compliance with GDPR and allow US companies to transfer EU citizen data outside of the US. The main reason that the US is not GDPR compliant is that federal agencies have unrestricted access to non-citizens’ data. Gramm-Leach-Bliley Act (GLBA): GLBA requires financial services organizations to disclose to customers how they use those customers’ personal data. Stored Communications Act of 1986 (SCA): SCA provides privacy protection for the electronic communications (email, etc.) of US citizens. Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act: HIPAA and HITECH are US regulations that protect the protected health information (PHI) that patients give to medical providers. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a standard defined by major payment card brands to secure payment data and protect against fraud. Sarbanes Oxley (SOX): SOX is a US regulation that applies to publicly-traded companies and requires annual disclosures to protect investors. North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP): NERC/CIP are regulations designed to protect the power grid in the US and Canada by ensuring that power providers have certain controls in place.

Answer 81

D. Third-Party Software Explanation: Some important considerations for secure software development in the cloud include: API Security: In the cloud, the use of microservices and APIs is common. API security best practices include identifying all APIs, performing regular vulnerability scanning, and implementing access controls to manage access to the APIs. Supply Chain Security: An attacker may be able to access an organization’s systems via access provided to a partner or vendor, or a failure of a provider’s systems may place an organization’s security at risk. Companies should assess their vendors’ security and ability to provide services via SOC2 and ISO 27001 certifications. Third-Party Software: Third-party software may contain vulnerabilities or malicious functionality introduced by an attacker. Also, the use of third-party software is often managed via licensing, with whose terms an organization must comply. Visibility into the use of third-party software is essential for security and legal compliance. Open Source Software: Most software uses third-party and open-source libraries and components, which can include malicious functionality or vulnerabilities. Developers should use software composition analysis (SCA) tools to build a software bill of materials (SBOM) to identify any potential vulnerabilities in components used by their applications.

Answer 82

B. Vendor lock-in Explanation: Vendor lock-in is a scenario in which a cloud customer is tied and dependent on one cloud provider without the ability to move to another provider. Cloud customers should ensure that anything done with the cloud provider will not cause this type of vendor lock-in. If there is anything in how the tokenization is performed that locks them into that format after they adapt their internal application, it could prevent them moving easily to a different vendor in the future if needed. Price changes are annoying but not a security risk. It is a financial risk. The focus here is information security. SLA modifications can be annoying or helpful. It depends on what is being modified, why, and how. So, it's not as critical a risk as vendor lock-in. File type changes could be a problem somewhere, but it is not a potential problem here. The lock-in potential problem is not the change of the data file type. The problem is how the data is converted to a token and then back again.