Pocket Prep 5 Flashcards
Laura has been tasked with setting up Information Rights Management (IRM) to protect some of the corporate data. IRM can be used as a means for:
A. Data classification and control
B. Data Loss Prevention and data deletion
C. Data control and data modification
D. Data modification and data deletion
A. Data classification and control
Explanation:
Information Rights Management (IRM) can be used as a means for data classification and control and deletion. It isn’t used as a means for data modification.
IRM is not the only way or reason to classify data, but it is a good reason to get that work done. It is definitely a way to control data. That is the point: to control content that a corporation wants to share with its customers or third parties. It does provide the ability to revoke access to data, which could be considered deletion.
The customer should not have the ability to modify the data though. This is for sharing content that a company wants to control. It could be for technical manuals, training guides, etc. That is not something the company is looking for its customers to modify.
Data Loss Prevention (DLP) is a different tool entirely. DLP is looking for data that is being sent to someone that is inappropriate or in an incorrect manner. It can also scan storage locations for data that should not be present.
Which of the following features of a SIEM enables analysts to query log files to collect information?
A. Investigative Monitoring
B. Automated Monitoring
C. Log Centralization
D. Alerting
A. Investigative Monitoring
Explanation:
Security information and event management (SIEM) solutions are useful tools for log analysis. Some of the key features that they provide include:
Log Centralization and Aggregation: Combining logs in a single location makes them more accessible and provides additional context by drawing information from multiple log sources. Data Integrity: The SIEM is on its own system, making it more difficult for attackers to access and tamper with SIEM log files (which should be write-only). Normalization: The SIEM can ensure that all data is in a consistent format, converting things like dates that can use multiple formats. Automated Monitoring or Correlation: SIEMs can analyze the data provided to them to identify anomalies or trends that could be indicative of a cybersecurity incident. Alerting: Based on their correlation and analysis, SIEMs can alert security personnel of potential security incidents, system failures, and other events of interest. Investigative Monitoring: SIEMs support active investigations by enabling investigators to query log files or correlate events across multiple sources.
Which of the following techniques does NOT allow the original data to be recovered if needed?
A. Encryption
B. Tokenization
C. Obfuscation
D. Hashing
D. Hashing
Explanation:
Cloud customers can use various strategies to protect sensitive data against unauthorized access, including:
Encryption: Encryption performs a reversible transformation on data that renders it unreadable without knowledge of the decryption key. If data is encrypted with a secure algorithm, the primary security concerns are generating random encryption keys and protecting them against unauthorized access. FIPS 140-3 is a US government standard used to evaluate cryptographic modules. Hashing: Hashing is a one-way function used to ensure the integrity of data. Hashing the same input will always produce the same output, but it is infeasible to derive the input to the hash function from the corresponding output. Applications of hash functions include file integrity monitoring and digital signatures. FIPS 140-4 is a US government standard for hash functions. Masking: Masking involves replacing sensitive data with non-sensitive characters. A common example of this is using asterisks to mask a password on a computer or all but the last four digits of a credit card number. Anonymization: Anonymization and de-identification involve destroying or replacing all parts of a record that can be used to uniquely identify an individual. While many regulations require anonymization for data use outside of certain contexts, it is very difficult to fully anonymize data. Tokenization: Tokenization replaces sensitive data with a non-sensitive token on untrusted systems that don’t require access to the original data. A table mapping tokens to the data is stored in a secure location to enable the original data to be looked up when needed.
Obfuscation is a general term covering masking, tokenization, and other techniques.
Which of the following attributes of evidence restricts the types of evidence that can be presented and how it can be collected?
A. Admissible
B. Convincing
C. Complete
D. Authentic
A. Admissible
Explanation:
Typically, digital forensics is performed as part of an investigation or to support a court case. The five attributes that define whether evidence is useful include:
Authentic: The evidence must be real and relevant to the incident being investigated. Accurate: The evidence should be unquestionably truthful and not tampered with (integrity). Complete: The evidence should be presented in its entirety without leaving out anything that is inconvenient or would harm the case. Convincing: The evidence supports a particular fact or conclusion (e.g., that a user did something). Admissible: The evidence should be admissible in court, which places restrictions on the types of evidence that can be used and how it can be collected (e.g., no illegally collected evidence).
Leonidas has been working through the process of assessing and evaluating potential cloud providers to host their needs within the Platform as a Service (PaaS) cloud model. One of the critical aspects that he has been trying to determine is if they will be able to remove their data from the cloud provider in the future should they determine that the cloud is not the right solution for them or if they need to change service providers.
What term matches their concern of removing their data from the cloud provider?
A. Portability
B. Availability
C. Reversibility
D. Interoperability
C. Reversibility
Explanation:
Reversibility is the ability to retrieve their data and artifacts and ensure the complete removal of that data and artifacts from the cloud provider.
Portability is the ability to move all data from one cloud provider to another without having to reenter that data.
Interoperability is the ability of two different systems to share and use a piece of data.
Availability means that the data and systems are there and usable when the user requires access.
A health care company has built an application for patients to use to communicate with their doctors and see their test results. It is important to control access to this application due to the Payment Card Industry - Data Security Standard (PCI-DSS). They want to utilize multi-factor authentication to verify the user logging in is the actual patient and not a bad actor.
Which of the following combinations of factors would be acceptable to use?
A. Fingerprint scan and retina scan
B. Software authenticator and smart card
C. Password and personally identifiable number
D. Password and software authenticator
D. Password and software authenticator
Explanation:
In Multi-Factor Authentication (MFA), users must have two separate and unique factor types. MFA factors include something you know (password, pin, passphrase), something you have (software authenticators, key card, smart card), and something you are or do (biometrics). Of the options given, the password and software authenticator combination is the only option that includes two unique types of factors.
Extra information: The three factors of authentication can be referred to by number. Something you know is factor 1. Something you have is factor 2. Something you are or do is factor 3.
In regard to data sanitization, which type of cloud service model requires special considerations as the data is often more interconnected throughout the platform?
A. Infrastructure as a Service (IaaS)
B. Database as a Service (DBaaS)
C. Platform as a Service (PaaS)
D. Software as a Service (SaaS)
D. Software as a Service (SaaS)
Explanation:
Data sanitization in cloud environments already differs from that of on-prem environments since physical destruction methods are not possible. However, of the three types of cloud service models (which include IaaS, PaaS, and Saas), SaaS requires special consideration because the data is often far more interconnected than in the other two service models.
Depending on who wrote the software and how it is designed to store data, it will possibly change how data sanitization needs to change with Software as a Service.
Platform and Infrastructure as a Service typically allocate real or virtual hard drives to specific virtual machines, making sanitization a bit easier. DBaaS is likely to handle data in a similar fashion to this.
A small bank has recently experienced a data breach. You have been working with the Incident Response team. They have discovered that the bad actor was able to copy a database out after having been able to do a man-in-the-middle (MitM) attack against the Diffie Hellman exchange that occurred on a user’s connection.
Which of the OWASP Top 10 security threats has been experienced by this company?
A. Cryptographic Failures
B. Identification and Authentication Failures
C. Software and Data Integrity Failures
D. Broken access control
A. Cryptographic Failures
Explanation:
When creating and managing a web application, it’s vital to keep sensitive user information private. Many web applications use data such as credit card information, authentication data, and other personally identifiable information. The OWASP Top 10 addresses the top threats that we have on this planet. Cryptographic failures occur in a few different ways. In this question, it is the failure to protect the DIffie Hellman (DH) key exchange. It is susceptible to MitM if RSA or something else like that is not added to it.
Cryptographic failures was called Sensitive data exposure on the 2017 OWASP list.
Identification and Authentication Failures was called Broken Authentication on the OWASP 2017 list. The bad actor gained access to the user’s account, but it is the MitM against DH that is the problem here.
Software and Data Integrity Failures was called Insecure Deserialization on the OWASP 2017 list. An example is a browser or application using untrusted plugins that then allows compromise of the integrity of the data.
Broken access control is not top of the OWASP top 10 list. Broken access control occurs in a variety of ways, such as failing to setup access based on the logic of least privilege, or if elevation of permissions is possible for the average user when it should not be.
Reference:
An attacker managed to gain access to the Industrial Control System (ICS) for a regional power plant. A piece of malware has been left behind that is slowly causing a failure with the turbines. The malware has been skillfully created, ensuring that it will take months before it is discovered.
What type of threat is being described here?
A. Denial of Service (DoS)
B. Malicious insider
C. Distributed Denial of Service (DDoS)
D. Advanced Persistent Threat (APT)
D. Advanced Persistent Threat (APT)
Explanation:
An APT is most commonly carried out by very skilled, state-sponsored hacking groups. So, an attack against a regional power plant is a likely attack point. Having written malware that will take a long time to discover is also an element of an APT—it is the persistence piece.
As this malware will eventually cause failure of the power plant, a DoS attack is a possible answer here. However, due to all of the elements in the question, an APT is more appropriate. The elements are skill level, length of time before discovery, and an attack against a piece of the national infrastructure. Missing from the question is how the malware did get into the power plant.
It could have been a malicious insider, but again, with all of the elements that are there, an APT is a better answer.
It is not a DDoS because such an attack originates from many points.
Kerry is working for a company that has just identified an Indication of Compromise (IoC) that they have been able to verify as a security incident. A bad actor has been able to access their database and copy the contents of the customer information table. Since Kerry is the information security manager, it is her responsibility to notify the appropriate parties.
Which of the five key principles of the ISO/IEC 27018 would this scenario fall into?
A. Consent
B. Communication
C. Yearly audits
D. Control
B. Communication
Explanation:
The ISO/IEC 27018 is focused on five key principles, which include communication, consent, control, transparency, and independent and yearly audits.
Communication refers to the need for any event that could impact the security of data within a cloud environment to be clearly documented as well as relayed to the cloud customers.
Consent is when the customer opts in to the information gathering. If they do not opt in, the personal data should not be collected and stored.
Transparency refers to being clear about what data the company is collecting and storing as well as the why and for how long.
The company should have control over the data that is in their possession. This incident shows that the company did lose control of the database.
Independent audits should be performed on a yearly basis by external auditors.
You work for a financial institution and have recently migrated from a private cloud to an Infrastructure as a Service (IaaS) deployment with a public Cloud Service Provider (CSP). As the technology director, you are concerned about the exposure of personal financial information. Which US federal legislation would be applicable?
A. Health Information Portability and Accountability Act (HIPAA)
B. Sarbanes Oxley (SOX)
C. Gramm - Leach - Bliley Act (GLBA)
D. Stored Communications Act (SCA)
C. Gramm - Leach - Bliley Act (GLBA)
Explanation:
The Gramm-Leach-Bliley Act (GLBA) would be most applicable. GLBA is a US federal law that requires financial institutions to disclose how they share and protect their customers’ private information. GLBA is widely regarded as the most comprehensive federal data privacy and security legislation.
Healthcare businesses are subject to the Health Insurance Portability and Accountability Act (HIPAA).
Sarbanes-OXley (SOX) protects individuals in publicly-traded firms against accounting errors and fraudulent practices.
The Stored Communications Act (SCA) guards against illegal access to and interception of electronic communications and computer services.
A software development team is working on building a new product that they will offer as a Software as a Service (SaaS) product to their customers. The application will handle Personally Identifiable Information (PII) and credit card data, so it is very important to the team to ensure the security and integrity of that information. They have followed the Secure Software Development LifeCycle (SSDLC) and are at the final stage.
What is the final stage of the SSDLC?
A. Analysis
B. Development
C. Maintenance
D. Testing
C. Maintenance
Explanation:
The Software Development LifeCycle (SDLC) is made up of six steps, which include:
requirement gathering and feasibility analysis design development/coding testing maintenance
The final step of the SDLC is maintenance, although this step is never quite finished. Maintenance is an ongoing process that must occur throughout the entire lifetime of the software or application.
Marcella works at a bank as the information security expert working with the Disaster Recovery Planning (DRP) team. They have done a Business Impact Analysis (BIA) on their critical business functions. They have been able to determine that the maximum amount of time that one of these services can be offline is two hours. As a result, they have planned to fail to a different region of their cloud provider if there is a failure that brings their Platform as a Service (PaaS) down. They are currently configuring the systems that they will fail over to. They need to ensure that it is configured correctly to provide the Recovery Service Level (RSL) needed.
RSL can BEST be described as which of the following?
A. The percentage of the performance level which must be restored to meet Disaster Recovery (DR) objectives
B. The average time it takes to recover services back to their normal production state
C. The length of time that is acceptable for services to be offline or unavailable during a disaster recovery scenario
D. The percentage of data needed to be restored to meet Disaster Recovery (DR) objectives
A. The percentage of the performance level which must be restored to meet Disaster Recovery (DR) objectives
Explanation:
Recovery Service Level (RSL or RSL%) is a term used to describe the percentage of the performance level which needs to be restored to meet Disaster Recovery (DR) objectives. For example, an RSL of 50% would specify that the DR system would need to operate at a minimum of 50% of the performance level of the normal production system.
The average time it takes to recover services would be a Mean Time To Recover (MTTR).
The percentage of data needed to be restored is just not accurate. There is a term, Recovery Point Objective (RPO), but that is the amount of data that can be lost, which is measured in a unit of time.
The length of time that is acceptable for services to be offline would be the Maximum Tolerable Downtime (MTD).
A marketing company wants to build a Software as a Service (SaaS) application that allows their customers to use their marketing tools for themselves. The marketing company utilizes social media sites to gain information about the end customer. If Open Authorization (OAuth) version 2.0 is being used, the whole process begins when the user initiates the interaction by accessing the company’s website. The company’s website requires the user to log in, and then the website requests access to the user’s social media profile.
What type of unit is used to carry the user’s request to the resource server?
A. Access tokens
B. Tickets
C. Refresh tokens
D. Identification tokens
A. Access tokens
Explanation:
An OAuth access token is a credential that is issued by an authorization server as part of the OAuth 2.0 authentication and authorization process. It is used by a client application to make authorized API requests on behalf of a user or an application.
An OAuth ID token is a JSON Web Token (JWT) that is issued by an authorization server as part of the OAuth 2.0 authentication and authorization process. Unlike an access token that is used for making authorized API requests, the ID token carries information about the authenticated user.
An OAuth refresh token is a credential that is issued alongside an access token during the OAuth 2.0 authentication and authorization process. It is used by a client application to obtain a new access token when the original access token expires without requiring the user to reauthenticate.
A ticket is a similar unit to these tokens but used in Kerberos and is a traditional Single Sign On (SSO) technology for the office Local Area Network (LAN), traditionally used by Microsoft.
For the test, this additional information might prove useful. According to Oauth.net, “An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.
An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client. The ID token may also contain information about the user such as their name or email address, although that is not a requirement of an ID token.
An OAuth Refresh Token is a string that the OAuth client can use to get a new access token without the user’s interaction. A refresh token must not allow the client to gain any access beyond the scope of the original grant. The refresh token exists to enable authorization servers to use short lifetimes for access tokens without needing to involve the user when the token expires.”
Foster and the Disaster Recovery (DR) team have been working to determine the technologies needed to recover a critical storage device should a failure occur. What the team has been able to determine is that the corporation cannot lose more than five hours worth of data. They have been working with the Information Technologies (IT) manager to ensure that the cloud solution that they choose can be integrated with the current cloud storage technologies already in place.
Which of the following statements regarding Recovery Time Objectives is true?
A. The technology chosen must be able to meet the five-hour requirement and be cost effective
B. The technology chosen must meet the time requirement for RTO, no matter the cost
C. The technology chosen to meet the RTO must be able to meet the corporate needs
D. The RTO technology must be able to recover the data storage within five hours
C. The technology chosen to meet the RTO must be able to meet the corporate needs
Explanation:
The RTO is the time it will take to do the work of recovery of the particular system, in this case data storage. The time of five hours in the question is actually the Recovery Point Objective (RPO), which is effectively how much data can be lost, which eliminates two of the answers.
The technology chosen must meet the corporate needs, but spending money, no matter the cost, is not wise. It is essential for security to spend money wisely. The money spent must be chosen based on a cost/benefit basis.
