Pocket Prep 7 Flashcards

1
Q

Sigrid works for a Cloud Service Provider and has been certified against ITIL. She knows that ITIL addresses the practices needed within a data center to provide the services that it needs for its customers. What is the name of the practice that ensures service will be there in the case of a horrible natural disaster that has affected the area?

A. Business continuity management
B. Incident management
C. Disaster recovery management
D. Continuity management

A

D. Continuity management

Explanation:
Continuity management is the term used by ITIL. They do not use the terms disaster or business continuity. Continuity management is the practice of ensuring that services are available and perform at a level sufficient in the event of a disaster.

According to NIST, disaster recovery would be the correct term. They define a disaster recovery plan as “a written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.”

Business continuity management is more inclusive. It is defined by NIST as “the documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.”

ITIL does use the term incident management. That is the practice of minimizing the impact of unplanned interruptions or reductions in the quality of service.

2
Q

A software developer is looking for a way to avoid installing and running application software directly within the operating system. As an alternative, it is suggested they should begin storing applications and any associated library files in the cloud. Which cloud service is being discussed?

A. Virtual machines
B. Hypervisors
C. Containerization
D. Virtualization

A

C. Containerization

Explanation:
Containerization is the process of putting all objects into a container. Developers can accomplish this by packaging a program they have written along with all necessary components for the program’s execution. Application containers isolate application files and dependencies from the container’s host system. Containerization is a lightweight alternative to installing and running applications directly within an operating system.

Hypervisors, in particular type 1, are thin operating systems that allow for virtual machines to be built. Virtual machines include the operating system. This is the process of virtualization.

Arguably, containers are a type of virtualization, but containerization directly matches the question.

3
Q

A cloud information security specialist needs to find out when a document was originally created. What could this engineer look at to find this information?

A. Data tags
B. Data labels
C. Data classification
D. Metadata

A

D. Metadata

Explanation:
Metadata is information about data, including the type of data, when the data was created, where the data is stored, and more.

Classification tells us the sensitivity of the document/file/etc., but it does not have information about when it was created. The classification can be found on the label (data labels) but usually no date information is given.

Data tags can be used to track the billing department or a project, but they do not say when the data was created.

4
Q

The lead information security specialist working with the team that is going to move their internal communications capability to a cloud provider with a Software as a Service (SaaS) solution is currently determining what their business will be responsible for managing.

Of the following, which list includes the responsibilities of the customer?

A. Data security, governance, risk management and compliance, setting up firewall security for the communications software
B. Data security, governance, risk management and compliance, software security as well as managing the security of the platform.
C. Governance, risk management and compliance, data security and defining the Service Level Agreements (SLA)
D. Governance, risk management and compliance, data security and hypervisor access control security

A

C. Governance, risk management and compliance, data security and defining the Service Level Agreements (SLA)

Explanation:
Correct answer: Governance, risk management and compliance, data security and defining the Service Level Agreements (SLA)

Governance, Risk management and Compliance (GRC) is the responsibility of the customer in the shared responsibility model. The cloud provider has their own GRC, but all the clues between the question and the answers point to the shared responsibility model, which is the customer’s responsibility. GRC is also in the remaining answer options.

Data security from the shared responsibility model is also the customer’s responsibility. The cloud provider has a responsibility to protect the data in their possession, but if something happens, the customer is ultimately responsible for their data. Their mistake could have been choosing the wrong cloud provider.

Defining the SLAs that are needed by the customer should be the customer’s responsibility. They may need help and guidance from a consultant or even the cloud provider, but it is the customer’s responsibility to communicate their needs.

Platform security is shared if this is Platform as a Service (PaaS), or the customer’s responsibility if it is Infrastructure as a Service (IaaS), but it is the cloud provider’s responsibility in SaaS.

Setting up firewall security for SaaS is the cloud provider’s responsibility. For PaaS and IaaS, it would be the customer’s responsibility; however, the question clearly states SaaS.

Hypervisor access control is always the responsibility of the cloud provider. The exception is if a business is building their own private cloud.

5
Q

Which of the following best practices supports vulnerability and patch management practices?

A. Configuration Management and Change Management
B. Isolated Network and Robust Access Controls
C. Scheduled Downtime and Maintenance
D. Logging and Monitoring

A

C. Scheduled Downtime and Maintenance

Explanation:
Some best practices for designing, configuring, and securing cloud environments include:

Redundancy: A cloud environment should not include single points of failure (SPOFs) where the outage of a single component brings down a service. High availability and duplicate systems are important to redundancy and resiliency.
Scheduled Downtime and Maintenance: Cloud systems should have scheduled maintenance windows to allow patching and other maintenance to be performed. This may require a rotating maintenance window to avoid downtime.
Isolated Network and Robust Access Controls: Access to the management plane should be isolated using access controls and other solutions. Ideally, this will involve the use of VPNs, encryption, and least privilege access controls.
Configuration Management and Change Management: Systems should have defined, hardened default configurations, ideally using infrastructure as code (IaC). Changes should only be made via a formal change management process.
Logging and Monitoring: Cloud environments should have continuous logging and monitoring, and vulnerability scans should be performed regularly.
6
Q

Emery has been tasked with finding a solution or tool for her company. The problem they are trying to solve is to find a way to share their training videos with their customers. The videos are related to products they sell. They need a way to control who sees the content with the ability to remove access to old videos as their product changes.

What kind of product should she be looking for?

A. Cloud Software as a Service
B. Cloud Data Loss Prevention
C. Cloud Digital Rights Management
D. Cloud Intrusion Detection System

A

C. Cloud Digital Rights Management

Explanation:
Cloud Digital Rights Management (DRM) implementations include auditing, expiration, policy control, protection, and support for applications and formats. This would allow her company to share the video files with their customers and have control over them so that old videos can be removed or rights can be taken away from a customer if necessary. DRM is sometimes referred to as Information Rights Management (IRM).

Cloud Data Loss Prevention (DLP) is a tool to help control where data flows but also looks for traffic that should not be sent. For example, a file classified as secret should not be sent in an email.

Cloud Software as a Service (SaaS) could be how the DRM tool is delivered to the customer. This is a more generic answer though, so DRM is a better answer because of the details in the question.

Cloud Intrusion Detection System (IDS) would be analyzing traffic looking for the transmissions from bad actors. It is not concerned with useful data flows or who should be able to see what traffic.

7
Q

When selecting a cloud service provider, what is the MOST preferred attestation report to receive from vendors providing cloud services?

A. SOC 2, Type 1
B. SOC 2, Type 2
C. SOC 1, Type 2
D. SOC 3

A

B. SOC 2, Type 2

Explanation:
A SOC 2, Type 2 attestation report is the most desirable attestation report to receive from vendors providing cloud services. A SOC for Service Organizations: Trust Services Criteria (SOC 2) provides information about the control objectives relating to the five trust principles: security, availability, processing integrity, confidentiality, and privacy. The scope of the Type 2 report is limited to a specified time period and includes information about the controls’ presentation, system and design suitability, and operational efficacy in achieving the related control objective.

The scope of a Type 1 report is determined by a single precise date rather than an extended time period as with a Type 2 report. So a Type 1 can only attest to the system’s design but not its operational efficacy.

A SOC 1 report has to do with an audit of “the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements,” as stated by the AICPA.

A SOC 3 is designed for public distribution. It is the likely report that a requestor would receive about a cloud service provider. However, the question is about the most preferred. The most preferred has the most information about security controls, their designs, and efficacy at the cloud provider. That is a SOC 2, Type 2.

8
Q

The cloud enables operations in geographically dispersed places and increases hardware and data redundancy. What is the end result of this in terms of disaster recovery and business continuity?

A. Lower Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)
B. Lower Recovery Point Objectives (RPO) and Recovery Service Level (RSL)
C. Higher Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
D. Lower Recovery Time Objectives (RTO) and Higher Recovery Point Objectives (RPO)

A

A. Lower Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)

Explanation:
The capacity to operate in geographically remote locations and to provide increased hardware and data redundancy results in lower Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for disaster recovery and business continuity. It is easier to bring new/replacement systems up in other regions if there has been a major disaster. The RTO is the amount of time it takes to bring a system online. With images, you just spin up a new image on a different server as long as you have a copy of that image. Backing up data can also be easier, which reduces the RPO. The RPO is the amount of data that the business can tolerate losing.

The Recovery Service Level (RSL) measures the percentage of the total production service level that needs to be restored to meet BCDR objectives.
9
Q

A bank has built a disaster recovery plan for their datacenter. Their plan is to fail over from their traditional datacenter into the cloud. They have now contracted a cloud provider for an Infrastructure as a Service (IaaS) environment. They have constructed all the virtual machines that make up the virtual datacenter. Now they are going to test that those systems work and can operate for the business.

Which type of disaster recovery plan testing are they conducting?

A. Simulation
B. Full interruption
C. Tabletop
D. Parallel

A

D. Parallel

Explanation:
In a parallel test, team members replicate the procedures necessary if a disaster occurs without disrupting the operation of the running business and data center.

A full interruption test causes a fail over to the alternate processing site, which in this case is the IaaS cloud.

A tabletop exercise is where team members talk their way through the plan. This should be done before a parallel test.

A simulation should come after a tabletop exercise and before a parallel test. The best example of this would be a fire drill: actions are taken, but a real fire is not started. This does not have much use in a cloud environment though.

10
Q

A real estate company is planning to move the services that they have built in an on-premises datacenter into the cloud. They have found that there are Software as a Service (SaaS) providers that have the capabilities that they need. One of their concerns is that it is possible that they will be attacked by bad actors because of the confidential information that they store regarding their customers and their loan applications. If there is an attack, they will need access to data that is vital to the Incident Response (IR) process.

Of the following, which is TRUE regarding eDiscovery?

A. Only log files can be recovered during eDiscovery in a traditional data center environment
B. Only log files can be recovered during eDiscovery in a cloud environment
C. eDiscovery in a cloud environment is typically easier and less complex than eDiscovery in a traditional data center
D. eDiscovery in a traditional data center is typically easier and less complex than eDiscovery in a cloud environment

A

D. eDiscovery in a traditional data center is typically easier and less complex than eDiscovery in a cloud environment

Explanation:
Within a traditional data center environment, any systems needed for an investigation can easily be physically isolated and preserved. In a cloud environment, most cloud customers do not own their own hardware but instead share physical hardware in the cloud. Due to this, eDiscovery is typically easier and less complex in a traditional data center than in a cloud environment. It is unlikely that a server can be seized in the cloud to support a company’s discovery in a SaaS deployment.

It is possible to obtain more than log files in both a cloud and a traditional data center. The on-prem data center would be owned by the cloud customer (in this question), and therefore they can obtain anything they need for eDiscovery and incident response. It is possible to get the log files and more, even in a SaaS environment, but that would need to be discussed and negotiated before the contract is signed.

11
Q

Which of the following is NOT listed by the CCSP as something that requires continuous monitoring?

A. Network Security Groups
B. Artificial Intelligence
C. Endpoint Security Tools
D. Honeypots

A

C. Endpoint Security Tools

Explanation:
Monitoring security controls is essential to detecting and remediating attacks. Some common controls to monitor include:

Network Security Controls: Network security solutions such as firewalls, intrusion detection/prevention systems (IDPS), network security groups, web application firewalls (WAFs), and other solutions should be continually monitored to identify any issues and potential signs of an attack.
Honeypots: A honeypot is a dummy system designed to attract an attacker’s attention and waste their time while allowing defenders to detect and observe the attack. Monitoring honeypots can provide advance warning of potential threats.
Artificial Intelligence (AI): AI is increasingly integrated into security tools to help identify events and trends of interest. AI-enabled systems can help to fight alert overload and security fatigue.

Endpoint security is an important part of a cybersecurity program, but it is not listed by the CCSP as a core control to monitor. For some cloud environments, such as Platform as a Service and Software as a Service, there is no endpoint for the customer to manage and secure.
12
Q

Which of the following, published by the Cloud Security Alliance (CSA), provides a detailed framework and approach for handling controls that are pertinent and applicable in a cloud environment?

A. Consensus Assessment Initiative Questionnaire (CAIQ)
B. Cloud Controls Matrix (CCM)
C. National Institute of Standards & Technology (NIST) Special Publication 800-53
D. International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27017

A

B. Cloud Controls Matrix (CCM)

Explanation:
The Cloud Controls Matrix (CCM) outlines a detailed approach for handling controls in a cloud environment. The Cloud Controls Matrix was developed and published by the Cloud Security Alliance.

The CAIQ is a questionnaire that a Cloud Service Provider (CSP) can fill out and then register themselves with the Security, Trust, Assurance, and Risk (STAR) Registry.

NIST and ISO are different organizations than the CSA.

NIST SP 800-53 (the latest revision is 5, which is not something you need to worry about for the exam) is titled “Security and privacy controls for information systems and organizations.” Overly simplified, it is a list of security controls.

ISO/IEC 27017 is also overly simplified to a list of security controls. This document is specific to cloud controls. Its proper title is “Code of practice for information security controls based on ISO/IEC 27002 for cloud services.”

Neither (ISC)2 nor the CSA mentions the other in its materials. It is unknown if this exam is still a joint venture between the two organizations. However, that is how it started, so it would not hurt to know about the CCM and CAIQ before you take the exam. The CSA guidance document and their SecaaS documents are still good reads in preparation for the exam.

13
Q

Which of the following necessary attributes of evidence disallows selectively presenting evidence to support a case?

A. Accurate
B. Complete
C. Authentic
D. Convincing

A

B. Complete

Explanation:
Typically, digital forensics is performed as part of an investigation or to support a court case. The five attributes that define whether evidence is useful include:

Authentic: The evidence must be real and relevant to the incident being investigated.
Accurate: The evidence should be unquestionably truthful and not tampered with (integrity).
Complete: The evidence should be presented in its entirety without leaving out anything that is inconvenient or would harm the case.
Convincing: The evidence supports a particular fact or conclusion (e.g., that a user did something).
Admissible: The evidence should be admissible in court, which places restrictions on the types of evidence that can be used and how it can be collected (e.g., no illegally collected evidence).
14
Q

A public cloud provider that primarily sells Platform as a Service (PaaS) deployments, both server-based and server-less, recently had a breach. The source of the breach is related to a failure that was found too late. The hypervisor that they chose to use had a vulnerability in how it managed the Central Processing Unit (CPU) utilization among the customers.

What type of threat is this known as?

A. Malicious insiders
B. Advanced persistent threats
C. Shared technology issues
D. Insufficient logging and monitoring

A

C. Shared technology issues

Explanation:
Shared technology issues occur in the cloud when the cloud provider has not properly secured CPU and memory utilization. Multitenancy and resource pooling are how the cloud works, and it is up to the cloud provider to add additional layers of security to ensure that each cloud customer has access to only their own data and not that of others who may be sharing the same environment.

Insufficient logging and monitoring is very common, and it has been since long before the prevalence of the cloud. Logging and monitoring is essential to know if any issues or threats have been exploited within a network of any kind.

Malicious insiders are coworkers who are up to no good. They could be trying to destroy the company because they are disgruntled or are selling corporate secrets to someone else, among many more issues.

Advanced Persistent Threats (APT) are particularly nasty and sophisticated attacks. They most commonly occur between countries as opposed to a bad actor attacking the average company.

15
Q

Generally Accepted Privacy Principles (GAPP) is a standard consisting of many privacy principles, one of which is regarding the utilization of information that is collected by an organization. What does the use principle say?

A. The organization can utilize the information for anything except offering it for sale. They must notify the customer of its imminent deletion, so the customer can opt back in if they choose.
B. The organization can utilize information for the purpose for which it was collected and within expected use beyond that. They are allowed to store the information in archival status for up to 50 years.
C. The organization can utilize the information for the original stated purpose and for the following seven years. At the end of that time, it must be disposed of appropriately and permanently.
D. The organization can utilize information for only the purpose for which it was collected and only for a limited amount of time. At the end of that time, it must be disposed of appropriately and permanently.

A

D. The organization can utilize information for only the purpose for which it was collected and only for a limited amount of time. At the end of that time, it must be disposed of appropriately and permanently.

Explanation:
Correct answer: The organization can utilize information for only the purpose for which it was collected and only for a limited amount of time. At the end of that time, it must be disposed of appropriately and permanently.

The Generally Accepted Privacy Principles (GAPP) is a standard that consists of 10 key principles. The use, retention, and disposal principle states that use of personal information is limited to the purposes for which it was collected in the notice the individual consented to. The organization can then retain that information only for as long as it is needed to fulfill that purpose. At the end of that time, it must be disposed of appropriately and permanently.

16
Q

Paige works for a Cloud Service Provider (CSP). She works on the deployment of new hardware to the data center. When new equipment is placed in the data center, it must be configured, and the operations team may need the ability to remotely manage the actual equipment and its operating system and configurations.

What is used to gain access?

A. Keyboard, Video, Mouse (KVM)
B. Uninterruptible Power Supply (UPS)
C. Internet Protocol Security (IPSec)
D. Transmission Control Protocol (TCP)

A

A. Keyboard, Video, Mouse (KVM)

Explanation:
When a piece of hardware is added to a data center, a physical keyboard and monitor are plugged in, or a laptop is connected, for its initial configuration. Then a Keyboard, Video, Mouse (KVM) switch allows for remote administration. It allows administrators to access and control multiple servers from a single location, eliminating the need for physical proximity to each individual server.

Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol Suite (TCP/IP) and is widely used for reliable and connection-oriented communication between network devices. It operates at the transport layer of the TCP/IP model and provides a reliable, ordered, and error-checked delivery of data packets over IP networks. TCP/IP can carry Remote Desktop Protocol (RDP), Secure Shell (SSH), and other remote administration protocols, but that is not quite what the question is asking for.

Internet Protocol Security (IPSec) is a protocol suite used to secure Internet Protocol (IP) communications by providing authentication, integrity, and confidentiality for network traffic. It is commonly used in Virtual Private Networks (VPNs) and other secure network connections. IPsec operates at the network layer of the TCP/IP protocol stack and can be used to secure communication between two endpoints or between network gateways. IPSec is not used to connect to and configure equipment in the data center.

An Uninterruptible Power Supply (UPS) is an electrical device used to provide backup power to connected devices or systems in the event of a power outage or disruption. It serves as a bridge between the main power source and the devices it powers, ensuring uninterrupted operation and protecting against power-related issues.

17
Q

Which of the following is NOT considered one of the three main building blocks for a cloud environment’s management plan?

A. Orchestration
B. Rapid elasticity
C. Scheduling
D. Maintenance

A

B. Rapid elasticity

Explanation:
Rapid elasticity is a concept that exists in cloud computing referring to the ability to quickly add more resources when necessary. It is not one of the building blocks of the management plan.

The three main building blocks that make up a cloud environment’s management plan include orchestration, maintenance, and scheduling.

18
Q

Which of the following involves identifying how data is used to inform access controls and compliance efforts?

A. Data labeling
B. Data dispersion
C. Data flow diagram
D. Data mapping

A

C. Data flow diagram

Explanation:
Data dispersion is when data is distributed across multiple locations to improve resiliency. Overlapping coverage makes it possible to reconstruct data if a portion of it is lost.

A data flow diagram (DFD) maps how data flows between an organization’s various locations and applications. This helps to maintain data visibility and implement effective access controls and regulatory compliance.

Data mapping identifies data requiring protection within an organization. This helps to ensure that the data is properly protected wherever it is used.

Data labeling contains metadata describing important features of the data. For example, data labels could include information about ownership, classification, limitations on use or distribution, and when the data was created and should be disposed of.

19
Q

A university is looking to make its environment as green as possible. They want to move to solar and wind power to generate enough power for the entire university, including the student dormitories. They have installed smart thermostats throughout the classroom buildings. They have the ability to monitor the current temperature, both inside the classrooms and outside the building. This way, they can adjust each building individually based on its needs.

What can enhance this Internet of Things capability?

A. Fog computing
B. Internet of Things
C. Edge computing
D. Cloud computing

A

C. Edge computing

Explanation:
Edge computing is the idea of moving the processing to the logical edge of the network as close to the user and their systems as possible. This manages bandwidth, enhances privacy controls, and if the internet is not accessible, they can continue to manage the temperature locally.

Fog computing is a term that Cisco created that is gaining traction. Fog computing moves the processing of data to a local fog node or IoT gateway.

Cloud computing is what this entire course and certification is about. In domain 1, the focus is understanding that the cloud, especially a public cloud, is using servers and services located in a data center somewhere, hopefully not too far away, but then again, it can be for redundancy purposes.

The Internet of Things is considered by some to just be the connecting of things such as manufacturing equipment to the internet. Others consider it to be anything connected to the internet. Neither is right. It is good to know both to be able to sort out questions.

20
Q

An administrator working in a data center noticed that the humidity level was 80% relative humidity. What threat could this cause to systems?

A. Condensation may form, causing water damage
B. Systems may overheat and fry internal components
C. 80% relative humidity is within the ideal range, so it does not pose any risk to systems
D. Excess electrostatic discharge could damage systems

A

A. Condensation may form, causing water damage

Explanation:
The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge, which may cause damage to systems.

21
Q

Which of the following types of storage includes block and file storage?

A. Ephemeral
B. Raw
C. Volume
D. Object

A

C. Volume

Explanation:
Cloud-based infrastructure can use a few different forms of data storage, including:

Ephemeral: Ephemeral storage mimics RAM on a computer. It is intended for short-term storage that will be deleted when an instance is deleted.
Long-Term: Long-term storage solutions like Amazon Glacier, Azure Archive Storage, and Google Coldline and Archive are designed for long-term data storage. Often, these provide durable, resilient storage with integrity protections.
Raw: Raw storage provides direct access to the underlying storage of the server rather than a storage service.
Volume: Volume storage behaves like a physical hard drive connected to the cloud customer’s virtual machine. It can either be file storage, which formats the space like a traditional file system, or block storage, which simply provides space for the user to store anything.
Object: Object storage stores data as objects with unique identifiers associated with metadata, which can be used for data labeling.

22
Q

Which of the following operation controls and standards is MOST related to frameworks such as the ISO 27000 series or the NIST RMF?

A. Service Level Management
B. Information Security Management
C. Release Management
D. Problem Management

A

B. Information Security Management

Explanation:
Standards such as the Information Technology Infrastructure Library (ITIL) and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1 define operational controls and standards, including:

Change Management: Change management defines a process for changes to software, processes, etc., reducing the risk that systems will break due to poorly managed changes. A formal change request should be submitted and approved or denied by a change control board after a cost-benefit analysis. If approved, the change will be implemented and tested. The team should also have a plan for how to roll back the change if something goes wrong.
Continuity Management: Continuity management involves managing events that disrupt availability. After a business impact assessment (BIA) is performed, the organization should develop and document processes for prioritizing the recovery of affected systems and maintaining operations throughout the incident.
Information Security Management: Information security management systems (ISMSs) define a consistent, company-wide method for managing cybersecurity risks and ensuring the confidentiality, integrity, and availability of corporate data and systems. Relevant frameworks include the ISO 27000 series, the NIST Risk Management Framework (RMF), and AICPA SOC 2.
Continual Service Improvement Management: Continual service improvement management involves monitoring and measuring an organization’s security and IT services. This practice should be focused on continuous improvement, and an important aspect is ensuring that metrics accurately reflect the current state and potential process.
Incident Management: Incident management refers to addressing unexpected events that have a harmful impact on the organization. Most incidents are managed by a corporate security team, which should have a defined and documented process in place for identifying and prioritizing incidents, notifying stakeholders, and remediating the incident.
Problem Management: Problems are the root causes of incidents, and problem management involves identifying and addressing these issues to prevent or reduce the impact of future incidents. The organization should track known incidents and have steps documented to fix them or workarounds to provide a temporary fix.
Release Management: Agile methodologies speed up the development cycle and leverage automated CI/CD pipelines to enable frequent releases. Release management processes ensure that software has passed required tests and manages the logistics of the release (scheduling, post-release testing, etc.).
Deployment Management: Deployment management involves managing the process from code being committed to a repository to it being deployed to users. In automated CI/CD pipelines, the focus is on automating testing, integration, and deployment processes. Otherwise, an organization may have processes in place to perform periodic, manual deployments.
Configuration Management: Configuration errors can render software insecure and place the organization at risk. Configuration management processes formalize the process of defining and updating the approved configuration to ensure that systems are configured to a secure state. Infrastructure as Code (IaC) provides a way to automate and standardize configuration management by building and configuring systems based on provided definition files.
Service Level Management: Service level management deals with IT’s ability to provide services and meet service level agreements (SLAs). For example, IT may have SLAs for availability, performance, number of concurrent users, customer support response times, etc.
Availability Management: Availability management ensures that services will be up and usable. Redundancy and resiliency are crucial to availability. Additionally, cloud customers will be partially responsible for the availability of their services (depending on the service model).
Capacity Management: Capacity management refers to ensuring that a service provider has the necessary resources available to meet demand. With resource pooling, a cloud provider will have fewer resources than all of its users will use but relies on them not using all of the resources at once. Often, capacity guarantees are mandated in SLAs.
23
Q

Estelle works as the information security manager in the Security Operations Center (SOC). The operators have begun to analyze the Indications of Compromise (IoC) that have begun to come in quite rapidly. They are seeing a flood of Transmission Control Protocol (TCP) synchronize (SYN) packets. What type of attack are they experiencing?

A. Broken authentication
B. Denial-of-service
C. Fraggle attack
D. Cross site scripting (XSS)

A

B. Denial-of-service

Explanation:
A denial-of-service attack occurs when a large amount of useless traffic is sent to a system, thereby overloading the system’s resources and making it unable to respond to legitimate requests. In a cloud environment, it’s possible for a denial-of-service attack to affect all clients of the affected cloud provider. This particular attack is likely a SYN flood attack.

A Fraggle attack uses UDP to cause a DoS; it is similar to a Smurf attack, which uses ICMP.

An XSS attack is a web-based attack. XSS comes in two flavors: reflected and stored. An XSS attack injects incorrect information into the page that the user sees. This can result in a variety of problems, including the user being redirected to a hacker’s web page without their knowledge.

Broken authentication occurs in a variety of ways. These threats are problems with the mechanism that authenticates the user at the end of the connection. Examples include storing passwords in the clear or failing to manage sessions properly, such as not timing out inactive sessions.

24
Q

The analysis of the data generated by a cloud feasibility study to identify areas where cloud solutions may fall short of meeting specific requirements is referred to as what type of assessment?

A. Vulnerability assessment
B. Risk assessment
C. Gap analysis
D. Feasibility study

A

C. Gap analysis

Explanation:
The current and future IT resource requirements of a business are diverse. To move forward, you must close the gap between where you are now and where you want to be. You can identify all areas in which gaps exist by means of a gap analysis. A gap analysis can be done in many places.

Risk assessments are performed when a quantitative and/or qualitative analysis of potential threats is performed. The threats are then assessed for likelihood and impact.

Vulnerability assessments are usually performed on live networks, looking for unpatched systems, open ports, or a variety of other problems.

A feasibility study is usually performed before projects are fully taken on to see if it makes sense to continue with that specific project.

25
Q

Carlos is working as the information security specialist with the cloud architecture team. They are concerned about ensuring the continuity of services for their customers. Their corporation is in the southeastern part of the US, specifically southern Florida. They are utilizing a local cloud data center for its Platform as a Service (PaaS). As they are planning for disruptions, there are several events that they can think of and plan for.

Which of the following is likely to be their first concern?

A. Moving to a new office
B. Global warming
C. Acts of war
D. A major hurricane

A

D. A major hurricane

Explanation:
There are many incidents which can result in the initiation of a Business Continuity / Disaster Recovery (BC/DR) plan. Since they are in the southeastern part of the US and their cloud provider is nearby, their first concern is likely to be a major hurricane.

Moving to a new office should not cause a disruption that would require a BC/DR plan to be initiated. If they have planned for a hurricane and a move does cause a disruption, the plan should be able to help them.

Acts of war are possible just about anywhere on the planet, though some places are more likely than others. Southeastern Florida is not high on the list of likely places for an act of war to occur. However, if they have planned for a major hurricane, that plan may also help them if they do experience an act of war.

Global warming is a problem for the planet. It is a potentially large problem for southern Florida, which is not far above sea level at the moment. It is possible that southern Florida will be under water again in the future as the planet warms and the glaciers melt. It is not the most immediate concern, though. A major hurricane is likely the first concern.

26
Q

A small company is opening downtown, and they will be processing credit cards using Software as a Service (SaaS) technology. The security manager is learning that it is necessary to protect the credit card data that will be in their possession. The customer’s name and account information is considered what type of data?

A. Payment Card Industry (PCI)
B. Protected Health Information (PHI)
C. Application Programming Interface (API)
D. Personally Identifiable Information (PII)

A

D. Personally Identifiable Information (PII)

Explanation:
Personally Identifiable Information (PII) is a type of data that can either directly or indirectly identify an individual. The customer’s name and account information would be considered Cardholder Data (CD), which is a specific type of PII that relates to information such as credit/debit card numbers, security codes, expiration dates, and any information that ties these items to the cardholder.

PCI is the industry. The requirement to protect any credit card data is a contractual agreement with the PCI. That agreement is known as the Payment Card Industry Data Security Standard (PCI DSS). This is not the right answer because the question asks about the type of data, not the industry.

PHI is health data that must be protected in the US under the Health Insurance Portability and Accountability Act (HIPAA). The question is about credit cards, not health information.

APIs are request/response protocols such as Representational State Transfer (REST) and SOAP. APIs may be used to communicate with SaaS, but that is not the focus of the question.

27
Q

Intellectual property (IP) protected under a non-disclosure agreement (NDA) is classified as which type of private data?

A. Personally Identifiable Information
B. Payment Data
C. Protected Health Information
D. Contractual Private Data

A

D. Contractual Private Data

Explanation:
Private data can be classified into a few different categories, including:

Personally Identifiable Information (PII): PII is data that can be used to uniquely identify an individual. Many laws, such as the GDPR and CCPA/CPRA, provide protection for PII.
Protected Health Information (PHI): PHI includes sensitive medical data collected regarding patients by healthcare providers. In the United States, HIPAA regulates the collection, use, and protection of PHI.
Payment Data: Payment data includes sensitive information used to make payments, including credit and debit card numbers, bank account numbers, etc. This information is protected under the Payment Card Industry Data Security Standard (PCI DSS).
Contractual Private Data: Contractual private data is sensitive data that is protected under a contract rather than a law or regulation. For example, intellectual property (IP) covered under a non-disclosure agreement (NDA) is contractual private data.
28
Q

Allison is looking for a technology that she can utilize to manage the network more effectively. What she would like is a way to centrally control the network and provision resources more effectively than traditional networking. What would you recommend?

A. Storage Area Network (SAN)
B. Software Defined Networking (SDN)
C. Domain Name System Security (DNSSec)
D. Transport Layer Security (TLS)

A

B. Software Defined Networking (SDN)

Explanation:
Software Defined Networking (SDN) allows central control of a virtual or physical network through a controller. The central controller allows for provisioning of resources, changing configuration settings, and controlling the network. This increases the security of the network as well.

DNSSec uses cryptographic authentication to verify DNS data as it is distributed throughout the DNS hierarchy. DNS is simply a mapping between a domain name, such as www.PocketPrep.com, and an IP address such as 104.21.26.77 (an arbitrary example).

A SAN is a local area network of storage devices. It usually uses Fibre Channel (FC) or iSCSI.

TLS is a protocol for encrypting, among other things, web page transmissions.

29
Q

Data security comprises three core aspects. Of the following, which is NOT one of these three core aspects?

A. Availability
B. Encryptability
C. Integrity
D. Confidentiality

A

B. Encryptability

Explanation:
Encryptability is not one of the core aspects of security. Encryption is the transformation of data so that it cannot be read without the corresponding key. If something cannot be encrypted, that could be a challenge to security, but encryptability is not a core aspect. It is something we do to protect both the confidentiality and the integrity of data.

The three main concepts of data security are confidentiality, integrity, and availability. This is often known as the CIA triad. Although privacy is part of confidentiality, it is sometimes thought of, along with nonrepudiation, as an additional core aspect of data security.

30
Q

The terms “protection profile” and “evaluation assurance level (EAL)” are associated with which of the following?

A. Common Criteria
B. FedRAMP
C. G-Cloud
D. FIPS 140-2

A

A. Common Criteria

Explanation:
Cloud providers’ systems may be subject to certification against standards that address a specific component, such as a cryptographic module. Examples of these system/subsystem product certifications include:

Common Criteria: Common Criteria (CC) are guidelines for comparing various security systems. A protection profile describes the security requirements of systems being compared, and the evaluation assurance level (EAL) describes the level of testing performed on the system, ranging from 1 (lowest) to 7 (highest).
FIPS 140-2: Federal Information Processing Standard (FIPS) 140-2 is a US government standard for cryptographic modules. FIPS compliance is necessary for organizations that want to work with the US government and mandates the use of secure cryptographic algorithms like AES.

FedRAMP and G-Cloud are standards used by the US and UK governments, respectively.

31
Q

Which of the following is NOT part of the DREAD acronym for cybersecurity threat modeling?

A. Denial of Service
B. Reproducibility
C. Damage
D. Exploitability

A

A. Denial of Service

Explanation:
Several different threat models can be used in the cloud. Common examples include:

STRIDE: STRIDE was developed by Microsoft and identifies threats based on their effects/attributes. Its acronym stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
DREAD: DREAD was also created by Microsoft but is no longer in common use. It classifies risk based on Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.
32
Q

Which of the following cloud data encryption options is MOST likely to use keys controlled by the cloud provider?

A. Storage-Level Encryption
B. Volume-Level Encryption
C. File-Level Encryption
D. Application-Level Encryption

A

A. Storage-Level Encryption

Explanation:
Data can be encrypted in the cloud in a few different ways. The main encryption options available in the cloud are:

Storage-Level Encryption: Data is encrypted as it is written to storage using keys known to/controlled by the CSP.
Volume-Level Encryption: Data is encrypted when it is written to a volume connected to a VM using keys controlled by the cloud customer.
Object-Level Encryption: Data written to object storage is encrypted using keys that are most likely controlled by the CSP.
File-Level Encryption: Applications like Microsoft Word and Adobe Acrobat can encrypt files using a user-provided password or a key controlled by an IRM solution.
Application-Level Encryption: An application encrypts its own data using keys provided to it before storing the data (typically in object storage). Keys may be provided by the customer or CSP.
Database-Level Encryption: Databases can be encrypted at the file level or use transparent encryption, which is built into the database software and encrypts specific tables, rows, or columns. These keys are usually controlled by the cloud customer.
33
Q

Alia is working with the software developers through the DevOps process as an information security manager. She is focused on threat modeling for a specific software project. When should threat modeling be performed?

A. During the development phase as the code is being created
B. Early in the software development lifecycle, the requirements phase
C. Throughout the whole of the software development lifecycle
D. After the requirements are understood and before development

A

C. Throughout the whole of the software development lifecycle

Explanation:
Threat modeling should be performed throughout the whole of the lifecycle. It is critical to always be assessing what could happen and how to prevent those attacks, breaches, failures, etc.

The steps are as follows:

Define security requirements
Create an application overview
Identify threats
Mitigate threats
Validate threat mitigation

Good information about threat modeling can be found at OWASP’s website.

34
Q

Linnea is the cloud administrator and is now configuring the Platform as a Service (PaaS) server-based deployment for her company on a public cloud provider. She needs to know what the agreed upon Central Processing Unit (CPU) speed and bandwidth are to configure this appropriately. Where could Linnea find this information?

A. Service Level Agreement (SLA)
B. Master Services Agreement (MSA)
C. Privacy Level Agreement (PLA)
D. Memorandum of Understanding (MoU)

A

A. Service Level Agreement (SLA)

Explanation:
The SLA is the document that specifies the requirements the cloud provider must meet for contractual satisfaction between the cloud customer and the cloud provider. The requirements are usually measurable, such as bandwidth and CPU performance.

The MSA is the agreement between the Cloud Service Provider (CSP) and the Cloud Customer (CC). This defines their role in the relationship.

The PLA is a generic form of the Data Processing Agreement (DPA) for GDPR or the Business Associate Agreement (BAA) for HIPAA. This tells the cloud provider the type of personal data that is being stored and processed on their systems and the level of protection the CC expects from the CSP.

The MoU defines the broad agreement that the two parties, CSP and CC, have agreed to and is not as common with cloud services.

35
Q

Canh has been working with the Disaster Recovery (DR) planning team to build a plan that will have the cloud environment fail over to another provider in the event of a disaster. They have been able to establish the needs of the plan and the configurations to enable a failover if the primary cloud provider has a massive failure.

The plan should not be considered valid until which of the following has been completed?

A. Revisions
B. Testing
C. Nothing extra
D. Reports

A

B. Testing

Explanation:
A Disaster Recovery (DR) plan can only be considered valid after it has gone through testing to ensure that it is accurate and works as expected. Testing should be done often and regularly. There are various types of tests that can be done against a BC/DR plan, including walk-through tests (also called tabletop tests), simulations, and full-interruption tests.

Revisions would not happen until there is a plan that is in place and tested and functional. Reports happen at different stages of development, testing, and maintenance. Neither reports nor revisions validate a plan though.

Nothing extra is definitely not a valid answer since the plan must be tested.

36
Q

Which of the following is NOT a common type of MFA factor?

A. Something you have
B. Something you are
C. Somewhere you are
D. Something you know

A

C. Somewhere you are

Explanation:
Multi-factor authentication requires a user to provide multiple authentication factors to gain access to their account. These factors must come from two or more of the following categories:

Something You Know: Passwords, security questions, and PINs are examples of knowledge-based factors.
Something You Have: These factors include hardware tokens, smart cards, or smartphones that can receive or generate a one-time password (OTP).
Something You Are: Biometric factors include fingerprints, facial recognition, and similar technologies.

While these are the most common types of MFA factors, others can be used as well. For example, a “somewhere you are” factor could use an IP address or geolocation to determine the likelihood that a request is authentic.

37
Q

Which of the following is NOT an example of a functional security requirement in the cloud?

A. Availability
B. Portability
C. Interoperability
D. Vendor Lock-In

A

A. Availability

Explanation:
Functional requirements refer to aspects of a system, device, or user that are necessary for it to do its job. Common examples of functional security requirements in the cloud are portability, interoperability, and vendor lock-in.

38
Q

Dana has been developing a business case to propose to the Board of Directors (BoD). This proposal is about moving to the cloud. As she has been weighing the different options for cloud deployment, she and her team have been exploring public, private, and hybrid clouds. They currently have a moderate-sized datacenter that works with many traditional operating systems.

Which of the following could they have determined to be a benefit of using a public cloud deployment in particular?

A. Inexpensive
B. Security
C. Control over systems
D. Full ownership of data

A

A. Inexpensive

Explanation:
A public cloud is often considered the least expensive cloud deployment option. Public clouds are available to the general public, and customers only pay for the services that they use. All expenses, including licensing, hardware, bandwidth, and operational costs, are handled by the provider.

Public clouds do not offer full control over the systems in the way that private clouds do. If they move to Infrastructure as a Service (IaaS), they will have control over all the virtual systems, including routers, switches, servers, and security appliances. However, the question does not say they are moving to IaaS, and even if they do, they will not have control over the physical systems.

They always, or should always, have full ownership of the data, so that is not a benefit of public versus private or hybrid.

The security of the environment cannot be determined by saying public versus private. Many consider public to be less secure. If that is the case, it is not a benefit of public clouds.

39
Q

A public Cloud Service Provider (CSP) has sold Platform as a Service (PaaS) services to a real estate company. They worked with Daniel, the lead cloud architect, to design how their data would flow across the systems and enable the users to do their jobs. The CSP then worked with a manufacturing company to build a virtual Data Center (vDC). They worked with Shana at the manufacturing company to ensure that they had everything they needed to build their Infrastructure as a Service (IaaS) environment.

What characteristic of the public cloud is the CSP responsible for securing for these companies?

A. Measured service
B. Encryption
C. Broad network access
D. Multi-tenancy

A

D. Multi-tenancy

Explanation:
Multi-tenancy is a characteristic of clouds, including private clouds. The tenants must be isolated from each other. In a private cloud, the tenants are different projects or departments. If this is not protected properly, there is a serious concern that data could leak between the two companies, or worse. A good document to read is ISO/IEC 17788, which lists multi-tenancy as the sixth characteristic of cloud computing.

Encryption is something that needs to be done by the CSP and each of the tenants. It is a good idea to encrypt storage, hard drives, files, file storage, block storage, images, and everything else. This is a concern that both the CSP and the tenants are responsible for ensuring.

Measured service simply means that the tenants will be billed for the services that they use. It is not a security concern, especially with multiple tenants.

Broad network access means that if a user or customer has access to the network, they can access the cloud services.

40
Q

River has been in the process of creating a golden image for the server installs in their Platform as a Service (PaaS) environment. She has been working to ensure that the user accounts and privileges are limited, that logging and auditing is enabled, and that the image has the latest patch levels. What activity has she been engaged in?

A. Controlling console-based access
B. Ensuring availability of the guest operating system
C. Operating System (OS) hardening
D. Securing the management plane

A

C. Operating System (OS) hardening

Explanation:
In computing, hardening is the process of securing a system by reducing its attack surface. OS hardening is the process of hardening a system by removing all nonessential services and software from that host. Removing the services and software that are not needed reduces the opportunities for attackers to gain access using one of those unnecessary services or programs. OS hardening also includes applying patches, controlling user and privileged accounts, configuring firewalls, configuring intrusion detection and prevention systems, enabling logging and auditing, and enabling encryption.

The management plane is the API-based and web-based interface through which cloud resources are configured, controlled, and deleted. It is necessary for all companies to ensure protection of this connection, and two-factor authentication is highly recommended here. This applies not just to the cloud provider’s access but also to the customers’ access into their own accounts.

Availability of a guest operating system is critical. That is actually what the golden image becomes: a guest OS on the physical server. So these activities do help, but overall the best answer is Operating System (OS) hardening.

Controlling console-based access is a physical activity. The console port is a physical port on a device for local configuration and management.