Pocket Prep 9 Flashcards
Silas is the new information security manager working with a multinational corporation’s Disaster Recovery (DR) team. They are working on gaining a better understanding of this business and its requirements in the face of disasters. They have been able to determine that a critical database server must be back online within five hours of failure. If it is offline for longer than that, the cost to the business would be extreme. The next step is to determine the cost of a server failing by performing a quantitative assessment. What is the name of that next value?
A. Annualized Loss Expectancy (ALE)
B. Recovery Time Objective (RTO)
C. Single Loss Expectancy (SLE)
D. Maximum Tolerable Downtime (MTD)
C. Single Loss Expectancy (SLE)
Explanation:
The Single Loss Expectancy (SLE) is calculated by multiplying the asset’s value with the Exposure Factor (EF). The EF is the expected percentage of loss of the asset. It may be 100% in extreme conditions, but it may be only a fraction of that for many of the incidents that could occur.
Annualized Loss Expectancy (ALE) is a risk management metric that helps organizations estimate the financial impact of a specific risk over a one-year period. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO).
Maximum Tolerable Downtime (MTD) is a business continuity metric that quantifies the maximum acceptable duration of a service or system outage without causing significant harm to an organization’s operations, reputation, or financial viability. It represents the time limit within which an organization must recover its critical functions or systems to avoid severe consequences. This value is in the question; the value is five hours.
Recovery Time Objective (RTO) is a critical metric used in business continuity planning to define the maximum acceptable downtime or duration within which a system, process, or service must be restored after an incident or disruption. RTO represents the target timeframe for recovery activities to be completed and operations to resume at an acceptable level.
An information security manager works at a hospital, and she is responsible for the upcoming audit. The hospital must be in compliance with the Health Insurance Portability and Accountability Act (HIPAA). So she has been working hard to ensure that the audit will go smoothly. Which of the following is the first step she started with?
A. Define audit program objectives
B. Gap analysis
C. Audit fieldwork
D. Identify scope and restrictions
A. Define audit program objectives
Explanation:
Audit planning is made up of the following main steps, which occur in the following order:
1. Define audit program objectives
2. Gap analysis
3. Define audit objective and deliverables
4. Identify auditor and qualifications
5. Identify scope and restrictions
6. Audit fieldwork
7. Audit reporting
8. Audit follow-up
Defining the objectives must be the first step in the audit plan because it will lay the groundwork for the rest of the plan.
Padma has been working with her corporation to determine how to address the risk that they have uncovered in their annual review of the Business Continuity/Disaster Recovery (BC/DR) plan. Is there a scenario where it makes sense to simply accept the risk that has been discovered?
A. When there is a low chance the risk will actually occur, but if it did occur, it would be devastating to the organization
B. When the cost to mitigate the risk outweighs the cost to simply deal with the risk if it were to occur
C. When there is a low risk but moderate impact, and there are no protection measures in place
D. When the cost of mitigating the risk and the cost of dealing with the risk when it occurs are about the same
B. When the cost to mitigate the risk outweighs the cost to simply deal with the risk if it were to occur
Explanation:
There are some instances where organizations will choose to accept risk rather than to do anything to deal with it. This is typically done whenever the cost to mitigate the risk outweighs the cost to simply deal with the risk when or if it were to occur.
It is unlikely that a corporation would simply accept a risk if it could be overwhelming for an organization. That would be a low likelihood but high impact.
If there is a low risk and moderate impact, it is possible that the risk will just be accepted, but it is much more likely that some kind of control would be put in place.
If the cost of mitigation and the cost of the impact are about the same, this too may just be accepted, but it is more likely that some kind of control would be put in place.
So, out of all these scenarios, the most likely answer is a risk that costs much more to mitigate than to experience.
Raj is working on configuring the Infrastructure as a Service (IaaS) deployment for his corporation. He is looking for a virtual device that will be able to detect the presence of malicious actors within the virtual network. He also needs the virtual device to log the event and send alerts about the malicious activity as well as drop the packets that contain the malicious activity.
What type of virtual device would best meet these needs?
A. Database Activity Monitor (DAM)
B. Intrusion Detection System (IDS)
C. eXtensible Markup Language (XML) firewall
D. Intrusion Prevention System (IPS)
D. Intrusion Prevention System (IPS)
Explanation:
An IPS can perform all those operations, including the critical action of dropping the packets that contain malicious activity. An Intrusion Detection System (IDS) detects malicious traffic and potential intrusions. It can alert about the possible intrusion, but it isn’t able to block the intrusion.
An XML firewall is a firewall that focuses on XML traffic. A firewall has the ability to allow or block traffic. However, the focus of the device is different because it is looking for traffic to allow while blocking other traffic. It could be blocking specific traffic such as a specific protocol (e.g., telnet). It does not focus on looking for malicious actors. So, it is close to the right answer. However, IPS is a better fit for the scenario in the question.
A DAM sits in front of the database and monitors the users’ activities. It has become necessary to monitor the users’ activities inside the database, but there are many malicious actors that know about the internal log that is created, so they will work to destroy it. Therefore, another device is used in front of the database to monitor the users’ activities from the outside so that there is less of a chance a malicious actor will be able to destroy these logs. The DAM does not block activity, yet.
A cloud administrator needs to rapidly deploy an application package throughout a large cloud environment. Which of the following could this engineer use to accomplish this easily?
A. Key management
B. Hypervisor
C. Containers
D. Mobile Device Management (MDM)
C. Containers
Explanation:
A wrapper that contains all the configuration, code, and libraries needed for an application, which can be rapidly deployed across a cloud environment, is known as a container.
Virtual Machines (VMs) can be built on a hypervisor. On the virtual machine, the software can be loaded. This is not the best answer because of the word rapidly in the question. VMs are not as fast and easy to manage as containers.
Key management is for storing and protecting cryptographic keys. They are likely used somewhere in the application, but that is not the focus of the question. Deployment is the question.
MDM software is used to manage mobile devices. It gives administrators the ability to contain corporate data on a personal phone. Data can be deleted and the phone can be wiped when needed, among other features.
The storage technique that disperses data across multiple drives on different servers and then adds parity information that allows lost data to be recovered is referred to as which of the following?
A. Data encryption
B. Hashing
C. RAID
D. Redundant Array of Independent Drive (RAID)
D. Redundant Array of Independent Drive (RAID)
Explanation:
Erasure encoding is a technique employed by data dispersion to disperse data across many servers and then add parity information in a way that is similar to RAID 5. The main difference is that the drives are not within a single server as they are with RAID. On the chunks of data that are dispersed, a mathematical calculation is performed and the results are stored with the data. If chunks are lost, the parity bit enables the data to be reconstructed.
Hashing is a mathematical calculation that allows the integrity of data to be proven. Algorithms include MD5 and SHA 1/2/3.
Data encryption is the mathematical process that converts data from a readable format to unreadable but is reversible with decryption. The purpose is to protect the confidentiality of the data.
Samuel has been leading the incident response team in response to a bad actor’s actions within their network. They have started the investigation, and so far they have come to understand that they are missing a security control at the specific point of compromise. At which point during the incident response process are new security controls implemented?
A. Detect
B. Recover
C. Respond
D. Prepare
B. Recover
Explanation:
During the recovery phase of an incident response, the teams work to return everything to a normal status. This includes adding new countermeasures as needed based on the investigation of the incident. You must restore regular operation to your organization’s impacted systems.
The prepare phase is all the work done long before an incident occurs. It is necessary to prepare for many different incidents. Preparation is critical to being able to perform the right actions, in the right order, with the right team when needed.
Detection is arguably the first step in managing an actual incident. It is not possible to put any of those plans into use unless there is knowledge that something is actually happening.
The response phase includes containment of any ongoing incident. It also includes investigations and notifications to necessary parties.
A cloud administrator is building the network in their company’s Infrastructure as a Service (IaaS) deployment. Currently, they are configuring the switches with their Virtual Local Area Networks (VLANs). The VLANs that they are constructing are for the different departments within the organization. There is one for marketing, one for Research and Development (R&D), and many more.
Which of the following statements regarding VLANs is TRUE?
A. VLANs work the best if implemented in the same geographical location
B. VLANs are used to allow remote access for employees working outside the office
C. VLANs can be used across multiple data centers without concern for geographical location
D. VLANs are dependent on the physical wiring and cabling infrastructure
C. VLANs can be used across multiple data centers without concern for geographical location
Explanation:
VLANs are not dependent on the physical infrastructure at all, so this makes them ideal for network segmentation across multiple data centers without the need to worry about the geographical location. Vendors offer a variety of different VLAN options today, such as Private VLAN (PVLAN), Private eXtensible VLAN (PXVLAN), and so on.
Virtual Private Networks (VPN) are used to allow users remote access if they are out of the office or connecting to the cloud resources.
Fundamentally, CCSP is a data center exam. It is highly recommended that you understand networking basics and then the virtualized options in the cloud.
Which of the following cloud service offerings has the most potential exposure to virtualization-related security risks?
A. FaaS
B. IaaS
C. PaaS
D. SaaS
D. SaaS
Explanation:
A Software as a Service (SaaS) environment has all of the risks that IaaS and PaaS environments have, as well as new risks of its own. Some risks unique to SaaS include:
Proprietary Formats: With SaaS, a customer is using a vendor-provided solution. This may use proprietary formats that are incompatible with other software or create a risk of vendor lock-in if the organization’s systems are built around these formats.
Virtualization: SaaS uses even more virtualized environments than PaaS, increasing the potential for VM escapes, information bleed, and similar threats.
Web Application Security: Most SaaS offerings are web applications with a provided application programming interface (API). Both web apps and APIs have potential vulnerabilities and security risks that could exist in these solutions.
Which of the following network security controls might require access to mirroring services provided by the cloud provider?
A. Geofencing
B. Zero Trust Network
C. Traffic Inspection
D. Network Security Groups
C. Traffic Inspection
Explanation:
Network security controls that are common in cloud environments include:
Network Security Groups: Network security groups (NSGs) limit access to certain resources, such as firewalls or sensitive VMs or databases. This makes it more difficult for an attacker to access these resources during their attacks.
Traffic Inspection: In the cloud, traffic monitoring can be complex since traffic is often sent directly to virtual interfaces. Many cloud environments have traffic mirroring solutions that allow an organization to see and analyze all traffic to its cloud-based resources.
Geofencing: Geofencing limits the locations from which a resource can be accessed. This is a helpful security control in the cloud, which is accessible from anywhere.
Zero Trust Network: Zero trust networks apply the principle of least privilege, where users, applications, systems, etc., are only granted the access and permissions that they need for their jobs. All requests for access to resources are individually evaluated, so an entity can only access those resources for which they have the proper permissions.
An engineer needs to provision a new cloud service and is able to do so without ever interacting with the cloud provider. What is this known as?
A. On-demand self-service
B. Resource pooling
C. Interoperability
D. Reversibility
A. On-demand self-service
Explanation:
In cloud computing, on-demand self-service is the ability for cloud customers to add, configure, and provision a new cloud service without ever needing to interact with the cloud provider. This is usually done through a web portal and is an integral component of the pay-as-you-go cloud billing model.
Resource pooling is a part of the virtualization capability created by hypervisors. The hypervisor abstracts the hardware capabilities of the physical server so that it can be dynamically allocated to virtual machines. This includes CPU, memory, storage, and network capability.
Interoperability is defined in ISO 17788 as the ability for two different systems to exchange and then use a piece of data.
Reversibility is defined in ISO 17788 as the ability to retrieve all artifacts from the cloud provider and have them properly remove them from the cloud provider systems.
Amanda is working with the software development team as they build their software for their customers’ use. They will be using an Application Programming Interface (API) to enable communication from the client to the server. They have decided they want to use the API that relies on the Hyper Text Transfer Protocol (HTTP) to support data formats such as eXtensible Markup Language (XML) or JavaScript Object Notation (JSON).
Which API did they choose?
A. SOAP
B. XML-RPC (Remote Procedure Call)
C. REpresentational State Transfer (ReST)
D. JSON-RPC
C. REpresentational State Transfer (ReST)
Explanation:
The REpresentational State Transfer (REST) API relies on the HTTP protocol and supports a variety of data formats, including both XML and JSON. It allows for caching, which increases performance and scalability.
SOAP is an XML-based API.
XML-RPC is an XML-based API.
JSON-RPC is a JSON-based API.
Only ReST offers both JSON and XML options.
A cloud provider would like to use information on one of their cloud customers for advertising purposes. Before they can do this, they must get explicit permission from the cloud customer to do so. Which key principle of International Standards Organization/International Electrotechnical Committee (ISO/IEC) 27018 does this scenario fall into?
A. Disclosure to Third Parties
B. Purpose Limitation
C. Consent
D. Transparency
C. Consent
Explanation:
ISO/IEC 27018 is a standard that is focused on the protection of personal data in cloud computing. The five key principles of ISO/IEC 27018 include communication, consent, control, transparency, and independent and yearly audits. Consent refers to cloud providers getting explicit permission from a cloud customer before they can use their data or information in any way.
Purpose Limitation refers to personal information that should only be collected and used for specified purposes, and organizations should communicate these purposes to individuals.
Transparency refers to organizations that must provide clear and understandable information about their privacy practices, including how personal information is collected, used, and disclosed in the cloud environment.
Disclosure to Third Parties refers to organizations having controls and agreements in place to ensure that personal information is not disclosed to third parties without the individual’s consent unless required by law.
AWS Lambda is BEST described by which of the following cloud service models?
A. PaaS
B. FaaS
C. SaaS
D. IaaS
B. FaaS
Explanation:
Cloud services are typically provided under three main service models:
Software as a Service (SaaS): Under the SaaS model, the cloud provider offers the customer access to a complete application developed by the cloud provider. Webmail services like Google Workspace and Microsoft 365 are examples of SaaS offerings.
Platform as a Service (PaaS): In a PaaS model, the cloud provider offers the customer a managed environment where they can build and deploy applications. The cloud provider manages compute, data storage, and other services for the application.
Infrastructure as a Service (IaaS): In IaaS, the cloud provider offers an environment where the customer has access to various infrastructure building blocks. AWS, which allows customers to deploy virtual machines (VMs) or use block data storage in the cloud, is an example of an IaaS platform.
Function as a Service (FaaS) is a form of PaaS in which the customer creates individual functions that can run in the cloud. Examples include AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions.
Violet is working with the Incident Response Teams (IRT) as they build and test their Incident Response Plans (IRP). As the teams are building out their plans, they are determining the steps they need to take when an incident does occur—for example, if there is an Indication of Compromise (IoC) that causes the Security Operations Center (SOC) to initiate the response by the team.
If the team were to go through the analysis of the IoC and believe that it is a true IoC, what would be the next step?
A. Containment
B. Investigation
C. Triage
D. Recovery
C. Triage
Explanation:
Incident management exists to help organizations plan for incidents, identify when they occur, and restore normal operations as quickly as possible with minimum adverse impact. This is referred to as a capability, or the combination of procedures and resources needed to respond to incidents. It generally comprises three key elements: Incident Response Plan (IRP), Incident Response Team (IRT), and root-cause analysis.
Triage ensures an incident is dealt with correctly. It is important to determine how critical an incident is and prioritize the response appropriately.
We may wish that as soon as we see an IoC we could take steps to contain the incident, but triage must come first. It is necessary to prioritize the responses that we will take. In reality, if there is a trained team and SOC, then the amount of time between IoC and containment could be mere minutes.
Once the incident is contained and it is no longer causing damage, the investigation can occur. Here it is necessary to capture snapshots of Virtual Machines (VM) by capturing the contents of memory in the VM using Virtual Machine Introspection (VMI) tools and so on.
With full knowledge of the incident, it is now possible to recover and return systems to full, normal functioning levels.
If your knowledge is weak in this area, a good book from (ISC)2’s list of reference books is Incident Response in the Age of Cloud by Dr. Erdal Ozkaya. One thing to know about their recommended reading list is that these books are likely the source books for many of the exam questions. (For it to be on the exam, the question must be backed up by two reputable references.)