Pocket Prep CCSP Flashcards

Question 1

Q

Recently, your organization has decided it will be using a third-party for its cloud migration. This third-party organization requires access to numerous of your organization’s file servers. You must ensure that the third-party has access to the necessary resources. What is the FIRST action your organization should take?

A. Provide minimal access for the third-party
B. Establish a written IT security policy for the third party
C. Monitor third-party access to resources
D. Conduct vendor due diligence on the third party

Answer

A

D. Conduct vendor due diligence on the third party

Explanation:
Before granting access to any resource, you should conduct vendor due diligence for the third-party organization. This diligence is very similar to a risk assessment, but it is usually in the form of a questionnaire completed by the vendor and analyzed by the organization.

All other options should occur after the due diligence has been conducted on the vendor.

Question 2

Q

As cloud customers will access the cloud environment over a network, the networking infrastructure plays a major role in a successful cloud environment. Which of the following is the MOST basic of physical network components?

A. Switches
B. Routers
C. Wiring and Cabling
D. Firewalls

Answer

A

C. Wiring and Cabling

Explanation:
The most basic aspect of networking in a cloud environment is the actual wiring that goes into the network.

Switches, routers, and firewalls would be the next step up from the wiring and cabling.

Question 3

Q

An emerging concept driven by the decentralized nature of cloud applications and services which have appended the traditional model of network with a perimeter is called:

A. SAN
B. SSL
C. SDP
D. SDS

Answer

A

C. SDP

Explanation:
The software-defined perimeter (SDP) is a security architecture that restricts access to resources based on user identity and a “need to know” access control methodology. Before granting access to applications and network services, this technique requires device authentication and user identity verification.

Question 4

Q

The purpose of labeling data is to accomplish which of the following?

A. Classify data based on where its located within the organization
B. Protect data that can be considered sensitive or classified
C. Know all of the locations within an organization where data could be stored
D. Group data elements together and provide information about those elements

Answer

A

D. Group data elements together and provide information about those elements

Explanation:
Labels are similar to metadata, but they are applied by users or processes and are more informal than metadata. Labels are used to group data elements together and provide information about those elements. However, labels can only be successful if they are applied consistently throughout the organization.

Question 5

Q

When is the MOST optimal time to determine if data is classified as secure?

A. Use Phase
B. Create Phase
C. Archive Phase
D. Store Phase

Answer

A

B. Create Phase

Explanation:
When data is created during the create phase, the sensitivity of the data is known. It should then be handled properly from the beginning, as all additional phases will build off of the create phase.

Question 6

Q

Data rights management (DRM) is a practice that is encapsulated within which concept?

A. Interoperability and Portability
B. Information Rights Management
C. Supply Chain Management
D. Mobile Security

Answer

A

B. Information Rights Management

Explanation:
Data rights management (DRM) is an extension of normal data protection where additional security measures and controls are placed upon sensitive data. It is an extension of the information rights management (IRM) concept.

Question 7

Q

Which is NOT a way to measure business requirements and capabilities for business continuity and disaster recovery in the cloud?

A. Computing Power for Systems?
B. How long are you down?
C. How much capacity for data?
D. How much data may you lose?

Answer

A

C. How much capacity for data?

Explanation:
How much data storage capacity is not a good indicator of business requirements and capabilities for continuity and disaster recovery in the cloud. Three metrics are used to assess business capabilities: RTO, which indicates how long systems are down, RPO, which indicates how much data may be lost, and recovery service level (RSL), which indicates how much processing power is required to maintain systems following a disaster.

Question 8

Q

Cloud security is a challenge. What aspect of cloud computing creates new complexities to security in the cloud?

A. Measured Service
B. Encryption
C. Broad network access
D. Multi-tenancy

Answer

A

D. Multi-tenancy

Explanation:
Multi-tenancy used in cloud computing creates new complexities to security in the cloud. Data transmissions between systems within the same cloud are potential security concerns and sources of vulnerability for data theft.

All other options are key cloud computing characteristics.

Question 9

Q

An organization has decided that the best course of action to handle a specific risk is to obtain an insurance policy. The insurance policy will cover any financial costs of a successful risk exploit.

Which type of risk response is this an example of?

A. Risk Mitigation
B. Risk Avoidance
C. Risk Transfer
D. Risk Acceptance

Answer

A

C. Risk Transfer

Explanation:
When an organization obtains an insurance policy to cover the financial burden of a successful risk exploit, this is known as risk transfer. It’s important to note that with risk transfer, only the financial losses would be covered by the policy, but it would not do anything to cover the loss of reputation the organization might face.

Question 10

Q

In a SaaS environment, if either SQL injection or cross-site scripting vulnerabilities exist within any SaaS implementation, every customer’s data becomes at risk. Of the following, what is the BEST method for preventing this type of security risk?

A. The provider should ensure that anti-virus software is up to date within their environment.
B. The provider should ensure that there is a patch scheduled in place and that it is adhered to
C. The provider should sign a contract stating that they are liable for any breaches
D. The provider should have different data stores for each customer and keep all customers as segregated as possible

Answer

A

D. The provider should have different data stores for each customer and keep all customers as segregated as possible

Explanation:
Without proper segmentation, all customers will be susceptible to vulnerabilities that exist anywhere in the environment. To mitigate this risk, the provider should have different data stores for each customer and keep all customers as segregated as possible.

Question 11

Q

As you are drafting your organization’s cloud data destruction policy, which of the following is NOT a consideration that may affect the policy?

A. Compliance and Governance
B. Data Discovery
C. Business Processes
D. Retention Requirements

Answer

A

B. Data Discovery

Explanation:
You should not consider data discovery when determining an organization ‘s data destruction policy. While you may discover data during other stages of the data lifecycle, this is irrelevant at the time of destruction. Compliance and governance standards, data retention requirements, and business processes should be considered while developing a data destruction policy.

Question 12

Q

WSUS and MDT can be used for maintaining which types of environments?

A. Windows
B. vSphere
C. Macintosh
D. Linux

Answer

A

A. Windows

Explanation:
WSUS (Windows server update service) and MDT (Microsoft deployment toolkit) can be used in conjunction to manage and maintain a Windows environment. WSUS is used to perform patch management. MDT is a collection of tools which can facilitate the automation of server and desktop deployments.

Question 13

Q

The OWASP Top 10 lists XML external entities (XXE) on their current list of security vulnerabilities. Which of the following is an example of XXE?

A. A developer has left sensitive data about the directory structure of the application inside their code
B. A malicious actor is able to send untrusted data to a user’s browser without going through any validation
C. An application is not performing any validation on the browser tokens used to access the application
D. A website is not using proper input validation on their data fields of their application

Answer

A

A. A developer has left sensitive data about the directory structure of the application inside their code

Explanation:
During development, it’s not uncommon for developers to leave comments or notes in their code. While this is not inherently an issue, it can become an issue when the comments and notes are not removed before the code is published. An XML external entity occurs when a developer leaves references to items such as the directory structure of the application, configuration about the hosting system, or any other information about the inner workings of the application itself, in the code.

Question 14

Q

In which security test does the tester try to actively attempt to attack or compromise a live system using the same types of tools that an actual attacker would use to simulate a real-life scenario?

A. RASP
B. Penetration test
C. Vulnerability Scan
D. SAST

Answer

A

B. Penetration test

Explanation:
During a penetration test, the tester is trying to actively break into the live systems. This is meant to simulate a real-life scenario and, therefore, the tester will use the same type of tools that an actual attacker would use to compromise a system.

During static application security testing (SAST), the tester has knowledge of and access to the source code, and all testing is done in an offline manner. Vulnerability scans are usually done by an organization against their own systems to ensure that their systems are hardened against known vulnerabilities. Runtime application self-protection (RASP) is a security mechanism that helps applications protect themselves by blocking attacks in real time.

Question 15

Q

Which of the following is focused on providing the required system resources needed to meet SLA requirements in a cost-effective manner?

A. Continuity Management
B. Service Level Management
C. Capacity Management
D. Change Management

Answer

A

C. Capacity Management

Explanation:
Capacity management is concerned with having and providing the required system resources to meet SLA requirements of customers in a cost-effective and efficient manner. It’s important to ensure that systems are not under-provisioned, leading to service and performance issues, but also not over-provisioned, leading to higher costs to the organization.

Question 16

Q

Which of the following is NOT considered one of the three main building blocks for a cloud environment’s management plan?

A. Rapid Elasticity
B. Orchestration
C. Scheduling
D. Maintenance

Answer

A

A. Rapid Elasticity

Explanation:
The three main building blocks that make up a cloud environment’s management plan include orchestration, maintenance, and scheduling.

Rapid elasticity is a concept that exists in cloud computing referring to the ability to quickly add more resources when necessary. It is not one of the building blocks of the management plan.

Question 17

Q

A security engineer is implementing mechanisms that are used to allow and deny possible actions on the network. What are these mechanisms called?

A. Security regulations
B. Firewalls
C. BCDR Plans
D. Security Controls

Answer

A

D. Security Controls

Explanation:
Mechanisms put in place to allow or deny specific actions on a network are known as security controls. It is the cloud security engineer’s responsibility to ensure that the proper security controls are put in place to keep their organization safe.

Question 18

Q

Cloud service providers will have clear requirements for items such as uptime, customer service response time, and availability. Where would these requirements MOST LIKELY be outlined for the client?

A. RTO
B. NIST
C. SLA
D. RPO

Answer

A

C. SLA

Explanation:
Requirements such as uptime, customer service response time, and availability should be outlined in a service level agreement (SLA). When a provider doesn’t meet their SLA requirements, it could lead to termination of the contract or financial benefits to the cloud customer.

Question 19

Q

A cloud administrator would like to reduce the risk of vendor lock-in. What cloud shared consideration should the administrator be looking for?

A. Availability
B. Reversibility
C. Versioning
D. Interoperability

Answer

A

B. Reversibility

Explanation:
Reversibility is a metric that indicates the ease with which your cloud services can be migrated between cloud environments. Due to the fact that solutions must be able to migrate between CSPs and to and from the cloud, reversibility reduces vendor lock-in.

Question 20

Q

An engineer is performing threat modeling. She is using a model that has “tampering with data” listed as one of the categories. Which model is this engineering using?

A. REST
B. TOGAF
C. DREAD
D. STRIDE

Answer

A

D. STRIDE

Explanation:
STRIDE is one of the most prominent models used for threat modeling. Tampering with data is included in the STRIDE model. DREAD is another model, but it does not include tampering with data as a category. TOGAF and REST are not threat models. STRIDE includes the following six categories:

    Spoofing identify
    Tampering with data
    Repudiation
    Information disclosure
    Denial of service
    Elevation of privileges

Question 21

Q

Anyone who uses or consumes data which is owned by another data owner is considered which of the following?

A. Data custodian
B. Data steward
C. Data owner
D. Data Controller

Answer

A

A. Data custodian

Explanation:
A data custodian is anyone who uses or consumes data which is owned by someone else. The data custodians must adhere to any policies set forth by the data owner in regard to the use of the data.

Question 22

Q

In the cloud, data is frequently stored in order to be recovered later, if necessary. Which section of a data retention policy would outline the steps involved in this process?

A. Retention Formats
B. Retention Periods
C. Data Classification
D. Archiving and Retrieval Procedures

Answer

A

D. Archiving and Retrieval Procedures

Explanation:
The data retention policy’s archiving and retrieval procedures will detail how data should be stored in order to facilitate later recovery.

Question 23

Q

Violating the requirements of which type of PII is likely to result in criminal charges?

A. Regulated PII
B. Non-Disclosed PII
C. Contractual PII
D. Unrepresented PII

Answer

A

A. Regulated PII

Explanation:
There are two main types of PII (personally identifiable information) which include contractual PII and regulated PII. Failure to comply with requirements related to regulated PII could result in criminal charges in some jurisdictions, while violating contractual PII requirements is more likely to only result in a contractual penalty.

Non-disclosed PII and unrepresented PII are not recognized types of PII.

Question 24

Q

During which phase of the software development lifecycle should testing requirements be defined?

A. Requirement gathering and feasibility
B. Testing
C. Maintenance
D. Development/Coding

Answer

A

A. Requirement gathering and feasibility

Explanation:
During the first phase of the software development lifecycle, requirement gathering and feasibility, the risk and testing requirements are defined. Having these requirements in place before development and testing even begins helps to ensure the success of the project.

Question 25

Q

Which of the following types of security tests would be considered a “white-box” test?

A. Penetration testing
B. SAST
C. Vulnerability Scanning
D. DAST

Answer

A

B. SAST

Explanation:
Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code.

Both penetration testing and dynamic application security testing (DAST) are considered “black-box” tests because the individual performing these tests are not given any special knowledge of the environment. Vulnerability scanning is neither a “white-box” or “black-box” test. Vulnerability scans are run against systems using known attacks and methodologies to verify that systems are properly hardened against them.

Question 26

Q

What cloud development fundamental is supported by security being a part of every step of an application development program?

A. Security as a business objective
B. Training and awareness
C. Security by design
D. Shared security and responsibility

Answer

A

C. Security by design

Explanation:
Security by design refers to the inclusion of security at every stage of the development process, rather than after an application has been released or in reaction to a security exploit or vulnerability. From application feasibility to retirement, security is an integral element of the process.

Question 27

Q

Maxwell is developing a DLP strategy. Which of the following is NOT a component of DLP that Maxwell has to be concerned with?

A. Enforcement
B. Evidence and Custody
C. Monitoring
D. Discovery and classification

Answer

A

B. Evidence and Custody

Explanation:
The major components of a data loss prevention (DLP) implementation include discovery and classification, monitoring, and enforcement.

Evidence and custody is not a common component of DLP implementations.

Question 28

Q

E-mails, pictures, videos, and text files are all examples of which of the following?

A. Morphed Data
B. Structured Data
C. Unmorphed Data
D. Unstructured Data

Answer

A

D. Unstructured Data

Explanation:
Unstructured data refers to any data that cannot be qualified as structured data. Unstructured data doesn’t conform to any defined data structures or formats. Examples of unstructured data include emails, pictures, videos, and text files.

Unmorphed and morphed data are not actual types of data.

Question 29

Q

Which of the following BEST describes the “create” phase of the cloud data lifecycle?

A. Any time data is considered new
B. Only when data first enters a system
C. Only when data is newly created or newly imported into a system
D. Only when data is modified into a new form

Answer

A

A. Any time data is considered new

Explanation:
The create phase is the initial phase of the cloud data lifecycle. While it may sound like data must be newly created from scratch in this phase, that is not the case. Rather, any time data can be considered new, it is in the create phase. This encompasses data which is newly created, data that is being imported from elsewhere, and also data that already exists but has been modified into a new form.

Question 30

Q

An engineer has been placed in charge of patch management on all Windows servers in the environment. Which free tool, offered by Microsoft, can assist this engineer with patch management?

A. DRS
B. RDP
C. VUM
D. WSUS

Answer

A

D. WSUS

Explanation:
The WSUS (Windows Server Update Service) is a free toolset offered by Microsoft to help with patch management. WSUS downloads patches and allows the administrators of the servers to control the installation of the patches in a centralized and automated manner.

Question 31

Q

Which type of AI is purely cognitive-based?

A. Humanized
B. Human-Inspired
C. Enhanced
D. Analytical

Answer

A

D. Analytical

Explanation:
Analytical artificial intelligence (AI) is solely cognitive-based, focusing on a system’s ability to analyze past data and make future decisions.

Question 32

Q

Of the following, which is NOT a tool used to detect and alert administrators of suspicious activity?

A. WSUS
B. IDS
C. NIDS
D. HIDS

Answer

A

A. WSUS

Explanation:
An IDS is an intrusion detection system. It will capture traffic and detect possible attacks or intrusions. A NIDS is a network intrusion detection system that captures all network traffic, while HIDS is a host intrusion detection system that only captures traffic for one specific host.

WSUS is a tool available to help with patch management and not a tool to help detect intrusions.

Question 33

Q

Which of the following BEST defines ARO?

A. The estimated number of times a threat will successfully exploit a vulnerability in a given year
B. The estimated amount of revenue that will be lost due to a single successful exploit
C. The amount of time a system can be operational before it will need to be replaced
D. The estimated amount of revenue that will be list in a given year

Answer

A

A. The estimated number of times a threat will successfully exploit a vulnerability in a given year

Explanation:
ARO stands for annualized rate of occurrence, which is defined by the estimated number of times a threat will successfully exploit a vulnerability in a given year. By multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO), you are able to determine the annual loss expectancy (ALE).

Question 34

Q

The requirement that providers must restrict physical access to cardholder data falls under which regulatory standard?

A. FIPS 140-2
B. SOC 1
C. NIST SP 800-53
D. PCI DSS

Answer

A

D. PCI DSS

Explanation:
The PCI DSS (payment card industry data security standard) is a series of 12 compliance requirements, one of which being that physical access to cardholder data must be restricted.

Question 35

Q

Of the following, which is an example of a direct identifier within PII?

A. ZIP Code
B. Gender
C. National Identification Number
D. Birth Date

Answer

A

C. National Identification Number

Explanation:
PII (personally identifiable information) is broken up into direct identifiers and indirect identifiers. Birth date, gender, and zip code would all be indirect identifiers because they would require more information along with them to identify a specific person.

National identification numbers and social security numbers are direct identifiers because they can identify a specific person without the need for additional information.

Question 36

Q

Which of the following is NOT a protection technique for virtualization systems?

A. Privileged Access
B. Separation of Duty
C. Standard Configurations
D. Least Privilege

Answer

A

A. Privileged Access

Explanation:
Privileged access must be strictly limited and should enforce least privilege and separation of duty. Therefore, it is not a virtualization system protection mechanism.

Standard configurations are agreed-upon baselines and aid in managing change, which provides protection for virtualization systems.

Question 37

Q

In the event of an ISP failure, the customer is responsible for ensuring communication with the CSP. Which of the following would be the BEST strategy for ensuring that a means of communication with the cloud vendor is always available?

A. Boundary Protection
B. Redundant ISP
C. Cloud to site VPN
D. Security Function Isolation

Answer

A

B. Redundant ISP

Explanation:
The best strategy for ensuring that a means of communication with a cloud vendor is always available when an interruption occurs would be to implement a redundant ISP.

All the other options are aspects that should be used in cloud access.

Question 38

Q

Cloud providers must have multiple and independent power feeds to ensure redundancy. What else is needed in case of a power failure on one of the power feeds?

A. Backup Router
B. Backup Internet
C. Generator
D. Firewall

Answer

A

C. Generator

Explanation:
Cloud providers will need to have multiple independent power feeds in case a power feed goes down. In addition, they will also typically have a generator or battery backup to serve in the meantime when a power feed goes out.

Cloud providers will likely have a backup internet provider for redundancy, but it will not help in the case of a power outage, nor will additional firewalls or routers.

Question 39

Q

An organization is considering implementing a new business continuity and disaster recovery (BCDR) strategy. Before moving forward with this, which of the following should the organization perform?

A. Onsite Technical Analysis
B. Vulnerability Scan
C. Cost-Benefit Analysis
D. Penetration Test

Answer

A

C. Cost-Benefit Analysis

Explanation:
When considering implementing a new BCDR strategy, organizations should first perform a cost-benefit analysis. This will provide insight to the stakeholders if the BCDR strategy is worth implementing. The cost-benefit analysis will compare the costs of a disaster and the impact of downtime against the cost of implementing the BCDR solution.

Question 40

Q

Data archiving and retention as it relates to official judicial or law enforcement requests is known as:

A. Law Retention
B. Regulatory Hold
C. Court Archiving
D. Legal Hold

Answer

A

D. Legal Hold

Explanation:
Organizations or individuals may need to archive and retain data that meets specific requirements to be used in legal court proceedings. This type of data retention is known as legal hold.

Question 41

Q

Members of your organization’s software development team are geographically dispersed and will work in a variety of time zones. Multiple developers will modify the configuration and source code files. How does your organization ensure that software code modifications are current and accurate?

A. Functional testing
B. Identity and Access management
C. Software Assurance Validation
D. Software Configuration Management

Answer

A

C. Software Configuration Management

Explanation:
Software configuration management (SCM) technologies are used to manage software assets and to ensure that changes are made in a timely and accurate manner. SCM enables changes to be rolled back. At the time of deployment, as well as during updates and patches, SCM tools are employed. Configuration management software enables auditing and reviewing configurations to ensure processes are being followed.

Question 42

Q

Which of the following is NOT classified as a physical or environmental control?

A. Locks
B. Intrusion Prevention System
C. UPSs
D. Biometrics

Answer

A

B. Intrusion Prevention System

Explanation:
An intrusion prevention system helps protect a network from malicious activity and intrusions, and therefore, is NOT considered a physical or environmental control.

Question 43

Q

In cloud environments, redundancy can be broken up into two areas: internal and external. Which of the following is an example of an internal redundancy?

A. Network circuits
B. Power substations
C. Power distribution units
D. Generator Fuel Tanks

Answer

A

C. Power distribution units

Explanation:
Internal redundancy includes power distribution units, power feeds to racks, cooling units, networking, storage units, and physical access points.

External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure.

Question 44

Q

Which emerging technology, that is still in the early phases of development, would allow for the manipulation of encrypted data without the need to unencrypt it?

A. Labeling
B. Tokenization
C. Homomorphic Encryption
D. Data De-Identification

Answer

A

C. Homomorphic Encryption

Explanation:
Encryption technologies are rapidly evolving. One new technology, which is still in the early phases of development and testing, is homomorphic encryption. Homomorphic encryption would allow for the manipulation of encrypted files without needing to unencrypt them.

Tokenization is the practice of utilizing a random or opaque value to replace what would otherwise be sensitive data. Data de-identification is the method of using masking, obfuscation, or anonymization to protect sensitive data. Labeling is a technology which can be used to group data elements together.

Question 45

Q

Your organization would like to automate a process that involves two applications. The data that moves between the applications must be synched in real time as well as one system that needs to boot up before the other. What can be used to synchronize the operations of these applications?

A. Orchestration
B. API Gateways
C. Tokenization
D. Sandboxing

Answer

A

A. Orchestration

Explanation:
Orchestration is a technique for synchronizing and orchestrating the operations of multiple apps that work together to complete a business activity. These are managed groups of applications, and their actions are choreographed based on the rules you establish.

Question 46

Q

Which term BEST describes the process of granting access to resources?

A. Federation
B. Identification
C. Authorization
D. Auditing

Answer

A

C. Authorization

Explanation:
Authorization is the process of granting access to resources.

Identification is the process of pinpointing either a system or individual in a way where they are distinct from any other identity. Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together. Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

Question 47

Q

Obfuscation is a method of which of the following?

A. Hashing
B. Key Management
C. Encryption
D. Data De-Identification

Answer

A

D. Data De-Identification

Explanation:
Methods of data de-identification include obfuscation, anonymization, and masking.

Question 48

Q

Your company has invested in a PaaS (platform as a service) development platform. What would the organization’s new role be?

A. Cloud Service Broker
B. Cloud Service Customer (CSC)
C. Cloud Service Provider (CSP)
D. Cloud Service Partner

Answer

A

B. Cloud Service Customer (CSC)

Explanation:
An organization or individual who purchases a cloud service is known as a cloud service customer (CSC).

Question 49

Q

Which of the following is NOT one of the four key areas of the physical cloud environment?

A. Network
B. CPU
C. Cabling
D. Disk

Answer

A

C. Cabling

Explanation:
The four key physical components of a cloud environment include CPU, disk, memory, and network. These components are the aspects that a cloud provider must ensure they have adequate resources for. There should be resources in these categories for both the current needs of cloud customers and future needs for the foreseeable future.

Cabling is not considered one of the key physical aspects of the cloud environment.

Question 50

Q

Your organization is conducting a test of its disaster recovery plan. The team members describe how they would carry out their responsibilities in a certain BC/DR scenario. Which type of disaster recovery plan testing are they conducting?

A. Parallel
B. Full Cutover
C. Simulation
D. Tabletop

Answer

A

D. Tabletop

Explanation:
In a tabletop exercise, participants are provided with scenarios and asked to describe how they will carry out their assigned activities in a certain business continuity/disaster recovery scenario. This enables members to comprehend their roles amid disaster.

All other options are types of business continuity and disaster recovery plan tests.

Question 51

Q

Which built-in VMware tool can be used to automate patches of both the vSphere hosts and the virtual machines running under them?

A. VUM
B. RDP
C. MDT
D. WSUS

Answer

A

A. VUM

Explanation:
VUM (vSphere Update Manager) is a utility which is built into VMware. VUM is able to automate patches of both the vSphere hosts as well as the virtual machines running under them. VUM also provides a dashboard which gives administrators a glimpse into their patching status across the environment.

Question 52

Q

Cloud environments call for high-availability and resiliency. What can be done to ensure that there is no downtime?

A. Ensure that there are no single point of failure
B. Only perform maintenance a couple of times a year
C. Create backups of the most important servers in the environment
D. Only perform updates and upgrades during non-business hours

Answer

A

A. Ensure that there are no single point of failure

Explanation:
Many cloud customers expect their systems to be available at all times. In order to maintain high-availability, it’s critical to ensure that there are not any single points of failure. While its good practice to perform updates and upgrades outside a business’ normal operating hours, many organizations today have locations across the globe and operate 24 hours a day. This means, that downtown at any time is going to be unacceptable. Cloud providers must find a way to perform updates and upgrades without causing any downtime.

Backing up systems is very important, but all systems must be backed up, not just a select few. Maintenance can’t be scheduled only a few times a year. It must be done whenever necessary so it’s important to be able to do the maintenance without causing any downtime to the customer.

Question 53

Q

Which major piece of 1996 legislation focused on the security controls and confidentiality of medical records?

A. GPDR
B. GLBA
C. HIPAA
D. SOX

Answer

A

C. HIPAA

Explanation:
HIPAA, also known as the Health Information Portability and Accountability Act of 1996, is a major piece of legislation which focused on protecting PHI (protected health information). HIPAA focuses on the security controls and confidentiality of medical records, rather than on specific technologies being used.

Question 54

Q

Where is the BIOS stored?

A. Disk
B. Firmware
C. Memory
D. System Board

Answer

A

B. Firmware

Explanation:
The BIOS is a form of firmware. It is typically stored in read-only memory. The BIOS is crucial for secure booting processes, as it verifies the hardware and firmware configurations of a system before allowing the operating system or applications to execute.

All other selections are components of the system.

Question 55

Q

Within a relational database, data is put into specific fields that have known structure and possible data values. The data in these databases is very easy to search and analyze.

What is this type of data called?

A. Unstructured Data
B. Unmappted Data
C. Structured Data
D. Sensitive Data

Answer

A

C. Structured Data

Explanation:
Structured data is data that has a known format and content type. One example of structured data is the data that is housed in relational databases. This data is housed in specific fields that have a known structure and potential values of data. Having the data organized in these fields makes it easy to search and analyze.

Question 56

Q

Which cloud computing role delivers value by aggregating services from many vendors, integrating them with an organization’s current infrastructure, and customizing services that a CSP cannot provide?

A. Cloud Service Customer
B. Cloud Service Provider (CSP)
C. Cloud Service Broker
D. Cloud Service Partner

Answer

A

C. Cloud Service Broker

Explanation:
Businesses will work with a cloud service broker to identify solutions that meet their cloud computing requirements. The broker will package services in the customer’s best interest. This may entail the use of multiple CSP services.

Question 57

Q

For which of the cloud service models does the cloud customer commonly have responsibility for patch management?

A. SaaS and PaaS
B. PaaS
C. SaaS
D. IaaS
E. IaaS and PaaS

Answer

A

E. IaaS and PaaS

Explanation:
The CSP is fully responsible for patch management of the underlying physical infrastructure, but IaaS and PaaS customers commonly have patch management responsibilities.

In a SaaS environment, the customer has no responsibility for patching.

Question 58

Q

A web application is using browser cookies for sessions and state. However, when the user logged out, the cookies were not properly destroyed. Another user had access to the same browser as the previous user and was able to log in using the same cookies from the previous session.

What is this an example of?

A. Security Misconfigurations
B. Sensitive Data Exposure
C. Broken Authentication
D. Broken Access Control

Answer

A

C. Broken Authentication

Explanation:
Broken authentication is one of the OWASP Top 10 vulnerabilities. Broken authentication occurs when an issue with a session token or cookie makes it possible for an attacker to gain unauthorized access to a web application. This can occur when session tokens are not properly validated, making it possible for an attacker to hijack the token and gain access. Another example of this can occur when cookies are not properly destroyed after a user logs out, making it possible for the next user to gain access with their cookies.

Question 59

Q

An organization would like to plan a test of a their business continuity and disaster recovery (BCDR) in which a real-world scenario is simulated as realistically as possible.

What type of BCDR test should they carry out?

A. Parallel Test
B. Walk through test
C. Paper Test
D. Full-Interruption

Answer

A

D. Full-Interruption

Explanation:
In a full-interruption BCDR test, a real life scenario is carried out as realistically as possible. During a full-interruption test, all of the production systems are shut down at the primary site, and operations are shifted to the backup site according to the disaster recovery plan.

Question 60

Q

Which of the following is NOT a type of blockchain?

A. Consortium
B. Semi-Open
C. Private
D. Hybrid

Answer

A

B. Semi-Open

Explanation:
There are four types of blockchain: private, public, consortium, and hybrid.

Semi-open is not a type of blockchain.

Question 61

Q

Your organization has tasked you with updating the IT best practices for your organization which includes updating the service strategy to include cloud practices. Which framework is your organization most likely using?

A. NIST CSF
B. COBIT 5
C. ITIL
D. ISO 27001

Answer

A

C. ITIL

Explanation:
Your organization is most likely using IT Infrastructure Library (ITIL) because it is an IT best practices framework. Its five core subjects are: Service strategy, Service design, Service transition, Service operation, and Continual improvement.

NIST CSF provides cybersecurity guidance, not IT best practices. ISO 27001 provides requirements for an information security management system (ISMS). COBIT 5 is a business framework for governance of IT.

Question 62

Q

An engineer just purchased a software suite for his organization. The software is hosted by a cloud provider and that cloud provider maintains and manages the application itself, as well the entire infrastructure and platform. The software is accessed over the Internet and is not installed locally on any employee’s machine.

What type of cloud service is being described here?

A. CaaS
B. PaaS
C. IaaS
D. SaaS

Answer

A

D. SaaS

Explanation:
Software as a Service (SaaS) is a cloud service in which the cloud provider manages and maintains everything from the application/software itself, to the servers they run on and the platform they were built on. The cloud client is not responsible for anything to do with managing the program; they can simply access it over the Internet.

Question 63

Q

An engineer needs to find out when a document was originally created. What could this engineer look at to find this information?

A. Data Maps
B. Data Tags
C. Metadata
D. Sanitized Data

Answer

A

C. Metadata

Explanation:
Metadata is information about data, including the type of data, when the data was created, where the data is stored, and more.

Question 64

Q

What toolset can provide assistance in database compliance, contractual, or regulatory requirements such as PCI-DSS, HIPAA and GDPR?

A. WAF
B. XML Firewall
C. API Gateways
D. DAM

Answer

A

D. DAM

Explanation:
Those who provide database activity monitor (DAM) services, as well as CSPs who provide services that are customized for their database offers, can do much more than monitor database consumption and usage patterns. Data discovery, data classification, and privileged use are all features that can be monitored in databases. Database compliance, contractual requirements, and regulatory requirements such as PCI-DSS, HIPAA, and GDPR needs can be addressed by database activity monitors.

Answer 65

A

A. To prevent log manipulation

Explanation:
Log manipulation occurs when a malicious actor is able to delete or modify the logs on a system. Sending or copying the logs to a centralized location such as a SIEM prevents this since the attacker may be able to delete them on the system itself, but will likely not have gotten access to the SIEM to change them there as well.

Answer 66

A

C. High costs for the environment

Explanation:
The organization should be cautious due to the fact that standalone hosting will cost more than pooled resources and multi-tenancy. The organization will need to gather and analyze their requirements to identify if the costs of standalone hosting are justifiable.

All the other options are characteristics of standalone hosting.

Answer 67

A

C. Sensitive Data Exposure

Explanation:
When creating and managing a web application it’s vital to keep sensitive user information private. Many web applications use data such as credit card information, authentication data, and other personally identifiable information. The OWASP Top 10 addresses these items under the sensitive data exposure vulnerability and states that applications should implement various security controls to protect sensitive user data.

Answer 68

A

B. Technology Provided

Explanation:
The cloud service provider (CSP) is responsible for providing the technology, but the customer is accountable for its use. Additionally, the client is accountable for setting up the environment and enforcing organizational policies.

Answer 69

A

B. CDN

Explanation:
A content delivery network (CDN) is a form of load balancing specifically designed for web servers. Its major purpose is to accelerate users’ access to web resources that are geographically dispersed. CDNs enable users in remote places to access web data via servers located closer to their location than the original web server.

Software defined storage (SDS), software defined networking (SDN) and raw device mapping (RDM) are incorrect options.

Answer 70

A

B. Network Security Group

Explanation:
A network security group (NSG) protects a group of cloud resources. It provides a set of security rules or virtual firewall for those resources. This gives the customer additional control over security.

A cloud gateway adds an additional layer of security by transferring data between the customer and the CSP away from the public internet. Contextual-based security leverages contextual information such as identification to assist in securing cloud resources. External access attempts from the public internet can be blocked by ingress controls. Egress controls are a technique for preventing internal resources from connecting to unauthorized and potentially harmful websites.

Answer 71

A

D. Web Application Firewall

Explanation:
By filtering HTTP/HTTPS traffic, a web application firewall (WAF) specifically addresses attacks on applications and external services. A WAF can assist in defending against SQL injection, cross-site scripting, and cross-site request forgery attacks.

Answer 72

A

C. Tenant

Explanation:
Any cloud customer who is sharing access to a pool of resources is known as a tenant.

Answer 73

A

B.Erasure Coding

Explanation:
Erasure encoding is a technique employed by data dispersion to encrypt data with parity bits added. This is quite similar to the concept of RAID storage parity bit calculation. On the segments, a mathematical calculation is performed and the results are stored with the data. If segments are lost, the parity bit enables the data to be recovered.

All other options are toolsets and technologies commonly used as data security strategies.

Answer 74

A

A. Availability

Explanation:
The organization is currently experiencing service availability issues. Due to the fact that this failure is not covered by the SLA’s requirements, the organization may file a claim against the service provider.

Answer 75

A

D. Level 4

Explanation:
The FIPS (Federal Information Processing Standard) 140-2 standard defines four levels of security. Level 1 is the lowest level of security and level 4 provides the highest level of security and tamper protection. Levels 2 and 3 are in between.

Answer 76

A

C. Cloud Auditor

Explanation:
A cloud auditor is uniquely tasked with the responsibility of auditing cloud systems and cloud-based applications. The cloud auditor is responsible for evaluating the cloud service’s efficiency and finding control gaps between the cloud customer and the cloud service provider, as well as the cloud broker, if one is utilized.

All the other options are types of auditors.

Answer 77

A

D. Abuse or nefarious use of cloud services

Explanation:
Abuse or nefarious use of cloud services is listed as one of the top twelve threats to cloud environments by the Cloud Security Alliance. Abuse or nefarious use of cloud services occurs when an attacker is able to launch attacks from a cloud environment either by gaining access to a poorly secured cloud or using a free trial of cloud service. Often times, when using a free trial, the attacker will configure everything using a fake identity so attacks can’t be traced back to him.

Answer 78

A

A. Federation

Explanation:
Federation is a set of base policies and technologies which allow systems to accept credentials without requiring an established user base to be present. This works by establishing policies and guidelines that each member of the federation must adhere to.

Answer 79

A

D. Continuity Management

Explanation:
Continuity management, sometimes known as business continuity management, is concerned with restoring systems and devices after a disaster or unexpected outage has occurred. Business continuity and disaster recovery (BCDR) plans are a part of continuity management.

Answer 80

A

B. All Applications

Explanation:
A denial of service attack occurs when a system is flooded with useless data from an attacker in an attempt to overload the system resources, making the system unavailable to valid users. All applications are possible targets for denial of service attacks. In order to help prevent denial of service attacks, developers should limit how many operations can be performed by non-authenticated users.

Answer 81

A

C. Cloud Service Integrator

Explanation:
A cloud service integrator is someone who connects (or integrates) existing systems and services to the cloud for a cloud customer.

Answer 82

A

D. SQL Injection

Explanation:
A SQL injection attack occurs when an attacker is able to send a properly formatted SQL SELECT statement through one of the input fields in the web applications. This malicious query can return information about the database that should not be publicly available. In order to prevent injection attacks, it’s important to ensure that any data sent through an input field is properly sanitized and validated.

Answer 83

A

A. It has been structurally tested

Explanation:
The possible EAL (evaluation assurance level) scores are as follows:

EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4- Methodically designed, tested, and reviewed
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified design and tested
EAL7 - Formally verified design and tested

Answer 84

A

C. Patching

Explanation:
Patching is used to fix bugs found in software, apply security vulnerability fixes, introduce new software features, and much more. Regardless of the types of applications and systems involved, all software will require regular patching. Before patches are applied, they should be properly tested and validated. There should be a process in place for patch management in each organization.

Answer 85

A

D. Maintenance

Explanation:
The management plan for operations in a cloud environment includes scheduling, orchestration, and maintenance. In a cloud environment it’s vital to ensure that careful planning and management are put in place to operate systems.

Answer 86

A

C. Cloud Service Partner

Explanation:
A cloud service partner is a third-party provider of cloud-based services (infrastructure, storage and application, and platform services) through the CSP with which it is associated. The third-party cloud service partner makes use of the cloud service provider’s service in this scenario.

Answer 87

A

D. NIST RMF

Explanation:
The NIST Risk Management Framework acts as a guide for risk management practices used by United States federal agencies.

NIST developed the NIST CSF to assist commercial enterprises in developing and executing security strategies. FedRAMP is a cloud-specific version of NIST 800-53 that contains policies and procedures to assist cloud service providers in adopting security controls and risk assessment.

ISO 31000 are “Risk Management - Guidelines,” to be used during the risk management process.

Answer 88

A

C. Information Security Management System

Explanation:
ISO/IEC 27001 provides guidelines for creating and managing an ISMS.

All other options would not use ISO/IEC 27001 as a guideline.

Answer 89

A

A. SaaS

Explanation:
Data sanitization in cloud environments already differs from that of on-prem environments since physical destruction methods are not possible. However, of the three types of cloud service models (which include IaaS, PaaS, and Saas), SaaS requires special consideration because the data is often far more interconnected than in the other two service models.

DaaS is not an accepted cloud service model.

Answer 90

A

D. Structured Data

Explanation:

Answer 91

A

C. Generators

Explanation:
External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure.

Internal redundancy includes power distribution units, power feeds to rack, cooling units, networking, storage units, and physical access points.

Answer 92

A

A. A healthcare organization that needs to keep all of its patients data secure, no matter the cost

Explanation:
Private clouds are the most expensive of the cloud deployments, but they are also the most secure. This is because the owner of the private cloud controls and retains ownership of all the data in that cloud. Healthcare organizations have to meet HIPAA requirements and, therefore, patient data must be kept extremely safe.

Answer 93

A

B. Implement the plan

Explanation:
The steps of developing a BCDR plan are as follows: Define scope, gather requirements, analyze, assess risk, design, implement, test, report, and finally, revise. Once an organization has completed all of the design phase, they are ready to implement their BCDR plan. Even though the plan has already gone through design, it will likely require some changes (both technical and policy-wise) during implementation.

Answer 94

A

B. Continuous Auditing

Explanation:
Continuous auditing ensures that you can provide an in-depth report on usage and access history for all files that are protected by data rights management.

Answer 95

A

D. An organizations that only requires certain items are kept very secure, but cant afford a full private cloud

Explanation:
Hybrid clouds are the best solution for any organization that requires the security of a private cloud for some, but not all, of their data. By only needing some of the data to be kept in a private cloud, the expense of building a full private cloud can be greatly reduced.

Answer 96

A

B. Anonymization

Explanation:
Anonymization is a method used in data de-identification. Unlike masking or obfuscation, in which the data is replaced, hidden, or removed entirely, anonymization is the process of removing any identifiable characteristics from data. It is often used in conjunction with another method such as masking.

Answer 97

A

D. Advanced Persistent Threat

Explanation:
Many types of malware and malicious programs are loud and aim to disrupt a system or network. Advanced persistent threats are the opposite. Advanced persistent threats (APTs) are attacks which attempt to steal data and stay hidden on the system or network for as long as possible. The longer the APT can stay in the system, the more data it is able to collect.

Answer 98

A

A. IaaS

Explanation:
Infrastructure as a Service (IaaS) providers will provide cloud customers with everything they need from a hardware standpoint, including routers, switches, firewalls, and servers. The customer will still be responsible for managing all of the software and operating systems, but will not need to manage any hardware.

Answer 99

A

C. Parallel

Explanation:
In a parallel test, team members replicate the procedures necessary in the event of a disaster. Their objective is to ensure that critical business operations can continue to function in parallel if existing systems are affected by a disaster.

All other options are types of business continuity and disaster recovery plan tests.

Answer 100

A

A. Portability

Explanation:
Portability is the feature that allows data to move between multiple cloud providers without any issues.

Interoperability is a term used to describe the ease with which components of an application can be moved or reused. Resiliency is the ability to recover quickly after an issue has occurred. Auditability is the ease with which a cloud environment can be audited.

Answer 101

A

D. Multi-tenancy

Explanation:
Resource pooling is one of the many benefits of cloud computing. Multiple clients share a set of resources, such as servers, storage, and application services, and each customer pays only for the resources they consume. This can create a problem when resources are pooled, since multi-tenancy may result, and a competitor or rival may share physical hardware with you. If the system is compromised, particularly the hypervisor, sensitive data may be exposed.

Answer 102

A

D. Data Breach

Explanation:
A data breach occurs when data is leaked or stolen, either intentionally or unintentionally.

Answer 103

A

D. There is never an appropriate scenario in which to accept a risk

Explanation:
There are times when a company may choose to simply accept a risk rather than do anything to deal with it. This is often done when the cost of mitigating the risk outweighs the cost of simply dealing with the consequences if the risk was to occur.

Answer 104

A

A. Reversibility

Explanation:
Reversibility is the ability of a cloud customer to quickly remove all data, applications, and anything else that may reside in the cloud provider’s environment, and move to a different cloud provider with minimal impact on operations.

Answer 105

A

B. Ensuring the confidentiality and integrity of their data

Explanation:
While things like uptime, cost, and preventing vendor lock-in are all important concerns, the primary concern when reviewing cloud providers should always be ensuring the confidentiality and integrity of data. Because of this, it’s vital that cloud customers know where and how their data is going to be stored at all times.

Answer 106

A

D. PHI

Explanation:
You are safeguarding protected health information that may be contained within the medical records you are accountable for. These can be in the form of lap reports, visit summaries or other types of medical records.

Personally identifiable information (PII) is unique to an individual, such as a Social Security number or phone number. Payment card industry (PCI) is not a data type. Personal data (PD) is not a known acronym.

Answer 107

A

C. Ownership Retention

Explanation:
Private clouds are a must for organizations that need to retain complete ownership of their entire cloud environment. Public, hybrid, and community clouds can’t offer this.

Answer 108

A

C. Public Cloud

Explanation:
A public cloud would be the best option for this student because it is the least expensive and will allow her to pay only for the resources that she uses. Since she is planning to use the server as a lab environment, it’s unlikely that security will be a large concern for this student.

Answer 109

A

C. Quanitative Assessment

Explanation:
The two main types of assessments used in the risk management process are quantitative assessments and qualitative assessments. Qualitative assessments are nonnumerical assessments. Quantitative assessments use values such as single loss expectancy (SLE), annual loss expectancy (ALE), and annual rate of occurrence (ARO) for a numeric approach.

Answer 110

A

C. Object

Explanation:
Object storage is a storage type used in IaaS cloud environments which operates as an API or a web service call. In object file storage, files are stored in an independent system and given a value for retrieval and reference.

Answer 111

A

D. TLS Handshake Protocol

Explanation:
TLS (transport layer security) is broken up into two main phases: TLS Handshake Protocol and TLS Record Protocol. During the TLS Handshake Protocol, the TLS connection between the two parties is negotiated and established.

During the TLS Record Protocol, the actual secure communications method for transmitting data occurs.

Answer 112

A

B. Requirement Gathering and Feasibility

Explanation:
The initial step of the software development lifecycle (SDLC) is to gather all of the requirements and determine their feasibility. This is determined through setting goals, reviewing the timeline for the project, performing cost analysis, and reviewing possible risks of the project.

Answer 113

A

B. Cluster

Explanation:
A cluster is a group of hosts that are combined together to achieve the same purpose, such as redundancy, configuration synchronization, fail over, or to minimize downtime. Clusters can be groups of hosts that are physically or logically grouped together. Clusters are handled as one unit, meaning that resources are pooled and shared between the hosts within the group.

Answer 114

A

D. Content and File Storage

Explanation:
Each cloud service model uses a different method of storage as shown below:

Software as a Service (SaaS) - content and file storage, information storage and management
Platform as a Service (PaaS) - structured, unstructured
Infrastructure as a Service (IaaS) - volume, object

Answer 115

A

B. Excess electrostatic discharge

Explanation:
The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge which may cause damage to systems.

Answer 116

A

C. Regression Testing

Explanation:
Regression testing is carried out during the maintenance phase of the software development lifecycle to ensure that changes to the software program do not break existing functionality, introduce new vulnerabilities, or resurface previously addressed problems.

Answer 117

A

B. GLBA

Explanation:
The Gramm-Leach-Bliley Act, officially named the Financial Modernization Act of 1999, focuses on PII as it pertains to financial institutions, such as banks.

HIPAA is concerned with the privacy of protected healthcare information and healthcare facilities. GDPR is an EU specific regulation that encompasses all organizations in all different industries. FRCP is a set of federal rules for handling civil legal proceedings in federal courts.

Answer 118

A

B. When the cost to mitigate the risk outweights the cost to simply deal with the risk if it were to occur

Explanation:
There are some instances where organizations will choose to accept risk rather than to do anything to deal with it. This is typically done whenever the cost to mitigate the risk outweighs the cost to simply deal with the risk when or if it were to occur.

Accepting the risk would never be a good option if the risk being realized could financially overwhelm an organization.

Answer 119

A

C. Clipping Level

Explanation:
Many systems and apps allow you to customize what data is written to log files based on the importance of the data. The clipping level determines which events, such as user authentication events, informational system messages, and system restarts, are written in the logs and which are ignored. Clipping levels are used to ensure that the correct logs are being accounted for.

Answer 120

A

B. Cost-benefit analysis

Explanation:
Any organization that is considering a move from an on-premises solution to the cloud should first perform a cost-benefit analysis to ensure that the decision makes sense for its company.

Answer 121

A

B. Threat Modeling

Explanation:
Threat modeling is the processing of finding threats and risks that face an application or system once it has gone live. This is an ongoing process that will change as the risk landscape changes and is, therefore, an activity that is never fully completed. DREAD and STRIDE, which were both conceptualized by Microsoft, are two prominent models recommend by OWASP.

Answer 122

A

B. TLS Record Protocol

Explanation:
TLS (transport layer security) is broken up into two main phases: TLS Handshake Protocol and TLS Record Protocol. During the TLS Handshake Protocol, the TLS connection between the two parties is negotiated and established. During the TLS Record Protocol, the actual secure communications method for transmitting data occurs.

Answer 123

A

D. GDPR

Explanation:
The European Union implemented GDPR (general data protection regulation), which covers the entire European Union and the European Economic Area. GDPR focuses on the protection of private and personal user data for all EU citizens, regardless of where the data was created, collected, processed, or stored. Any organization that has a data breach where protected or private user information is viewed or stolen by an attacker must report it to the applicable government agencies within 72 hours.

Answer 124

A

C. It has been methodically designed, tested and reviewed

Explanation:
The possible EAL (evaluation assurance level) scores are as follows:

EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4- Methodically designed, tested, and reviewed
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified design and tested
EAL7 - Formally verified design and tested

Answer 125

A

C. Policy and Procedures

Explanation:
Policies and procedures are a primary control in protecting systems and communications. Defining the objective, scope, roles, and responsibilities of all security actions, policies and procedures establishes a codified framework for all security actions.

Answer 126

A

C. RPO

Explanation:
The recovery point objective (RPO) is defined as the amount of data and information which must be restored and recovered after a disaster to meet business continuity and disaster recovery objectives.

Answer 127

A

B. Multitenancy

Explanation:
In an IaaS environment, resources are hosted on a cloud system which is often shared by other cloud customers. Therefore, the cloud provider must take precautions to ensure that the data between the multiple clients is not accessible by the others. This can pose a risk if the cloud provider doesn’t take great care in keeping that separation.

Answer 128

A

D. TPMs

Explanation:
TPMs (Trusted Platform Modules) and virtualization hosts have BIOS settings in place that control hardware configurations and security technologies to prevent unauthorized access to the BIOS. It’s important to ensure that access to the BIOS is locked down for all systems to prevent unauthorized changes to the systems at the BIOS-level.

Answer 129

A

A. RAID and SANs

Explanation:
Storage in the cloud is very similar to storage used in a traditional datacenter. The storage consists of RAID (redundant array of inexpensive disks) an SANs (storage area networks). These are connected to the virtualized server structure.

Answer 130

A

B. Secure API calls and web services

Explanation:
Data in use is protected through secure API calls and web services, which make use of technologies such as digital signatures.

Data in transit is best protected through encrypted transport methods like TLS. To protect data at rest, encryption methods such as AES should be used.

Answer 131

A

D. Denial of Service

Explanation:
A denial of service attack occurs when an attacker (or attackers) flood systems with so much useless traffic that the resources are unable to respond to legitimate traffic. Denial of service is listed as one of the Cloud Security Alliance’s Treacherous Twelve, but is not on the OWASP Top 10 list.

XML external entities, injection, and broken access control are all listed on the OWASP Top 10 list and not the Cloud Security Alliance’s Treacherous Twelve list.

Answer 132

A

B. Network traffic logs

Explanation:
The OWASP data event logging cheat sheet does not recommend network traffic logs. However, other logging recommendations by OWASP include:

    Synchronize time across all servers and devices
    Differing classification schemes
    Identity attribution
    Application-specific logs
    Integrity of log files

The full logging cheat sheet is available here: cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

Answer 133

A

B. LUN

Explanation:
In a volume storage system, the main storage is sliced into smaller segments, called LUNs (logical units) that are then assigned to a virtual machine by a hypervisor and mounted to that machine.

A SAN is a storage area network, and not a small segment of storage. The terms LAN and VLAN refer to types of networks and are not applicable to this question.

Answer 134

A

C. Legal Hold

Explanation:
When an organization is told that a regulatory body is commencing an inquiry against it, a legal hold should be immediately imposed. The organization must pause all data deletion actions relevant to the investigation until the matter is resolved. A legal hold has significant ramifications for data retention.

Answer 135

A

D. Management Plane

Explanation:
The management plane in a cloud environment can be used to create, stop and start virtual machines, as well as provision the virtual machines with the needed resources. Because the management plane has access to all the virtual machines from a high level it’s very important that security measures are taken to prevent unauthorized access to the management plane.

Answer 136

A

A. MFA

Explanation:
Multi-factor authentication (MFA) is an authentication method in which a user is required to provide two or more types of factors proving they are who they claim to be. For example, a user would need both a password and a randomly generated code sent to their smartphone to access an application. MFA factors are broken up into categories such as something you know (passwords, pin), something you are (biometrics), something you have (key card, smartphone), and something you do (behavioral).

Answer 137

A

D. Physical, logical or virtual boundaries around network resources

Explanation:
A trust zone is a physical, logical, or virtual boundary around network resources. Before a cloud provider can implement trust zones, they must undergo threat and vulnerability assessments to determine where their weaknesses are within the environment. This will help to determine where trust zones would be most useful.

Answer 138

A

D. Encryption

Explanation:
The main method for protecting data at rest is to use encryption methods such as AES.

Data in transport is protected by encrypted transport methods such as TLS. To protect data in use, secure API calls and web services must be used.

Answer 139

A

B. Governance

Explanation:

Governance is the system by which the provisioning and usage of cloud services are directed and controlled. Governance will put a framework in place to ensure compliance with regulatory obligations.

All other options are shared cloud considerations.

Answer 140

A

C. Machine Learning

Explanation:
Artificial intelligence relies heavily on machine learning. Machine learning enables a solution to learn and develop on its own without the need for extra programming. Intrusion detection, email filtering, and virus scanning are all examples of current machine learning usage.

Blockchain, quantum computing and artificial intelligence are other related technologies.

Answer 141

A

A. Testing must use limited information about the application

Explanation:
Testing that must use limited information about the application is called grey-box testing and occurs after functional testing and deployment.

Functional testing is performed on an entire system and the following are important considerations: Testing must be realistic, must exercise all requirements, and be bug free.

Answer 142

A

B. Gather requirements

Explanation:
After defining the scope, the next step of developing a BCDR plan is to gather requirements. This stages determines what should be included in the plan and looks at items such as the recovery time objective (RTO) and recovery point objective (RPO). It will be necessary during this stage to identify critical systems within the environment.

Answer 143

A

A. Monitoring the risk

Explanation:
After a risk has been responded to, whether by accepting, transferring, avoiding, or mitigating the risk, it must still be monitored. Monitoring the risk is an ongoing process to determine if the same threats and risk still exist in the same form. Monitoring risk serves as a way to ensure that current risk evaluations and mitigation meet current regulatory requirements.

Answer 144

A

D. Broken Authentication

Explanation:
The OWASP Top 10 is an up to date list of the most critical web application vulnerabilities and risks. Broken authentication refers to the ability for an attacker to hijack a session token and use it to gain unauthorized access to an application. This risk can be mitigated by adding proper validation processes to ensure that session tokens are being submitted by the valid and original obtainer of the token.

Answer 145

A

B. Inventory of critical parties

Explanation:
The first step in communicating with vendors is to compile a list of all key third parties on which the business relies. This inventory will serve as the basis for risk management operations with third parties or vendors. Additionally, contact with vendors will be nearly entirely driven by contract and service level agreement obligations.

All other options are not steps in establishing communications with vendors.

Answer 146

A

A. Unit Testing

Explanation:
The coding phase of the SSDLC covers the generation of software components as well as integrations and the build of the overall solution. Unit testing is part of the coding process. This is a developer’s test of the modules that are being developed as part of a larger architecture. All of the module’s pathways must be tested.

Answer 147

A

A. HIPAA

Explanation:
In the United States, any protected health information (PHI) must be kept secure and confidential. The Health Insurance Portability and Accountability Act (HIPAA) places controls on how PHI must be handled and protected.

Answer 148

A

D. Broken Access Control

Explanation:
Broken access control vulnerabilities may enable authenticated users to view unlawful and sensitive data, perform unauthorized functions, and modify access privileges. It is imperative that applications perform checks when each function is accessed to ensure the user is properly authorized to access it.

Answer 149

A

A. Resiliency

Explanation:
Resilience is the ability to continue operating under adverse or unexpected conditions. Many organizations plan a resiliency strategy that includes internal resources and the capabilities of the cloud. A cloud strategy allows the company to continue to operate during and after an event such as a natural disaster or severe weather event.

Performance, governance and privacy are other shared cloud considerations.

Answer 150

A

A. Regulators

Explanation:
CSPs are likely to have contracts or some form of agreement with vendors, partners, and customers, but rarely (if ever) with a regulator.

The CCSP is responsible for ensuring their cloud environment is in compliance with all regulatory obligations applicable to their organization.

Answer 151

A

A. REST

Explanation
Representational State Transfer (REST) is a software architectural scheme which support multiple data types, including both JSON and XML.

Simple Object Access Protocol (SOAP) supports only the use of XML-formatted data types, so it would not work for the organization. DAST and SAST are testing methodologies and are not API types.

Answer 152

A

B. Management Plane

Explanation:
The management plane allows for cloud providers to manage all the hosts from a centralized location instead of needing to log into each individual server when needing to perform tasks. The management plane is typically hosted on its own dedicated server.

Answer 153

A

A. Hashing

Explanation:
If multiple files contain the exact same data, they will produce the same hash value as long as the same hashing algorithm is used. In this way, hashing can verify integrity. In order to do this, a hash value must be created for the original data. Next time the data is accessed, the same hashing algorithm can be used to verify integrity. If the hash value is different from the first hash value, then the data has changed in some way.

Answer 154

A

B. Non-repudiation

Explanation:
Nonrepudiation is the ability to confirm the origin or authenticity of data to a high degree of certainly. Nonrepudiation is typically done through methods such as hashing and digital signatures.

Answer 155

A

D. RISK_DREAD = (Damage + Reproductibility + Exploitability + Affected Users + DIscoverability) /5

Explanation:
DREAD looks at the categories of damage potential, reproducibility, exploitability, affected users, and discoverability. Risk is given a value of 0 to 10 in each category, with 10 being the highest risk value. The algorithm used in DREAD is RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

Answer 156

A

B. 64.4 - 80.6 degrees F

Explanation:
Due to the amount of systems running, data centers produce a lot of heat. If the systems in the data center overheat, it could fry the systems and make them unusable. In order to protect the systems, adequate and redundant cooling systems are needed. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommend that the ideal temperature for a data center is 64.4 - 80.6 degrees F.

Answer 157

A

C. VLANs can be used across multiple datacenters without concerns for geographical location

Explanation:
VLANs are not dependent on the physical infrastructure at all, so this makes them ideal for network segmentation across multiple datacenters without the need to worry about the geographical location.

Answer 158

A

A. Defining SLA terms

Explanation:
Receiving communications from CSPs doesn’t imply much responsibility. However, cloud customers have a critical accountability to define SLA terms. This will ensure that the CSC receives the proper level of communication, and through the correct channels from the CSP.

All other options support communications with relevant parties.

Answer 159

A

C. Containers

Explanation:
A wrapper that contains all of the configuration, code, and libraries needed for an application, which can be rapidly deployed across a cloud environment, is known as a container.

Answer 160

A

D. A smart refrigerator that can send a grocery list to the owner via a push notification to their mobile phone

Explanation:
The Internet of Things (IoT) refers to non-traditional devices (such as lamps, refrigerators, and other home devices) having access to the Internet to perform various processes.

Answer 161

A

D. DNS

Explanation:
The Domain Name Service (DNS) is how computers translate IP addresses to domain names. When a user wants to communicate with another machine, the user’s machine queries a device within the DNS table to get the correct address.

All other options are other basic networking practices or protocols.

Answer 162

A

D. Cloud Application Portability

Explanation:
The ability to move an application between multiple cloud providers is known as cloud application portability, while cloud data portability refers, instead, to the ability to move data between cloud providers.

Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within an environment.

Answer 163

A

C. Aggregation

Explanation:
Security information and event management (SIEM) systems are able to take data and logs from a large number of sources and house it in one single indexed system. This process is known as aggregation.

Answer 164

A

A. Chain of Custody

Explanation:
During an investigation, it’s important that there is a paper trail which can document where evidence was and who was handling it at any given time. This process is known as chain of custody. Chain of custody is crucial in investigations so that evidence is usable in court.

Answer 165

A

B. NIST

Explanation:
The National Institute of Standards and Technology (NIST) is a part of the United States government which is responsible for publishing security standards applicable to any systems used by the federal government and its contractors.

Answer 166

A

D. Broken Authentication

Explanation:
Broken authentication occurs when applications do not have the proper controls or processes in place to secure their authentication and session tokens. This type of vulnerability allows for attackers to hijack session tokens and use them for their own nefarious purposes.

Answer 167

A

C. Vendor Lock-In

Explanation:
Vendor lock-in is the term used to describe the scenario in which a cloud customer is stuck using one cloud provider for one reason or another. Vendor lock-in can occur when the cloud provider has implemented technologies that make it difficult for the customer to move their data without hassle to another provider.

Answer 168

A

D. Change Management

Explanation:
The change management process is concerned with the impact of change on the organization. This change can include the implementation of new systems or simply configuration changes to already existing systems. Change management allows for changes in the organization to only be made by following a strict and structured procedure.

Answer 169

A

D. Asset Inventory and Risk Assessment

Explanation:
Identification and mapping of data locations within an organization is crucial for asset inventory and risk assessment tasks. According to a common adage, you cannot secure your assets if you are unaware they exist. Mapping enables a business to keep track of its assets, which is crucial for risk assessment and asset protection.

All other options are important activities within an organization. However, they are not reliant on mapping the location of data within the organization.

Answer 170

A

B. Indirect Identifier

Explanation:
PII (personally identifiable information) is broken up into direct and indirect identifiers. Because a birth date is not enough information to identify just one single person, it is an indirect identifier.

An example of a direct identifier would be a social security number. Nondescript and descript identifiers are not real types of PII.

Answer 171

A

C. Cloud Application

Explanation:
When an application resides in the cloud and is accessed via the network, instead of being locally installed on a user’s computer, it is known as a cloud application.

A measured service is a method for billing for cloud services. A tenant is the term used to describe one or more cloud customers sharing the same pool of resources. IaaS stands for infrastructure as a service and is a cloud service category in which the provider supplies infrastructure devices such as servers, network devices, etc.

Answer 172

A

D. Identity Providers

Explanation:
Identity providers create and manage security principals (users, devices, and software). On-premises and cloud-based identity providers can be synchronized so that users can access on-premises and cloud-based applications using their existing on-premises credentials. Identity providers support identity federation. Identity federation allows multiple parties to trust the use of a central identity provider. This eliminates the requirement for each application to create its own user credentials.

Answer 173

A

A. Application Virtualization

Explanation:
Sandboxing can be done with application virtualization by employing containers, which allow applications to be bundled with all dependencies and rigorous configuration management. While testing code or apps, sandboxing isolates components while protecting the operating system and other applications.

Encryption, Tokenization and Orchestration are other ways to protect components such as operating systems and applications.

Answer 174

A

D. Data classification and control

Explanation:
Information rights management (IRM) can be used as a means for data classification and control. It isn’t used as a means for data modification or data deletion.

Answer 175

A

B. Permissions can be modified after a document has been shared

Explanation:
Dynamic policy controls allow data owners to modify the permissions for their protected data even after it has been shared with others.

All other options are descriptions of functionalities provided by other features of data rights management solutions.

Answer 176

A

B. DHCP

Explanation:
The Dynamic Host Configuration Protocol (DHCP) assigns an IP address and other networking information to devices in the network automatically. This facilitates the creation of a centralized management system. New hosts can be activated with DHCP, as well as hosts that need to be auto-scaled, dynamically optimized, or relocated between physical hardware programmatically. DHCP allows network information to be readily updated and changed as needed.

IPSEC, DNS and SSL are other networking protocols that work together with DHCP.

Answer 177

A

C. All options are correct

Explanation:
Privacy concerns are present during and after a contract, as well as during data erasure or destruction.

Answer 178

A

C. Crypto-shredding

Explanation:
The optimal solution would be cryptographic shredding. Crypto-shredding encrypts the data and then destroys the encryption key, rendering the data unrecoverable.

All other options are data security methods. However, there is a possibility that data can be recovered after it has been destroyed.

Answer 179

A

D. Problem management

Explanation:
Problem management is focused on preventing potential issues from occurring within a system or process.

All other options are types of management strategies.

Answer 180

A

D. Internet Service Capability

Explanation:
The three main cloud service categories are infrastructure service capability, platform service capability, and software service capability.

Answer 181

A

A. Data warehouse

Explanation:
A data warehouse is structured storage in which data has been normalized to fit a defined data model.

All other selections are data storage mechnisims

Answer 182

A

D. Artificial Intelligence

Explanation:
Artificial intelligence is the ability of devices to perform human-like analysis. Artificial intelligence operates by consuming a large amount of data and recognizing patterns and trends in the data.

Answer 183

A

B. Data at rest

Explanation:
In order to protect data at rest (DAR), data loss prevention (DLP) solutions must be deployed on each of the systems that house data, including any servers, workstations, and mobile devices. This is the simplest of DLP solutions but, in order to be most effective, it may also require network integration.

Answer 184

A

A. SIEM

Explanation:
An organization’s logs are valuable only if the organization makes use of them to identify activity that is unauthorized or compromising. Due to the volume of log data generated by systems, the organization can implement a System Information and Event Monitoring (SIEM) system to overcome these challenges. The SIEM system provides the following:

    Log centralization and aggregation
    Data integrity
    Normalization
    Automated or continuous monitoring
    Alerting
    Investigative monitoring

All other options are security solutions implemented within an organization.

Answer 185

A

A. Management plane

Explanation:
The management plane is used by cloud providers to manage all of the hosts from one centralized location. If the management plane were to be compromised, the attacker would have complete control over the entire cloud environment.

Answer 186

A

A. LUNs

Explanation:
Volume storage is where storage is allocated to a virtual machine and configured as a typical hard drive and file system on that server. In a volume storage system, the main storage system is sliced into pieces called LUNs (logical units) and then allocated to a particular virtual machine by the hypervisor.

Answer 187

A

D. Store

Explanation:
While security controls are implemented in the create phase in the form of SSL/TLS, this only protects data in transit and not data at rest. The store phase is the first phase in which security controls are implemented to protect data at rest.

Answer 188

A

D. Data classification

Explanation:
In any cloud deployment model, IaaS, PaaS, or SaaS, the cloud consumer will be responsible for any control over the data they store in the cloud. This includes its classification.

All other options are functions in the cloud. However, the cloud deployment model being used will determine who is responsible.

Answer 189

A

B. Data can be distributed across many data centers in different geographical locations

Explanation:
Data dispersion is the concept that data can be distributed across many data centers in different geographical locations. This is a key benefit in cloud environments because it provides disaster recovery. Having data in numerous geographical locations reduces the risk of traditional problems posed by disaster scenarios.

Answer 190

A

C. Due to being software-based, they are more vulnerable to flaws and exploits than type 1 hypervisors.

Explanation:
Since type 1 hypervisors are tied into the physical hardware of the machine, it can be more difficult to inject malicious code. However, type 2 hypervisors are software-based and operate independent of the hardware. This can make type 2 hypervisors more susceptible and vulnerable to flaws and software exploits than type 1 hypervisors.

Answer 191

A

C. Create, Store, Use, Share, Archive, Destroy

Explanation:
Create, Store, Use, Share, Archive, Destroy are the phases in the cloud data lifecycle, in order.

All other options are in the incorrect order.

Answer 192

A

C. SOAP does not allow for caching, making it less scalable and having lower performance than REST.

Explanation:
SOAP does not allow for caching, making it less scalable and having lower performance than REST. Because of this, SOAP is typically used only when there are restrictions which prevent the use of REST in the environment.

REST is more flexible and supports a variety of data formats, including both JSON and XML, while SOAP only allows the use of XML-formatted data.

Answer 193

A

B. HIDS

Explanation:
A host intrusion detection system (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions.

A network intrusion detection system (NIDS) is similar to a HIDS, but rather than running on a single host, it analyzes all of the traffic on the network. An intrusion prevention system (IPS) works in the same manner as a NIDS, but it also has the capability to prevent attacks rather than just detect them. A honeypot is an isolated system used to trick an attacker into believing that it is a production system.

Answer 194

A

C. PHI

Explanation:
PHI, which stands for protected health information, includes a wide spectrum of data about an individual and their health. Medical history, treatment, lab results, demographic information, and health insurance information is all considered to be PHI.

Answer 195

A

B. TLS 1.3

Explanation:
TLS (transport layer security) has replaced SSL (secure sockets layer) as the best encryption of network traffic. Currently TLS 1.3 is the latest form of TLS and should be used, as it provides maximum security and high performance.

Answer 196

A

A. eDiscovery

Explanation:
eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.

Answer 197

A

C. A centralized group in an organization that handles security issues

Explanation:
A SOC (security operations center) is a centralized group within an organization that handles security issues.

A NOC (network operations center) is a centralized group within an organization that handles network configurations. SOC engineers are not likely to handle general help desk tickets or collect evidence for a forensics investigation.

Answer 198

A

D. ISO/IEC 27001

Explanation:
The ISO/IEC 27001, with its newest update of 27001:2013 is widely considered to be the gold standard in regard to the security of information systems and their data.

Answer 199

A

A, Availability and bandwidth

Explanation:
In the cloud, the primary performance issues are network availability and bandwidth. A network is a critical component of cloud services. If the network is down, the service will be unavailable. If the service is unavailable, performance will be impacted.

All other options are minor cloud performance concerns.

Answer 200

A

A. Cloud service provider

Explanation:
In a shared security model, the cloud service provider controls the hypervisor. If the hypervisor is compromised, all virtual machines running on it may be vulnerable as well. As a result, the CSP’s role in securing the hypervisor is important.

All other options are roles related to the cloud.

Answer 201

A

A. Tokenization

Explanation:
Tokenization is a method used to protect data without needing to go through the process of encryption. In tokenization, an application is used to replace confidential data with an arbitrary value (known as a token). The application has the ability to map the token back to the original data when needed.

Answer 202

A

A. Spoofing identity

Explanation:
The STRIDE threat model has six threat categories, including spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privileges. When a user is able to gain access to something they shouldn’t by using another user’s account, this is known as spoofing identity. It’s important to have controls in place to prevent users from leveraging another user’s account to gain additional permissions.

Answer 203

A

B. User education

Explanation:
Due diligence on vendors, a trusted cloud service provider, security built into system design, encryption, and CSP security configuration management tools are all risk mitigation strategies in the cloud environment. User education is critical, but it is not as successful as the countermeasures outlined above

Answer 204

A

D. Create

Explanation:
Any time data can be considered new, it is in the create phase. Data can be considered new whenever it is newly created, moved from one system to another, or modified into a new form.

Answer 205

A

B. SOX

Explanation:
SOX (Sarbanes-Oxley Act) regulates accounting and financial practices within an organization. IT engineers need to be aware of SOX, as it can affect which type of data needs to be stored/retained, and for how long.

Answer 206

A

C. Clustered storage

Explanation:
A cluster is taking two or more systems and treating them as one entity. Clustered storage is the process of taking two or more storage servers and combining them to increase performance, capacity, and reliability. Storage clusters are used in cloud environments because high availability is extremely important.

Answer 207

A

D. REST

Explanation:
The REST (representational state transfer) API relies on the HTTP protocol and supports a variety of data formats including both XML and JSON. It allows for caching, which increases performance and scalability.

Answer 208

A

D. Discovery and classification

Explanation:
DLP is made up of three common stages which include discovery and classification, monitoring and, finally, enforcement. Discovery and classification is the first phase, as the security requirements of the data must be addressed.

Answer 209

A

B. Incident classification

Explanation:
Incident management exists to help organizations plan for incidents, identify when they occur, and restore normal operations as quickly as possible with minimum adverse impact. This is referred to as a capability, or the combination of procedures and resources needed to respond to incidents. It generally comprises of three key elements: incident response plan (IRP), incident response team (IRT), and root-cause analysis.

Incident classification ensures an incident is dealt with correctly. It is important to determine how critical an incident is and prioritize the response appropriately.

Answer 210

A

C. Ignoring risk

Explanation:
After risk has been identified and evaluated, either through qualitative or quantitative assessments, the decision must be made on how to respond to risk. There are four main categories for responding to risk, which include accepting risk, avoiding risk, transferring risk, and mitigating risk.

Ignoring the risk is not one of the four categories.

Answer 211

A

D. Destroy

Explanation:
As the name suggests, the destroy phase is where data is removed completely from a system (or “destroyed”) and should be unable to be recovered. In cloud environments, methods such as degassing and shredding can’t be used because they require physical access to the hardware. Instead, in cloud environments, techniques like overwriting and cryptographic erasure are used to destroy the data.

Answer 212

A

B. Management

Explanation:
The management principle of the Generally Accepted Privacy Principles (GAPP) focuses on ensuring that organizations have well documented privacy policies and procedures. In addition, this information is communicated to necessary parties, and official measures are taken to ensure accountability.

Answer 213

A

D. Private cloud, cloud service backup

Explanation:
The organization is using their own private data center with backups being replicated to the cloud.

Answer 214

A

A. Users

Explanation:
The individuals using the public internet are responsible for security. Security is a shared responsibility.

The CSP, CSC or ISP would not be responsible.

Answer 215

A

A. ISO/IEC 27050

Explanation:
ISO/IEC 27050 provides internationally accepted standards related to eDiscovery processes and best practices.

All other options are technology standards set forth by the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)

Answer 216

A

B. Design

Explanation:
Security is extremely important to consider when implementing a cloud data center. Due to its importance, security should be taken into consideration in the design phase so that it doesn’t have to be added as an afterthought later on.

Answer 217

A

D. Vulnerability Scan

Explanation:
By running a vulnerability scan, the organization can easily identify a server responding to FTP requests. This vulnerability indicates a system that does not conform to the baseline configuration and that requires immediate remediation action.

Answer 218

A

A. IT-related Risk

Explanation:
Supply chain management entails a plethora of dangers, one of which is cloud computing. By protecting supply-chain management software in the cloud and securely linking providers globally via cloud services, risk associated with information technology is reduced.

Answer 219

A

B. BCDR

Explanation:
A business continuity and disaster recovery (BCDR) plan lays out the steps for what an organization must do immediately following a disaster or critical failure. BCDR plans should be regularly tested to ensure that they will work in the event of a real situation. BCDR plans cover what to do in the event of scenarios such as natural disasters, acts of war, equipment failures, and utility failures.

Answer 220

A

B. eDiscovery

Explanation:
eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.

Answer 221

A

D. PaaS

Explanation:
Each cloud service model uses a different method of storage as shown below:

Platform as a Service (PaaS) - structured, unstructured
Infrastructure as a Service (IaaS) - volume, object
Software as a Service (SaaS) - content and file storage, information storage and management

DaaS is not a real type of cloud service model.

Answer 222

A

B. The location where the data is stored and the local laws and jurisdictions that apply to it

Explanation:
When using a cloud environment as a BCDR solution, it’s likely that data will be housed in numerous cloud datacenters in various geographical locations. It’s important to take into consideration what types of regulations and jurisdictions are applicable to the locations where your data is being stored.

Answer 223

A

C. Hosted eDiscovery

Explanation:
With Hosted eDiscovery, your cloud service provider incorporates eDiscovery into contractual responsibilities that can be executed as needed. However, a list of pre-selected forensic solutions may have limitations.

SaaS-based eDiscovery is hosted on the cloud and is used to collect, store, and evaluate evidence by investigators and law firms. Third-party eDiscovery is not bound by contract and can be engaged to undertake eDiscovery operations on an as-needed basis. On-premises eDiscovery is a distractor.

Answer 224

A

B. DHCP

Explanation:
DHCP (dynamic host configuration protocol) runs on a centralized server and is able to dynamically assign network configurations such as IP address, DNS server address, and other settings to systems on the network. This removes the need for administrators to go around to each computer and statically assign network information.

Answer 225

A

C. PCI DSS

Explanation:
PCI DSS (Payment Card Industry Data Security Standard) is a regulatory requirement that applies to financial and retail environments, specifically those that accept payment cards.

Answer 226

A

C. Sensitive data exposure

Explanation:
Even with proper encryption methods put in place, sensitive data is still at risk if the client’s browser is insecure. In order to help mitigate this vulnerability, web applications can perform checks against client browsers to ensure they meet security standards. If the browser doesn’t meet the security standards, it will not be granted access to the web application.

Answer 227

A

A. Lower RPOs and RTOs

Explanation:
The capacity to operate in geographically remote locations and to provide increased hardware and data redundancy results in lower recovery time objectives (RTOs) and recovery point objectives (RPOs) for disaster recovery and business continuity.

The recovery service level (RSL) measures the percentage of the total production service level that needs to be restored to meet BCDR objectives.

Answer 228

A

A. Hashing

Explanation:
Hashing is a process that can be used to verify the integrity of data. This is because if you use the same hashing algorithm on the same data time and time again, the hash value that is generated will be the same. If the data is changed, the hash value will be different, confirming that the integrity of the data is not intact.

While encryption, key management, and tokenization can help you to protect data, they can’t guarantee the integrity of the data.

Answer 229

A

D. SSDLC

Explanation:
Including security in the Software Development Lifecycle (SDLC) aids in the creation of secure software. The Secure Software Development Lifecycle (SSDLC) is expected to yield software solutions that are more secure against attack, minimizing the risk of important business and consumer data being exposed.

Answer 230

A

A. IPS

Explanation:
An intrusion prevention system (IPS) is placed at the network level. It analyzes all traffic on the network in the same way as an IDS. However, rather than simply alerting administrators when an intrusion is detected, it can actually stop and block the malicious traffic and prevent an attack from occurring automatically.

Answer 231

A

C. RTOs are an IT decision.

Explanation:
Recovery time objectives are a business decision and not an IT decision. IT’s responsibility is to assist the organization with RTO options and costs. To make the best decision, the organization requires complete information on RTO solutions and associated expenses. Once a decision is reached, it is up to IT to implement it and make all attempts to adhere to the business RTO.

Answer 232

A

B. CASB

Explanation:
One of the services provided by a Cloud Access Security Broker (CASB) is the monitoring of Identity and Access Management (IAM) in your cloud. A CASB does not provide any other services. A cloud access security broker (CASB) sits between the cloud application and the customer. This service keeps track of all activities and ensures that corporate security requirements are followed.

Answer 233

A

B. Overwriting

Explanation:
Michael will not be able to perform incineration, shredding, or degaussing because these require physical access, which is not available in a public cloud.

Overwriting is the process of writing a pattern of ones and zeros over the data. For especially sensitive data, it may be best to overwrite the data more than once.

Answer 234

A

D. APIs

Explanation:
Cloud environments rely heavily on APIs (application programming interfaces) for both access and function. SOAP (simple object access protocol) and REST (representation state transfer) are two examples of commonly used APIs.

Answer 235

A

D. The percentage of the performance level which must be restored to meet BCDR objectives

Explanation:
Recovery service level (RSL or RSL%) is a newer term used to describe the percentage of the performance level which needs to be restored to meet BCDR objectives. For example, an RSL of 50% would specify that the DR system would need to operate at a minimum of 50% of the performance level of the normal production system.

Answer 236

A

C. RPO

Explanation:
RPO stands for recovery point objective, and it is the minimum amount of data that would be needed to be retained and recovered for an organization to function at a level which is acceptable to stakeholders. The RPO does not mean that the organization has to be operating at full capacity, just at an acceptable level where crucial systems are online.

Answer 237

A

D. European Union

Explanation:
The General Data Protection Regulation, or GDPR, is a regulation and law which affects all countries in the European Union (EU) and the European Economic Area. The purpose of the GDPR is to protect data on all citizens of the EU, regardless of where the data is created, stored, or processed.

While similar legislation has and will be implemented in other parts of the world, GDPR specifically covers the EU.

Answer 238

A

B. An earthquake

Explanation:
Business continuity and disaster recovery (BCDR) plans are likely to be initiated as a result of the following: natural diaster (earthquakes, floods, tornadoes, etc.), terrorist attacks or acts of war, equipment failures, utility failures or disruptions, and service provider failures.

The other items listed should not result in the initiation of a BCDR plan.

Answer 239

A

A. Configuration management

Explanation:
Configuration management is required. Configuration management technologies aid in cloud deployment management by centrally storing and archiving cloud configurations. It enables the tracking of configuration changes and the identification of the individuals who made the changes. These provisions enable you to guarantee that your cloud conforms with applicable regulations.

All other selections are operational controls and standards within an organization.

Answer 240

A

A. Reproducibility

Explanation:
The DREAD threat model looks at five categories, including damage potential, reproducibility, exploitability, affected users, and discoverability. Reproducibility is the measure of how easy an exploit is to reproduce.

Answer 241

A

A. MTR

Explanation:
When performing a quantitative assessment, the values needed are the single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).

MTR stands for mean time to recovery, which is not used when performing a quantitative assessment.

Answer 242

A

C. APIs

Explanation:
In a cloud environment, the key functionality of applications and the management of the cloud are based on APIs (application programming interfaces). It’s very important that APIs are implemented in a secure and appropriate manner. When possible, TLS (transport layer security) should be used for API communication.

Answer 243

A

A. Redirecting legitimate users to compromised or spoofed systems

Explanation:
A DHCP (dynamic host configuration protocol) is used to automatically configure network settings on systems without the need for admins to do this manually on each computer. DHCP servers must be kept secure. If a DHCP server were to be compromised, the attacker would have access to change network settings that are given out by the DHCP server. This would allow them to redirect legitimate users to compromised or spoofed systems.

Answer 244

A

A. Security

Explanation:
The private cloud deployment model is the most secure cloud deployment model. However, private clouds do not offer an easier setup, less expense, or more scalability than the other cloud deployment methods.

Answer 245

A

C. Open-source software has less risk because it’s inexpensive.

Explanation:
The widespread idea that open-source software carries fewer risks due to its low cost is false. Risk is defined by the asset being protected, not by the cost of the software being employed. Losing your data to low-priced software does not mitigate the expense of a data breach and exfiltration

Answer 246

A

B. Cross-site scripting

Explanation:
A cross-site scripting attack is a type of injection attack. It occurs when an attacker is able to inject malicious code into a web application. While this type of attack is mainly used to execute scripts and hijack a user’s session, it can also be used to deface or edit a web page without going through any authentication processes. The web application runs the scripts injected without validating them.

Answer 247

A

A. Systems aren’t able to be simply physically isolated and preserved in a cloud environment

Explanation:
When eDiscovery must be done within a traditional data center, it’s possible to physically isolate the system and preserve the data. In a cloud environment, however, many cloud customers are using the same hardware, so it’s not possible to physically isolate a system and preserve it. Instead, special measures must be taken to achieve eDiscovery in a cloud environment.

Answer 248

A

C. Virtual images are susceptible to attacks whether they are running or not

Explanation:
Virtual images are susceptible to attacks, even when they are not running. Due to this, it’s extremely important to ensure the security of where the images are housed.

Ensuring that the management plane and the hypervisor are secured is the first step to ensuring the virtual images are secure. The management plane is the most important component to secure first because a compromise of the management plane would lead to a compromise of the entire environment.

Answer 249

A

A. Data retention

Explanation:
OS baselines establish and enforce known good states of system configuration, and focus on ensuring least privilege and other security OS and application best practices. Each configuration option should match a risk mitigation (security control objective).

Data retention and other data-specific requirements are not commonly part of an OS baseline

Answer 250

A

B. 72 hours

Explanation:
Under GDPR, data controllers must notify the applicable government agencies within 72 hours of a data breach or leak of personal or private information; however, there are some exemptions for law enforcement and national security agencies. GDPR is mostly focused on scenarios where the data is viewable by a malicious party, rather than instances where the data is erased or encrypted.

Answer 251

A

D. To avoid one row of racks pushing hot air directly into another row

Explanation:
Heating and cooling within a data center is a very important component. Servers and network equipment use a lot of energy which, in turn, produces a lot of hot air. In order to avoid one row of racks pushing hot air directly into another row, many data centers will use the concept of hot/cold aisles. This practice includes alternating rows of physical racks in order to have hot and cold rows for optimal air flow.

Answer 252

A

A. Obfuscation

Explanation:
Obfuscation is the process of replacing, concealing, or erasing sensitive data from a data set. By substituting random or replaced data for sensitive data fields, it can be swiftly employed without exposing sensitive information to systems. Substitution, shuffling, value variance, nullification, and encryption are all methods for concealing data.

Answer 253

A

D. GAPP

Explanation:
GAPP (Generally Accepted Privacy Principles) is a privacy standard developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. GAPP contains ten main privacy principles and is focused on managing and preventing threats to privacy.

Answer 254

A

A. Bastion host

Explanation:
A bastion host is a method for remote access to a secure environment. The bastion host is an extremely hardened device that is typically focused on providing access to one application or for one particular usage. Having the device set up in this focused manner makes hardening it more effective. Bastion hosts are made publicly available on the Internet

Answer 255

A

C. The Gramm-Leach-Bliley Act

Explanation:
Although it is officially named the Financial Modernization Act of 1999, it is most commonly known as and referred to as the Gramm-Leach-Bliley Act, or GLBA. This name pays tribute to the lead sponsors and authors of the act. GLBA is focused on protecting personally identifiable information (PII) as it related to financial institutions.

Answer 256

A

A. Hashing algorithm

Explanation:
The three basic components of an encryption system include the data itself, the encryption engine, and the encryption keys.

Hashing is a separate technology from encryption used to verify the integrity of data. Hashing algorithms are used in hashing and are not a part of encryption.

Answer 257

A

A. Create phase

Explanation:
The create phase is an ideal time to implement technologies such as SSL/TLS technologies with the data that is inputted or imported. It should be done in the create phase so that the data is protected initially before any further phases.

Answer 258

A

A. Database

Explanation:
Databases store data in fields, following a related pattern.

All other options are cloud storage architectures.

Answer 259

A

B. SDN

Explanation:
Within a software defined network (SDN), decisions regarding where traffic is filtered or sent to and the actual forwarding of traffic are completely separate from each other.

A VLAN (virtual local private network) is used to expand a local area network beyond physical/geographical limitations. A VPN (virtual private network) securely provides access to a private network over a public network. A SAN (storage area network) is used for mass storage.

Answer 260

A

D. Jump servers

Explanation:
A jump server, sometimes called a jump box, is a hardened and monitored system on the network that has one purpose, which is to be used as a means to access and manage devices in a separate security zone. The jump server will span two different security zones, which makes this possible

Answer 261

A

D. Virtualization

Explanation:
Sometimes, the terms virtualization and cloud computing are used interchangeably. However, they are two very separate concepts. Cloud computing is defined by NIST as “enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.” Virtualization is the underlying technology that makes cloud computing possible.

Answer 262

A

D. Encrypt and authenticate packets during transmission between two servers

Explanation:
IPsec can be used to encrypt and authenticate packets during transmission between two systems. Examples of this include between two servers, between two network devices, and between network devices and servers.

DNSSEC is used to add an additional layer of security to the DNS protocol. A VPN is used as a way to extend a private network over public network. A VLAN is used to create a logical isolation and separation within a network.

Answer 263

A

B. Identification

Explanation:
Identification is the process of pinpointing either a system or individual in a way where they are distinctive from any other identify.

Authorization is the process of granting access to resources. Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together. Auditing is the process of ensuring compliance with policy, guidelines and regulations.

Answer 264

A

D. Full ownership of hardware

Explanation:
Using a cloud provider for a business continuity and disaster recovery (BCDR) solution comes with many benefits, including cost benefits, scalability, and access from anywhere.

Full ownership of hardware is not an advantage of a cloud BCDR solution as the cloud customer doesn’t typically have ownership of the hardware. The hardware will belong to the cloud provider.

Answer 265

A

C. Each level of the virtualization infrastructure, as well as wherever the client accesses the management plane

Explanation:
Logging is imperative for a cloud environment. Role-based access should be implemented, and logging should be done at each and every level of the virtualization infrastructure, as well as wherever the client accesses the management plane (such as web portal).

Answer 266

A

D. Budget

Explanation:
The risks associated with a business continuity and disaster recovery (BCDR) plan include changes in location, maintaining redundancy, having proper failover mechanisms, having the ability to bring services online quickly, and having functionality with external services.

Budget is something that should already be factored in and accounted for and, therefore, should not pose any risks to your BCDR plan.

Answer 267

A

A. DNSSEC

Explanation: 
DNS security (DNSSEC) extensions is a set of specifications primarily aimed at reinforcing the integrity of DNS. It provides cryptographic authentication of DNS data using digital signatures.

Software defined permitter (SDP), Public Key Infrastructure (PKI), and Fully Qualified Domain Name (FQDN) are distractors.

Answer 268

A

B. Centralized logs

Explanation:
Logging is the process of documenting events or activities that occur against an asset. Logging is crucial for any business since it serves as the primary repository of information about previous events. Security information and event management (SIEM) technology is used to centralize these logs. A SIEM technology enables the collection, analysis, aggregation, correlation and reporting of suspected security incidents in a centralized manner. SIEM solutions can ingest a variety of different forms of log data from hardware, software, and data sources. Logging and a SIEM solution operate in tandem to centralize data and make it visible where it is needed.

Answer 269

A

C. Identity Provider

Explanation:
The organization would act as the identity provider, while the relying party would act as the service provider. The identity provider is the organization that generates tokens for users.

Answer 270

A

B. Agentless

Explanation:
Agentless backups generally interact directly with your hypervisor to snapshot and backup your VMs.

All other options do not apply.

Answer 271

A

C. The ease with which components of an application or service can be moved or reused

Explanation:
Interoperability is the ease with which components of an application or service can be moved or reused.

The ability for two customers to share the same pool of resources while being isolated from each other is known as multitenancy. The ability of customers to make changes to their cloud infrastructure with minimal input from the cloud provider is known as on-demand self-service. The ease with which resources can be rapidly expanded as needed by a cloud customer is called rapid elasticity.

Answer 272

A

B. External auditor

Explanation:
An external auditor is not employed by the company being audited. An external auditor may be necessary to ensure compliance with information security regulations. Because the external auditor’s primary objective is to ensure compliance, they do not act as a trusted counsel, but rather as a regulator with enforcement authority.

All other options are types of auditors.

Answer 273

A

D. iSCSI

Explanation:
iSCSI allows for the transmission of SCSI commands over a TCP-based network. SCSI allows systems to use block-level storage that behaves like a SAN would on physical servers, but leverages the TCP network within a virtualized environment. iSCSI is the most commonly used communications protocol for network-based storage.

Answer 274

A

D. Secure means of remotely accessing machines

Explanation:
RDP is considered an insecure protocol and should be used only with a private network.

If used over the internet, a VPN should be considered a strict requirement. Additionally, filtering should be applied on the firewall to allow only those with permitted access to connect. RDP is GUI accessible, available for Linux, Mac and Windows devices and uses a client-server operation.

Answer 275

A

C. Multitenancy

Explanation:
Multitenancy is the main factor, from a legal perspective, which differentiates a cloud environment from a traditional data center. Multitenancy is a concept in cloud computing in which multiple cloud customers may be housed in the same cloud environment and share the same resources. Because of this, the cloud provider has legal obligations to all cloud customers housed on its hardware.

Answer 276

A

C. The pricing for cloud computing may be less predictable than that of a traditional data center.

Explanation:
In a traditional data center, it is fairly easy to map out costs for the year, including necessary equipment upgrades and licensing. In a cloud environment with metered pricing, resources are added right as they are needed and, therefore, the cost can change over time, making it unpredictable.

Answer 277

A

A. Privacy

Explanation:
Confidentiality, integrity, and availability are the three core aspects of security. This is often known as the CIA triad. In recent years, as mobile and cloud computing have increased, privacy has become the fourth major aspect of security. While privacy could technically be consolidated within confidentiality, it’s often thought of as its own aspect due to its importance.

Answer 278

A

A. Framing risk

Explanation:
In regard to risk treatment and the risk management process, the first stage is framing risk. Framing risk refers to determining what risk and levels are to be evaluated.

Answer 279

A

A. Every piece of software in the environment

Explanation:
Any piece of software, from major software suites to small utility scripts, can have possible vulnerabilities. This means that every program and every piece of software in the environment carries an inherent amount of risk with it. Any software that is installed in a cloud environment should be properly vetted and regularly audited.

Answer 280

A

C. SOAP is unable to use the FTP protocol for transmission.

Explanation:
While the simple object access protocol (SOAP) most commonly uses the HTTP protocol for transmission, it is possible for it to use the FTP protocol and other communication protocols as well.

Answer 281

A

A .OpenID

Explanation:
OpenID is an authentication protocol based on OAuth 2.0 specifications. OpenID provides an easy and flexible way for developers to support authentication across an organization. It provides web-based applications with a method for authentication that is not dependent on particular devices or clients to access it.

Answer 282

A

B. Cluster

Explanation:
Clusters are a collection of resources linked together by a software agent that enables communication, resource sharing, and task routing inside the cluster. Clusters are an important aspect of resource pooling, which is fundamental to cloud computing. They are used to provide most of the resources required in modern computing systems, such as processing, storage, network traffic handling, and application hosting.

All other options are logical infrastructure found in the cloud.

Answer 283

A

C. Privileged access

Explanation:
Privileged access must be strictly limited and should enforce least privilege and separation of duty. Therefore, it is not a virtualization system protection mechanism.

Standard configurations, commonly referred to as baselines, can be used to safeguard virtualization systems. All other options are protection techniques for virtualized systems.

Answer 284

A

B. RTO

Explanation:
The recovery time objective (RTO) is a time measurement of the speed in which each system must be brought back up and running after a disaster occurs in order to meet business continuity and disaster recovery (BCDR) objectives.

Answer 285

A

C. Masking

Explanation:
The organization is trying to deploy masking. Masking obscures data by displaying only the last four digits of a Social Security or credit card number. As a result, the data is incomplete in the absence of the blocked/removed content.

All other options are data security strategies.

Answer 286

A

B. Correlation

Explanation:
Security information and event management (SIEM) systems are very useful because they are able to correlate data. This means that not only can the data be stored in one place through aggregation, but it can also be searched using specific items such as an IP address or timestamp.

Answer 287

A

A. SAN

Explanation:
iSCSI, Fibre Channel, and Fiber channel over Ethernet (FCoE) are storage area network technologies that create dedicated networks for data storage and retrieval.

Answer 288

A

B. Redundant

Explanation:
Cloud customers have high expectations for availability and resiliency. In order to meet these expectations, all systems must be redundant to ensure there is no downtime for the customer.

Answer 289

A

A. Honeypot

Explanation:
A honeypot consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored and that seems to contain information or a resource of value to attackers.

All other options are incorrect.

Answer 290

A

C. Analysis

Explanation:
The analysis phase of the SDLC is when requirements of the project are put into a project plan. This plan will outline the specifications for the features and functionality of the software or application to be created. At the end of the analysis phase of the SDLC, there will be formal requirements and specifications ready for the development team to turn into actual software.

Answer 291

A

C. SSAE

Explanation:
The statement on standards for attestation engagements (SSAE) is a set of standards defined by the AICPA to be used when creating SOC reports. SOC 1 reports assist with compliance with regulations.

Statement on Auditing Standards (SAS) reports have been replaced by SSAE reports. The International Standard on Assurance Engagements (ISAE) is similar to SOC Type 2 reports. Generally Accepted Privacy Principles (GAPP) is not a reporting standard.

Answer 292

A

D. Any capability which is offered by a cloud provider

Explanation:
A cloud service is any capability which is offered by a cloud provider and it’s not limited to just software or applications, but also full platforms and infrastructure.

Answer 293

A

B. Virtualization

Explanation:
Without virtualization, cloud environments as we know them would not be possible. This is because cloud environments are built on virtualization technology. It is virtualization which allows for cloud providers to leverage a pool of resources for various customers and the ability to offer such scalability and on-demand self-service.

Answer 294

A

B. OWASP

Explanation:
Popular SIEM products include Splunk, LogRhythm, and ArcSight. OWASP stands for the Open Web Application Security Project, and it is not a SIEM product.

Answer 295

A

D. Fault tolerance does not provide any support against software failures.

Explanation:
The majority of system availability issues are software related rather than hardware related. Unfortunately, fault tolerance is solely used to help with hardware failures and doesn’t do anything to mitigate software failures. This is a major disadvantage to using fault tolerance.

Answer 296

A

B. Cost

Explanation:
Modern applications rely on sophisticated systems comprised of a variety of components and technologies, and may be located throughout the world. Cloud computing has exacerbated these complexities, as users increasingly rely on consumable services rather than owned and maintained equipment. The distributed IT model has made creating and scaling considerably more affordable and simple than ever before.

However, that being said, common challenges caused by the distributed IT model include communications, coordination of activities, and governance.

Answer 297

A

B. Relocation of data

Explanation:
Segment dispersion can create complications in cloud environments. If data is distributed to regions with varying legal and regulatory requirements, the organization may become subject to unforeseen laws and regulations.

All other options are cloud data concepts.

Answer 298

A

B. Location

Explanation:
Location is the major and primary concern when building a data center. It’s important to understand the jurisdiction where the data center will be located. This means understanding the local laws and regulations under that jurisdiction. Additionally, the physical location of the data center will also drive requirements for protecting data during threats such as natural disasters.

Answer 299

A

C. Network segmentation

Explanation:
Network segmentation is the process of separating different parts of the network and/or restricting access to certain areas of the network. Network segmentation can be done using physical separation methods or software/virtual separation methods.

Answer 300

A

B. Budgetary restraints

Explanation:
As with any new system or plan being implemented, it’s important to assess the risks of the changes. Budgetary restraints are not a main risk when developing a BCDR plan. The main risks associated with developing a BCDR plan include the load capacity at the BCDR site, migration of services, and legal or contractual issues.

Answer 301

A

B. DLP

Explanation:
Data is at a greater risk during the share phase of the lifecycle because it is leaving the system in which it is created on or for. To help mitigate some of that risk, DLP (Data Loss Prevention) technologies can be implemented to prevent modification.

Answer 302

A

C. An IDS can only detect intrusions, while an IPS can prevent intrusions

Explanation: 
An IDS (intrusion detection system) detects malicious traffic and potential intrusions. It can alert about the possible intrusion, but it isn't able to prevent the intrusion. An IPS (intrusion prevention system) is able to both detect and prevent the intrusion by blocking the malicious traffic in real time.

Answer 303

A

A.Recover

Explanation:
During the recovery and eradication phases of an incident response, new countermeasures are implemented. You must restore regular operation to your organization’s impacted systems.

All other options are phases of incident response.

Answer 304

A

A. To collect logs and store them in a centralized location

Explanation:
SIEM (security information and event management) systems are used to collect logs and store them in a centralized location. Having logs in one centralized location can make it easier to troubleshoot events as they occur. In addition, having the logs in a centralized location and not just on the device they originate from can prevent the risk of log manipulation.

Answer 305

A

D. Design

Explanation:
While the requirements for risk mitigation and minimization may be determined during the requirement gathering and feasibility stage of the software development lifecycle (SDLC), they are not integrated with the programming designs until the design phase of the SDLC.

Answer 306

A

B. Injection

Explanation:
An injection attack occurs when an attacker sends (injects) malicious code or commands to an application’s input or data fields. The goal of the attacker is to get the application to execute the code as part of its normal processing. The best way to prevent injection attacks is by ensuring that all data and input fields include proper input validation.

Answer 307

A

B. Social engineering

Explanation:
The Open Web Application Security Project (OWASP) Top 10 is a regularly updated report of the current top 10 vulnerabilities that affect web applications. The current top 10 include:

    Injection
    Broken authentication
    Sensitive data exposure
    XML external entities
    Broken access control
    Security misconfigurations
    Cross-site scripting
    Insecure deserialization
    Using components with known vulnerabilities
    Insufficient logging and monitoring

Answer 308

A

C. TLS

Explanation:
Transport layer security (TLS) has replaced Secure Socket Layer (SSL) as the preferred encryption method for traffic across a network. TLS has two layers: TLS handshake protocol and TLS record protocol. TLS is used to secure everything from web traffic to email.

Answer 309

A

D. SLE x ARO = ALE

Explanation:
In order to find the annual loss expectancy, you must first know the single loss expectancy and the annual rate of occurrence. In order to determine the annual loss of expectancy, multiply the single loss expectancy value by the annual rate of occurrence.

Answer 310

A

B. Role-based access controls

Explanation:
Both the management plane and virtualized infrastructure are high priority targets for attackers. It’s very important to implement role-based access controls so that only those individuals who truly need access to these will have it. If too many people have access to the management plane without needing it, there is more of a chance it will become compromised.

Answer 311

A

B. Archive

Explanation:
The data retention policy will have an effect on the data lifecycle’s archive phase.

The remaining options correspond to stages of the cloud data lifecycle that are unaffected by the data retention policy.

Answer 312

A

D. SOC-2 Type-2

Explanation:
A SOC-2 Type-2 attestation report is the most desirable attestation report to receive from vendors providing cloud services. A SOC for Service Organizations: Trust Services Criteria (SOC-2) provides information about the control objectives relating to security, availability, processing, integrity, confidentiality, and/or privacy. The scope of the Type-2 report is limited to a specified time period and includes information about the controls’ presentation, system and design suitability, and operational efficacy in achieving the related control objective. The scope of a Type 1 report is determined by a single precise date, rather than an extended time period, as with a Type 2 report.

The other options are acceptable attestation reports. However, the SOC-2 Type-2 is the most preferred and may require an NDA.

Answer 313

A

B. Input and involvement from the cloud provider

Explanation:
Because the border routers in a cloud environment are used by more than just one cloud customer, any packet capture done on the border routers will require the involvement of the cloud provider. This is true for all cloud types such as IaaS, PaaS, and SaaS.

Answer 314

A

A. Government agency

Explanation:
Your organization is a government agency. Government agencies are affected by the Federal Information Security Management Act (FISMA). The law defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. It requires that government agencies conduct vulnerability scans.

None of the other organizations are affected by FISMA.

Answer 315

A

A. Regulatory requirements

Explanation:
While there are many factors that come into play when setting encryption levels and retention timelines, the most important will be whether there are regulatory requirements that must be adhered to. The regulatory requirements will likely set the minimum encryption levels and retention timelines.

Answer 316

A

D. Account sharing

Explanation:
Account sharing is never permitted. Each user on a network should have their own account. Having shared accounts reduces accountability for those using the account and makes it harder to audit who access which devices and when.

Answer 317

A

B. Archive

Explanation:
Step 5 of the cloud secure data life cycle is archive. At this step, the data is taken from a location of active access and moved to a static repository. Here, the data can be preserved for a long period of time in case it is needed in the future.

Answer 318

A

A. Virtualization

Explanation:
Virtualization is the key driver and base technology used in cloud computing. Without virtualization, cloud computing is not possible.

Multitenancy, resource pooling, and rapid elasticity are all features of cloud computing; they are not the key aspects that make cloud computing possible.

Answer 319

A

A. IDCA

Explanation: 
The IDCA (International Data Center Authority) is responsible for developing the Infinity Paradigm, which is a framework intended to be used for operations and data center design. The Infinity Paradigm covers aspects of data center design, which include location, security, connectivity, and much more.

Answer 320

A

C. HTTP

Explanation:
The simple object access protocol (SOAP) is used to exchange information between web services. SOAP works by encapsulating its data in a SOAP envelope, then uses common communication protocols to transmit the data. SOAP most commonly leverages HTTP as its communication protocol, but other protocols may also be used.

Answer 321

A

D. Requirements

Explanation:
Threat modeling should be performed early in the requirements phase of the SSDLC. The steps are as follows:

    Define security requirements.
    Create an application overview.
    Identify threats.
    Mitigate threats.
    Validate threat mitigation.

Answer 322

A

B. Gap analysis

Explanation:
The current and future IT resource requirements of a business are diverse. To move forward, you must close the gap between where you are now and where you want to be. You can identify all areas in which gaps exist by means of a gap analysis.

A feasibility study’s output will include data that can be used to conduct a gap analysis. You can supplement that report with additional information to generate your own data for identifying and tracking progress toward closing the gap. Risk and vulnerability assessments are incorrect.

Answer 323

A

A. VLAN

Explanation:
VLANs (virtual local area networks) can be used to segment the network without needing to use physical segmentation methods. Because VLANs are not dependent on physical network devices, they can be used across multiple datacenters without concern for geographical location.

Answer 324

A

D. Insecure deserialization

Explanation:
Insecure deserialization is listed as on the OWASP Top 10, but it is not one of the CSA’s Treacherous Twelve. The twelve included are:

    Data breaches
    Insufficient identity, credentials, and access management
    Insecure interfaces and APIs
    System vulnerabilities
    Account hijacking
    Malicious insiders
    Advanced persistent threats
    Data loss
    Insufficient due diligence
    Abuse and nefarious use of cloud services
    Denial of service
    Shared technology issues

Answer 325

A

A. Reversibility

Explanation:
Reversibility refers to the process by which customers can retrieve their data and applications and providers can remove data after an agreed-upon period. Reversibility would be critical if a customer switched cloud providers.

Auditiability, resiliency and interoperability are other shared cloud considerations.

Answer 326

A

B. Honeypot

Explanation:
A honeypot is a system used to trick attackers into thinking it is an actual production system. The honeypot is kept separated and isolated from all other systems on the network. When an attack gains access to a honeypot, it allows administrators to monitor the behavior of the attack and see what they are trying to accomplish on the network.

Answer 327

A

A. Cloud deployment model

Explanation:
A cloud deployment model is the way in which a cloud environment is delivered. The four cloud deployment models are public, private, hybrid, and community.

Answer 328

A

D. IaaS does not provide much scalability

Explanation:
One pro of IaaS is that, since the cloud customer doesn’t have to manage the physical hardware, it offers excellent scalability.

Answer 329

A

A. Containers

Explanation:
Containers are a type of virtualized storage that does not present significant compliance concerns on its own.

For regulated customers, data location and multitenancy are frequently the primary compliance concerns. GDPR and other privacy requirements place a premium on data custodianship.

Answer 330

A

B. DNSSEC

Explanation:
DNSSEC (domain name system security) is a protocol that works as a security addition to the standard DNS (domain name system) protocol. DNSSEC works by ensuring all FQDN (fully qualified domain name) responses are validated.

Answer 331

A

D. Snapshot

Explanation:
CSPs and virtualization technologies offer snapshots as a form of backup. A snapshot will capture all the data on a drive at a point in time and freeze it. The snapshot can be used for a number of reasons including: rolling back or restoring a virtual machine to its snapshot state, creating a new virtual machine from the snapshot which serves as an exact replica of the original server and, lastly, copying the snapshot to object storage for eventual recovery.

The other options are incorrect.

Answer 332

A

B. Perform a clean install of the OS

Explanation:
The first step in creating a baseline image is to perform a clean install of the operating system. This ensures that changes from other images won’t be applied to the new image. Once the image is installed, then the other tasks can be performed.

Answer 333

A

C. Deletion

Explanation:The typical attributes of information rights management (IRM) implementations include auditing, expiration, policy control, protection, and support for applications and formats.

Deletion is not a typical attribute of an IRM implementation.

Answer 334

A

C. Security professionals

Explanation:
It is the security professionals’ responsibility to protect their organizations from the threats to cloud computing and mitigate the risks where feasible.

Answer 335

A

B. Cloud Service Provider (CSP)

Explanation:
A company or other entity offering cloud services is known as a cloud service provider (CSP).

Answer 336

A

C. Unauthorized access to data

Explanation:
Individuals who gain unauthorized access to data are the most common and well understood threat to storage. The unauthorized access can be from an outside attacker, a malicious insider, or a user who may not be malicious but still has access to something they shouldn’t.

Answer 337

A

C. Create

Explanation:
Data should be classified during the create phase of the data lifecycle. This is the best time to classify data because its value and sensitivity are known by the creator.

Answer 338

A

C. Cloud Service Customer (CSC)

Explanation:
In a shared responsibility continuum, the customer takes the larger security role in an IaaS model and the smaller security role in a SaaS model. The cloud service customer would take a balanced role in the PaaS model.

Answer 339

A

D. ISO/IEC 27018

Explanation:
ISO/IEC 27018 is a standard privacy requirement for cloud service providers to adhere to. It is focused on five key principals: communication, consent, control, transparency, and independent and yearly audits.

All other options are other standard privacy requirements.

Answer 340

A

B. Jurisdiction

Explanation:
When determining a location for a cloud data center, jurisdiction is a major concern. There will most likely be jurisdictional requirements, which could affect the design of the data center. It’s vital to note the laws and regulations for the jurisdiction, as well.

Encryption, storage, and the management plane are not physical aspects of a cloud data center.

Answer 341

A

B. RTO

Explanation:
RTO refers to the recovery time objective. This is not used in a quantitative assessment. ALE (annual loss expectancy), SLE (single loss expectancy), and ARO (annual rate of occurrence) make up the basis for a quantitative assessment.

Answer 342

A

D. Requirement gathering and feasibility, analysis, design, development/coding, testing, maintenance

Explanation:
The software development lifecycle (SDLC) is a process/framework for development and coding. The SDLC is made up of six phases to be carried out in the following order:

    Requirement gathering and feasibility
    Analysis
    Design
    Development/coding
    Testing
    Maintenance

Answer 343

A

D. SLA

Explanation:
Levels of communication service from the CSP should be defined and agreed upon by both parties. This is why it is vital for customers to be accountable for setting SLA terms. SLAs may be adjusted to provide further flexibility, albeit at a significant expense.

All other options are various documents that are not applicable to communications.

Answer 344

A

A. Framework for how to develop, alter, and maintain software

Explanation:
SDLC stands for the software development lifecycle. It is a framework for how to develop, alter, and maintain software. The framework outlines the software development process from beginning (requirement gathering and feasibility) to end (maintenance).

Answer 345

A

C. The cloud service customer retains ultimate responsibility for the data’s security, regardless of whether cloud or non-cloud services are employed.

Explanation:
Regardless of whether cloud or non-cloud services are utilized, the data owner (the cloud service customer (CSC)) is ultimately responsible for the data’s security. Cloud security encompasses more than data protection; it also encompasses applications and infrastructure.

Answer 346

A

A.Electric utilities

Explanation:
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) is a not-for-profit organization that collaborates with industry stakeholders to set standards for the operations and monitoring of the power system and its enforcement.

All other options are types of organizations.

Answer 347

A

A. HIPAA

Explanation:
HIPAA (The Health Insurance Portability and Accountability Act) is an industry specific regulatory requirement for U.S. health care organizations.

Answer 348

A

B. Cloud Controls Matrix

Explanation:
The Cloud Controls Matrix (CCM) outlines a detailed approach for handling controls in a cloud environment. The Cloud Controls Matrix was developed and published by the Cloud Security Alliance.

Answer 349

A

C. Shares

Explanation:
In the event that there are not enough resources to serve all hosts, cloud providers must prioritize and weigh which systems will receive the limited resources available. This concept is known as shares.

Reservations refer to the minimum amount of resources that each cloud customer will receive, and limits refer to the maximum that they will receive.

Answer 350

A

D. Cryptographic erasing

Explanation:
Cryptographic erasing is a method of data sanitation. Cryptographic erasing is performed using encryption and the destruction of the encryption keys as a method of data destruction.

Answer 351

A

D. DREAD

Explanation:
DREAD is a model that was conceptualized by Microsoft and recommended by OWASP. DREAD focuses on coming up with a quantitative value for assessing risk.

SDLC, REST, and TOGAF are not threat models.

Answer 352

A

D. Quality Assurance

Explanation:
Quality assurance (QA) is centered on service delivery of the application service built in the modern DevOps / DevSecOps process, and it occurs at all phases to assure continuous improvement and quality tracking. When more functional and requirements testing is done, QA is most effective. Testing may be automated to make it even more efficient.

Answer 353

A

C. ITIL

Explanation:
Uptime Institute, National Fire Protection Association (NFPA), and International Data Center Authority (IDCA) are all institutions which create standards used to govern the design and building of data centers.

ITIL (formerly an acronym for Information Technology Infrastructure Library), provides detailed practices for IT service management. These practices focus on aligning IT services with the needs of business instead of creating data center design and building standards.

Answer 354

A

D. Orchestration

Explanation:
Orchestration is the term used to describe the large use of automation a cloud environment. The automation is used for tasks such as provisions, scaling, allocating resources, and much more. Orchestration must be used in a way that it doesn’t violate a cloud customer’s SLA requirements.

Answer 355

A

B.Data sanitation

Explanation:
There are many types of data sanitation but not all of them are applicable to cloud environments. For example, physical methods of data destruction, such as incineration, are not available in cloud environments. Cryptographic erasure and overwriting are two examples of data sanitation for cloud environments.

Answer 356

A

B. Private cloud

Explanation:
A private cloud is owned, managed, and controlled by a single organization. Unlike a public cloud, hybrid cloud, or community cloud, there is no chance that resources will be shared with another organization on a private cloud.

Answer 357

A

A. 10

Explanation:
The Generally Accepted Privacy Principles (GAPP) is a standard that consists of the 10 key principles listed below. In addition, GAPP is also made up of over 70 privacy objectives and associated methods for measuring and evaluating criteria.

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third parties
    Security for privacy
    Quality
    Monitoring and enforcement

Answer 358

A

A. Security

Explanation:
The Trust Service Criteria is made up of 5 key principles: Availability, Confidentiality, Process integrity, Privacy, and Security. Security is always required as part of a SOC 2 audit. The other four principles are optional.

The security principle is made up of seven categories: Change management, Communications, Logical and physical access controls, Monitoring of controls, Organization and management, Risk management, and Design and implementation controls.

Answer 359

A

B. Transparency

Explanation:
GAPP was developed by the American Institute of Certified Public Accountants and the Canadian Institute for Chartered Accountants. It includes ten key privacy principles as listed below:

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third parties
    Security for privacy
    Quality
    Monitoring and enforcement

Answer 360

A

C. Data de-identification

Explanation:
The three types of data discovery include metadata, labels, and content analysis. Data de-identification refers to processes such as masking, obfuscation, and anonymization of data and not to a method of data discovery.

Answer 361

A

B. Immutable architecture

Explanation:
Due to the immutability of cloud infrastructure, it is feasible to easily decommission all virtual infrastructure components utilized by an older version of software and deploy a new virtual infrastructure in cloud settings. Immutable infrastructure is a solution to the problem of systems deviating from baseline settings over time.

Answer 362

A

A. Cloud service customer

Explanation:
The consumer will always be responsible for configuring resiliency functions such as automated data replication, failover between CSP availability zones, and network load balancing.

The CSP’s response is to preserve the capabilities that provide these solutions, but the consumer must construct their cloud system to suit their own resiliency requirements.

All other options are roles that support cloud services.

Answer 363

A

D. RAM and CPU

Explanation:
Computing and processing capabilities are defined as memory (RAM) and the CPU of the system and environment. This is the same in both cloud environments and traditional datacenters, however, the management of these items are different depending on whether it’s a cloud environment or a traditional datacenter.

Answer 364

A

B. IoT

Explanation:
The Internet of Things (IoT) refers to the ability of non-traditional computing devices (such as lamps, thermostats, and other smart devices) to access the Internet.

Answer 365

A

B. Building

Explanation:
Organizations that are able to build their own data centers will have the most input into everything from physical security to all other aspects of the setup. However, buying or leasing space in an already built data center is a much quicker and easier option for many organizations.

Answer 366

A

B. Create, store, use, share, archive, destroy

Explanation:
The phases of the cloud data lifecycle are as follows:

Create: Any time data is considered new (this can be brand new data, data migrated from another system, or existing data which is modified), it is in the create phase.
Store: Data is stored immediately after it is created. Storing methods include files residing on a file server, remote object storage, and data written to a database.
Use: When data is consumed or processed by an application or user, it is in the use phase.
Share: When data is made available for use outside of the system it was created in, this is known as the share phase.
Archive: The final stage is archive, in which data is moved to long-term storage and no longer considered active.
Destroy: As the name suggests, the destroy phase is where data is removed completely. In cloud environments, this is done using methods such as overwriting and cryptographic erasure.

Answer 367

A

D. VMware

Explanation:
VUM (virtual update manager) was developed by VMware. It is used to update both the vSphere hosts and the virtual machines which are running under them.

Answer 368

A

C. Vulnerability scanning

Explanation:
Vulnerability scanning is often run by organizations against their own systems. It uses known attacks and methodologies to ensure that systems are hardened against known vulnerabilities and threats.

Runtime application self-protection (RASP) is a security mechanism that is allows an application to protect itself by responding and reacting to ongoing events and threats. Penetration tests are typically done by a third-party. During a penetration test, the tester will try to break into systems using the same techniques that an actual attacker would use. Static application security testing (SAST) is a test in which the tester has special knowledge of and access to the source code to manually review it for vulnerabilities and weaknesses.

Answer 369

A

A. Unstructured data

Explanation:
Unstructured data is all data that doesn’t fall into the structured data category. This means that the data doesn’t conform to a defined data structure or format. Unstructured data can be binary data or text, and it can be entered via human input or machine generated.

Answer 370

A

C. Labeling

Explanation:
Labeling is the process of adding “labels” to data elements. These labels are more informal than metadata and, in order for them to work, they must be configured with consistency throughout the entire organization. Labels are used to group data elements together and provide information about them.

Answer 371

A

D. Reinforced walls

Explanation:
Reinforced walls may help to mitigate the risk of certain types of natural disasters.

Encryption, multitenancy, and rapid elasticity will not help in the event of a natural disaster.

Answer 372

A

A. Cross-site scripting

Explanation:
Cross-site scripting is a type of injection attack in which a malicious actor can send data to a user’s browser without going through proper validation. This is listed on the OWASP Top 10, which is an up to date report of the most critical risks and vulnerabilities that affect web applications.

Insecure interfaces and APIs, malicious insiders, and advanced persistent threats are not listed on the OWASP Top 10; however, they are listed on the Cloud Security Alliance’s Treacherous Twelve, a list similar to the OWASP Top 10 that covers risks and vulnerabilities specifically associated with cloud-based applications and systems.

Answer 373

A

D. Change management

Explanation:
The change management process, one of the most well-known components of IT operations, includes all of the processes and procedures needed to make configuration changes to IT systems or to implement any new IT systems into the environment.

Answer 374

A

D. Thousands

Explanation:
A traditional data center will likely house thousands of computers for a large enterprise corporation. This means that they will have incredible cooling and utility requirements. On the other hand, a major cloud environment may house hundreds of thousands of servers across many physical locations with their own cooling and utility requirements. In the cloud environment, however, the concern for these requirements is moved away from the cloud customer to the cloud provider.

Answer 375

A

A. A reservation

Explanation:
A minimum resource that is granted to a cloud customer within a cloud environment is known as a reservation. With a reservation, the cloud customer should always have, at the minimum, the amount of resources needed to power and operate any of their services. On the flip side, limits are the opposite of reservations. A limit is the maximum utilization of memory or processing allowed for a cloud customer.

Answer 376

A

D. Testing

Explanation:
During the testing phase of the SLDC, the completed code is reviewed for problems. It’s checked to ensure that it is functioning and operating as expected. This includes having quality assurance check the software for defects and bugs. During testing, the code is also checked using security scans to ensure that it is secure.

Answer 377

A

D. SaaS

Explanation:
Software as a Service (SaaS) is a type of cloud service in which the cloud provider maintains and manages everything on the back-end (including the infrastructure, platform, and server OS), and the cloud customer can simply access the software without needing to do any maintenance on it.

Answer 378

A

D. Canadian Institute for Chartered Accountants

Explanation:
The Generally Accepted Privacy Principles (GAPP) standard was developed by the American Institute of Certified Public Accountants and the Canadian Institute for Chartered Accountants. The standard includes ten key privacy principles to manage and prevent threats to privacy.

Answer 379

A

A. DAM

Explanation:
It is possible to detect malicious commands being executed on your organization’s database and to prevent them from being executed with the help of a database activity monitor (DAM). In addition, suspicious activity is monitored, and alerts are sent out when anomalies are discovered.

Answer 380

A

D. Parallel test

Explanation:
A parallel test is a type of test for business continuity and disaster recovery (BCDR) plans in which the recovery site is brought online to a state of operational readiness, but operations at the primary site are also maintained and active.

Answer 381

A

D. Archive

Explanation:
The data archiving policy will have an effect on the cloud data lifecycle’s archive phase.

The remaining options correspond to phases of the data lifecycle that are unaffected by the data archive policy.

Answer 382

A

A. Malicious insider

Explanation:
A malicious insider is an individual who has been granted appropriate access to complete their job, but then uses that access for unauthorized uses.

Answer 383

A

B. 4

Explanation:
The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. The standard is based on four tiers, which include:

Tier I: Basic Capacity
Tier II: Redundant Capacity Components
Tier III: Concurrently Maintainable
Tier IV: Fault Tolerance

Answer 384

A

A. Operational impact

Explanation:
Typically, collecting forensic evidence in the cloud has no operational impact.

When it comes to collecting forensic evidence, data ownership, multitenancy, and jurisdiction are key considerations for both cloud providers and cloud clients

Answer 385

A

A. SQL injection

Explanation:
An SQL injection attack occurs when an attacker sends malicious SQL statements to the application via data input fields. In order to prevent these types of attacks, developers can use techniques such as whitelist input validation, using prepared statements, and escaping all user supplied input.

Answer 386

A

A. XML external entities

Explanation:
During development, it’s not uncommon for developers to leave comments or notes in their code. While this is not inherently an issue, it can become an issue when the comments and notes are not removed before the code is published. An XML external entity occurs when a developer leaves references to items such as the directory structure of the application, configuration about the hosting system, or any other information about the inner workings of the application itself, in the code. This information can be used by an attacker, if found, to gain unauthorized access to the application.

Answer 387

A

A. Responsibility is shared between the cloud customer and the cloud provider

Explanation:
In a Platform as a Service (PaaS) model, platform security is a responsibility that is shared between both the cloud provider and the cloud customer.

In an SaaS model, platform security is solely the responsibility of the cloud provider and in an IaaS model, platform security is solely the responsibility of the cloud customer.

Answer 388

A

C. Cloud service operations manager

Explanation:
A cloud service operations manager is a role within a cloud service provider. The cloud service operations manager will provide audit data when requested or required, manage inventory and assets, prepare systems for the cloud, and also manage and maintain services.

Answer 389

A

D. Data at rest

Explanation:
Data at rest (DAR) refers to data that is in an idle state. This means that the data isn’t currently being moved between systems and it’s not currently being used by an application. The best way to protect data at rest is by using file level and storage level encryption methods. The encryption methods will vary depending on how the data is stored.

Answer 390

A

A. NIDS

Explanation:
A network intrusion detection system (NIDS) analyzes all of the traffic on the network and detects possible intrusions. It can send an alert out to administrators to investigate.

A host intrusion detection system (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions. An intrusion prevention system (IPS) works in the same manner as a NIDS, but it also has the capability to prevent attacks rather than just detect them. A honeypot is an isolated system used to trick an attacker into believing that it is a production system.

Answer 391

A

D. XML external entities

Explanation:
XML external entities refer to references, such as the application directory structure or the configuration of the hosting system, that should be removed from the code, but are left in by accident. These items can provide information to an attacker that may allow them to circumvent authentication measures to gain access.

Answer 392

A

C. It is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment.

Explanation:
Many believe that moving from a traditional data center model to a cloud environment is a completely simple, easy, and seamless process. This is not the case in most situations. In fact, it is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment without requiring any code changes.

Many data centers use legacy systems that are not programmed to work in a rapidly changing cloud environment. In most cases, controls and configurations that have been in place at a traditional data center will need to be reworked and reengineered to function in a cloud environment.

Answer 393

A

B. After replacing a hard drive, a user smashed the old hard drive with a hammer so that data couldn’t be recovered from it

Explanation:
Data sanitation means that data is removed (or sanitized) from old equipment or an old environment. In this scenario, destroying a hard drive prevents the data from being recovered; therefore, this data has been sanitized. In a cloud environment, sanitizing data becomes more difficult, since methods such as destruction, shredding, and incineration are not options in the cloud.

Answer 394

A

D. Documentation

Explanation:
Monitoring your security controls should begin with documentation that details the purpose and implementation of each control. Additionally, you should have process documentation on how to monitor each security control.

A vulnerability assessment is an effective method of determining the efficiency of your controls indirectly, while SIEM tools and a Security Operations Center are critical components of security monitoring.

Answer 395

A

D. Reporting

Explanation:
Security and information event management (SIEM) systems provide a great number of functions, including reporting, compliance, dashboards, alerting, aggregation, and correlation. Despite all of these functions, SIEMs are not able to block malware, encrypt data, or backup data.

Answer 396

A

A. Availability

Explanation:
Resource pooling allows a cloud customer to quickly scale resources up or down as needed. The CSP ensures that resources are available when the cloud customer needs them. Resource pooling occurs when a cloud service provider groups its resources for shared use between multiple cloud customers. This also allows the CSP to scale resources up and down on a per-customer basis.

All other options are security principles.

Answer 397

A

B. Password and fingerprint scan

Explanation:
In multi-factor authentication (MFA), users must have two separate and unique factor types. MFA factors include something you know (password, pin, passphrase), something you have (key card, smart card), and something you are (biometrics). Of the options given, the password and fingerprint scan combination is the only option which includes two unique types of factors.

Answer 398

A

D. Approved Application Programming Interface

Explanation:
An approved API is critical for ensuring the security of system components we are interacting with. Enforcing the usage of APIs to reduce the number of ways for accessing application services simplifies their monitoring and protection.

Answer 399

A

C. Qualitative assessment

Explanation:
There are two main assessment types that can be done for assessing risk: qualitative assessments and quantitative assessments. While quantitative assessments are data driven, focusing on items such as single loss expectancy, annual rate of occurrences, and annual loss expectancy, qualitative assessments are descriptive in nature and not data driven.

Answer 400

A

D. Something the user is

Explanation:
In multi-factor authentication (MFA), users are required to use two or more types of authentication components. Authentication types include something the user knows (pin, passwords), something the user has (RSA token, key card), or something the user is (retina scan, fingerprint scan). Other less common authentication types include somewhere the user is (location-based) and something the user does (behavioral).

Answer 401

A

C. Single sign-on

Explanation:
Through the usage of single sign-on (SSO), an organization’s users can authenticate once and share their identity attributes across numerous cloud services. This enables users to submit their credentials only once, rather than each time an application is accessed. Configuration of single sign-on occurs at two levels: the identity provider and the application. Applications are configured to have a high level of trust in identity providers. A successful authentication results in the issuance of a digital security token signed with the identity provider’s private key. This means that the application does not receive the user’s actual credentials. Instead, apps will use the public key of the identity provider to authenticate the digitally signed token.

Answer 402

A

A. Political borders

Explanation:
When it comes to evaluating cloud providers’ services, customers are not constrained by political borders. The opportunity to expand into new locations introduces a new set of risks for organizations. Having data stored in many foreign jurisdictions creates legal and regulatory challenges. Customers of cloud computing are impacted by a variety of legal requirements, varying legal systems and frameworks between countries, and the complexities of conflicting law.

Answer 403

A

A. Hypervisor

Explanation:
In an IaaS environment, the cloud customer will likely have access to logs from the operating system, the virtual devices, and the applications that they are using. However, it’s unlikely that the cloud customer will have access to any logs from the hypervisor itself. If the cloud customer wanted logs from the hypervisor, they would need to work with the cloud provider and have something written into their contract. Even though the cloud customer has access to the logs from the operating systems, virtual servers and devices, and the applications, they will still likely need some method to aggregate all of these logs.

Answer 404

A

B. Two layers

Explanation:
Database storage systems are generally encrypted with two layers of encryption. First, the files on the database can be protected through a file system level encryption. Second, encryption can be used within the application itself.

Answer 405

A

A. Infrastructure as Code (IaC)

Explanation:
The use of Infrastructure as Code, in which the system architecture is defined in a definition file that the CSP uses to spin up a virtual infrastructure. The definition files are frequently used to establish virtual infrastructure in PaaS setups.

All other options are incorrect.

Answer 406

A

B. SOC 1 Type 1

Explanation:
A SOC 1 Type 1 report is focused on the effectiveness of controls during a set point in time. A SOC 1 Type 2 report is focused on the effectiveness of controls over a period of at least six months rather than a finite period in time.

SOC 1 Type 3 and 4 do not exist.

Answer 407

A

C. Insufficient due diligence

Explanation:
When a security team or organization doesn’t perform proper due diligence (such as performing risk assessments and ensuring that the new cloud provider has the proper security procedures in place) it creates threats and problems that could have been addressed before moving to the new environment. Through active due diligence, such as training and maintaining proper procedures, many common threats and risks can be avoided.

Answer 408

A

D. SOC 3

Explanation:
SOC 3 reports are meant to be consumed and reviewed by the general public. SOC 3 allows for a much wider audience than the other reports listed. SOC 3 reports are meant to be consumed by a large audience to instill confidence that the organization’s systems are secure.

Answer 409

A

D. Unstructured data

Explanation:
Unstructured data is a data type that can’t be easily used (or used at all) in a structured, rigid, or formatted database.

Answer 410

A

C. Define objectives

Explanation:
Audit planning is made up of four main steps which occur in the following order:

Define objectives
Define scope
Conduct the audit
Lessons learned and analysis

Defining the objectives must be the first step of the audit plan because it will lay the groundwork for the rest of the plan.

Answer 411

A

B. Data is secure no matter where it is stored.

Explanation:
Persistent protection ensures that data is preserved or protected regardless of the location of the data, including reproduction of the data.

All other options are descriptions of functionalities provided by other features of data rights management solutions.

Answer 412

A

A. Confidentiality

Explanation:
Customers often select standalone hosts because they ensure that their data will not be commingled with other tenants. This is helpful for compliance purposes and also supports data confidentiality.

Standalone hosts are not well-known for ensuring data integrity and availability. However they do help support other technologies.

Answer 413

A

B. PHI

Explanation:
PHI (protected health information) is a subset of PII (personally identifiable information). PHI applies to any entity defined under the U.S. HIPAA (health information portability and accountability act) laws. Any information that can be tied to a unique individual as it related to their past, current, or future health status is considered PHI.

Answer 414

A

A. Undergo a SOC 2 audit

Explanation:
A SOC 2 (Service Organization Control 2) audit reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy. A cloud provider may choose to have a SOC 2 audit done and make the report available to the public. This allows for potential customers to have a sense of confidence that the environment is secure without needing to do an audit of their own.

Answer 415

A

A. GDPR

Explanation:
The General Data Protection Regulation (GDPR) was officially implemented by the European Union (EU) on May 25, 2018. GDPR is a massive undertaking to give users full control over their personal data and how it is used.

Answer 416

A

C. Restriction

Explanation:
The Generally Accepted Privacy Principles (GAPP) includes 10 key privacy principles and over 70 privacy objectives and methods for measuring and evaluating criteria. The 10 key privacy principles are listed below:

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third parties
    Security for privacy
    Quality
    Monitoring and enforcement

Answer 417

A

A. Availability

Explanation:
A host cluster is a pool of hosts connected together to operate as a single host. The cluster helps protect against failures of a single machine, through redundancy. This provides availability assurance.

A clustered host is not well known for ensuring data integrity and confidentiality. However, they do help support other technologies.

Answer 418

A

B. Community cloud

Explanation:
A community cloud is a type of cloud that exists between public and private clouds. The community cloud was designed to meet the requirements of multiple organizations operating in the same industry. Universities frequently form research consortiums, which can be supported by a community cloud.

Answer 419

A

D. Virtualization

Explanation:
The cloud service provider (CSP) is always responsible for managing the virtualized environment. Virtualization enables server sharing, and the CSP allocates resources to a diverse set of services and clients. While the consumer is always responsible for their data, the operating system, networking, and storage responsibilities change according to the cloud service model.

Storage, networking, databases and orchestration are other cloud building block technologies.

Answer 420

A

D. Elasticity

Explanation:
Elasticity increases and decreases resources as needed, but unlike scalability, elasticity is done automatically. Elastic resources are based on the current needs and resources are added and removed dynamically to meet those needs from a variety of geographical locations.

Answer 421

A

D. BICSI

Explanation:
BICSI (Building Industry Consulting Service International) has been around since 1977. Of the all the standards that BICSI has developed, the ANSI/BICSI 002-2014 is the most prominent. This standard is “Data Center Design and Implementation Best Practices.” In this standard, items such as hot/cold aisle setups, power specifications, and energy efficiency are all covered.

Answer 422

A

A. BIA

Explanation:
A BIA (business impact analysis) can be done to identify the most important systems to an organization. The BIA can help to identify which services and systems need to be prioritized and which can endure a longer outage.

Answer 423

A

B. RDP

Explanation:
RDP (remote desktop protocol) is a proprietary technology, developed by Microsoft, that allows a user to connect to another remote computer over the network and utilize a GUI to control the remote computer. Microsoft has also created clients so that Linux and UNIX systems can utilize RDP to connect Microsoft systems.

Answer 424

A

C. Vendor lock-in

Explanation:
Cloud customers should avoid vendor-lock in. Vendor lock-in occurs when an organization is unable to easily move from one cloud provider to another without incurring extremely high costs. Vendor lock-in can occur when a specific cloud provider requires the cloud customers to purchase expensive proprietary systems.

Answer 425

A

A. United States

Explanation:
Of this list, the United States is the only locale that does not have a unified privacy law at the federal level. However, some states do have privacy laws, such as the California Consumer Privacy Act (CCPA).

All other options have national or regional data privacy regulations.

Answer 426

A

D. Dynamic

Explanation:
Obfuscation of data can be done statically or dynamically. The static technique creates a new data set as a copy of the original data and uses only the concealed copy. When the customer support agent accesses the data via the dynamic method, the data is masked as it is used.

All other options are incorrect.

Answer 427

A

C. Multiple cloud customers sharing the same computing resources of a cloud provider

Explanation:
Multitenancy refers to when multiple cloud customers share the same computing resources of the cloud provider. With multitenancy, it’s very important that the cloud provider has security measures put in place so that confidential data is not visible to the other organizations that share the same resources.

Answer 428

A

A. RASP

Explanation:
Runtime Application Self-Protection (RASP) is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats in real-time.

Dynamic application security testing (DAST) is a “black-box” type of security test, meaning that the tester is not given any special information about the systems they are testing. Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code. Vulnerability scanning is a test that is run on systems to ensure that the systems are properly hardened and there are not any known vulnerabilities in the system.

Answer 429

A

C. ARO and SLE

Explanation:
In order to find annual loss expectancy, you must first know the values for annual rate of occurrence (ARO) and single loss expectancy (SLE). The equation used to find annual loss expectancy (ALE) is SLE X ARO = ALE.

Answer 430

A

A. Repudiation

Explanation:
The STRIDE threat model has six threat categories, which include spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privileges. Logs being erased or wiped is a type of repudiation threat. Keeping accurate and comprehensive logs is vital to an organization, as it can prevent a user from denying that they made a change when they actually did.

Answer 431

A

B. Single sign-on

Explanation:
Single sign-on (SSO) allows an individual to authenticate once using a single set of authentication credentials and be given access to other independent systems. SSO is beneficial for many reasons, one being that it allows users to create one strong set of credentials that they will remember, rather than having them create many weaker passwords that they are likely to forget.

Answer 432

A

B. take the level of concern away from the cloud customer and place it onto the cloud provider.

Explanation:
While it may seem that a cloud infrastructure is completely different from that of a traditional data center, all the components that exist in a traditional data center are still needed in the cloud. The main difference is that within a cloud environment, the responsibility and level of concern is moved away from the cloud customer to the cloud provider.

Answer 433

A

D. Governance, risk, and compliance

Explanation:
Whichever deployment approach is adopted, the organization is ultimately responsible for governance, risk, and compliance.

All other options may be under the organization’s control depending on the cloud model used.

Answer 434

A

A. Testing

Explanation:
During the testing phase, security scans are run against the actual code and the completed application as it runs. This is also the phase in which the code is checked for syntax errors and problems. The output of the testing phase is a report which outlines the deficiencies and successes found during the testing phase.

Answer 435

A

B. Consent

Explanation:
The ISO/IEC 27018 is a standard which is focused on the security of cloud computing. The five key principles of ISO/IEC 27018 include communication, consent, control, transparency, and independent and yearly audits. Consent refers to cloud providers getting explicit permission from a cloud customer before they can use their data or information in any way.

Answer 436

A

A. TLS handshake protocol and TLS record protocol

Explanation:
TLS (transport layer security) replaced SSL (secure socket layer) as the standard method for encryption of traffic across a network. TLS is made up of two main layers. The first layer is the TLS handshake protocol. This protocol is what negotiates and establishes the actual TLS connection. The second layer is the TLS record protocol. The TLS record protocol is the actual secure communication method for transferring the data.

Answer 437

A

B. Compute parameters

Explanation:
The compute parameters and processing power of a cloud environment is made up by the number of CPUs and the amount of RAM in the system or environment. In a cloud environment, compute parameters can be more difficult to manage and plan due to resource pooling and multitenancy.

Answer 438

A

D. Backup methods

Explanation:
As soon as the data enters the store phase, it’s important to immediately employ the use of backup methods on top of security controls to prevent data loss.

Answer 439

A

C. Ephermeral

Explanation:
Temporary storage and data are stored in ephemeral storage solely for processing purposes. Ephemeral storage is not intended to provide long-term data storage. Ephemeral storage is similar to random access memory (RAM) and other non-permanent storage technologies.

All other options are different forms of storage that are utilized for different purposes.

Answer 440

A

A. Federation

Explanation:
Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity systems while keeping their autonomy.

Identification is the process of pinpointing either a system or individual in a way where they are distinctive from any other identify. Authorization is the process of granting access to resources. Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

Answer 441

A

A. Data steward

Explanation:
While the data owner maintains sole responsibility for the data and the controls surrounding that data, there is sometimes the additional role of data steward, who will oversee data access requests and the utilization of the data.

Answer 442

A

B. A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors.

Explanation:
A compromised hypervisor can have serious consequences. If an attacker can compromise a hypervisor, they will then have access to all the virtual machines that are hosted on that hypervisor. In addition, the attacker could use the hypervisor as a launching pad for additional attacks on other hypervisors, since each hypervisor plays a central role in the cloud environment.

Answer 443

A

A. Accept the risk

Explanation:
For some risks, the cost to mitigate the risk would outweigh the cost of accepting the risk and dealing with any potential fall out that would come if the risk was realized. In these scenarios, the organization will often simply accept the risk and deal with the exploit when or if it were to occur.

Answer 444

A

C. Problem management

Explanation:
The focus of problem management is to identify and analyze potential issues in an organization to determine the root cause of that issue. Problem management is responsible for implementing processes to prevent the issues from occurring in the future.

Answer 445

A

A. Dynamic optimization

Explanation:
Dynamic optimization is the process in which cloud environments are constantly monitored and maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn’t become overloaded.

Distributed resource scheduling is a method for providing high availability, workload distribution, and balancing of jobs in a cluster. When a host is in maintenance mode, no virtual machines can run under that physical host. High availability is the concept that systems experience little to no downtime.

Answer 446

A

C. SOX

Explanation:
The Sarbanes-Oxley Act (SOX) regulates how long financial records must be kept. SOX is enforced by the Securities and Exchange Commission (SEC). SOX was passed as a way to protect stakeholders and shareholders from improper practices and errors.

Answer 447

A

B. MDM

Explanation:
MDM (mobile device management) is the term used to describe the management and maintenance of mobile devices (such as tablets and mobile phones) that have access to corporate resources. Usually, MDM software will be installed on the devices so that the IT staff can manage the devices remotely in the case of a lost or stolen device.

Answer 448

A

C. Data lake

Explanation:
A data lake is an unstructured data storage mechanism with data often stored in files or blobs.

All other options are data storage mechanisms.

Answer 449

A

C. Define objectives, define scope, conduct the audit, lessons learned

Explanation:
There are four main steps in audit planning as listed below in the correct order:

Define objectives
Define scope
Conduct the audit
Lessons learned (and analysis)

Answer 450

A

A. Object storage

Explanation:
Object storage utilizes a flat system and assigns files and objects a key value (ID) that can be used to retrieve the files later. This differs from traditional storage, which uses a directory and tree structure.

Answer 451

A

C. Management plane

Explanation:
The management plane provides access to manage all the hosts within a cloud environment. If the management plane were to be compromised, the attacker would then have full control over the cloud environment. The severity of a compromised management plane outweighs that of a compromised hypervisor, virtual machine, or router. For this reason, only a limited and highly vetted group of administrators should have access to the management plane, and access should be audited regularly.

Answer 452

A

B. NIST

Explanation:
The National Institute of Standards and Technology (NIST) defines cloud computing in the Special Publication (SP) 800-145 as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Answer 453

A

C. Backups

Explanation:
The management plane can be used to allow administrators to quickly make changes across all of the hypervisors and hosted systems in an environment. If the management plane were to be compromised, it would give the attacker full control of all hypervisors and hosted systems in the environment. This means that protecting the management plane from attackers is of the utmost importance. In order to protect the management plane from attackers, special considerations should be made to ensure the use of secure communications, network separation, and access control.

Answer 454

A

B. Type 1 hypervisor

Explanation:
A type 1 hypervisor, also known as a bare-metal hypervisor, runs directly on the machine’s physical hardware, unlike type 2 hypervisors that are software-based. VMware ESXI is an example of a type 1 hypervisor.

Answer 455

A

B. Auditability

Explanation:
Auditability is the process of gathering and making available the evidence necessary to demonstrate the operation and use of the cloud. It is good to keep in mind that a CSP will rarely allow a customer to perform an audit on their controls. However, a CSP usually does supply third-party attestations under NDA.

All other options are shared cloud considerations.

Answer 456

A

B. VLAN

Explanation:
A VLAN (virtual local area network) is a network concept which allows for logical network segregation and isolation of systems. This is done by establishing virtual network segments with their own IP ranges and firewall settings that are separate from other segments of the network.

Answer 457

A

B. Authentication

Explanation:
Data masking does not provide any form of authentication.

All the others are good examples of data masking in action.

Answer 458

A

C. ISO/IEC 27050

Explanation:
The ISO/IEC 27050 standard provides guidelines for eDiscovery processes and best practices. ISO/IEC 27050 covers all steps of eDiscovery processes including identification, preservation, collection, processing, review, analysis, and the final production of the requested data archive.

Answer 459

A

C. IPsec can provide end-to-end encryption of all communications and traffic because it operates at the Internet level

Explanation:
The IPsec (IP Security) and TLS (Transport Layer Security) protocols are both protocols to encrypt traffic as it moves through a network. The main difference between the two (which causes IPsec to stand out), is that IPsec operates at the Internet network layer rather than the application layer (like TLS). Because IPsec operates at the network layer, it is able to provide complete end-to-end encryption of all communications and traffic.

Answer 460

A

B. A set of controls and practices put in place to ensure that data is only accessible to those authorized to access it

Explanation:
Data loss prevention refers to a set of controls and practices put in place to ensure that data is only accessible to those authorized to access it.

Tokenization is the practice of utilizing a random or opaque value to replace what would otherwise be sensitive data. Key management is the practice of safeguarding encryption keys. Data de-identification is the method of using masking, obfuscation, or anonymization to protect sensitive data.

Answer 461

A

C. Maintenance

Explanation:
The maintenance phase of the software development lifecycle is the final stage, and it will go on through the entire lifetime of the software or application. The maintenance phase includes pushing out continual updates, bug fixes, security patches, and anything else needed to keep the software running securely and operating as it should.

Answer 462

A

D. Impact and urgency

Explanation:
To ensure an incident is dealt with correctly, it is important to determine how critical it is and prioritize the response appropriately. Urgency and impact are assigned values from Low, Medium, or High, and incidents that are high priority are handled first.

Answer 463

A

A. Multitenancy

Explanation:
Cloud providers will often have numerous customers sharing the same environment. However, it falls to the cloud provider to ensure that all the data between these customers is not visible to the others and is isolated from one another.

Answer 464

A

D. The illicit or unauthorized copying of data is prohibited.

Explanation:
Replication restrictions ensure that no unauthorized or unlawful copying of protected data occurs.

All other options are descriptions of functionalities provided by other features of data rights management solutions.

Answer 465

A

D. Non-repudiation

Explanation:
The capacity to affirm the origin or authenticity of data with a high degree of assurance is referred to as non-repudiation. This is accomplished through the use of digital signatures and hashing to ensure that data has not been altered in any way.

This idea is complementary to chain of custody in terms of maintaining the legitimacy and integrity of data.

Answer 466

A

D. Volume

Explanation:
Used in IaaS cloud environments, volume storage involves a virtual hard drive which is attached to the virtual host. The host is able to access the virtual hard drive in the same way a computer accesses a traditional hard drive.

Answer 467

A

A. IaaS

Explanation:
IaaS (infrastructure as a service) is often also referred to as “data center as a service.” This is because the cloud provider is the one to provide and maintain all of the infrastructure devices. However, the cloud customer is responsible for the management of everything on the devices, from the storage to the operating systems to the applications installed.

Answer 468

A

A. Auditing

Explanation:
Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

Identification is the process of pinpointing either a system or individual in a way where they are distinctive from any other identify. Authorization is the process of granting access to resources. Federation is the process of implementing standard processes and technologies across various organizations so that they can join identity systems while maintaining their autonomy.

Answer 469

A

D. Firewall

Explanation:
The firewall is the main device that is used to manage the flow of traffic in and out of the network based on rules configured on the firewall. Firewalls can be virtual devices or physical devices.

Answer 470

A

D. Discretionary Access Control

Explanation:
The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database.

All other options are access control models.

Answer 471

A

D. All phases of the cloud data lifecycle.

Explanation:
Data destruction policies encompass all phases of the data lifecycle. This is because data destruction may occur at all phases of the cloud data lifecycle.

Answer 472

A

D. Restrict

Explanation:
ISO/IEC 27018 is an international standard for security and privacy in cloud computing. The five key principles of ISO/IEC 27018 are communication, consent, control, transparency, and independent and yearly audits.

Restrict is not one of the key principles.

Answer 473

A

A. PCI DSS

Explanation:
Due to the merchant’s involvement with debit or credit cards, they must conform to the Payment Card Industry Data Security Standard (PCI DSS) framework. PCI DSS compliance is a contractual requirement. This is true regardless of local rules and regulations regarding cardholder data. Much of the PCI DSS is comprised of generic suggestions regarding the most effective security controls to implement in order to limit risk.

All other options are compliance standards.

Answer 474

A

A. Reservations

Explanation:
Reservations refer to the minimum guaranteed amount of resources that a cloud customer will receive, regardless of the resources being used by other cloud customers. This guarantees that the cloud customer will always have, at the very least, the minimum amount of resources needed to power and operate their services. Because of ideas such as multitenancy, in which many cloud customers are utilizing the same pool of resources, reservations protect cloud customers in the event that a neighboring cloud customer experiences an attack which causes them to overuse resources, making them limited.

Answer 475

A

D. The Cloud Service Customer (CSC) is responsible for the maintenance and versioning of the apps they acquire and develop in a PaaS solution. The Cloud Service Provider (CSP) is responsible for the platform, tools, and underlying infrastructure.

Explanation:
In the PaaS cloud service model, the CSC is in charge of maintaining and versioning the apps they acquire and develop.

The CSP is responsible for the platform and tools supplied by the PaaS solution, as well as the underlying infrastructure. SaaS and IaaS are other cloud service models.

Answer 476

A

C. DLP

Explanation:
DLP stands for data loss prevention or data leakage prevention. As the name suggests, DLP is a set of controls that is used to ensure that data is only accessible to those who should have access to it. DLP control sets, practices, and measures will vary from organization to organization.

Answer 477

A

C. Encryption

Explanation:
In order to secure data in a multitenancy and resource pooling cloud environment, encryption is required. There are different types of encryption for data at rest, data in use, and data in transit.

Answer 478

A

A. Discretionary Access Control

Explanation:
The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database.

All other options are access control models.

Answer 479

A

B. 64.4 - 80.6 degrees F

Explanation:
According to ASHRAE (American Society of Heating, Refrigeration, and Air Conditioning Engineers), the recommended temperature for a data center is a minimum of 64.4 degrees F, and a maximum of 80.6 degrees F. This is 18 - 27 degrees C.

Answer 480

A

C. Development

Explanation:
The development phase entails the coding of software components as well as the integration and construction of the overall solution.

Answer 481

A

B. Information storage and management

Explanation:
Information storage and management is the classic form of storing data within databases that the application uses and maintains. This storage method is used in software as a service (SaaS) offerings.

The other type of SaaS storage is content and file storage in which the SaaS application allows for data to be uploaded that is not part of the underlying database. Volume and object storage are used in IaaS environments rather than SaaS.

Answer 482

A

A. Any systems that will interact with federal agencies

Explanation:
Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government.

Answer 483

A

A. SOC

Explanation:
A SOC (security operations center) is a group of individuals who focus solely on the monitoring, reporting, and handling of any security issues for an organization. SOC engineers will typically be responsible for monitoring the logs within a SIEM if there is one in place. SOCs are usually staffed 24/7 to ensure that someone is available in the event of a security incident.

Answer 484

A

B. CDN

Explanation:
A content delivery network (CDN) provides globally-distributed object storage, allowing an organization to keep data as close to users as possible. As a result, end users benefit from reduced bandwidth consumption and decreased latency because they can pull from a server closer to their geographic location.

Software defined storage (SDS), Software defined networking (SDN) and storage area network (SAN) are incorrect options.

Answer 485

A

C. Hash values

Explanation:
It’s very important to ensure that security patches that are downloaded are actually from the vendor and have not been modified by an attacker. In many cases, vendors will provide a hash value that can be used to check and validate the download of the patch file. When these hash values are available, they should be used to validate and ensure that the patch file matches what the vendor has provided.

Answer 486

A

A. Capacity management

Explanation:
Capacity management is a critical component of any IT system’s overall operation. If a system is under-provisioned, services and performance will suffer, perhaps resulting in business or reputation damage. Capacity management focuses on the system resources required to offer acceptable performance in order to meet SLA criteria while remaining cost-effective.

All other options do not support capacity management.

Answer 487

A

D. Management plane

Explanation:
In virtual environments, the management plane has access to all of the hypervisors and hosted systems. While this creates ease of use for administrators, it can also lead to security risks. If an attacker were able to compromise the management plane, they would be able to compromise all of the hypervisors and hosted systems in the environment.

Answer 488

A

A. GLBA

Explanation:
The Gramm-Leach-Bliley Act (GLBA) would be most applicable. GLBA is a U.S. federal law that requires financial institutions to disclose how they share and protect their customers’ private information. GLBA is widely regarded as the most comprehensive federal data privacy and security legislation.

Health care businesses are subject to the Health Insurance Portability and Accountability Act (HIPAA). Sarbanes-Oxley (SOX) protects individuals in publicly-traded firms against accounting errors and fraudulent practices. The Stored Communications Act (SCA) guards against illegal access to and interception of electronic communications and computer services.

Answer 489

A

A. Monitoring

Explanation:
Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and monitoring. The monitoring stage is the core purpose of a DLP strategy as it involves watching the data move through its various states.

Answer 490

A

E. Measure of RTO disaster recovery activities should systems need restoration after a successful exploitation

Explanation:
The measure of RTO disaster recovery activities should systems need restoration after a successful exploit is not checked when using the DREAD threat model.

The DREAD threat model focuses on the quantification of risk and threat evaluation. DREAD is based on the equation below, which calculates the value based on risk quantification in specific categories, with a value ranging from 0 to 10:

Risk DREAD = (Damage + Reproducibility + Exploitability + Affected users + Discoverability) / 5

Answer 491

A

D. Separation of system and user functionality

Explanation:
Separating system and user functions is critical for system and communication security. Separation of duties is a key security concept that protects users from modifying or incorrectly configuring systems and communication processes.

Answer 492

A

A. XML

Explanation:
Software components process and send data in a variety of ways between themselves and storage media. Extensible Markup Language (XML) is a standard information exchange format that employs tags to define data and is transmitted using the HTTP/S or SMTP protocols.

All other options are incorrect.

Answer 493

A

B. Software-defined networking

Explanation:
In software defined networking, decisions regarding where traffic is filtered and sent are separate from the actual forwarding of the traffic. This separation allows network administrators to quickly and dynamically adjust network flows based on the needs of customers. Software defined networking is often shortened as SDN.

Answer 494

A

A. ISO/IEC 11889

Explanation:
ISO/IEC 11889 specifies how various cryptographic techniques and architectural elements are to be implemented. It consists of four parts including an overview of architectures of the TPN, design principles, commands, and supporting code.

All other options are ISO/IEC standards that apply to other types of technologies.

Answer 495

A

D. Data owner

Explanation:
A data owner is the party that maintains full responsibility and ownership of data. Data owners determine the appropriate controls that are necessary to protect that data. The data owner also determines appropriate use of the data.

Answer 496

A

C. 60 percent relative humidity

Explanation:
The recommended maximum moisture level in a data center is 60 percent relative humidity. The recommended minimum is 40 percent relative humidity. When there is too much moisture in the air, it can cause condensation to form, which may damage the systems. In addition, having the humidity levels too low may cause an excess of electrostatic discharge.

Answer 497

A

D. CSA

Explanation:
The cloud security alliance (CSA) is an organization that offers guidance to organizations deploying a cloud environment.

OWASP, IANA and IEEE are other guidance organizations.

Answer 498

A

D. Cross-site scripting

Explanation:
Cross-site scripting (XSS) is a type of injection attack. XSS attacks occur when an attacker is able to send data to a user’s browser without having to go through any validation process. Essentially, the victim visits a website or web application which delivers and executes the malicious code to the user’s browser. Web forums and message boards are common locations to find XSS attacks.

Answer 499

A

C. Development

Explanation:
As each portion of code is created and completed, functional testing is done on it by the development team. This testing is done to ensure that it compiles correctly and operates as intended.

Answer 500

A

D. Formal patch management

Explanation:
When using a vendor or proprietary API, it is unlikely that you will have access to review or make changes to the source code. It’s also unlikely that a vendor or proprietary API will be free to use. These are all generally features of using an open source API.

One benefit of using a proprietary or vendor API is that it will likely include formal patch management.

Answer 501

A

C. Direct identifier

Explanation:
PII (personally identifiable information) is broken up into direct and indirect identifiers. A social security number is enough to identify a person without requiring more information, making it a direct identifier.

An example of an indirect identifier would be a zip code. Nondescript and descript identifiers are not real types of PII.

Answer 502

A

A. Metered usage that changes based upon resource utilization

Explanation:
In an IaaS environment, the customer can expect to only pay for the resources that they are using. This is far more cost effective and allows for greater scalability. However, this type of billing does mean that the price is not locked-in and it could change as the need for resources either increases or decreases from month to month.

Answer 503

A

A. eDiscovery in a traditional data center is typically easier and less complex than eDiscovery in a cloud environment.

Explanation:
Within a traditional data center environment, any systems needed for an investigation can easily be physically isolated and preserved. In a cloud environment, most cloud customers do not own their own hardware, but instead share physical hardware in a multi-tenant cloud. Due to this, eDiscovery is typically easier and less complex in a traditional data center than in a cloud environment.

Answer 504

A

C. GDPR has no impact on organizations operating outside of the EU.

Explanation:
The General Data Protection Regulation (GDPR) is a regulation which focuses on protecting the data of EU citizens regardless of where the data was created, collected, processed, or stored. This means that if a citizen of the EU utilizes a website that is run by an organization outside of the EU, that organization is still required by law to adhere to GDPR.

Answer 505

A

A. PaaS

Explanation:
Platform as a Service (PaaS) provides organizations with a place to develop and maintain software and applications without needing to maintain the infrastructure or the server operating systems. This allows the developers and programmers to focus strictly on the tasks that they excel at, such as creating new applications.

Answer 506

A

C. IaaS

Explanation:
In the Infrastructure as a Service cloud service model, the cloud customer shares responsibility with the cloud provider for infrastructure security.

In both PaaS and Saas models, the cloud provider is solely responsible for security at the infrastructure level.

Answer 507

A

A. Multitenancy

Explanation:
Multitenancy describes the scenario in which cloud providers have multiple customers sharing the same pool of resources or residing within the same environment. These cloud customers are kept isolated from each other for security purposes.

Answer 508

A

B. Regulator

Explanation:
As a CCSP, you are responsible for ensuring that your organization’s cloud environments adhere to all applicable regulatory requirements. By staying current on regulatory communications surrounding cloud computing and maintaining contact with approved advisors and, most crucially, regulators, you should be able to assure compliance with legal jurisdictions.

All other options are roles within the organization.

Answer 509

A

B. Type 2 hypervisor

Explanation:
Type 2 hypervisors are dependent and run off of the host operating system rather than being tied directly into the hypervisor hardware in the way Type 1 hypervisors are.

Bare metal hypervisors are another name used for type 1 hypervisors. Full service hypervisors are not an actual type of hypervisor.

Answer 510

A

D. Discretionary Access Control

Explanation:
The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database.

All other options are access control models.

Answer 511

A

B. CMDB

Explanation:
The organization’s configuration management database (CMDB) should capture all configuration items (CI’s) that have been placed under configuration management. This database can be used for manual audits as well as automated scanning to identify systems that have drifted out of their secure state.

Answer 512

A

C. Cloud platforms offer increased scalability and performance.

Explanation:
Cloud environments are attractive to organizations because they offer increased scalability and performance.

While it’s possible that moving to the cloud can be less expensive than traditional data centers, that is not always the case. Sometimes cloud platforms can come with hidden costs that weren’t initially expected. Cloud platforms come with their own set of security risks and, while some are the same as the risks you’d see in a traditional data center, some are different as well.

Answer 513

A

C. Monitoring

Explanation:
Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and monitoring. The monitoring stage is the core purpose of a DLP strategy as it involves watching the data move through its various states.

Answer 514

A

B. Define scope, gather requirements, analyze, assess risk, design, implement, test, report and revise

Explanation:
When developing a business continuity and disaster recovery (BCDR) plan, the following order should be followed:

    Define scope
    Gather requirements
    Analyze
    Assess risk
    Design
    Implement the plan
    Test the plan
    Report and revise

Answer 515

A

B. Data dispersion

Explanation:
When a customer’s data is distributed (or dispersed) throughout numerous geographic locations, this is known as data dispersion. Data dispersion can be used for disaster recovery purposes as it mitigates the risk of permanently losing data due to a disaster that occurs in one location.

Answer 516

A

C. Shared technology issues

Explanation:
Shared technology issues occur in the cloud whenever there is a multitenancy and resource pooling environment that the cloud provider has not properly secured. Multitenancy and resource pooling are both very common practices in cloud computing; but, when they are being used, it is up to the cloud provider to add additional layers of security to ensure that each cloud customer has access to only their own data and not others’ who may be sharing the same environment.

Answer 517

A

A. IaaS

Explanation:
Each cloud service model uses different types of storage as shown below.

Infrastructure as a Service (IaaS): Volume, Object
Platform as a Service (PaaS): Structured, Unstructured
Software as a Service (SaaS): Content and file storage, information storage and management

DaaS is not a real type of cloud service model.

Answer 518

A

C. Multitenancy

Explanation:
Multitenancy describes the scenario in which cloud providers have multiple customers sharing the same pool of resources or residing within the same environment. These cloud customers are kept isolated from each other for security purposes.

Answer 519

A

A. Limits

Explanation:
Limits and reservations are both terms referring to how resources are allocated in a cloud environment. Reservations refer to the minimum amount of resources that a cloud customer is guaranteed to receive. The opposite of reservations are limits. Limits refer to the maximum of resources that a cloud customer may utilize.

Shares refer to the prioritization of systems in the even of high utilization periods. Multitenancy refers to multiple cloud customers sharing the same cloud environment. Authentication is the granting of access to resources.

Answer 520

A

C. BYOD

Explanation:
BYOD stands for Bring Your Own Device and it is the act of allowing employees to bring their own equipment such as laptops, smartphones, and tablets on to the company network. This has become specifically popular with the onset of cloud computing.

Answer 521

A

B. Enforcement|

Explanation:
DLP is made up of three main stages including discovery and classification, monitoring, and enforcement. Enforcement is the final stage of DLP implementation. During the final stage, DLP policies are enforced and violations which were observed during the monitoring stage are addressed.

Answer 522

A

C. Data in transit

Explanation:
In order to protect data in transit (DIT), data loss prevention (DLP) methods are put in place on the network perimeter. They will capture traffic as it leaves the network through various protocols such HTTP and SMTP. These DLP solutions check to ensure that data leaving the network meets the security requirements.

Answer 523

A

E. None of the options are correct

Explanation:
Since the user removed all networking access from the VM, the user will be unable to use console access, RDP, or a jump box. Unfortunately, Microsoft cannot reconfigure that VM, because allowing that level of access to consumer resources is incredibly risky.

Answer 524

A

D. PHI

Explanation:
PHI stand for protected health information. All data that pertains to an individual and their health care is classified as PHI. This includes mental health information, physical health information, medical history, test and lab results, as well as a number of other items.

Answer 525

A

D. Hashing

Explanation:
Hashing feeds data into a one-way cryptographic algorithm that generates a unique value called a hash or message digest. Generating another hash of the same file in the future will produce the exact same value only if the data has not been modified; this protects data integrity. If the data has been altered, the new hash will differ from the original.

All other options are data security technologies and strategies.

Answer 526

A

A. SDN

Explanation:
Software-Defined Networking (SDN) enables the creation of virtual networks that do not require any hardware much like a virtual machine. SDNs are theoretically a software layer that sits between user interfaces and the underlying networking devices. When configuring cloud-based network resources, users are not required to have device-specific technical knowledge.

Software defined storage (SDS) and content delivery network (CDN) are other networking technologies in the cloud. SSH is an invalid choice.

Answer 527

A

B. RSL

Explanation:
The recovery service level (RSL) identifies the operations that you anticipate from your cloud service provider (CSP) during the restoration of a cloud resource. RSL agreements outline the parameters of the CSPs recovery process.

Answer 528

A

A. Advanced persistent threat

Explanation:
As the name suggests, an advanced persistent threat is done by an advanced attacker who has managed to gain unauthorized access and is carrying out the attack (usually the act of data theft) over a long (persistent) period of time. Unlike some attacks which cause chaos and make themselves very well known, advanced persistent threats try to stay undetected for as long as possible.

Answer 529

A

B. Requirement gathering and feasibility

Explanation:
Security engineers should be a part of every single phase of the SDLC, including the first stage: requirement gathering and feasibility. It is much more efficient to add security into an application as it’s being developed, than to attempt to add in security features later on (after it’s in production). During the requirement gather and feasibility stage of the SDLC, security engineers look at the risks associated with the project.

Answer 530

A

C. To connect a keyboard, mouse, and monitor to a physical server

Explanation:
A KVM is used to connect a keyboard, mouse and monitor to physical servers in a data center to provide access. KVM stands for keyboard, video, mouse. It’s important in a data center, that security measures are put in place to prevent unauthorized access using the KVM.

Answer 531

A

C. VM escape

Explanation:
In a VM escape attack, a guest on a virtual machine uses an exploit to break outside the limits of the virtual machine and interact directly with the hypervisor. VM escape attacks allow the attacker to access the host operating system and all virtual machines running on that host.

Answer 532

A

A. FISMA

Explanation:
Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government.

Answer 533

A

D. The practice of utilizing a random or opaque value in data to replace what would otherwise be sensitive data

Explanation:
Tokenization is the practice of utilizing a random or opaque value in data to replace what would otherwise be sensitive data.

Data loss prevention (DLP) is a set of controls and practices put in place to ensure that data is only accessible to individuals who are authorized to access it. Hashing is a method which involves transforming a string of characters into a fixed-length value or key that represents the original string. Key management is the practice of safeguarding encryption keys.

Answer 534

A

D. On-demand self service

Explanation:
In cloud computing, on-demand self service is the ability for cloud customers to add, configure, and provision a new cloud service without ever needing to interact with the cloud provider. This is usually done through a web portal and is an integral component of the pay-as-you-go cloud billing model.

Answer 535

A

C. Under some regulations, risk cannot be transferred

Explanation:
Under some regulations, risk cannot be transferred because the data owner bears the responsibility for any exploits resulting in loss of privacy or confidential data. This is especially true in regard to personal data.

Answer 536

A

C. Confidentiality

Explanation:
The main goal of confidentiality is to ensure that individuals who should not have access to sensitive data and systems are not given access to them. However, it’s important that preventing access to unauthorized parties does not impact access to those who are authorized.

Answer 537

A

A. Development/coding

Explanation:
During the development/coding phase of the SLDC, the plans and requirements are turned into executable programming language. This is the heart of the software development process. Some functional testing is also completed during this stage. Development/coding is the bulk of the SDLC and will typically take the longest.

Answer 538

A

C. 526-FZ

Explanation:
Russian law 526-FZ was enacted in September of 2015. The law states that any collecting, processing, or storing of personal or private data that pertains to Russian citizens must be done from systems and databases which are physically located within the Russian Federation.

Answer 539

A

C. Data warehouse

Explanation:
A data warehouse is structured storage in which data has been normalized to fit a defined data model.

All other selections are data storage mechnisims.

Answer 540

A

D. The destruction of data

Explanation:
The final step in the cloud secure data life cycle is destroy. This represents the destruction and sanitation of data so that it is permanently removed and no longer accessible.

Answer 541

A

A. Partner

Explanation:
Partners frequently have the same amount of access to an organization’s systems as employees do, but they are not directly under the organization’s authority. Partner onboarding, management, maintenance, and offboarding processes should establish clear expectations of the cloud service customer’s security needs.

All other options are roles within an organization using cloud services.

Answer 542

A

D. Transparent encryption

Explanation:
Transparent encryption is a method of encryption that works by being integrated right into the database processes. In this way, the encryption is unnoticeable by the user.

Blind encryption, computational encryption, and speed encryption are not legitimate encryption types.

Answer 543

A

C. The nation where the data is collected

Explanation:
Data sovereignty refers to the concept that data is subject to a nation’s laws and regulations. The laws governing the data sovereignty of the country where the data is collected should be followed. If you are required to comply with a data sovereignty obligation regarding the placement of your data, global CSPs will offer locations that may satisfy these criteria.

All other options are incorrect.

Answer 544

A

C. Federated identity management

Explanation:
Federated identity management should be implemented whenever users outside of the organization will need to authenticate and access data. Federated identity management works by establishing trust between systems within the federation.

Single sign on is used to allow users within an organization to use a single set of authentication credentials to log into multiple company resources, but it doesn’t provide any way for users outside of the organization to authenticate. REST and SOAP are types of APIs and not authentication mechanisms.

Answer 545

A

C. Hybrid cloud

Explanation:
The four main cloud deployment models include public, private, community, and hybrid.

Metropolitan, expanded, and mixed cloud do not exist.

Answer 546

A

B. Reliability

Explanation:
The Generally Accepted Privacy Principles (GAPP) are focused on principles of privacy risks. Reliability is not one of the ten privacy principles outlined in GAPP.

The ten privacy principles are:

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third-parties
    Security for privacy
    Quality
    Monitoring and enforcement

Answer 547

A

C. Cloud data portability

Explanation:
The ability to move data between multiple cloud providers is known as cloud data portability, while cloud application portability refers, instead, to the ability to move an application between cloud providers.

Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within one environment.

Answer 548

A

C. Data at rest

Explanation:
Data that is stored on a device but not being used by an application is known as data at rest.

Data that is being used by an application is known as data in transit. Unstructured and structured data are not applicable answers to this question.

Answer 549

A

C. Internal auditor

Explanation:
Internal auditors serve as an organization’s trusted counsel. Internal auditors collaborate with information technology (IT) to provide a proactive strategy that balances advisory and assurance services. Internal auditors are an independent entity that is not affiliated with either the cloud customer or the cloud provider. In most cases, an internal auditor will conduct audits in the conventional sense, ensuring that cloud systems comply with contractual and regulatory obligations.

All other options are types of auditors.

Answer 550

A

C. IoT

Explanation:
The Internet of Things (IoT) refers to the use of non-traditional computing devices (such as lamps, thermostats, and other home appliances) by accessing the Internet.

Answer 551

A

D. Audit scope restrictions

Explanation:
Audit scope restrictions refer to the process of defining parameters for an audit. The rationale for audit scope restrictions is that audits are costly and often require the involvement of highly skilled content experts. Additionally, system auditing can impair system performance, and in some situations necessitate the shutdown of production systems. Carefully crafted scope constraints can help ensure that production systems are not harmed.

Answer 552

A

B. Partner

Explanation:
Partners frequently have the same amount of access to an organization’s systems as employees do, but they are not directly under the organization’s authority. Partner onboarding, management, maintenance, and offboarding processes should establish clear expectations of the cloud service customer’s security needs.

All other options are roles within an organization using cloud services.

Answer 553

A

B. Define scope

Explanation:
The first step of developing a business continuity and disaster recovery (BCDR) plan is to define the scope. While it will be important to define testing procedures, assess risks, and gather requirements later on, nothing can be done before the scope has been defined. This ensures that all security concerns are a part of the plan from the start and not added retroactively later on.

Answer 554

A

A. Cloud customer

Explanation:
In all cloud service types (IaaS, PaaS, SaaS), the roles and responsibility of governance fall solely to the cloud customer and not the cloud provider.

Answer 555

A

A. IaaS

Explanation:
Two special security considerations that are applicable to IaaS cloud environments are virtual switch attacks and virtual machine attacks.

Answer 556

A

D. Change management

Explanation:
Change management is a critical component of configuration management and, more broadly, business. The process of committing to a change that will influence production workload is known as change management. In the case of any change that will have an impact on production, change management is the last stage and approval process.

All other options are management strategies.

Answer 557

A

D. BCP

Explanation:
A business continuity plan (BCP) is designed to keep an organization operating in the event of a disaster. The BCP may prioritize important business procedures necessary to maintain operations during disaster recovery. The business continuity plan identifies the events and incidents that will trigger the plan’s execution, as well as the severity levels associated with such events and incidents.

Incident response plan (IRP), disaster recovery plan (DRP) and acceptable use policy (AUP) are other types of organizational documents.

Answer 558

A

C. Data rights management

Explanation:
Data rights management (DRM) is an extension of normal data protection which is encapsulated within the concept of information rights management (IRM). In DRM, advanced security controls such as extra ACLs and permission requirements are placed onto the data.

Answer 559

A

B. Format

Explanation:
It is crucial that format is taken into consideration when developing a cloud data archiving strategy. If format is not thought about during the strategy, then the archived data may become very difficult to retrieve if needed in the long run. Other important considerations include technologies used to create and maintain the archives, regulatory requirements, and testing procedures.

Answer 560

A

A. Host hardening

Explanation:
In computing, hardening is the process of securing a system by reducing its vulnerability surface. Host hardening is the processing of hardening a host system by removing all nonessential services and software from that host. Removing the services and software that are not needed reduces the opportunities for attackers to gain access using one of those unnecessary services or programs.

Answer 561

A

C. Respond

Explanation:
Isolation and containment are the initial response steps in an incident response. The purpose of containment is to protect an organization from further damage caused by a known incident. Disconnecting affected systems, disabling hardware, and disconnecting storage are only a few of the responsibilities.

All other options are phases of incident response.

Answer 562

A

D. Creating a physical copy of the encryption keys and storing them in a physical safe

Explanation:
There are three main methods of key storage in a cloud environment. The first and simplest is to have the keys stored and accessed from the same virtual machine that is hosting the encryption service or engine. Alternatively, the keys can be stored on a separate device from the virtual machine that is hosting the encryption service or engine. The final option is to have an external and independent service or system to host the key storage.

Creating a physical copy of the encryption keys and storing them in a physical safe is not one of the methods used for key storage.

Answer 563

A

D. Portability issues

Explanation:
Many people believe that moving from a traditional data center to a cloud environment is a simple, easy, and seamless transition, but this is a common misconception. There is a lot of work and reworking that must go into moving systems the cloud. Not all applications will be easy to pick up and move into a cloud environment, and they may require some code changes to be made.

Answer 564

A

D. Cloud-based applications and systems

Explanation:
The Treacherous Twelve is similar to the OWASP Top 10. However, unlike the OWASP Top 10, which lays out vulnerabilities and risks associated with all web applications (regardless of whether they are hosted in the cloud or in a traditional data center), the Treacherous Twelve lays out risks and vulnerabilities that are specific to cloud-based applications and systems.

Answer 565

A

D. Data in encryption

Explanation:
The three data states include data in use, data in motion (also called data in transit), and data at rest. Data in encryption is not one of these three data states.

Data in use refers to when the data is being actively used by a system. Data in motion, or data in transit, refers to when the data is in active transmission across the network. Data at rest refers to data being stored in an idle state.

Answer 566

A

C. Federated identity management

Explanation:
Federated identity management should be implemented whenever users outside of the organization will need to authenticate and access data. Federated identity management works by establishing trust between systems within the federation.

Single sign on is used to allow users within an organization to use a single set of authentication credentials to log into multiple company resources, but it doesn’t provide any way for users outside of the organization to authenticate. REST and SOAP are types of APIs and not authentication mechanisms.

Answer 567

A

B. Non-disclosed PII

Explanation:
The two main types of PII (personally identifiable information) include contractual PII and regulated PII. Another type of PII is PHI or protected health information, which is a special type of PII pertaining to healthcare data.

Non-disclosed PII is not a recognized type of PII.

Answer 568

A

A. Delegation of all security to CSP

Explanation:
While an organization may delegate operational responsibilities to a cloud service provider (CSP) and the CSP may, in some situations, share responsibility with the organization, an organization cannot delegate all compliance responsibilities to a CSP.

All other options address regulatory compliance challenges in the cloud.

Answer 569

A

B. Data warehouse

Explanation:
A data warehouse is structured storage in which data has been normalized to fit a defined data model.

All other selections are data storage mechnisims.

Answer 570

A

A. Measured service

Explanation:
Measured service use enables CSPs to bill for resources consumed. With a measured service, everyone pays their share of the cost. Rather than maintaining the maximum service level at all times, an organization might pay for the metered service at peak periods. As a result, costly utilization and resource waste are avoided.

Answer 571

A

D. Fault tolerance involves the use of specialized hardware that can detect faults and automatically switch to redundant systems.

Explanation:
High availability makes use of shared and pooled resources to maintain a high level of availability and minimize downtime. Fault tolerance is different, in that it utilizes a specialized hardware which can detect faults and automatically switch to redundant systems based on the type of failure.

Answer 572

A

A. SAML

Explanation:
SAML is an XML-based standard used to exchange information in the authorization and authentication process. SAML 2.0, which was adopted in 2005, is the latest standard put out by the nonprofit OASIS consortium and its Security Services Technical Committee.

Answer 573

A

D. Cloud provider

Explanation:
In an Infrastructure as a Service (IaaS ) environment, the cloud provider is responsible for allocating and maintaining storage which comes in the form of volume and object storage.

Answer 574

A

B. The difference between the original value of an asset and the remaining value of an asset after a single successful exploitation

Explanation:
SLE refers to single loss expectancy. The SLE is the difference between the original value of an asset and the remaining value of an asset after a single successful exploitation. The SLE is used alongside the ALE and ARO to perform a quantitative assessment.

Answer 575

A

C. Interoperability

Explanation:
Cloud interoperability refers to a customer’s capacity to interact with cloud services in any way they desire. Interoperability enables communication and data sharing across many platforms provided by various providers. Interoperability enables customers to prioritize services needed rather than the vendor providing the service, which lessens the concern of vendor lock-in.

All other options are other shared cloud considerations.

Answer 576

A

A. Urgent

Explanation:
The correct names for risk ratings are (in order) minimal, low, moderate, high, and critical.

Urgent is not a commonly accepted risk rating.

Answer 577

A

A. A highly vetted and limited set of administrators

Explanation:
If compromised, the management plane would provide full control of the cloud environment to an attacker. Due to this, only a highly vetted and limited set of administrators should have access to the management plane. However, you will want more than a single administrator, in case the single administrator leaves or is no longer able to perform management duties.

Answer 578

A

C. Shared responsibility

Explanation:
The shared responsibility model places the obligation for cloud security, which includes both services and infrastructure such as computing and storage, on the CSP. Cloud consumers are responsible for ensuring that the security of the cloud is maintained, such as managing operating systems, enforcing access control policies, and protecting client data.

All other options are unrelated technologies used in the cloud.

Answer 579

A

C. 9.4 zettabytes

Explanation:
The correct answer is 9.4 zettabytes.

Answer 580

A

A. Failover

Explanation:
The recovery point objective (RPO) is defined as the period of time during which an organization is willing to accept the risk of missing transactions. With seamless failover in a cloud environment, the RPO for all but the most catastrophic incidents can practically be zero seconds of lost transactions. This is facilitated by maintaining a copy of data in another region or availability zone.

Answer 581

A

D. Artificial intelligence

Explanation:
Artificial intelligence is the ability of devices to perform human-like analysis. Artificial intelligence operates by consuming a large amount of data and recognizing patterns and trends in the data.

Answer 582

A

B. First line of defense

Explanation:
Your Information Security department is your organization’s first line of defense.

Your Risk Management team is your second line of defense. Internal Audit is your third line of defense.

Answer 583

A

A. APEC

Explanation:
Both the United States and the European Union (EU) have established data privacy regulations such as HIPAA and GDPR. In addition, the Asian-Pacific Economic Cooperation (APEC) is another influential body that has established regulations regarding data privacy. APEC developed the APEC Privacy Framework.

Answer 584

A

C. Multitenancy

Explanation:
Multitenancy is a cloud function in which multiple cloud customers (tenants) are hosted by the same cloud provider using the same cloud environment. Because the cloud customers are sharing resources and may be running off the same hardware, a breach to one system may lead to a data breach of all the other tenants in the cloud environment.

Answer 585

A

B. Evidence management

Explanation:
Evidence management is concerned with maintaining the chain of custody in a forensics investigation.

Capacity management is focused on maintaining the required resources needed to meet SLAs. Incident management is focused on limiting the impact of incidents on an organization. Continuity management is concerned with developing a business continuity and disaster recovery plan.

Answer 586

A

D. ISMS

Explanation:
An Information security management system (ISMS) is intended to protect the confidentiality, availability, and integrity of an organization’s data. The most effective ISMSs are those that are aligned with the organization’s standards and include specific information on compliance requirements.

Answer 587

A

B. Kerberos, CHAP, IPSec

Explanation:
Secure authentication protocols such as CHAP and Kerberos can be utilized, while encrypted communications can use IPsec protocol.

SAML is an authentication markup language, although it is not especially effective for securing storage controllers.

Answer 588

A

C. The destruction of data

Explanation:
The final step in the cloud secure data life cycle is destroy. This represents the destruction and sanitation of data so that it is permanently removed and no longer accessible.

Answer 589

A

D. Security budget

Explanation:
The FIPS (Federal Information Processing Standard) 140-2 standard is divided into 11 sections that define security requirements, which include:

    Cryptographic Module Specification
    Cryptographic Module Ports and Interfaces
    Roles, Services, Authentication
    Finite State Model
    Physical Security
    Operational Environment
    Cryptographic Key Management
    EMI/EMC
    Self-tests
    Design Assurance
    Mitigation of Other Attacks

Answer 590

A

C. When records are listed and linked together using cryptography

Explanation:
Blockchain is a list of records that are linked together in a chain using a cryptography method.

Answer 591

A

A. SOX

Explanation:
Some post-incident communication policies are mandated by legislation or regulation. Sarbanes-Oxley (SOX) is the most frequently mentioned standard when discussing obligatory reporting and communications. SOX requires the disclosure or reporting of events applying exclusively to financial records.

HIPAA, GDPR and PCI DSS are not applicable.

Answer 592

A

A. HIPAA

Explanation:
HIPAA (Health Insurance Portability and Accountability Act) is concerned with the security controls and confidentiality of protected health information (PHI). It’s vital that anyone working in any healthcare facility be aware of HIPAA regulations.

The Gramm-Leach-Bliley Act, officially named the Financial Modernization Act of 1999, focuses on PII as it pertains to financial institutions, such as banks. GDPR is an EU specific regulation that encompasses all organizations in all different industries. FRCP is a set of federal rules for handling civil legal proceedings in federal courts.

Answer 593

A

D. Performance monitoring

Explanation:
Performance monitoring is a continual process in which the CSP ensures that systems operate reliably and that customer service level agreements are met.

All other options are types of monitoring.

Answer 594

A

D. Data de-identification

Explanation:
Data de-identification is the process of removing, hiding, covering, or replacing sensitive data. Masking, obfuscations, and anonymization are all techniques used in data de-identification.

Answer 595

A

A. Retention formats

Explanation:
The retention format section of the data retention policy specifies the media on which the various data classifications should be stored, as well as any associated handling processes.

Answer 596

A

D. Vendor Risk Management

Explanation:
The CSPs reliance on other third-party vendors to provide services used by their customers is a form of vendor risk management.

Answer 597

A

B. Encryptability

Explanation:
The three main concepts of data security are confidentiality, integrity, and availability. This is often known as the CIA triad. Although privacy is part of confidentiality, it is sometimes thought of, along with nonrepudiation, as the other core aspect of data security.

Encryptability is not one of the core aspects of security.

Answer 598

A

B. Resource pooling

Explanation:
Cloud providers may choose to do resource pooling, which is the process of aggregating all of the cloud resources together and allocating them to their cloud customers.

Answer 599

A

C. Flash drive

Explanation:
KVM (keyboard, video, mouse) are used to connect input devices into multiple servers. This allows for easy access and management. However, usb storage devices, such as a flash drive, should not be permitted to connect to the KVM for security reasons.

Answer 600

A

D. Data discovery

Explanation:
Data discovery is a unique type of data analysis process because it relies heavily on the data user to interpret the data in a meaningful way. Data discovery is a user-driven business intelligence process where data is visually represented and analyzed to look for specific attributes and patterns within the data.

Answer 601

A

D. Moving to a new office

Explanation:
There are many incidents which can result in the initiation of a business continuity and disaster recovery (BCDR) plan. These include a natural disaster, terrorist attacks or acts of war, equipment failure, utility disruptions or failures and, finally, data center or service provider failures, and neglect.

Moving to a new office location is unlikely to result in the initiation of a BCDR plan.

Answer 602

A

D. Maintenance

Explanation:
The software development lifecycle (SDLC) is made up of six steps which include requirement gathering and feasibility, analysis, design, development/coding, testing, and maintenance. The final step of the SDLC is maintenance, although this step is never quite finished. Maintenance is ongoing process that must occur throughout the entire lifetime of the software or application.

Answer 603

A

B. The nation where the data is collected

Explanation:
Data sovereignty refers to the concept that data is subject to a nation’s laws and regulations. The laws governing the data sovereignty of the country where the data is collected should be followed. If you are required to comply with a data sovereignty obligation regarding the placement of your data, global CSPs will offer locations that may satisfy these criteria.

All other options are incorrect.

Answer 604

A

B. Overwriting

Explanation:
In a cloud environment, where the customer does not have access or control of the physical hardware, sanitation methods such as incineration, destruction, and degaussing are not an option. Overwriting is an option that can be used in cloud environments. Overwriting is sometimes called zeroing because the process often includes overwriting erased data with arbitrary data and zero values.

Answer 605

A

D.Quickly ensure the integrity of data which is spread throughout multiple storage locations

Explanation:
Hashing creates a fingerprint or checksum value of a fixed size (known as the hash value) of the original data object. If the same hashing algorithm is used and the data remains unchanged, the hash value will always be the same. This makes it possible to quickly ensure the integrity of data that may be stored in various storage locations.

Answer 606

A

A. Hybrid cloud

Explanation:
The four main cloud deployment models include public, private, community, and hybrid.

Metropolitan, expanded, and mixed cloud do not exist.

Answer 607

A

B. Physical segregation is not possible

Explanation:
Multitenancy is an aspect of cloud computing in which many different cloud customers are able to share the same cloud environment. This raises security concerns because, in a cloud environment, physical segregation is not possible. Multitenancy relies on the cloud provider to implement virtual network segregation and isolation to ensure that one cloud customer is only able to see their own data and not the data and resources of the other tenants in the environment.

Answer 608

A

D. ISO/IEC 27018

Explanation:
ISO/IEC 27018 is a standard for providing security and privacy within cloud computing. The ISO/IEC 27018 focuses on five key principles which include communication (relaying information to cloud customers), consent (receiving permission before using customer data for any reason), control (cloud customers retain full control over their own data in the cloud), transparency (cloud providers inform customers of any potential exposure to support staff and contractors), and independent and yearly audits (cloud providers must undergo yearly audits performed by a third party).

Answer 609

A

C. Use

Explanation:
Due to the nature of data being actively used, viewed, and processed in the use phase, it is more likely to be leaked in this phase than in others, such as the store, archive, and destroy phases.

Answer 610

A

B. Resource pooling

Explanation:
Cloud providers may choose to do resource pooling, which is the process of aggregating all of the cloud resources together and allocating them to their cloud customers.

Answer 611

A

A. Perform a vulnerability scan

Explanation:
Vulnerability scans are typically performed by an organization against their own systems. Vulnerability scans are relatively simple to perform. They use known attacks and methodologies to verify that systems are hardened against them. Vulnerability scans use known tests and signatures and can quickly output a report displaying the weaknesses. The vulnerability scan is the best choice out of the options listed to provide the requested outcome.

Answer 612

A

D. CSA

Explanation:
Cloud Security Alliance (CSA) Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery provides guidance on contract negotiations with cloud service providers about eDiscovery search ability and data preservation.

ISO/IEC 27037: Provides guidelines for handling digital evidence. ISO/IEC 27041: Provides guidance for methods and processes used in investigations to make sure they are “fit for purpose”. ISO/IEC 27042: Provides guidance on analysis and interpretation of digital evidence.

Answer 613

A

B. Images may not be patched and up to date with production system baselines and configurations

Explanation:
It isn’t uncommon for organizations to leave their images offline at the BCDR site when not in use; however, this does cause some risks. If the images are left offline, they might not be up to date on patches or up to date with the latest configurations and systems baselines of the production environment. This could lead to serious issues in the event of a disaster when these images are needed. If the images are kept offline, engineers must take special care to ensure that there are processes in place to patch and update the images at the BCDR site.

Answer 614

A

A. SIEM

Explanation:
A SIEM (security information and event management) system collects and indexes logs from various sources on the network (servers, firewalls, etc.) and stores them in one centralized location. This allows for administrators to find correlations between log events and potential attacks. SIEM systems also provide a great way for engineers to troubleshoot issues within the network by being able to see all of the logs in one location.

Answer 615

A

A. Many proprietary requirements from the cloud provider

Explanation:
Vendor lock-in occurs when an organization is unable to move from one cloud provider to another without incurring major burdens or expenses. The most likely and common scenario for this is that the current cloud provider has many proprietary requirements. The proprietary requirements make it very expensive, difficult, and burdensome to move to a new provider.

Answer 616

A

B. The temperature is ideal, but the humidity level is too low

Explanation:
It’s very important to ensure that both temperature and humidity levels are ideal within a data center. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommend that data centers have a temperature between 64.4-80.6 degrees Fahrenheit and a humidity level of between 40-60 percent relative humidity. A humidity level of 35 percent is too low and could lead to an excess of electrostatic discharge.

Answer 617

A

A. Logical network separation

Explanation:
In a cloud environment, physical network segregation is not possible. However, it’s important for cloud providers to ensure separation and isolation between tenants in a multitenant cloud. In order to achieve this, logical network separation can be implemented to minimize the chance of accidental exposure.

Answer 618

A

D. Fourth party risk

Explanation:
The term “fourth party” refers to a third-party’s third-party, such as when your vendors outsource service provision to a separate, independent vendor. The risks faced by the organization now include those related to the SaaS solution itself, as well as any additional risks posed by the CSP they utilize.

Answer 619

A

B. Type 1 hypervisor

Explanation:
There are only two types of hypervisors: type 1 hypervisors and type 2 hypervisors. Type 1 hypervisors are also called bare metal, embedded, or native hypervisors. This is because type 1 hypervisors run directly on the physical hardware, while type 2 hypervisors are dependent upon the host operating systems.

Answer 620

A

C. SIEM

Explanation:
A SIEM (security information and event management) system collects and indexes logs from various sources on the network (servers, firewalls, etc.) and stores them in one centralized location. This allows for administrators to find correlations between log events and potential attacks. SIEM systems also provide a great way for engineers to troubleshoot issues within the network by being able to see all of the logs in one location.

Answer 621

A

B. Overwriting

Explanation:
In a cloud environment, where the customer does not have access or control of the physical hardware, sanitation methods such as incineration, destruction, and degaussing are not an option. Overwriting is an option that can be used in cloud environments. Overwriting is sometimes called zeroing because the process often includes overwriting erased data with arbitrary data and zero values.

Answer 622

A

A. Block storage

Explanation:
Block storage is a type of storage in which all information is stored in equal-sized blocks on disks. It is more efficient and effective than file storage in general and is utilized in databases and virtual machines. The above-mentioned characteristics are those of block storage.

All other options are types of storage.

Answer 623

A

D. Shares

Explanation:
The concept of shares works by prioritizing hosts within the environment using a scoring system. When resources are limited, hosts with a higher score value will have access to the limited resources that are available.

Answer 624

A

A. Logical network separation

Explanation:
In a cloud environment, physical network segregation is not possible. However, it’s important for cloud providers to ensure separation and isolation between tenants in a multitenant cloud. In order to achieve this, logical network separation can be implemented to minimize the chance of accidental exposure.

Answer 625

A

B. Fourth party risk

Explanation:
The term “fourth party” refers to a third-party’s third-party, such as when your vendors outsource service provision to a separate, independent vendor. The risks faced by the organization now include those related to the SaaS solution itself, as well as any additional risks posed by the CSP they utilize.

Answer 626

A

B. Due to being tied to the physical hardware of the machine, it would be harder for an attacker to inject malicious code to gain access than it would be on a type 2 hypervisor.

Explanation:
Type 1 hypervisors are known as bare-metal hypervisors because they run directly on the physical hardware of the machine and they are not software-based like type 2 hypervisors. Because they are tied to the hardware, it is more difficult for an attacker to inject malicious code to gain access than it would be on a type 2 hypervisor.

Answer 627

A

B. Key management

Explanation:
Key management is the process of safeguarding encryption keys and access to those keys. Key management is complex and of extreme importance. This is because encryption is only as strong as the protection of the encryption keys.

Answer 628

A

B. Security misconfiguration

Explanation:
A security misconfiguration occurs whenever systems or applications are configured in a way that makes them insecure. Systems regularly come preconfigured with default administrative credentials. These default credentials are generally easy to find online, so the failure to change them makes it possible for an attacker to gain access. This is an example of a security misconfiguration.

Answer 629

A

A. Identity management

Explanation:
Identity management is the process of identifying, provisioning, and deprovisioning accounts (or identities). Most organizations will use an identity system such as LDAP to assist with the process of identity management.

Answer 630

A

D. Envelope

Explanation:
The Simple Object Access Protocol (SOAP) is used to exchange information between web services. It does this by encapsulating its data in what is called a SOAP envelope and then using common communication protocols such as HTTP for transmission.

Answer 631

A

D. Quantum computing

Explanation:
Quantum computing is capable of solving problems that traditional computers are incapable of solving. When quantum computing becomes widely accessible to the general public, it will almost certainly be via the cloud, due to the substantial processing resources necessary to do quantum calculations.

Answer 632

A

B. Requirement gathering and feasibility

Explanation:
During the requirement gathering and feasibility stage of the SDLC, overall goals as well as desired outcomes should be documented. Timing and duration of the project should also be defined. During this phase, a cost-benefit analysis should be done to determine the feasibility of the project.

Answer 633

A

D. Integrity

Explanation:
DNSSEC addresses DNS integrity, but does nothing for availability.

Confidentiality is not generally a concern for DNS.

Answer 634

A

C. OWASP Top 10

Explanation:
The Open Web Application Security Project (OWASP) Top 10 list identifies the 10 most critical web application security risks as a given time. The project is regularly updated to ensure that their list is up to date. The current top 10 are as follows:

    Injection
    Broken authentication
    Sensitive data exposure
    XML external entities
    Broken access control
    Security misconfigurations
    Cross-site scripting
    Insecure deserialization
    Using components with known vulnerabilities
    Insufficient logging and monitoring

Answer 635

A

C. Common Criteria

Explanation:
The terms EAL, PP, and SARs are all applicable within the Common Criteria standard, which is set forth by ISO/IEC.

Answer 636

A

A. Something the user knows

Explanation:
In multi-factor authentication (MFA), users are required to use two or more types of authentication components. Authentication types include something the user knows (pin, passwords), something the user has (RSA token, key card), or something the user is (retina scan, fingerprint scan). Other less common authentication types include somewhere the user is (location-based) and something the user does (behavioral).

Answer 637

A

D. Infinity Paradigm

Explanation:
The IDCA (International Data Center Authority) is responsible for developing the Infinity Paradigm, which is a framework intended to be used for operations and data center design. The Infinity Paradigm covers aspects of data center design, which include location, cabling, security, connectivity, and much more.

Answer 638

A

D. Share

Explanation:
When data is used in an application where it is viewable to users, customers, and administrators, this is known as the share stage of the cloud secure data life cycle.

Answer 639

A

B. Release management

Explanation:
Cloud release management includes the planning, coordination, execution, and validation of updates and rollouts to the production environment. The primary focus is on accurately mapping out all of the procedures necessary for a release and then setting and loading them correctly.

All other selections are operational controls and standards within an organization.

Answer 640

A

C. Tenant

Explanation:
When one or more cloud customers share access to the same pool of resources, each customer is known as a tenant.

Answer 641

A

C. Data about data

Explanation:
Metadata is information regarding data such as the type of data, how the data is stored, and when the data was created.

Answer 642

A

B. Uptime Institute

Explanation:
The Uptime Institute publishes the most widely used standard for data center topologies. The standard is based on a series of four tiers. The standard also incorporates compliance tests.

ITIL (formerly the Information Technology Infrastructure Library), publishes best practices for implementing technology into business practices. The National Fire Protection Association (NFPA) publishes standards regarding fire protection. SOAP is not an institution, but a type of API.

Answer 643

A

A. Handshake Protocol and Record Protocol

Explanation:
Transport Layer Security (TLS) is a set of cryptographic protocols that provide encryption for data in transit. TLS specifies a handshake protocol when two parties establish an encrypted communications channel and TLS record protocol uses keys created during the handshake.

Answer 644

A

D. Abuse and nefarious use of cloud services

Explanation:
The Cloud Security Alliances (CSA) Egregious 11 includes the following:

Data breaches
Misconfigurations and inadequate change control
Lack of cloud security architecture and strategy
Insufficient identity, credentials, access and key management
Account hijacking
Insider threat
Insecure interfaces and APIs
Weak control plane
Metastructure and applistructure failures
Limited cloud usage visibility
Abuse and nefarious use of cloud services

Answer 645

A

A. Verify that the image has not been modified and is from the source that it claims to be

Explanation:
If a container image is not verified, then it could have been modified to allow an attacker to gain access to an organization’s data after it’s been deployed. Verification can be done via checksums or signing by the vendor, which is verified by the organization after downloading.

Answer 646

A

D. Cloud provider

Explanation:
The cloud provider is solely responsible for the security of the physical environment for all cloud types, which includes IaaS, SaaS, and PaaS.

Answer 647

A

A. Reliability

Explanation:
The Generally Accepted Privacy Principles (GAPP) are focused on principles of privacy risks. Reliability is not one of the ten privacy principles outlined in GAPP.

The ten privacy principles are:

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third-parties
    Security for privacy
    Quality
    Monitoring and enforcement

Answer 648

A

D. Archive phase

Explanation:
The archive phase is when data is removed from the system and moved to long term storage. In many cases, archived data is stored offsite for disaster recovery purposes.

Answer 649

A

C. VPN

Explanation:
A VPN (virtual private network) facilities the extension of a private network over a public network as the name suggests. When a user is connected a VPN, they are able to work as if they were sitting within the physical boundaries of the private network.

Answer 650

A

A. Encrypted transport methods such as TLS

Explanation:
Data in transport is protected by encrypted transport methods such as TLS.

To protect data in use, secure API calls and web services must be used. The main method for protecting data at rest is to use encryption methods such as AES.

Answer 651

A

A. Data in transit

Explanation:
HTTPS, IPSec, TLS/SSL and vpn technologies are used to secure data in transit.

In order to protect data at rest, it’s best to encrypt the full hard drive of the device where the data is being stored.

Answer 652

A

C. Cloud service broker

Explanation:
A cloud service broker is an individual or organization which serves as the go-between or intermediary between cloud customers and cloud service providers.

Answer 653

A

D. Zeroing

Explanation:
Zeroing is another term for overwriting. In this process, erased data is overwritten with arbitrary data and zero values as a means of data sanitation.

Answer 654

A

B. Containerization

Explanation:
Containerization is the process of putting all objects into a container. Developers can accomplish this by packaging a program they have written along with all necessary components for the program’s execution. Application containers isolate application files and dependencies from the container’s host system. Containerization is a lightweight alternative to installing and running applications directly within an operating system.

All other options are related technologies.

Answer 655

A

B. Advanced persistent threat

Explanation:
An advanced persistent threat (APT) is an attack which aims to gain access to the network and systems while staying undetected. APTs will try not to do anything that could be disruptive, as their goal is to maintain access for as long as possible without raising any red flags. During an APT’s stay on the network, the attackers will often create more back-doors for re-entry in case the original way in gets patched. APTs are generally looking for ways to steal data from the network and systems.

Answer 656

A

B. RPO

Explanation:
A Recovery point objective (RPO) is defined in terms of data loss, not time period; it defines the maximum quantity of data that may be tolerated during a disaster recovery incident. Increasing scheduled backups can decrease the value.

RTO, MTD and ALE are other disaster recovery and business continuity criteria.

Answer 657

A

C. DAST

Explanation:
Dynamic application security testing (DAST) is a “black-box” type of security test, meaning that the tester is not given any special information about the systems they are testing. DAST is performed on live systems.

Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code. SAST is performed in an offline manner. Vulnerability scanning is a test that is run on systems to ensure that the systems are properly hardened and there are not any known vulnerabilities on the system. Penetration testing is a type of test in which the tester attempts to break into systems using the same tools that an attacker would to discovery vulnerabilities.

Answer 658

A

D. Define scope

Explanation:
Audit planning is made up of four main steps, which occur in the following order:

Define objectives
Define scope
Conduct the audit
Lessons learned and analysis

Answer 659

A

D. RTO

Explanation:
The RTO, or recovery time objective, is the measurement of how long it would take to recover operations after a diaster has occurred. Operations must be recovered to a point where management’s BCDR (business continuity and disaster recovery) objectives are met.

Answer 660

A

A. Web content filtering

Explanation:
SIEM (Security and Information Event Management) solutions include features such as aggregation, correlation, alerting, reporting, compliance, and dashboards.

A SIEM solution will not provide web content filtering. Firewalls are often used as a way to accomplish web content filtering.

Answer 661

A

B. The cloud provider may not be willing to allow auditors the level of access needed to certify their environment

Explanation:
In many cases, to meet regulatory requirements, the underlying infrastructure and hosting environment of an application must undergo auditing before the application residing there can be certified. This can be a problem for applications hosted in the cloud, especially those in a public cloud. The cloud provider may not be willing to allow auditors the access needed to certify their environment. The cloud provider may also be unwilling or unable to meet the requirements necessary to be certified, anyway.

Answer 662

A

A. Incident management

Explanation:
Any event that causes disruptions within an organization is known as an incident; this includes security events as well. Processes and procedures put in place to limit the effects of these incidents are known as incident management.

Answer 663

A

A. Object storage

Explanation:
While block storage is ideal for big, organized data sets that require frequent access and updates, it struggles with metadata, which is required to make sense of unstructured data. The best option for unstructured data is object storage. Each storage unit in object storage is an object, which may or may not be connected with metadata describing the item. This simplifies the organization and retrieval of data. A business can simplify the categorization and retrieval of unstructured data by utilizing object storage.

Block, Blob, and Volume are other storage types.

Answer 664

A

D. DN

Explanation:
A DN (distinguished name) acts as the primary key for an object in LDAP (lightweight directory access protocol).

Answer 665

A

B. Authorization

Explanation;
OAuth is a framework used for authorization. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.

Answer 666

A

D. Limits

Explanation:
The maximum amount of memory and processing utilization allowed by a cloud customer is known as a limit. Limits are the opposite of reservations. Reservations are used to ensure that cloud customers have the minimum amount of resources needed to run their services.

Answer 667

A

D. Data in transit

Explanation:
When data is being used by an application, it is referred to as data in transit.

When data is not being used by an application, it is known as data at rest. Structured and unstructured data are not applicable answers to this question.

Answer 668

A

B. FIPS 140-2

Explanation:
The FIPS (Federal Information Processing Standard) 140-2 is divided into 11 sections used to define security requirements. Finite State Model is one of the 11 standards

Answer 669

A

C. Software-based

Explanation:
VMware Workstation is a type 2 hypervisor, also known as a software-based hypervisor. It is not tied directly to the hardware infrastructure and can run within an operating system as software.

Answer 670

A

A. Auditability

Explanation:
CSPs rarely permit CSC to audit their service controls. CSC engages third parties to conduct independent examinations of cloud service controls and to offer an opinion on their function in relation to their purpose. SOC reports, vulnerability scans, and penetration testing are all examples of these types of assessments.

Regulatory, governance and resiliency are other shared cloud considerations.

Answer 671

A

A. Denial-of-service

Explanation:
A denial-of-service attack occurs when a large amount of useless traffic is sent to a system, thereby overloading the system’s resources and making it unable to respond to legitimate requests. In a cloud environment, it’s possible for a denial-of-service attack to affect all clients of the affected cloud provider.

Answer 672

A

B. Inexpensive

Explanation:
A public cloud is the least expensive cloud deployment option, but also the least secure. Public clouds are available to the general public and customers only pay for the services that they use. All expenses ranging from the licensing, hardware, bandwidth and operational costs are handled by the provider.

Public clouds do not offer full control over the systems in the way that private clouds do, nor do they offer the control over data the way that private clouds do.

Answer 673

A

C. Communication

Explanation:
The ISO/IEC 27018 is focused on five key principles, which include communication, consent, control, transparency, and independent and yearly audits. Communication refers to the need for any event that could impact the security of data within a cloud environment to be clearly documented as well as relayed to the cloud customers.

Answer 674

A

B. All cloud service models

Explanation:
The security and privacy of the actual data itself is the sole responsibility of the cloud customer in all cloud service models, including SaaS, PaaS, and IaaS.

Answer 675

A

E. Clear communication

Explanation:
Clear communication is one of the variables affecting the distributed IT model. Traditional IT model deployments have a line of sight, which means they have physical access to the systems and are aware of what is happening. Now that you have distributed offices, you must maintain clear communication with them. Collaboration and information sharing are vital. Thus, there must be clear, effective communication.

All other options are drivers of the distributed IT model.

Answer 676

A

A. SLA

Explanation:
The service level agreement (SLA) is a criterion that provides specific requirements that must be met by the cloud provider for contractual satisfaction between the cloud customer and the cloud provider.

Answer 677

A

A. Penetration test

Explanation:
During a penetration test, the tester is trying to actively break into the live systems. This is meant to simulate a real-life scenario and therefore, the tester will use the same techniques, methodologies, and toolsets that an actual attacker would use to compromise a system.

During static application security testing (SAST), the tester has knowledge of and access to the source code, and all testing is done in an offline manner. Vulnerability scans are usually done by an organization against their own systems to ensure that their systems are hardened against known vulnerabilities. Runtime application self-protection (RASP) is a security mechanism that helps applications protect themselves by blocking attacks in real time.

Answer 678

A

D. IAST

Explanation:
Interactive Application Security Testing (IAST) is a gray-box testing technique. An agent is placed in an application to undertake real-time analysis of the program’s traffic performance in order to uncover any security vulnerabilities. IAST can be used at any point during the SSDLC.

Static application security testing (SAST), Dynamic application security testing (DAST) and Runtime application self-protection (RASP) are other security testing types.

Answer 679

A

C. User education

Explanation:
In any sort of identity and access management (IAM) system, whether through a SaaS provider solution or through federation with the organization’s on-premise IAM manager, there are risks. In either case, user education is an important component to the organization’s cloud IAM strategy.

All other options are incorrect.

Answer 680

A

A. Denial-of-service

Explanation:
Denial-of-service (DoS) attacks flood a network with useless traffic in order to consume all the available resources. This eventually makes it impossible for the resources to be used for legitimate traffic, rendering the services useless. Without reservations in place to guarantee that all customers have the minimum needed resources to operate, a DoS attack on one customer could prevent other customers from operating as well.

Answer 681

A

B. 40-60 percent relative humidity

Explanation:
It is important to ensure that both temperature and humidity are at ideal levels within a data center. Whenever humidity levels are too high, condensation can form and cause water damage to systems. Whenever humidity levels are too low, electrostatic discharge is more likely to occur and cause damage to systems. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends data centers to have a level of 40-60 percent relative humidity.

Answer 682

A

A. Input validation

Explanation:
An injection attack occurs when malicious code is sent via input fields to a web application. In order to prevent this type of attack, all data that goes through an input field should require input validation and be properly sanitized.

Answer 683

A

B. CMDB

Explanation:
Software configuration management (SCM) and versioning are commonly utilized in all types of software development environments and are facilitated by the use of configuration management databases (CMDBs). The CMDB can be federated and synchronized across many systems, and the database can be stored on-premises or in the cloud.

Answer 684

A

B. Transparent encryption

Explanation:
Transparent encryption is a method of encryption that works by being integrated right into the database processes. In this way, the encryption is unnoticeable by the user.

Blind encryption, computational encryption, and speed encryption are not legitimate encryption types.

Answer 685

A

A. Vendor lock-in

Explanation:
Vendor lock-in is a scenario in which a cloud customer is tied and dependent on one cloud provider without the ability to move to another provider. Cloud customers should ensure that anything done with the cloud provider will not cause this type of vendor lock-in.

Answer 686

A

C. Passport number

Explanation:
Protected health information (PHI) covers items such as a medical history, physical and mental health information, demographic information, lab results, physician notes, and other health related items.

Passport numbers would be considered personally identifiable information (PII) rather than PHI.

Answer 687

A

C. OLAs

Explanation:
OLAs (operational level agreements) are similar to SLAs, but rather than existing between a customer and an external provider, OLAs exist between to two units within the same organization. Service level management is concerned with the oversight of SLAs, UCs, and OLAs.

Answer 688

A

A. SAST tools in conjunction with IAST tools

Explanation:
Given that you are utilizing a well-known and well-supported Open-Source Software (OSS), performing Static Application Security Testing (SAST) to identify vulnerabilities and then implementing Interactive Application Security Testing (IAST) to detect additional security issues in real time would be sufficient for validation.

Answer 689

A

D. Know all of the locations where data is present within its application

Explanation:
In order to implement security controls and policies, an organization must first know where and what type of data is present in the system. Having a proper mapping strategy enables an organization to know all of the locations where data is present within its application and within other storage. Having this knowledge goes a long way in creating effective security policies.

Answer 690

A

B. Functional

Explanation:
Network services and acceptable use policies are examples of functional policies. Functional policies set guiding principles for individual business functions and activities.

All other options are policy type categories.

Answer 691

A

B. Define scope

Explanation:
Audit planning is made up of four main steps, which occur in the following order:

Define objectives
Define scope
Conduct the audit
Lessons learned and analysis

Answer 692

A

D. RTO

Explanation:
The RTO, or recovery time objective, is the measurement of how long it would take to recover operations after a diaster has occurred. Operations must be recovered to a point where management’s BCDR (business continuity and disaster recovery) objectives are met.

Answer 693

A

A. Abuse or nefarious use of cloud services

Explanation:
Abuse or nefarious use of cloud services is listed as one of the top twelve threats to cloud environments by the Cloud Security Alliance. Abuse or nefarious use of cloud services occurs when an attacker is able to launch attacks from a cloud environment either by gaining access to a poorly secured cloud or using a free trial of cloud service.

Answer 694

A

C. Mandatory Access Control

Explanation:
In a mandatory access control (MAC) model, the owner is responsible for specifying metadata like classification rating or user role. The IRM system utilizes this metadata to enforce access control decisions.

All other options are access control models.

Answer 695

A

B. FISMA

Explanation:
Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government. An engineer working on a system that will be used by a federal government agency must be aware of FISMA.

Answer 696

A

D. Condensation may form causing water damage

Explanation:
The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge which may cause damage to systems.

Answer 697

A

D. IPsec

Explanation:
IPsec is a protocol for encrypting and authenticating packets between two parties. Examples of this include a pair of servers, a pair of network devices, or between network devices and servers.

DNSSEC is a security extension of the DNS protocol and couldn’t be used in the described scenario. DHCP is used to dynamically configure network information on hosts. RDP is a technology developed by Microsoft to allow users to connect into a remote device.

Answer 698

A

C. Cloud data portability

Explanation:
The ability to move data between multiple cloud providers is known as cloud data portability, while cloud application portability refers, instead, to the ability to move an application between cloud providers.

Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within one environment.

Answer 699

A

C. PII

Explanation:
Personally identifiable data (PII) is a type of data that can either directly or indirectly identify an individual. Cardholder data (CD) is a specific type of PII that relates to information such as credit/debit card numbers, security codes, expiration numbers, and any information that ties these items to the cardholder.

Answer 700

A

A. Redundant maintainability

Explanation:
The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. The standard is based on four tiers, which include:

Tier I: Basic Capacity
Tier II: Redundant Capacity Components
Tier III: Concurrently Maintainable
Tier IV: Fault Tolerance

Brainscape's Knowledge GenomeTM

Pocket Prep CCSP Flashcards

Brainscape's Knowledge Genome^TM