Pocket Prep CCSP Flashcards

1
Q

Recently, your organization has decided it will be using a third-party for its cloud migration. This third-party organization requires access to many of your organization’s file servers. You must ensure that the third-party has access to the necessary resources. What is the FIRST action your organization should take?

A. Provide minimal access for the third-party
B. Establish a written IT security policy for the third party
C. Monitor third-party access to resources
D. Conduct vendor due diligence on the third party

A

D. Conduct vendor due diligence on the third party

Explanation:
Before granting access to any resource, you should conduct vendor due diligence for the third-party organization. This diligence is very similar to a risk assessment, but it is usually in the form of a questionnaire completed by the vendor and analyzed by the organization.

All other options should occur after the due diligence has been conducted on the vendor.

2
Q

As cloud customers will access the cloud environment over a network, the networking infrastructure plays a major role in a successful cloud environment. Which of the following is the MOST basic of physical network components?

A. Switches
B. Routers
C. Wiring and Cabling
D. Firewalls

A

C. Wiring and Cabling

Explanation:
The most basic aspect of networking in a cloud environment is the actual wiring that goes into the network.

Switches, routers, and firewalls would be the next step up from the wiring and cabling.

3
Q

An emerging concept driven by the decentralized nature of cloud applications and services, which has upended the traditional model of a network with a perimeter, is called:

A. SAN
B. SSL
C. SDP
D. SDS

A

C. SDP

Explanation:
The software-defined perimeter (SDP) is a security architecture that restricts access to resources based on user identity and a “need to know” access control methodology. Before granting access to applications and network services, this technique requires device authentication and user identity verification.

4
Q

The purpose of labeling data is to accomplish which of the following?

A. Classify data based on where it’s located within the organization
B. Protect data that can be considered sensitive or classified
C. Know all of the locations within an organization where data could be stored
D. Group data elements together and provide information about those elements

A

D. Group data elements together and provide information about those elements

Explanation:
Labels are similar to metadata, but they are applied by users or processes and are more informal than metadata. Labels are used to group data elements together and provide information about those elements. However, labels can only be successful if they are applied consistently throughout the organization.

5
Q

When is the MOST optimal time to determine if data is classified as secure?

A. Use Phase
B. Create Phase
C. Archive Phase
D. Store Phase

A

B. Create Phase

Explanation:
When data is created during the create phase, the sensitivity of the data is known. It should then be handled properly from the beginning, as all additional phases will build off of the create phase.

6
Q

Data rights management (DRM) is a practice that is encapsulated within which concept?

A. Interoperability and Portability
B. Information Rights Management
C. Supply Chain Management
D. Mobile Security

A

B. Information Rights Management

Explanation:
Data rights management (DRM) is an extension of normal data protection where additional security measures and controls are placed upon sensitive data. It is an extension of the information rights management (IRM) concept.

7
Q

Which is NOT a way to measure business requirements and capabilities for business continuity and disaster recovery in the cloud?

A. Computing Power for Systems?
B. How long are you down?
C. How much capacity for data?
D. How much data may you lose?

A

C. How much capacity for data?

Explanation:
Data storage capacity is not a good indicator of business requirements and capabilities for continuity and disaster recovery in the cloud. Three metrics are used to assess business capabilities: RTO, which indicates how long systems are down; RPO, which indicates how much data may be lost; and recovery service level (RSL), which indicates how much processing power is required to maintain systems following a disaster.

8
Q

Cloud security is a challenge. What aspect of cloud computing creates new complexities to security in the cloud?

A. Measured Service
B. Encryption
C. Broad network access
D. Multi-tenancy

A

D. Multi-tenancy

Explanation:
Multi-tenancy used in cloud computing creates new complexities to security in the cloud. Data transmissions between systems within the same cloud are potential security concerns and sources of vulnerability for data theft.

All other options are key cloud computing characteristics.

9
Q

An organization has decided that the best course of action to handle a specific risk is to obtain an insurance policy. The insurance policy will cover any financial costs of a successful risk exploit.

Which type of risk response is this an example of?

A. Risk Mitigation
B. Risk Avoidance
C. Risk Transfer
D. Risk Acceptance

A

C. Risk Transfer

Explanation:
When an organization obtains an insurance policy to cover the financial burden of a successful risk exploit, this is known as risk transfer. It’s important to note that with risk transfer, only the financial losses would be covered by the policy, but it would not do anything to cover the loss of reputation the organization might face.

10
Q

In a SaaS environment, if either SQL injection or cross-site scripting vulnerabilities exist within any SaaS implementation, every customer’s data becomes at risk. Of the following, what is the BEST method for preventing this type of security risk?

A. The provider should ensure that anti-virus software is up to date within their environment.
B. The provider should ensure that there is a patch schedule in place and that it is adhered to
C. The provider should sign a contract stating that they are liable for any breaches
D. The provider should have different data stores for each customer and keep all customers as segregated as possible

A

D. The provider should have different data stores for each customer and keep all customers as segregated as possible

Explanation:
Without proper segmentation, all customers will be susceptible to vulnerabilities that exist anywhere in the environment. To mitigate this risk, the provider should have different data stores for each customer and keep all customers as segregated as possible.

11
Q

As you are drafting your organization’s cloud data destruction policy, which of the following is NOT a consideration that may affect the policy?

A. Compliance and Governance
B. Data Discovery
C. Business Processes
D. Retention Requirements

A

B. Data Discovery

Explanation:
You should not consider data discovery when determining an organization’s data destruction policy. While you may discover data during other stages of the data lifecycle, this is irrelevant at the time of destruction. Compliance and governance standards, data retention requirements, and business processes should be considered while developing a data destruction policy.

12
Q

WSUS and MDT can be used for maintaining which types of environments?

A. Windows
B. vSphere
C. Macintosh
D. Linux

A

A. Windows

Explanation:
WSUS (Windows server update service) and MDT (Microsoft deployment toolkit) can be used in conjunction to manage and maintain a Windows environment. WSUS is used to perform patch management. MDT is a collection of tools which can facilitate the automation of server and desktop deployments.

13
Q

The OWASP Top 10 lists XML external entities (XXE) on their current list of security vulnerabilities. Which of the following is an example of XXE?

A. A developer has left sensitive data about the directory structure of the application inside their code
B. A malicious actor is able to send untrusted data to a user’s browser without going through any validation
C. An application is not performing any validation on the browser tokens used to access the application
D. A website is not using proper input validation on their data fields of their application

A

A. A developer has left sensitive data about the directory structure of the application inside their code

Explanation:
During development, it’s not uncommon for developers to leave comments or notes in their code. While this is not inherently an issue, it can become an issue when the comments and notes are not removed before the code is published. An XML external entity occurs when a developer leaves references to items such as the directory structure of the application, configuration about the hosting system, or any other information about the inner workings of the application itself, in the code.

14
Q

In which security test does the tester try to actively attempt to attack or compromise a live system using the same types of tools that an actual attacker would use to simulate a real-life scenario?

A. RASP
B. Penetration test
C. Vulnerability Scan
D. SAST

A

B. Penetration test

Explanation:
During a penetration test, the tester is trying to actively break into the live systems. This is meant to simulate a real-life scenario and, therefore, the tester will use the same type of tools that an actual attacker would use to compromise a system.

During static application security testing (SAST), the tester has knowledge of and access to the source code, and all testing is done in an offline manner. Vulnerability scans are usually done by an organization against their own systems to ensure that their systems are hardened against known vulnerabilities. Runtime application self-protection (RASP) is a security mechanism that helps applications protect themselves by blocking attacks in real time.

15
Q

Which of the following is focused on providing the required system resources needed to meet SLA requirements in a cost-effective manner?

A. Continuity Management
B. Service Level Management
C. Capacity Management
D. Change Management

A

C. Capacity Management

Explanation:
Capacity management is concerned with having and providing the required system resources to meet SLA requirements of customers in a cost-effective and efficient manner. It’s important to ensure that systems are not under-provisioned, leading to service and performance issues, but also not over-provisioned, leading to higher costs to the organization.

16
Q

Which of the following is NOT considered one of the three main building blocks for a cloud environment’s management plan?

A. Rapid Elasticity
B. Orchestration
C. Scheduling
D. Maintenance

A

A. Rapid Elasticity

Explanation:
The three main building blocks that make up a cloud environment’s management plan include orchestration, maintenance, and scheduling.

Rapid elasticity is a concept that exists in cloud computing referring to the ability to quickly add more resources when necessary. It is not one of the building blocks of the management plan.

17
Q

A security engineer is implementing mechanisms that are used to allow and deny possible actions on the network. What are these mechanisms called?

A. Security regulations
B. Firewalls
C. BCDR Plans
D. Security Controls

A

D. Security Controls

Explanation:
Mechanisms put in place to allow or deny specific actions on a network are known as security controls. It is the cloud security engineer’s responsibility to ensure that the proper security controls are put in place to keep their organization safe.

18
Q

Cloud service providers will have clear requirements for items such as uptime, customer service response time, and availability. Where would these requirements MOST LIKELY be outlined for the client?

A. RTO
B. NIST
C. SLA
D. RPO

A

C. SLA

Explanation:
Requirements such as uptime, customer service response time, and availability should be outlined in a service level agreement (SLA). When a provider doesn’t meet their SLA requirements, it could lead to termination of the contract or financial benefits to the cloud customer.

19
Q

A cloud administrator would like to reduce the risk of vendor lock-in. What cloud shared consideration should the administrator be looking for?

A. Availability
B. Reversibility
C. Versioning
D. Interoperability

A

B. Reversibility

Explanation:
Reversibility is a metric that indicates the ease with which your cloud services can be migrated between cloud environments. Due to the fact that solutions must be able to migrate between CSPs and to and from the cloud, reversibility reduces vendor lock-in.

20
Q

An engineer is performing threat modeling. She is using a model that has “tampering with data” listed as one of the categories. Which model is this engineer using?

A. REST
B. TOGAF
C. DREAD
D. STRIDE

A

D. STRIDE

Explanation:
STRIDE is one of the most prominent models used for threat modeling. Tampering with data is included in the STRIDE model. DREAD is another model, but it does not include tampering with data as a category. TOGAF and REST are not threat models. STRIDE includes the following six categories:

    Spoofing identity
    Tampering with data
    Repudiation
    Information disclosure
    Denial of service
    Elevation of privileges
21
Q

Anyone who uses or consumes data which is owned by another data owner is considered which of the following?

A. Data custodian
B. Data steward
C. Data owner
D. Data Controller

A

A. Data custodian

Explanation:
A data custodian is anyone who uses or consumes data which is owned by someone else. The data custodians must adhere to any policies set forth by the data owner in regard to the use of the data.

22
Q

In the cloud, data is frequently stored in order to be recovered later, if necessary. Which section of a data retention policy would outline the steps involved in this process?

A. Retention Formats
B. Retention Periods
C. Data Classification
D. Archiving and Retrieval Procedures

A

D. Archiving and Retrieval Procedures

Explanation:
The data retention policy’s archiving and retrieval procedures will detail how data should be stored in order to facilitate later recovery.

23
Q

Violating the requirements of which type of PII is likely to result in criminal charges?

A. Regulated PII
B. Non-Disclosed PII
C. Contractual PII
D. Unrepresented PII

A

A. Regulated PII

Explanation:
There are two main types of PII (personally identifiable information) which include contractual PII and regulated PII. Failure to comply with requirements related to regulated PII could result in criminal charges in some jurisdictions, while violating contractual PII requirements is more likely to only result in a contractual penalty.

Non-disclosed PII and unrepresented PII are not recognized types of PII.

24
Q

During which phase of the software development lifecycle should testing requirements be defined?

A. Requirement gathering and feasibility
B. Testing
C. Maintenance
D. Development/Coding

A

A. Requirement gathering and feasibility

Explanation:
During the first phase of the software development lifecycle, requirement gathering and feasibility, the risk and testing requirements are defined. Having these requirements in place before development and testing even begins helps to ensure the success of the project.

25
Q

Which of the following types of security tests would be considered a “white-box” test?

A. Penetration testing
B. SAST
C. Vulnerability Scanning
D. DAST

A

B. SAST

Explanation:
Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code.

Both penetration testing and dynamic application security testing (DAST) are considered “black-box” tests because the individual performing these tests is not given any special knowledge of the environment. Vulnerability scanning is neither a “white-box” nor a “black-box” test. Vulnerability scans are run against systems using known attacks and methodologies to verify that systems are properly hardened against them.

26
Q

What cloud development fundamental is supported by security being a part of every step of an application development program?

A. Security as a business objective
B. Training and awareness
C. Security by design
D. Shared security and responsibility

A

C. Security by design

Explanation:
Security by design refers to the inclusion of security at every stage of the development process, rather than after an application has been released or in reaction to a security exploit or vulnerability. From application feasibility to retirement, security is an integral element of the process.

27
Q

Maxwell is developing a DLP strategy. Which of the following is NOT a component of DLP that Maxwell has to be concerned with?

A. Enforcement
B. Evidence and Custody
C. Monitoring
D. Discovery and classification

A

B. Evidence and Custody

Explanation:
The major components of a data loss prevention (DLP) implementation include discovery and classification, monitoring, and enforcement.

Evidence and custody is not a common component of DLP implementations.

28
Q

E-mails, pictures, videos, and text files are all examples of which of the following?

A. Morphed Data
B. Structured Data
C. Unmorphed Data
D. Unstructured Data

A

D. Unstructured Data

Explanation:
Unstructured data refers to any data that cannot be qualified as structured data. Unstructured data doesn’t conform to any defined data structures or formats. Examples of unstructured data include emails, pictures, videos, and text files.

Unmorphed and morphed data are not actual types of data.

29
Q

Which of the following BEST describes the “create” phase of the cloud data lifecycle?

A. Any time data is considered new
B. Only when data first enters a system
C. Only when data is newly created or newly imported into a system
D. Only when data is modified into a new form

A

A. Any time data is considered new

Explanation:
The create phase is the initial phase of the cloud data lifecycle. While it may sound like data must be newly created from scratch in this phase, that is not the case. Rather, any time data can be considered new, it is in the create phase. This encompasses data which is newly created, data that is being imported from elsewhere, and also data that already exists but has been modified into a new form.

30
Q

An engineer has been placed in charge of patch management on all Windows servers in the environment. Which free tool, offered by Microsoft, can assist this engineer with patch management?

A. DRS
B. RDP
C. VUM
D. WSUS

A

D. WSUS

Explanation:
The WSUS (Windows Server Update Service) is a free toolset offered by Microsoft to help with patch management. WSUS downloads patches and allows the administrators of the servers to control the installation of the patches in a centralized and automated manner.
31
Q

Which type of AI is purely cognitive-based?

A. Humanized
B. Human-Inspired
C. Enhanced
D. Analytical

A

D. Analytical

Explanation:
Analytical artificial intelligence (AI) is solely cognitive-based, focusing on a system’s ability to analyze past data and make future decisions.

32
Q

Of the following, which is NOT a tool used to detect and alert administrators of suspicious activity?

A. WSUS
B. IDS
C. NIDS
D. HIDS

A

A. WSUS

Explanation:
An IDS is an intrusion detection system. It will capture traffic and detect possible attacks or intrusions. A NIDS is a network intrusion detection system that captures all network traffic, while HIDS is a host intrusion detection system that only captures traffic for one specific host.

WSUS is a tool available to help with patch management and not a tool to help detect intrusions.

33
Q

Which of the following BEST defines ARO?

A. The estimated number of times a threat will successfully exploit a vulnerability in a given year
B. The estimated amount of revenue that will be lost due to a single successful exploit
C. The amount of time a system can be operational before it will need to be replaced
D. The estimated amount of revenue that will be lost in a given year

A

A. The estimated number of times a threat will successfully exploit a vulnerability in a given year

Explanation:
ARO stands for annualized rate of occurrence, which is defined by the estimated number of times a threat will successfully exploit a vulnerability in a given year. By multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO), you are able to determine the annual loss expectancy (ALE).

34
Q

The requirement that providers must restrict physical access to cardholder data falls under which regulatory standard?

A. FIPS 140-2
B. SOC 1
C. NIST SP 800-53
D. PCI DSS

A

D. PCI DSS

Explanation:
The PCI DSS (payment card industry data security standard) is a series of 12 compliance requirements, one of which being that physical access to cardholder data must be restricted.

35
Q

Of the following, which is an example of a direct identifier within PII?

A. ZIP Code
B. Gender
C. National Identification Number
D. Birth Date

A

C. National Identification Number

Explanation:
PII (personally identifiable information) is broken up into direct identifiers and indirect identifiers. Birth date, gender, and zip code would all be indirect identifiers because they would require more information along with them to identify a specific person.

National identification numbers and social security numbers are direct identifiers because they can identify a specific person without the need for additional information.

36
Q

Which of the following is NOT a protection technique for virtualization systems?

A. Privileged Access
B. Separation of Duty
C. Standard Configurations
D. Least Privilege

A

A. Privileged Access

Explanation:
Privileged access must be strictly limited and should enforce least privilege and separation of duty. Therefore, it is not a virtualization system protection mechanism.

Standard configurations are agreed-upon baselines and aid in managing change, which provides protection for virtualization systems.

37
Q

In the event of an ISP failure, the customer is responsible for ensuring communication with the CSP. Which of the following would be the BEST strategy for ensuring that a means of communication with the cloud vendor is always available?

A. Boundary Protection
B. Redundant ISP
C. Cloud to site VPN
D. Security Function Isolation

A

B. Redundant ISP

Explanation:
The best strategy for ensuring that a means of communication with a cloud vendor is always available when an interruption occurs would be to implement a redundant ISP.

All the other options are aspects that should be used in cloud access.

38
Q

Cloud providers must have multiple and independent power feeds to ensure redundancy. What else is needed in case of a power failure on one of the power feeds?

A. Backup Router
B. Backup Internet
C. Generator
D. Firewall

A

C. Generator

Explanation:
Cloud providers will need to have multiple independent power feeds in case a power feed goes down. In addition, they will also typically have a generator or battery backup to serve in the meantime when a power feed goes out.

Cloud providers will likely have a backup internet provider for redundancy, but it will not help in the case of a power outage, nor will additional firewalls or routers.

39
Q

An organization is considering implementing a new business continuity and disaster recovery (BCDR) strategy. Before moving forward with this, which of the following should the organization perform?

A. Onsite Technical Analysis
B. Vulnerability Scan
C. Cost-Benefit Analysis
D. Penetration Test

A

C. Cost-Benefit Analysis

Explanation:
When considering implementing a new BCDR strategy, organizations should first perform a cost-benefit analysis. This will provide insight to the stakeholders if the BCDR strategy is worth implementing. The cost-benefit analysis will compare the costs of a disaster and the impact of downtime against the cost of implementing the BCDR solution.

40
Q

Data archiving and retention as it relates to official judicial or law enforcement requests is known as:

A. Law Retention
B. Regulatory Hold
C. Court Archiving
D. Legal Hold

A

D. Legal Hold

Explanation:
Organizations or individuals may need to archive and retain data that meets specific requirements to be used in legal court proceedings. This type of data retention is known as legal hold.

41
Q

Members of your organization’s software development team are geographically dispersed and will work in a variety of time zones. Multiple developers will modify the configuration and source code files. How does your organization ensure that software code modifications are current and accurate?

A. Functional testing
B. Identity and Access management
C. Software Assurance Validation
D. Software Configuration Management

A

C. Software Configuration Management

Explanation:
Software configuration management (SCM) technologies are used to manage software assets and to ensure that changes are made in a timely and accurate manner. SCM enables changes to be rolled back. At the time of deployment, as well as during updates and patches, SCM tools are employed. Configuration management software enables auditing and reviewing configurations to ensure processes are being followed.

42
Q

Which of the following is NOT classified as a physical or environmental control?

A. Locks
B. Intrusion Prevention System
C. UPSs
D. Biometrics

A

B. Intrusion Prevention System

Explanation:
An intrusion prevention system helps protect a network from malicious activity and intrusions, and therefore, is NOT considered a physical or environmental control.

43
Q

In cloud environments, redundancy can be broken up into two areas: internal and external. Which of the following is an example of an internal redundancy?

A. Network circuits
B. Power substations
C. Power distribution units
D. Generator Fuel Tanks

A

C. Power distribution units

Explanation:
Internal redundancy includes power distribution units, power feeds to racks, cooling units, networking, storage units, and physical access points.

External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure.

44
Q

Which emerging technology, that is still in the early phases of development, would allow for the manipulation of encrypted data without the need to decrypt it?

A. Labeling
B. Tokenization
C. Homomorphic Encryption
D. Data De-Identification

A

C. Homomorphic Encryption

Explanation:
Encryption technologies are rapidly evolving. One new technology, which is still in the early phases of development and testing, is homomorphic encryption. Homomorphic encryption would allow for the manipulation of encrypted files without needing to decrypt them.

Tokenization is the practice of utilizing a random or opaque value to replace what would otherwise be sensitive data. Data de-identification is the method of using masking, obfuscation, or anonymization to protect sensitive data. Labeling is a technology which can be used to group data elements together.

45
Q

Your organization would like to automate a process that involves two applications. The data that moves between the applications must be synced in real time, and one system needs to boot up before the other. What can be used to synchronize the operations of these applications?

A. Orchestration
B. API Gateways
C. Tokenization
D. Sandboxing

A

A. Orchestration

Explanation:
Orchestration is a technique for synchronizing and orchestrating the operations of multiple apps that work together to complete a business activity. These are managed groups of applications, and their actions are choreographed based on the rules you establish.

46
Q

Which term BEST describes the process of granting access to resources?

A. Federation
B. Identification
C. Authorization
D. Auditing

A

C. Authorization

Explanation:
Authorization is the process of granting access to resources.

Identification is the process of pinpointing either a system or individual in a way where they are distinct from any other identity. Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together. Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

47
Q

Obfuscation is a method of which of the following?

A. Hashing
B. Key Management
C. Encryption
D. Data De-Identification

A

D. Data De-Identification

Explanation:
Methods of data de-identification include obfuscation, anonymization, and masking.

48
Q

Your company has invested in a PaaS (platform as a service) development platform. What would the organization’s new role be?

A. Cloud Service Broker
B. Cloud Service Customer (CSC)
C. Cloud Service Provider (CSP)
D. Cloud Service Partner

A

B. Cloud Service Customer (CSC)

Explanation:
An organization or individual who purchases a cloud service is known as a cloud service customer (CSC).

49
Q

Which of the following is NOT one of the four key areas of the physical cloud environment?

A. Network
B. CPU
C. Cabling
D. Disk

A

C. Cabling

Explanation:
The four key physical components of a cloud environment include CPU, disk, memory, and network. These components are the aspects that a cloud provider must ensure they have adequate resources for. There should be resources in these categories for both the current needs of cloud customers and future needs for the foreseeable future.

Cabling is not considered one of the key physical aspects of the cloud environment.

50
Q

Your organization is conducting a test of its disaster recovery plan. The team members describe how they would carry out their responsibilities in a certain BC/DR scenario. Which type of disaster recovery plan testing are they conducting?

A. Parallel
B. Full Cutover
C. Simulation
D. Tabletop

A

D. Tabletop

Explanation:
In a tabletop exercise, participants are provided with scenarios and asked to describe how they will carry out their assigned activities in a certain business continuity/disaster recovery scenario. This enables members to comprehend their roles amid disaster.

All other options are types of business continuity and disaster recovery plan tests.

51
Q

Which built-in VMware tool can be used to automate patches of both the vSphere hosts and the virtual machines running under them?

A. VUM
B. RDP
C. MDT
D. WSUS

A

A. VUM

Explanation:
VUM (vSphere Update Manager) is a utility which is built into VMware. VUM is able to automate patches of both the vSphere hosts as well as the virtual machines running under them. VUM also provides a dashboard which gives administrators a glimpse into their patching status across the environment.

52
Q

Cloud environments call for high-availability and resiliency. What can be done to ensure that there is no downtime?

A. Ensure that there are no single point of failure
B. Only perform maintenance a couple of times a year
C. Create backups of the most important servers in the environment
D. Only perform updates and upgrades during non-business hours

A

A. Ensure that there are no single point of failure

Explanation:
Many cloud customers expect their systems to be available at all times. In order to maintain high availability, it's critical to ensure that there are not any single points of failure. While it's good practice to perform updates and upgrades outside a business's normal operating hours, many organizations today have locations across the globe and operate 24 hours a day. This means that downtime at any time is going to be unacceptable. Cloud providers must find a way to perform updates and upgrades without causing any downtime.

Backing up systems is very important, but all systems must be backed up, not just a select few. Maintenance can’t be scheduled only a few times a year. It must be done whenever necessary so it’s important to be able to do the maintenance without causing any downtime to the customer.

53
Q

Which major piece of 1996 legislation focused on the security controls and confidentiality of medical records?

A. GDPR
B. GLBA
C. HIPAA
D. SOX

A

C. HIPAA

Explanation:
HIPAA, also known as the Health Information Portability and Accountability Act of 1996, is a major piece of legislation which focused on protecting PHI (protected health information). HIPAA focuses on the security controls and confidentiality of medical records, rather than on specific technologies being used.

54
Q

Where is the BIOS stored?

A. Disk
B. Firmware
C. Memory
D. System Board

A

B. Firmware

Explanation:
The BIOS is a form of firmware. It is typically stored in read-only memory. The BIOS is crucial for secure booting processes, as it verifies the hardware and firmware configurations of a system before allowing the operating system or applications to execute.

All other selections are components of the system.

55
Q

Within a relational database, data is put into specific fields that have known structure and possible data values. The data in these databases is very easy to search and analyze.

What is this type of data called?

A. Unstructured Data
B. Unmapped Data
C. Structured Data
D. Sensitive Data

A

C. Structured Data

Explanation:
Structured data is data that has a known format and content type. One example of structured data is the data that is housed in relational databases. This data is housed in specific fields that have a known structure and potential values of data. Having the data organized in these fields makes it easy to search and analyze.

56
Q

Which cloud computing role delivers value by aggregating services from many vendors, integrating them with an organization’s current infrastructure, and customizing services that a CSP cannot provide?

A. Cloud Service Customer
B. Cloud Service Provider (CSP)
C. Cloud Service Broker
D. Cloud Service Partner

A

C. Cloud Service Broker

Explanation:
Businesses will work with a cloud service broker to identify solutions that meet their cloud computing requirements. The broker will package services in the customer’s best interest. This may entail the use of multiple CSP services.

57
Q

For which of the cloud service models does the cloud customer commonly have responsibility for patch management?

A. SaaS and PaaS
B. PaaS
C. SaaS
D. IaaS
E. IaaS and PaaS

A

E. IaaS and PaaS

Explanation:
The CSP is fully responsible for patch management of the underlying physical infrastructure, but IaaS and PaaS customers commonly have patch management responsibilities.

In a SaaS environment, the customer has no responsibility for patching.

58
Q

A web application is using browser cookies for sessions and state. However, when the user logged out, the cookies were not properly destroyed. Another user had access to the same browser as the previous user and was able to log in using the same cookies from the previous session.

What is this an example of?

A. Security Misconfigurations
B. Sensitive Data Exposure
C. Broken Authentication
D. Broken Access Control

A

C. Broken Authentication

Explanation:
Broken authentication is one of the OWASP Top 10 vulnerabilities. Broken authentication occurs when an issue with a session token or cookie makes it possible for an attacker to gain unauthorized access to a web application. This can occur when session tokens are not properly validated, making it possible for an attacker to hijack the token and gain access. Another example of this can occur when cookies are not properly destroyed after a user logs out, making it possible for the next user to gain access with their cookies.

59
Q

An organization would like to plan a test of their business continuity and disaster recovery (BCDR) plan in which a real-world scenario is simulated as realistically as possible.

What type of BCDR test should they carry out?

A. Parallel Test
B. Walk through test
C. Paper Test
D. Full-Interruption

A

D. Full-Interruption

Explanation:
In a full-interruption BCDR test, a real life scenario is carried out as realistically as possible. During a full-interruption test, all of the production systems are shut down at the primary site, and operations are shifted to the backup site according to the disaster recovery plan.

60
Q

Which of the following is NOT a type of blockchain?

A. Consortium
B. Semi-Open
C. Private
D. Hybrid

A

B. Semi-Open

Explanation:
There are four types of blockchain: private, public, consortium, and hybrid.

Semi-open is not a type of blockchain.

61
Q

Your organization has tasked you with updating the IT best practices for your organization which includes updating the service strategy to include cloud practices. Which framework is your organization most likely using?

A. NIST CSF
B. COBIT 5
C. ITIL
D. ISO 27001

A

C. ITIL

Explanation:
Your organization is most likely using IT Infrastructure Library (ITIL) because it is an IT best practices framework. Its five core subjects are: Service strategy, Service design, Service transition, Service operation, and Continual improvement.

NIST CSF provides cybersecurity guidance, not IT best practices. ISO 27001 provides requirements for an information security management system (ISMS). COBIT 5 is a business framework for governance of IT.

62
Q

An engineer just purchased a software suite for his organization. The software is hosted by a cloud provider, and that cloud provider maintains and manages the application itself, as well as the entire infrastructure and platform. The software is accessed over the Internet and is not installed locally on any employee's machine.

What type of cloud service is being described here?

A. CaaS
B. PaaS
C. IaaS
D. SaaS

A

D. SaaS

Explanation:
Software as a Service (SaaS) is a cloud service in which the cloud provider manages and maintains everything from the application/software itself, to the servers they run on and the platform they were built on. The cloud client is not responsible for anything to do with managing the program; they can simply access it over the Internet.

63
Q

An engineer needs to find out when a document was originally created. What could this engineer look at to find this information?

A. Data Maps
B. Data Tags
C. Metadata
D. Sanitized Data

A

C. Metadata

Explanation:
Metadata is information about data, including the type of data, when the data was created, where the data is stored, and more.

64
Q

What toolset can provide assistance in database compliance, contractual, or regulatory requirements such as PCI-DSS, HIPAA and GDPR?

A. WAF
B. XML Firewall
C. API Gateways
D. DAM

A

D. DAM

Explanation:
Those who provide database activity monitor (DAM) services, as well as CSPs who provide services that are customized for their database offers, can do much more than monitor database consumption and usage patterns. Data discovery, data classification, and privileged use are all features that can be monitored in databases. Database compliance, contractual requirements, and regulatory requirements such as PCI-DSS, HIPAA, and GDPR needs can be addressed by database activity monitors.

65
Q

An organization has implemented a SIEM solution to collect logs from various sources and store them in a centralized location. What is the main security benefit of having the logs in a centralized location?

A. To prevent log manipulation
B. To encrypt all of the logs from the servers
C. To automatically block traffic that appears suspicious
D. To send alerts to administrators about suspicious activity

A

A. To prevent log manipulation

Explanation:
Log manipulation occurs when a malicious actor is able to delete or modify the logs on a system. Sending or copying the logs to a centralized location such as a SIEM prevents this since the attacker may be able to delete them on the system itself, but will likely not have gotten access to the SIEM to change them there as well.

66
Q

To protect sensitive data, an organization must implement non-shared resources like a stand-alone host. What should the organization be cautious of when justifying the new stand-alone host?

A. More control over governance of the environment
B. Greater administrative control of the environment
C. High costs for the environment
D. Higher overall security of the environment

A

C. High costs for the environment

Explanation:
The organization should be cautious due to the fact that standalone hosting will cost more than pooled resources and multi-tenancy. The organization will need to gather and analyze their requirements to identify if the costs of standalone hosting are justifiable.

All the other options are characteristics of standalone hosting.

67
Q

Which of the OWASP Top 10 security vulnerabilities addresses the protection of personally identifiable information (PII)?

A. Broken Access Control
B. Broken Authentication
C. Sensitive Data Exposure
D. Insecure Deserialization

A

C. Sensitive Data Exposure

Explanation:
When creating and managing a web application it’s vital to keep sensitive user information private. Many web applications use data such as credit card information, authentication data, and other personally identifiable information. The OWASP Top 10 addresses these items under the sensitive data exposure vulnerability and states that applications should implement various security controls to protect sensitive user data.

68
Q

In an IaaS model, what is the customer NOT responsible for?

A. Enforcing company policies
B. Technology Provided
C. Technology Usage
D. Configuring the environment

A

B. Technology Provided

Explanation:
The cloud service provider (CSP) is responsible for providing the technology, but the customer is accountable for its use. Additionally, the client is accountable for setting up the environment and enforcing organizational policies.

69
Q

Which type of load balancer for web-based content makes use of edge servers in remote locations to serve users who are physically closer to the edge server than to the original web server?

A. SDN
B. CDN
C. RDM
D. SDS

A

B. CDN

Explanation:
A content delivery network (CDN) is a form of load balancing specifically designed for web servers. Its major purpose is to accelerate users’ access to web resources that are geographically dispersed. CDNs enable users in remote places to access web data via servers located closer to their location than the original web server.

Software defined storage (SDS), software defined networking (SDN) and raw device mapping (RDM) are incorrect options.

70
Q

What is an essential layer around a virtual machine, subnet, or cloud resource as part of a layered defense strategy?

A. Cloud Gateway
B. Network Security Group
C. Contextual-based Security
D. Ingress and Egress Monitoring

A

B. Network Security Group

Explanation:
A network security group (NSG) protects a group of cloud resources. It provides a set of security rules or virtual firewall for those resources. This gives the customer additional control over security.

A cloud gateway adds an additional layer of security by transferring data between the customer and the CSP away from the public internet. Contextual-based security leverages contextual information such as identification to assist in securing cloud resources. External access attempts from the public internet can be blocked by ingress controls. Egress controls are a technique for preventing internal resources from connecting to unauthorized and potentially harmful websites.

71
Q

An IT manager is weighing their options for protecting the organization's external-facing applications from SQL injection, cross-site scripting, and cross-site request forgery attacks. The manager decided to implement a mechanism to filter HTTP/HTTPS traffic. What type of solution has the IT manager selected to protect the external-facing applications?

A. Application Programming Interface
B. Database Activity Monitor
C. Extensible Markup Language Firewall
D. Web Application Firewall

A

D. Web Application Firewall

Explanation:
By filtering HTTP/HTTPS traffic, a web application firewall (WAF) specifically addresses attacks on applications and external services. A WAF can assist in defending against SQL injection, cross-site scripting, and cross-site request forgery attacks.

72
Q

A cloud provider has several of its cloud customers sharing access to its pool of resources. What term is used to describe the customers?

A. Partner
B. Hybrid
C. Tenant
D. Auditor

A

C. Tenant

Explanation:
Any cloud customer who is sharing access to a pool of resources is known as a tenant.

73
Q

The data technique by which data dispersion encrypts data along with parity bits is referred to as:

A. RAID
B. Erasure Coding
C. Hashing
D. Data Encoding

A

B. Erasure Coding

Explanation:
Erasure coding is a technique employed by data dispersion to encrypt data with parity bits added. This is quite similar to the parity calculation used in RAID storage. A mathematical calculation is performed on the segments, and the results are stored with the data. If segments are lost, the parity bits enable the data to be recovered.

All other options are toolsets and technologies commonly used as data security strategies.

74
Q

Your organization has paid for cloud services, but when users seek to access them, the cloud services are unresponsive. The SLA requirements do not cover these repeated failures. What obstacles does the organization face?

A. Availability
B. Portability
C. Interoperability
D. Reversibility

A

A. Availability

Explanation:
The organization is currently experiencing service availability issues. Due to the fact that this failure is not covered by the SLA’s requirements, the organization may file a claim against the service provider.

75
Q

The FIPS 140-2 standard defines four levels of security. Of the four levels, which provides the HIGHEST level of security and tamper protection?

A. Level 3
B. Level 2
C. Level 1
D. Level 4

A

D. Level 4

Explanation:
The FIPS (Federal Information Processing Standard) 140-2 standard defines four levels of security. Level 1 is the lowest level of security and level 4 provides the highest level of security and tamper protection. Levels 2 and 3 are in between.
76
Q

Which form of auditor is accountable for evaluating the effectiveness of a provider’s service and detecting control flaws between the CSC and CSP, as well as the CSB, if used?

A. External Auditor
B. Third-party auditor
C. Cloud Auditor
D. Internal Auditor

A

C. Cloud Auditor

Explanation:
A cloud auditor is uniquely tasked with the responsibility of auditing cloud systems and cloud-based applications. The cloud auditor is responsible for evaluating the cloud service’s efficiency and finding control gaps between the cloud customer and the cloud service provider, as well as the cloud broker, if one is utilized.

All the other options are types of auditors.

77
Q

A malicious actor created a free trial account for a cloud service using a fake identity. Once the free trial cloud environment was up and running, he used it as a launch pad for several cloud-based attacks. Because he used a fake identity to set up the free trial, it would be difficult (if not impossible) for the attacks to be traced back to him.

What type of cloud-based threat is being described here?

A. Shared Technology Issues
B. Advanced Persistent Threats
C. Denial-of-Service
D. Abuse or nefarious use of cloud services

A

D. Abuse or nefarious use of cloud services

Explanation:
Abuse or nefarious use of cloud services is listed as one of the top twelve threats to cloud environments by the Cloud Security Alliance. Abuse or nefarious use of cloud services occurs when an attacker is able to launch attacks from a cloud environment, either by gaining access to a poorly secured cloud or by using a free trial of a cloud service. Oftentimes, when using a free trial, the attacker will configure everything using a fake identity so that attacks can't be traced back to him.

78
Q

Which technology allows the use of home and native systems to provide authentication to users without requiring an established user base to be present?

A. Federation
B. Role-Based Access
C. Identification
D. Separation

A

A. Federation

Explanation:
Federation is a set of base policies and technologies which allow systems to accept credentials without requiring an established user base to be present. This works by establishing policies and guidelines that each member of the federation must adhere to.

79
Q

Which of the following is concerned with the proper restoration of systems after a disaster or unexpected outage?

A. Change Management
B. Incident Management
C. Information Security Management
D. Continuity Management

A

D. Continuity Management

Explanation:
Continuity management, sometimes known as business continuity management, is concerned with restoring systems and devices after a disaster or unexpected outage has occurred. Business continuity and disaster recovery (BCDR) plans are a part of continuity management.

80
Q

Which applications are possible targets for denial of service attacks?

A. Only applications hosted in the cloud
B. All Applications
C. Only applications hosted in a traditional data center
D. Only applications that do not have input validation

A

B. All Applications

Explanation:
A denial of service attack occurs when a system is flooded with useless data from an attacker in an attempt to overload the system resources, making the system unavailable to valid users. All applications are possible targets for denial of service attacks. In order to help prevent denial of service attacks, developers should limit how many operations can be performed by non-authenticated users.

81
Q

Which of the following terms BEST describes the role of someone who connects existing systems and services to the cloud?

A. Cloud service business manager
B. Cloud Service Auditor
C. Cloud Service Integrator
D. Cloud Service Operations Manager

A

C. Cloud Service Integrator

Explanation:
A cloud service integrator is someone who connects (or integrates) existing systems and services to the cloud for a cloud customer.

82
Q

A criminal is targeting a cloud web application. He was able to send a properly formatted SELECT statement through one of the input fields. This returned him data about the database, which he can use to further attack the application.

What is the name of this type of attack?

A. Cross-site request forgery
B. Cross-site scripting
C. Browser Hijacking
D. SQL Injection

A

D. SQL Injection

Explanation:
A SQL injection attack occurs when an attacker is able to send a properly formatted SQL SELECT statement through one of the input fields in the web applications. This malicious query can return information about the database that should not be publicly available. In order to prevent injection attacks, it’s important to ensure that any data sent through an input field is properly sanitized and validated.

83
Q

Through the Common Criteria standard, what does an EAL2 score tell us about the organization’s security practices and results?

A. It has been structurally tested
B. It has a formally verified design and has been tested
C. It has been methodically tested and checked
D. It has been functionally tested

A

A. It has been structurally tested

Explanation:
The possible EAL (evaluation assurance level) scores are as follows:

EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested, and reviewed
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified design and tested
EAL7 - Formally verified design and tested
84
Q

What is used to fix bugs found in software, apply security vulnerability fixes, and introduce new software features?

A. Scanning
B. Vulnerability Assessment
C. Patching
D. Imaging

A

C. Patching

Explanation:
Patching is used to fix bugs found in software, apply security vulnerability fixes, introduce new software features, and much more. Regardless of the types of applications and systems involved, all software will require regular patching. Before patches are applied, they should be properly tested and validated. There should be a process in place for patch management in each organization.

85
Q

The management plan for operations in a cloud environment includes scheduling, orchestration, and which of the following?

A. Patching
B. Repudiation
C. Scanning
D. Maintenance

A

D. Maintenance

Explanation:
The management plan for operations in a cloud environment includes scheduling, orchestration, and maintenance. In a cloud environment it’s vital to ensure that careful planning and management are put in place to operate systems.

86
Q

Through sustained cooperation with a cloud service provider, the third-party file hosting and sharing platform extends its reach to service areas where it lacks infrastructure. What functional cloud computing role does the third-party file hosting and sharing platform play in this scenario?

A. Cloud Service Broker
B. Cloud Service Provider (CSP)
C. Cloud Service Partner
D. Cloud Service Customer (CSC)

A

C. Cloud Service Partner

Explanation:
A cloud service partner is a third-party provider of cloud-based services (infrastructure, storage and application, and platform services) through the CSP with which it is associated. The third-party cloud service partner makes use of the cloud service provider’s service in this scenario.

87
Q

Under the Federal Information Security Management Act (FISMA), all U.S. Government agencies are required to conduct risk assessments that align with what framework?

A. FedRAMP
B. ISO 31000
C. NIST CSF
D. NIST RMF

A

D. NIST RMF

Explanation:
The NIST Risk Management Framework acts as a guide for risk management practices used by United States federal agencies.

NIST developed the NIST CSF to assist commercial enterprises in developing and executing security strategies. FedRAMP is a cloud-specific version of NIST 800-53 that contains policies and procedures to assist cloud service providers in adopting security controls and risk assessment.

ISO 31000, titled "Risk Management - Guidelines," provides guidelines to be used during the risk management process.

88
Q

Your organization has been using ISO/IEC 27001 as a reference standard. What are the objectives of your organization in terms of design and implementation?

A. Data Handling Procedures
B. eDiscovery Management Plan
C. Information Security Management System
D. Audit Plan

A

C. Information Security Management System

Explanation:
ISO/IEC 27001 provides guidelines for creating and managing an ISMS.

All other options would not use ISO/IEC 27001 as a guideline.

89
Q

In regard to data sanitization, which type of cloud service model requires special considerations as the data is often more interconnected throughout the platform?

A. SaaS
B. IaaS
C. DaaS
D. PaaS

A

A. SaaS

Explanation:
Data sanitization in cloud environments already differs from that of on-prem environments since physical destruction methods are not possible. However, of the three cloud service models (IaaS, PaaS, and SaaS), SaaS requires special consideration because the data is often far more interconnected than in the other two service models.

DaaS is not an accepted cloud service model.

90
Q

Data that is easily searchable and organized within a database is known as:

A. Unstructured Data
B. Uncorrelated Data
C. Correlated Data
D. Structured Data

A

D. Structured Data

Explanation:

91
Q

In cloud environments, redundancy can be broken up into two areas: internal redundancy and external redundancy. Which of the following is an example of external redundancy?

A. Networking
B. Storage units
C. Generators
D. Power Distribution Units

A

C. Generators

Explanation:
External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure.

Internal redundancy includes power distribution units, power feeds to rack, cooling units, networking, storage units, and physical access points.

92
Q

Which of the following would benefit the MOST from a private cloud deployment?

A. A healthcare organization that needs to keep all of its patients' data secure, no matter the cost
B. A student building a lab for testing purposes
C. A medium-sized business that requires some data to be kept confidential, but also has a lot of non-private data stored
D. A small business that needs to keep costs low

A

A. A healthcare organization that needs to keep all of its patients' data secure, no matter the cost

Explanation:
Private clouds are the most expensive of the cloud deployments, but they are also the most secure. This is because the owner of the private cloud controls and retains ownership of all the data in that cloud. Healthcare organizations have to meet HIPAA requirements and, therefore, patient data must be kept extremely safe.

93
Q

An organization has just completed the design phase of developing their business continuity and disaster recovery (BCDR) plan. What is the next step for this organization?

A. Test the plan
B. Implement the plan
C. Revise
D. Assess Risk

A

B. Implement the plan

Explanation:
The steps of developing a BCDR plan are as follows: Define scope, gather requirements, analyze, assess risk, design, implement, test, report, and finally, revise. Once an organization has completed all of the design phase, they are ready to implement their BCDR plan. Even though the plan has already gone through design, it will likely require some changes (both technical and policy-wise) during implementation.

94
Q

An organization implemented a data rights management program. The cloud security specialist has been tasked with the responsibility of ensuring an in-depth report on the usage and access history that can be generated for all files. Which of the following BEST represents this functionality?

A. Replication Restrictions
B. Continuous Auditing
C. Rights Revocation
D. Persistent Protection

A

B. Continuous Auditing

Explanation:
Continuous auditing ensures that you can provide an in-depth report on usage and access history for all files that are protected by data rights management.

95
Q

Which of the following would benefit the MOST from using a hybrid cloud?

A. A group of organizations looking to create a shared service for all their customers to use
B. A healthcare company that needs to ensure that all of their data is kept extremely secure and private, no matter the expense
C. A small business that doesn't have much sensitive data and is just looking to move email to the cloud
D. An organization that only requires certain items are kept very secure, but can't afford a full private cloud

A

D. An organization that only requires certain items are kept very secure, but can't afford a full private cloud

Explanation:
Hybrid clouds are the best solution for any organization that requires the security of a private cloud for some, but not all, of their data. By only needing some of the data to be kept in a private cloud, the expense of building a full private cloud can be greatly reduced.

96
Q

The process of removing all identifiable characteristics from data is known as:

A. Obfuscation
B. Anonymization
C. Hashing
D. Masking

A

B. Anonymization

Explanation:
Anonymization is a method used in data de-identification. Unlike masking or obfuscation, in which the data is replaced, hidden, or removed entirely, anonymization is the process of removing any identifiable characteristics from data. It is often used in conjunction with another method such as masking.

97
Q

An attacker is trying to steal data regarding a new product that an organization is developing. The attacker has planted malware on the system and has left it on the system for eight months.

What is the name of this type of attacker?

A. Malicious Insider
B. Insecure API
C. Worm
D. Advanced Persistent Threat

A

D. Advanced Persistent Threat

Explanation:
Many types of malware and malicious programs are loud and aim to disrupt a system or network. Advanced persistent threats are the opposite. Advanced persistent threats (APTs) are attacks which attempt to steal data and stay hidden on the system or network for as long as possible. The longer the APT can stay in the system, the more data it is able to collect.

98
Q

A network engineer wants to move all of his organization’s physical hardware to the cloud. This includes routers, switches, firewalls, and servers. He is looking for a service that will allow him to manage the operating systems of the servers and all of the applications that will be installed on the servers, but he no longer wants to have to manage any physical hardware.

Which type of cloud provider would BEST fit this network engineer’s needs?

A. IaaS
B. MaaS
C. PaaS
D. SaaS

A

A. IaaS

Explanation:
Infrastructure as a Service (IaaS) providers will provide cloud customers with everything they need from a hardware standpoint, including routers, switches, firewalls, and servers. The customer will still be responsible for managing all of the software and operating systems, but will not need to manage any hardware.

99
Q

Your organization is conducting a test of its disaster recovery plan. The team members take the steps needed in case of a disaster while critical systems continue to run. Which type of disaster recovery plan testing are they conducting?

A. Full cutover
B. Simulation
C. Parallel
D. Tabletop

A

C. Parallel

Explanation:
In a parallel test, team members replicate the procedures necessary in the event of a disaster. Their objective is to ensure that critical business operations can continue to function in parallel if existing systems are affected by a disaster.

All other options are types of business continuity and disaster recovery plan tests.

100
Q

Of the following, which feature of cloud computing allows data to move between multiple cloud providers seamlessly?

A. Portability
B. Interoperability
C. Resiliency
D. Auditability

A

A. Portability

Explanation:
Portability is the feature that allows data to move between multiple cloud providers without any issues.

Interoperability is a term used to describe the ease with which components of an application can be moved or reused. Resiliency is the ability to recover quickly after an issue has occurred. Auditability is the ease with which a cloud environment can be audited.

101
Q

Which of the following is a disadvantage of resource pooling?

A. Interoperability
B. Self-service
C. Auditability
D. Multi-tenancy

A

D. Multi-tenancy

Explanation:
Resource pooling is one of the many benefits of cloud computing. Multiple clients share a set of resources, such as servers, storage, and application services, and each customer pays only for the resources they consume. This can create a problem when resources are pooled, since multi-tenancy may result, and a competitor or rival may share physical hardware with you. If the system is compromised, particularly the hypervisor, sensitive data may be exposed.

102
Q

An organization had a large amount of private data stolen by a hacker and then leaked online. This is an example of which type of threat?

A. Malicious Insider
B. Advanced Persistent Threat
C. Account Hijacking
D. Data Breach

A

D. Data Breach

Explanation:
A data breach occurs when data is leaked or stolen, either intentionally or unintentionally.

103
Q

Which of the following statements regarding responding to risk is FALSE?

A. An organization can transfer risk via insurance policies to cover financial costs of successful exploits
B. Organizations may opt to implement procedures and controls to ensure that a specific risk is never realized
C. Risk mitigation typically depends on the results of a cost benefit analysis
D. There is never an appropriate scenario in which to accept a risk

A

D. There is never an appropriate scenario in which to accept a risk

Explanation:
There are times when a company may choose to simply accept a risk rather than do anything to deal with it. This is often done when the cost of mitigating the risk outweighs the cost of simply dealing with the consequences if the risk was to occur.

104
Q

A small business was unhappy with its cloud provider’s services. For this reason, the business decided to remove all data and applications from its cloud provider’s environment and move to a new cloud provider. It was able to do so without any major impact on its production and operations.

What term BEST describes the ability to do this?

A. Reversibility
B. Rapid Elasticity
C. On-demand Self-service
D. Multitenancy

A

A. Reversibility

Explanation:
Reversibility is the ability of a cloud customer to quickly remove all data, applications, and anything else that may reside in the cloud provider’s environment, and move to a different cloud provider with minimal impact on operations.

105
Q

Which should be the PRIMARY concern for all cloud customers when looking into cloud providers?

A. Ensuring 100% uptime
B. Ensuring the confidentiality and integrity of their data
C. Cost
D. Preventing vendor lock in

A

B. Ensuring the confidentiality and integrity of their data

Explanation:
While things like uptime, cost, and preventing vendor lock-in are all important concerns, the primary concern when reviewing cloud providers should always be ensuring the confidentiality and integrity of data. Because of this, it’s vital that cloud customers know where and how their data is going to be stored at all times.

106
Q

You are accountable for the security of medical records at a community hospital. Which types of data are you safeguarding?

A. PCI
B. PII
C. PD
D. PHI

A

D. PHI

Explanation:
You are safeguarding protected health information that may be contained within the medical records you are accountable for. These can be in the form of lab reports, visit summaries, or other types of medical records.

Personally identifiable information (PII) is unique to an individual, such as a Social Security number or phone number. Payment card industry (PCI) is not a data type. Personal data (PD) is not a known acronym.

107
Q

Private clouds are more expensive than other cloud deployment models. With that in mind, what unique feature does a private cloud offer that makes it a better choice for certain organizations?

A. Multitenancy
B. Rapid Elasticity
C. Ownership Retention
D. Disaster Recovery

A

C. Ownership Retention

Explanation:
Private clouds are a must for organizations that need to retain complete ownership of their entire cloud environment. Public, hybrid, and community clouds can’t offer this.

108
Q

A college student is looking to set up her own cloud server so that she can install a few programs and create a lab. She needs a cloud option that is cost-effective and will allow her to only pay for what she needs. She doesn’t have the funds to purchase and maintain her own hardware.

Which cloud model would suit this student’s needs the BEST?

A. Community Cloud
B. Private Cloud
C. Public Cloud
D. Hybrid Cloud

A

C. Public Cloud

Explanation:
A public cloud would be the best option for this student because it is the least expensive and will allow her to pay only for the resources that she uses. Since she is planning to use the server as a lab environment, it’s unlikely that security will be a large concern for this student.

109
Q

As part of the risk management process, an engineer has been asked to perform an assessment where hard values such as SLE, ARO, and ALE can be used for a numerical analysis.

Which type of assessment has this engineer been asked to perform?

A. Risk benefit analysis
B. Cost Benefit Analysis
C. Quantitative Assessment
D. Qualitative Assessment

A

C. Quantitative Assessment

Explanation:
The two main types of assessments used in the risk management process are quantitative assessments and qualitative assessments. Qualitative assessments are nonnumerical assessments. Quantitative assessments use values such as single loss expectancy (SLE), annual loss expectancy (ALE), and annual rate of occurrence (ARO) for a numeric approach.

110
Q

Which cloud storage type operates as a web service call or as an API?

A. Structured
B. Unstructured
C. Object
D. Volume

A

C. Object

Explanation:
Object storage is a storage type used in IaaS cloud environments which operates as an API or a web service call. In object file storage, files are stored in an independent system and given a value for retrieval and reference.

111
Q

During which phase of the TLS process is the connection between the two parties negotiated and established?

A. TLS Negotiation
B. TLS Functional Protocol
C. TLS Record Protocol
D. TLS Handshake Protocol

A

D. TLS Handshake Protocol

Explanation:
TLS (transport layer security) is broken up into two main phases: TLS Handshake Protocol and TLS Record Protocol. During the TLS Handshake Protocol, the TLS connection between the two parties is negotiated and established.

During the TLS Record Protocol, the actual secure communications method for transmitting data occurs.

112
Q

It is important that the security team is involved at every step of the software development lifecycle. What is the FIRST step of the software development lifecycle?

A. Development
B. Requirement Gathering and Feasibility
C. Testing
D. Design

A

B. Requirement Gathering and Feasibility

Explanation:
The initial step of the software development lifecycle (SDLC) is to gather all of the requirements and determine their feasibility. This is determined through setting goals, reviewing the timeline for the project, performing cost analysis, and reviewing possible risks of the project.

113
Q

Which term BEST describes a group of hosts combined together to achieve the same purpose, such as redundancy or fail over?

A. Multitenancy
B. Cluster
C. VPN
D. SAN

A

B. Cluster

Explanation:
A cluster is a group of hosts that are combined together to achieve the same purpose, such as redundancy, configuration synchronization, fail over, or to minimize downtime. Clusters can be groups of hosts that are physically or logically grouped together. Clusters are handled as one unit, meaning that resources are pooled and shared between the hosts within the group.

114
Q

The software as a service (SaaS) hosting model uses which of the following types of storage methods?

A. Structured
B. Object
C. Volume
D. Content and File Storage

A

D. Content and File Storage

Explanation:
Each cloud service model uses a different method of storage as shown below:

Software as a Service (SaaS) - content and file storage, information storage and management
Platform as a Service (PaaS) - structured, unstructured
Infrastructure as a Service (IaaS) - volume, object
115
Q

An engineer entered a data center and noticed that the humidity level was 20 percent relative humidity. What risk could this pose to systems?

A. Condensation may form causing water damage
B. Excess electrostatic discharge
C. There is no risk because 20% relative humidity is the ideal humidity level
D. Systems may overheat and fry internal components

A

B. Excess electrostatic discharge

Explanation:
The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge, which may cause damage to systems.

116
Q

What type of testing is performed during the maintenance phase of software development to guarantee that changes to the software program do NOT destroy existing functionality, introduce new vulnerabilities, or resurface previously resolved vulnerabilities?

A. Unit Testing
B. Integration Testing
C. Regression Testing
D. Usability Testing

A

C. Regression Testing

Explanation:
Regression testing is carried out during the maintenance phase of the software development lifecycle to ensure that changes to the software program do not break existing functionality, introduce new vulnerabilities, or resurface previously addressed problems.

117
Q

Which of the following focuses on personally identifiable information (PII) as it pertains to financial institutions?

A. GDPR
B. GLBA
C. FRCP
D. HIPAA

A

B. GLBA

Explanation:
The Gramm-Leach-Bliley Act, officially named the Financial Modernization Act of 1999, focuses on PII as it pertains to financial institutions, such as banks.

HIPAA is concerned with the privacy of protected health information and healthcare facilities. GDPR is an EU-specific regulation that encompasses all organizations in all different industries. FRCP is a set of federal rules for handling civil legal proceedings in federal courts.

118
Q

In which type of scenario would it make sense to accept risk?

A. When there is a low chance the risk will actually occur, but the cost of dealing with the risk if it did occur would be overwhelming to the organization
B. When the cost to mitigate the risk outweighs the cost to simply deal with the risk if it were to occur
C. When simple measures can be put in place within the organization to ensure that the risk is never realized
D. When the cost of mitigating the risk and the cost of dealing with the risk when it occurs are about the same

A

B. When the cost to mitigate the risk outweighs the cost to simply deal with the risk if it were to occur

Explanation:
There are some instances where organizations will choose to accept risk rather than to do anything to deal with it. This is typically done whenever the cost to mitigate the risk outweighs the cost to simply deal with the risk when or if it were to occur.

Accepting the risk would never be a good option if the risk being realized could financially overwhelm an organization.

119
Q

In log management, what defines which categories of events are and are NOT written into logs?

A. Transparency Level
B. Quality Level
C. Clipping Level
D. Retention Level

A

C. Clipping Level

Explanation:
Many systems and apps allow you to customize what data is written to log files based on the importance of the data. The clipping level determines which events, such as user authentication events, informational system messages, and system restarts, are written in the logs and which are ignored. Clipping levels are used to ensure that the correct logs are being accounted for.

120
Q

What should be the FIRST step for any organization that is considering a move to the cloud?

A. Proof of concept
B. Cost-benefit analysis
C. Create a cloud committee
D. Hire a team of cloud experts

A

B. Cost-benefit analysis

Explanation:
Any organization that is considering a move from an on-premises solution to the cloud should first perform a cost-benefit analysis to ensure that the decision makes sense for its company.

121
Q

DREAD and STRIDE are both used in which type of business activity?

A. Project Planning
B. Threat Modeling
C. Penetration Testing
D. Vulnerability Scanning

A

B. Threat Modeling

Explanation:
Threat modeling is the process of finding threats and risks that face an application or system once it has gone live. This is an ongoing process that will change as the risk landscape changes and is, therefore, an activity that is never fully completed. DREAD and STRIDE, which were both conceptualized by Microsoft, are two prominent models recommended by OWASP.

122
Q

In which layer of the TLS protocol does the secure communications method for transmitting data occur?

A. TLS Handshake Protocol
B. TLS Record Protocol
C. TLS Combined Protocol
D. TLS Connection Protocol

A

B. TLS Record Protocol

Explanation:
TLS (transport layer security) is broken up into two main phases: TLS Handshake Protocol and TLS Record Protocol. During the TLS Handshake Protocol, the TLS connection between the two parties is negotiated and established. During the TLS Record Protocol, the actual secure communications method for transmitting data occurs.

123
Q

An organization within the European Union experienced a data breach. During the breach, personally identifiable data was stolen by the attackers. Under which regulation is this organization required to notify the applicable government agencies of the breach within 72 hours?

A. GLBA
B. SOX
C. APEC
D. GDPR

A

D. GDPR

Explanation:
The European Union implemented GDPR (general data protection regulation), which covers the entire European Union and the European Economic Area. GDPR focuses on the protection of private and personal user data for all EU citizens, regardless of where the data was created, collected, processed, or stored. Any organization that has a data breach where protected or private user information is viewed or stolen by an attacker must report it to the applicable government agencies within 72 hours.

124
Q

Through Common Criteria, what does an EAL4 score tell us about an organization’s security practices and results?

A. It has been semi-formally designed and tested
B. It has been functionally tested
C. It has been methodically designed, tested and reviewed
D. It has been structurally tested

A

C. It has been methodically designed, tested and reviewed

Explanation:
The possible EAL (evaluation assurance level) scores are as follows:

EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested, and reviewed
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified design and tested
EAL7 - Formally verified design and tested
125
Q

An organization has implemented a new system and communication protection. The security and compliance officer has been tasked with the responsibility of ensuring that the foundations for all security actions are covered in documentation by setting purpose, scope, roles and responsibilities. What control is being described?

A. Security function isolation
B. Separation of system and user functionality
C. Policy and Procedures
D. Boundary Protection

A

C. Policy and Procedures

Explanation:
Policies and procedures are a primary control in protecting systems and communications. Defining the objective, scope, roles, and responsibilities of all security actions, policies and procedures establishes a codified framework for all security actions.

126
Q

An engineer has been asked to determine how much data and information must be restored in order to get to a minimum acceptable operating level after a disaster.

What has this engineer been asked to determine?

A. RSL
B. MTR
C. RPO
D. RTO

A

C. RPO

Explanation:
The recovery point objective (RPO) is defined as the amount of data and information which must be restored and recovered after a disaster to meet business continuity and disaster recovery objectives.

127
Q

Which of the following is a security concern within an IaaS environment?

A. System Isolation
B. Multitenancy
C. Cross-site scripting
D. Web Application Security

A

B. Multitenancy

Explanation:
In an IaaS environment, resources are hosted on a cloud system which is often shared by other cloud customers. Therefore, the cloud provider must take precautions to ensure that the data between the multiple clients is not accessible by the others. This can pose a risk if the cloud provider doesn’t take great care in keeping that separation.

128
Q

Virtualization hosts, along with which of the following, have BIOS settings in place that control hardware configurations as well as security technologies which assist in preventing access to the BIOS?

A. VUMs
B. TLS
C. RDP
D. TPMs

A

D. TPMs

Explanation:
TPMs (Trusted Platform Modules) and virtualization hosts have BIOS settings in place that control hardware configurations and security technologies to prevent unauthorized access to the BIOS. It’s important to ensure that access to the BIOS is locked down for all systems to prevent unauthorized changes to the systems at the BIOS-level.

129
Q

Storage in the cloud typically consists of:

A. RAID and SANs
B. VLANs and SANs
C. RAID and VLANs
D. NAS and VLANs

A

A. RAID and SANs

Explanation:
Storage in the cloud is very similar to storage used in a traditional datacenter. The storage consists of RAID (redundant array of inexpensive disks) and SANs (storage area networks). These are connected to the virtualized server structure.

130
Q

Of the following, how is data in use typically protected?

A. Hashing
B. Secure API calls and web services
C. Encrypted transport methods
D. Antivirus

A

B. Secure API calls and web services

Explanation:
Data in use is protected through secure API calls and web services, which make use of technologies such as digital signatures.

Data in transit is best protected through encrypted transport methods like TLS. To protect data at rest, encryption methods such as AES should be used.

131
Q

Which of the following is listed on the Cloud Security Alliance’s Treacherous Twelve, but NOT listed on the OWASP Top 10?

A. Injection
B. XML external entities
C. Broken Access Control
D. Denial of Service

A

D. Denial of Service

Explanation:
A denial of service attack occurs when an attacker (or attackers) flood systems with so much useless traffic that the resources are unable to respond to legitimate traffic. Denial of service is listed as one of the Cloud Security Alliance’s Treacherous Twelve, but is not on the OWASP Top 10 list.

XML external entities, injection, and broken access control are all listed on the OWASP Top 10 list and not the Cloud Security Alliance’s Treacherous Twelve list.

132
Q

An organization utilized data event logging recommendations by OWASP in their cloud auditing plan. Which of the following is NOT a recommendation?

A. Differing classification schemes
B. Network traffic logs
C. Time synchronization
D. Identity attribution

A

B. Network traffic logs

Explanation:
The OWASP data event logging cheat sheet does not recommend network traffic logs. However, other logging recommendations by OWASP include:

    Synchronize time across all servers and devices
    Differing classification schemes
    Identity attribution
    Application-specific logs
    Integrity of log files

The full logging cheat sheet is available here: cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

133
Q

Volume storage is a storage type where a virtual machine has storage allocated to it and configured as a hard drive or file system. In a volume storage system, the main storage is sliced into smaller segments that are then assigned to a virtual machine by a hypervisor and mounted to that machine.

What is the name of the smaller segments described here?

A. VLAN
B. LUN
C. LAN
D. SAN

A

B. LUN

Explanation:
In a volume storage system, the main storage is sliced into smaller segments, called LUNs (logical units), that are then assigned to a virtual machine by a hypervisor and mounted to that machine.

A SAN is a storage area network, and not a small segment of storage. The terms LAN and VLAN refer to types of networks and are not applicable to this question.

134
Q

An organization is alerted that a regulatory agency is initiating an investigation against it and the organization must suspend all relevant data destruction activities until the investigation has been fully resolved. What process is being described?

A. Attribution
B. Chain of custody
C. Legal Hold
D. Non-repudiation

A

C. Legal Hold

Explanation:
When an organization is told that a regulatory body is commencing an inquiry against it, a legal hold should be immediately imposed. The organization must pause all data deletion actions relevant to the investigation until the matter is resolved. A legal hold has significant ramifications for data retention.

135
Q

A cloud engineer needs to make use of the cloud component that can create, stop, and start virtual machines, as well as provision them with the needed resources such as memory, storage, and CPU.

What cloud component can be used to do all the above items?

A. API
B. Federation Server
C. Software Defined Network
D. Management Plane

A

D. Management Plane

Explanation:
The management plane in a cloud environment can be used to create, stop and start virtual machines, as well as provision the virtual machines with the needed resources. Because the management plane has access to all the virtual machines from a high level it’s very important that security measures are taken to prevent unauthorized access to the management plane.

136
Q

After seeing “Broken Authentication” listed as one of the top vulnerabilities on the OWASP Top 10, a security engineer has started looking into options to protect against this.

Which of the following could the engineer implement to help protect against broken authentication?

A. MFA
B. DLP
C. Proper Logging
D. Input Validation

A

A. MFA

Explanation:
Multi-factor authentication (MFA) is an authentication method in which a user is required to provide two or more types of factors proving they are who they claim to be. For example, a user would need both a password and a randomly generated code sent to their smartphone to access an application. MFA factors are broken up into categories such as something you know (passwords, pin), something you are (biometrics), something you have (key card, smartphone), and something you do (behavioral).

137
Q

Which of the following BEST defines a trust zone?

A. The ability to share pooled resources among different cloud customers
B. Virtual tunnels that connect resources at different locations
C. Set of rules that define which employees have access to which resources
D. Physical, logical or virtual boundaries around network resources

A

D. Physical, logical or virtual boundaries around network resources

Explanation:
A trust zone is a physical, logical, or virtual boundary around network resources. Before a cloud provider can implement trust zones, they must undergo threat and vulnerability assessments to determine where their weaknesses are within the environment. This will help to determine where trust zones would be most useful.

138
Q

The main method of protecting data at rest is which of the following?

A. Encrypted transport methods such as TLS
B. Secure APIs
C. Antivirus
D. Encryption

A

D. Encryption

Explanation:
The main method for protecting data at rest is to use encryption methods such as AES.

Data in transport is protected by encrypted transport methods such as TLS. To protect data in use, secure API calls and web services must be used.

139
Q

The mechanism that directs and controls the provisioning and use of cloud services both internally and externally is referred to as

A. SLA
B. Governance
C. Privacy
D. Interoperability

A

B. Governance

Explanation:
Governance is the system by which the provisioning and usage of cloud services are directed and controlled. Governance will put a framework in place to ensure compliance with regulatory obligations.

All other options are shared cloud considerations.

140
Q

When systems are given a set of seed data and patterns to search for and then continuously change their behavior depending on information and analysis of continuing trends, this process is referred to as:

A. Quantum Computing
B. Blockchain
C. Machine Learning
D. Artificial Intelligence

A

C. Machine Learning

Explanation:
Artificial intelligence relies heavily on machine learning. Machine learning enables a solution to learn and develop on its own without the need for extra programming. Intrusion detection, email filtering, and virus scanning are all examples of current machine learning usage.

Blockchain, quantum computing and artificial intelligence are other related technologies.

141
Q

When conducting functional testing, which is NOT an important consideration?

A. Testing must use limited information about the application
B. Testing must be realistic for all environments
C. Testing must be sufficient to have reasonable assurance there are no bugs
D. Testing must be designed to exercise all requirements

A

A. Testing must use limited information about the application

Explanation:
Testing that must use limited information about the application is called grey-box testing and occurs after functional testing and deployment.

Functional testing is performed on an entire system, and the following are important considerations: testing must be realistic, must exercise all requirements, and must be sufficient to give reasonable assurance that there are no bugs.

142
Q

When developing a business continuity and disaster recovery (BCDR) plan, what step should be completed after the scope has been defined?

A. Analyze Risk
B. Gather requirements
C. Report and revise
D. Test the plan

A

B. Gather requirements

Explanation:
After defining the scope, the next step of developing a BCDR plan is to gather requirements. This stage determines what should be included in the plan and looks at items such as the recovery time objective (RTO) and recovery point objective (RPO). It will be necessary during this stage to identify critical systems within the environment.

143
Q

What is the FINAL stage of the risk management process?

A. Monitoring the risk
B. Transferring the risk
C. Framing the risk
D. Responding to the risk

A

A. Monitoring the risk

Explanation:
After a risk has been responded to, whether by accepting, transferring, avoiding, or mitigating the risk, it must still be monitored. Monitoring the risk is an ongoing process to determine if the same threats and risk still exist in the same form. Monitoring risk serves as a way to ensure that current risk evaluations and mitigation meet current regulatory requirements.

144
Q

An engineer is adding validation processes to an application that will check that session tokens are being submitted by the valid and original obtainer of the token.

What OWASP Top 10 vulnerability is this engineer mitigating by doing so?

A. Insecure deserialization
B. Broken Access Control
C. Security Misconfiguration
D. Broken Authentication

A

D. Broken Authentication

Explanation:
The OWASP Top 10 is an up-to-date list of the most critical web application vulnerabilities and risks. Broken authentication refers to the ability of an attacker to hijack a session token and use it to gain unauthorized access to an application. This risk can be mitigated by adding proper validation processes to ensure that session tokens are being submitted by the valid and original obtainer of the token.

145
Q

What is the first step in establishing communications with vendors?

A. Creating a support ticket
B. Inventory of critical parties
C. Set up bidirectional communication
D. Review documentation

A

B. Inventory of critical parties

Explanation:
The first step in communicating with vendors is to compile a list of all key third parties on which the business relies. This inventory will serve as the basis for risk management operations with third parties or vendors. Additionally, contact with vendors will be nearly entirely driven by contract and service level agreement obligations.

All other options are not steps in establishing communications with vendors.

146
Q

What is generally part of the development coding phase of the SSDLC?

A. Unit Testing
B. Integration testing
C. Acceptance testing
D. Useability Testing

A

A. Unit Testing

Explanation:
The coding phase of the SSDLC covers the generation of software components as well as integrations and the build of the overall solution. Unit testing is part of the coding process. This is a developer’s test of the modules that are being developed as part of a larger architecture. All of the module’s pathways must be tested.

147
Q

Which of the following places controls on how protected health information must be handled in the United States?

A. HIPAA
B. SOX
C. GDPR
D. PCI

A

A. HIPAA

Explanation:
In the United States, any protected health information (PHI) must be kept secure and confidential. The Health Insurance Portability and Accountability Act (HIPAA) places controls on how PHI must be handled and protected.

148
Q

Which OWASP Top 10 vulnerability is defined as the capacity of unauthenticated users to see unauthorized and sensitive data, perform unauthorized functions, and modify access rights?

A. Injection
B. Sensitive Data Exposure
C. Broken Authentication
D. Broken Access Control

A

D. Broken Access Control

Explanation:
Broken access control vulnerabilities may enable authenticated users to view unauthorized and sensitive data, perform unauthorized functions, and modify access privileges. It is imperative that applications perform checks when each function is accessed to ensure the user is properly authorized to access it.

149
Q

Your organization needs to come up with a plan to continue operations during and after an incident. What can the cloud provide during and after an incident?

A. Resiliency
B. Performance
C. Privacy
D. Governance

A

A. Resiliency

Explanation:
Resilience is the ability to continue operating under adverse or unexpected conditions. Many organizations plan a resiliency strategy that includes internal resources and the capabilities of the cloud. A cloud strategy allows the company to continue to operate during and after an event such as a natural disaster or severe weather event.

Performance, governance and privacy are other shared cloud considerations.

150
Q

The move to utilize cloud resources partnered with an increasingly regulated and dispersed supply chain elevates the priority of stakeholder coordination. Which of the following stakeholder groups is the LEAST likely to have contracts or formal agreements with a cloud provider?

A. Regulators
B. Partners
C. Customers
D. Vendors

A

A. Regulators

Explanation:
CSPs are likely to have contracts or some form of agreement with vendors, partners, and customers, but rarely (if ever) with a regulator.

The CCSP is responsible for ensuring their cloud environment is in compliance with all regulatory obligations applicable to their organization.

151
Q

An organization needs to use multiple data formats, including both JSON and XML, in their cloud deployment. Which API type should they use?

A. REST
B. DAST
C. SAST
D. SOAP

A

A. REST

Explanation:
Representational State Transfer (REST) is a software architectural scheme which supports multiple data types, including both JSON and XML.

Simple Object Access Protocol (SOAP) supports only the use of XML-formatted data types, so it would not work for the organization. DAST and SAST are testing methodologies and are not API types.

152
Q

Which of the following allows the cloud provider to manage all the hosts in the environment from a centralized location?

A. Virtual Dashboard
B. Management Plane
C. Hypervisor
D. Software Defined Network

A

B. Management Plane

Explanation:
The management plane allows for cloud providers to manage all the hosts from a centralized location instead of needing to log into each individual server when needing to perform tasks. The management plane is typically hosted on its own dedicated server.

153
Q

Emilia is a cloud security engineer. She needs to verify the integrity and completeness of data stored within a cloud environment. Which of the following technologies can help Emilia to ensure the integrity of data in a cloud environment?

A. Hashing
B. Obfuscation
C. Metadata
D. Mapping

A

A. Hashing

Explanation:
If multiple files contain the exact same data, they will produce the same hash value as long as the same hashing algorithm is used. In this way, hashing can verify integrity. In order to do this, a hash value must be created for the original data. Next time the data is accessed, the same hashing algorithm can be used to verify integrity. If the hash value is different from the first hash value, then the data has changed in some way.

154
Q

The ability to confirm the origin or authenticity of data to a high degree of certainty is known as:

A. E-Discovery
B. Non-repudiation
C. Compliance
D. Encryption

A

B. Non-repudiation

Explanation:
Nonrepudiation is the ability to confirm the origin or authenticity of data to a high degree of certainty. Nonrepudiation is typically achieved through methods such as hashing and digital signatures.

155
Q

An engineer is using DREAD for threat modeling. Which is the correct algorithm when using DREAD to determine the quantitative value for risk and threats?

A. RISK_DREAD = (Damage + Restoration + Exploitability + Affected Users + Discoverability) / 5
B. RISK_DREAD= (Damage + Recoverability + Exploitability + Affected Users + Discoverability) / 10
C. RISK_DREAD = (Damage - Reproducibility + End Users Affected - Awareness + Discoverability) / 10
D. RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

A

D. RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

Explanation:
DREAD looks at the categories of damage potential, reproducibility, exploitability, affected users, and discoverability. Risk is given a value of 0 to 10 in each category, with 10 being the highest risk value. The algorithm used in DREAD is RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5.

156
Q

According to ASHRAE, what is the ideal temperature for a data center?

A. 49.8 - 70.6 degrees F
B. 64.4 - 80.6 degrees F
C. 55.7 - 78.5 degrees F
D. 70.2 - 85.0 degrees F

A

B. 64.4 - 80.6 degrees F

Explanation:
Due to the number of systems running, data centers produce a lot of heat. If the systems in the data center overheat, it could fry the systems and make them unusable. In order to protect the systems, adequate and redundant cooling systems are needed. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends that the ideal temperature for a data center is 64.4 - 80.6 degrees F.

157
Q

Which of the following statements regarding VLANs is TRUE?

A. VLANs are dependent on the physical wiring and cabling infrastructure
B. VLANs work the best if implemented in the same geographical location
C. VLANs can be used across multiple datacenters without concerns for geographical location
D. VLANs are used to allow remote access for employees working outside the office

A

C. VLANs can be used across multiple datacenters without concerns for geographical location

Explanation:
VLANs are not dependent on the physical infrastructure at all, so this makes them ideal for network segmentation across multiple datacenters without the need to worry about the geographical location.

158
Q

As cloud service customers, the majority of businesses will get communications from their cloud service providers. What are the primary responsibilities of cloud service customers?

A. Defining SLA terms
B. Creating support tickets
C. Active participants in the Shared Responsibility Model
D. Provide IT services

A

A. Defining SLA terms

Explanation:
Receiving communications from CSPs doesn’t imply much responsibility. However, cloud customers have a critical accountability to define SLA terms. This will ensure that the CSC receives the proper level of communication, and through the correct channels from the CSP.

All other options support communications with relevant parties.

159
Q

A cloud engineer needs to rapidly deploy an application package throughout a large cloud environment. Which of the following could this engineer use to accomplish this easily?

A. MDM
B. Machine Learning
C. Containers
D. Key management

A

C. Containers

Explanation:
A wrapper that contains all of the configuration, code, and libraries needed for an application, which can be rapidly deployed across a cloud environment, is known as a container.

160
Q

Which of the following is an example of the Internet of Things (IoT)?

A. A computer with the capability to analyze data in a human-like manner
B. A computing device that can perform actions that it has not been programmed to do
C. An engineer using cryptography to link a list of records together
D. A smart refrigerator that can send a grocery list to the owner via a push notification to their mobile phone

A

D. A smart refrigerator that can send a grocery list to the owner via a push notification to their mobile phone

Explanation:
The Internet of Things (IoT) refers to non-traditional devices (such as lamps, refrigerators, and other home devices) having access to the Internet to perform various processes.

161
Q

What networking practice is based on hierarchical, distributed tables, and when a change is made to the relationship between a domain and a specific IP address, the change is registered at the top of the hierarchical table and filters down to all remaining entries?

A. DHCP
B. TLS
C. VPN
D. DNS

A

D. DNS

Explanation:
The Domain Name Service (DNS) is how computers translate IP addresses to domain names. When a user wants to communicate with another machine, the user’s machine queries a device within the DNS table to get the correct address.

All other options are other basic networking practices or protocols.

162
Q

An engineer is moving an application from one cloud provider to another cloud provider. Which of the following gives him the ability to do this?

A. Cloud Data Portability
B. Multitenancy
C. Rapid Elasticity
D. Cloud Application Portability

A

D. Cloud Application Portability

Explanation:
The ability to move an application between multiple cloud providers is known as cloud application portability, while cloud data portability refers, instead, to the ability to move data between cloud providers.

Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within an environment.

163
Q

A large organization has just implemented a SIEM. Their main reason for implementing this SIEM was to take data from many different sources and have it housed in a single indexed system.

Which function of a SIEM is being described here?

A. Reporting
B. Alerting
C. Aggregation
D. Compliance

A

C. Aggregation

Explanation:
Security information and event management (SIEM) systems are able to take data and logs from a large number of sources and house it in one single indexed system. This process is known as aggregation.

164
Q

During a cyber investigation, it is critical that any time evidence changes hands, it is documented. What is this process known as?

A. Chain of Custody
B. Evidence Correlation
C. Non Repudiation
D. Evidence Retention

A

A. Chain of Custody

Explanation:
During an investigation, it’s important that there is a paper trail which can document where evidence was and who was handling it at any given time. This process is known as chain of custody. Chain of custody is crucial in investigations so that evidence is usable in court.

165
Q

Which of the following organizations publishes security standards applicable to any systems used by the federal government and its contractors?

A. SOC
B. NIST
C. ISO
D. ISACA

A

B. NIST

Explanation:
The National Institute of Standards and Technology (NIST) is a part of the United States government which is responsible for publishing security standards applicable to any systems used by the federal government and its contractors.

166
Q

An application utilizes a browser token to maintain state, but it doesn’t have any validation processes in place to ensure that the token is submitted by the original and valid obtainer of the token. An attacker was able to hijack a browser token and gain unauthorized access to the application.

Which of the OWASP Top 10 vulnerabilities is this an example of?

A. XML External Entities
B. Insecure Deserialization
C. Injection
D. Broken Authentication

A

D. Broken Authentication

Explanation:
Broken authentication occurs when applications do not have the proper controls or processes in place to secure their authentication and session tokens. This type of vulnerability allows for attackers to hijack session tokens and use them for their own nefarious purposes.

167
Q

A small enterprise would like to move their environment from one cloud provider to another. However, the cloud provider implemented techniques which have made it very difficult to move their systems to a new provider. What is this an example of?

A. Provider Control
B. Data Elasticity
C. Vendor Lock-In
D. Cloud Proprietary

A

C. Vendor Lock-In

Explanation:
Vendor lock-in is the term used to describe the scenario in which a cloud customer is stuck using one cloud provider for one reason or another. Vendor lock-in can occur when the cloud provider has implemented technologies that make it difficult for the customer to move their data without hassle to another provider.

168
Q

An engineer is working on developing a process that will allow his organization to manage and control the risks and impacts associated with changes. What is this process called?

A. Capacity Management
B. Continuity Management
C. Deployment Management
D. Change Management

A

D. Change Management

Explanation:
The change management process is concerned with the impact of change on the organization. This change can include the implementation of new systems or simply configuration changes to already existing systems. Change management allows for changes in the organization to only be made by following a strict and structured procedure.

169
Q

What two organizational activities are reliant on identifying and mapping the location of data within an organization?

A. Antivirus and DLP
B. Supply chain management and communications
C. Problem management and Continuous Improvement
D. Asset Inventory and Risk Assessment

A

D. Asset Inventory and Risk Assessment

Explanation:
Identification and mapping of data locations within an organization is crucial for asset inventory and risk assessment tasks. According to a common adage, you cannot secure your assets if you are unaware they exist. Mapping enables a business to keep track of its assets, which is crucial for risk assessment and asset protection.

All other options are important activities within an organization. However, they are not reliant on mapping the location of data within the organization.

170
Q

A person’s birth date is an example of what type of PII?

A. Direct Identifier
B. Indirect Identifier
C. Descript Identifier
D. Nondescript Identifier

A

B. Indirect Identifier

Explanation:
PII (personally identifiable information) is broken up into direct and indirect identifiers. Because a birth date is not enough information to identify just one single person, it is an indirect identifier.

An example of a direct identifier would be a social security number. Nondescript and descript identifiers are not real types of PII.

171
Q

When an application is accessed via a network and is NOT installed locally onto a user’s computer, this application is known as which of the following?

A. Tenant
B. Measured Service
C. Cloud Application
D. IaaS

A

C. Cloud Application

Explanation:
When an application resides in the cloud and is accessed via the network, instead of being locally installed on a user’s computer, it is known as a cloud application.

A measured service is a method for billing for cloud services. A tenant is the term used to describe one or more cloud customers sharing the same pool of resources. IaaS stands for infrastructure as a service and is a cloud service category in which the provider supplies infrastructure devices such as servers, network devices, etc.

172
Q

The following are examples of what?

Microsoft Active Directory Domain Services

Microsoft Azure Active Directory

Google Cloud Discovery

Amazon Services Directory

A. Federated Identities
B. CASB
C. APIs
D. Identity Providers

A

D. Identity Providers

Explanation:
Identity providers create and manage security principals (users, devices, and software). On-premises and cloud-based identity providers can be synchronized so that users can access on-premises and cloud-based applications using their existing on-premises credentials. Identity providers support identity federation. Identity federation allows multiple parties to trust the use of a central identity provider. This eliminates the requirement for each application to create its own user credentials.

173
Q

Which of the following is an example of a sandboxing strategy?

A. Application Virtualization
B. Encryption
C. Orchestration
D. Tokenization

A

A. Application Virtualization

Explanation:
Sandboxing can be done with application virtualization by employing containers, which allow applications to be bundled with all dependencies and rigorous configuration management. While testing code or apps, sandboxing isolates components while protecting the operating system and other applications.

Encryption, Tokenization and Orchestration are other ways to protect components such as operating systems and applications.

174
Q

IRM can be used as a means for:

A. Data control and data modification
B. Data classification and data deletion
C. Data modification and data deletion
D. Data classification and control

A

D. Data classification and control

Explanation:
Information rights management (IRM) can be used as a means for data classification and control. It isn’t used as a means for data modification or data deletion.

175
Q

Your organization is considering using a data rights management solution that incorporates dynamic policy controls. Which of the following is the MOST accurate description of this functionality?

A. Data is secure no matter where it is stored
B. Permissions can be modified after a document has been shared
C. The illicit or unauthorized copying of data is prohibited
D. Expiration dates and time-limitations can be applied

A

B. Permissions can be modified after a document has been shared

Explanation:
Dynamic policy controls allow data owners to modify the permissions for their protected data even after it has been shared with others.

All other options are descriptions of functionalities provided by other features of data rights management solutions.

176
Q

To allow automation and orchestration within a cloud environment, what network protocol must be enabled?

A. IPSec
B. DHCP
C. DNS
D. SSL

A

B. DHCP

Explanation:
The Dynamic Host Configuration Protocol (DHCP) assigns an IP address and other networking information to devices in the network automatically. This facilitates the creation of a centralized management system. New hosts can be activated with DHCP, as well as hosts that need to be auto-scaled, dynamically optimized, or relocated between physical hardware programmatically. DHCP allows network information to be readily updated and changed as needed.

IPSec, DNS and SSL are other networking protocols that work together with DHCP.

177
Q

In terms of cloud services, at what point are there concerns regarding data protection and privacy present?

A. During a contract
B. At the end of a contract
C. All options are correct
D. During the erasure or destruction of data

A

C. All options are correct

Explanation:
Privacy concerns are present during and after a contract, as well as during data erasure or destruction.

178
Q

Your organization is transitioning from one cloud service provider to another and is apprehensive that data will remain retrievable even after it has been requested to be destroyed. Which data disposal method is the BEST for ensuring data recovery is impossible?

A. Anonymization
B. Clearing
C. Crypto-shredding
D. Mapping

A

C. Crypto-shredding

Explanation:
The optimal solution would be cryptographic shredding. Crypto-shredding encrypts the data and then destroys the encryption key, rendering the data unrecoverable.

All other options are data security methods. However, there is a possibility that data can be recovered after it has been destroyed.

179
Q

What management strategy is focused on preventing issues from occurring within a system or process in a proactive manner?

A. Release Management
B. Incident management
C. Service Level Agreement
D. Problem management

A

D. Problem management

Explanation:
Problem management is focused on preventing potential issues from occurring within a system or process.

All other options are types of management strategies.

180
Q

Which of the following is NOT one of the main cloud service categories?

A. Infrastructure service capability
B. Platform service capability
C. Software service capability
D. Internet Service Capability

A

D. Internet Service Capability

Explanation:
The three main cloud service categories are infrastructure service capability, platform service capability, and software service capability.

181
Q

What is used to consolidate large amounts of structured data, often from disparate sources inside or outside the organization, with the goal of supporting business intelligence and analysis efforts?

A. Data warehouse
B. Data mart
C. Data Lake
D. Data Mining

A

A. Data warehouse

Explanation:
A data warehouse is structured storage in which data has been normalized to fit a defined data model.

All other options are data storage mechanisms.

182
Q

Which of the following operates by consuming a large amount of data and analyzing that data for patterns?

A. Internet of Things
B. Machine Learning
C. Block Chaining
D. Artificial Intelligence

A

D. Artificial Intelligence

Explanation:
Artificial intelligence is the ability of devices to perform human-like analysis. Artificial intelligence operates by consuming a large amount of data and recognizing patterns and trends in the data.

183
Q

An engineer has implemented data loss prevention solutions that are installed on each of the systems which house and store data. This includes any servers, workstations, and mobile devices which hold data.

These DLP solutions are used to protect data in which state?

A. Data in transit
B. Data at rest
C. Data in use
D. Data in motion

A

B. Data at rest

Explanation:
In order to protect data at rest (DAR), data loss prevention (DLP) solutions must be deployed on each of the systems that house data, including any servers, workstations, and mobile devices. This is the simplest of DLP solutions but, in order to be most effective, it may also require network integration.

184
Q

Due to the volume of log data generated by systems, it poses a challenge for organizations when performing log reviews. What can an organization implement to help solve this issue?

A. SIEM
B. DLP
C. Next-generation firewall
D. IDS/IPS

A

A. SIEM

Explanation:
An organization’s logs are valuable only if the organization makes use of them to identify activity that is unauthorized or compromising. Due to the volume of log data generated by systems, the organization can implement a Security Information and Event Management (SIEM) system to overcome these challenges. The SIEM system provides the following:

    Log centralization and aggregation
    Data integrity
    Normalization
    Automated or continuous monitoring
    Alerting
    Investigative monitoring

All other options are security solutions implemented within an organization.

185
Q

An attack on which of the following would give an attacker complete control over the entire environment?

A. Management plane
B. Hypervisor
C. Software defined network
D. Virtual host

A

A. Management plane

Explanation:
The management plane is used by cloud providers to manage all of the hosts from one centralized location. If the management plane were to be compromised, the attacker would have complete control over the entire cloud environment.

186
Q

Of the following, which term describes the “slices” of the main storage infrastructure which are then allocated virtual machines in volume storage?

A. LUNs
B. RAM
C. CPU
D. RAID

A

A. LUNs

Explanation:
Volume storage is where storage is allocated to a virtual machine and configured as a typical hard drive and file system on that server. In a volume storage system, the main storage system is sliced into pieces called LUNs (logical units) and then allocated to a particular virtual machine by the hypervisor.

187
Q

Which phase of the cloud data lifecycle is the first phase in which security controls are implemented to protect data at rest?

A. Create
B. Destroy
C. Use
D. Store

A

D. Store

Explanation:
While security controls are implemented in the create phase in the form of SSL/TLS, this only protects data in transit and not data at rest. The store phase is the first phase in which security controls are implemented to protect data at rest.

188
Q

In the shared responsibility model, the consumer will always be responsible for what in the IaaS, SaaS, and PaaS models?

A. Identity and access management
B. Network security
C. Application security
D. Data classification

A

D. Data classification

Explanation:
In any cloud deployment model, IaaS, PaaS, or SaaS, the cloud consumer will be responsible for any control over the data they store in the cloud. This includes its classification.

All other options are functions in the cloud. However, the cloud deployment model being used will determine who is responsible.

189
Q

Data dispersion is BEST described as which of the following?

A. Data can be easily erased from a cloud provider system
B. Data can be distributed across many data centers in different geographical locations
C. Data storage can quickly be added to a cloud environment with little intervention from the cloud provider
D. Data can be quickly moved from one cloud provider to another

A

B. Data can be distributed across many data centers in different geographical locations

Explanation:
Data dispersion is the concept that data can be distributed across many data centers in different geographical locations. This is a key benefit in cloud environments because it provides disaster recovery. Having data in numerous geographical locations reduces the risk of traditional problems posed by disaster scenarios.

190
Q

Which of the following statements regarding type 2 hypervisors is TRUE?

A. Due to being software-based, it’s less likely that an attacker will be able to inject malicious code into the hypervisor.
B. Due to being hardware-based, it’s less likely that an attacker will be able to inject malicious code into the hypervisor.
C. Due to being software-based, they are more vulnerable to flaws and exploits than type 1 hypervisors.
D. Due to being hardware-based, they are more vulnerable to flaws and exploits than type 1 hypervisors.

A

C. Due to being software-based, they are more vulnerable to flaws and exploits than type 1 hypervisors.

Explanation:
Since type 1 hypervisors are tied into the physical hardware of the machine, it can be more difficult to inject malicious code. However, type 2 hypervisors are software-based and operate independently of the hardware. This can make type 2 hypervisors more susceptible and vulnerable to flaws and software exploits than type 1 hypervisors.

191
Q

Although the cloud data lifecycle is not necessarily iterative, it does have distinct phases. What is the proper sequence of the data lifecycle phases?

A. Create, Use, Share, Store, Archive, Destroy
B. Create, Store, Share, Use, Archive, Destroy
C. Create, Store, Use, Share, Archive, Destroy
D. Create, Use, Store, Share, Archive, Destroy

A

C. Create, Store, Use, Share, Archive, Destroy

Explanation:
Create, Store, Use, Share, Archive, Destroy are the phases in the cloud data lifecycle, in order.

All other options are in the incorrect order.

192
Q

Which of the following statements regarding SOAP and REST is TRUE?

A. REST only allows the use of XML-formatted data.
B. REST is typically only used when technical limitations prevent the use of SOAP.
C. SOAP does not allow for caching, making it less scalable and having lower performance than REST.
D. SOAP supports a wide variety of data formats, including both JSON and XML.

A

C. SOAP does not allow for caching, making it less scalable and having lower performance than REST.

Explanation:
SOAP does not allow for caching, making it less scalable and having lower performance than REST. Because of this, SOAP is typically used only when there are restrictions which prevent the use of REST in the environment.

REST is more flexible and supports a variety of data formats, including both JSON and XML, while SOAP only allows the use of XML-formatted data.

193
Q

An engineer wants to ensure the security of a single host. She would like to run a program on that host which would analyze all inbound and outbound traffic for that specific host.

Which of the following should this engineer use?

A. NIDS
B. HIDS
C. Honeypot
D. IPS

A

B. HIDS

Explanation:
A host intrusion detection system (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions.

A network intrusion detection system (NIDS) is similar to a HIDS, but rather than running on a single host, it analyzes all of the traffic on the network. An intrusion prevention system (IPS) works in the same manner as a NIDS, but it also has the capability to prevent attacks rather than just detect them. A honeypot is an isolated system used to trick an attacker into believing that it is a production system.

194
Q

A breach occurred at a doctor’s office in which information about a patient’s medical history and treatment were stolen. What type of data has been stolen in this scenario?

A. PCD
B. PCI
C. PHI
D. PII

A

C. PHI

Explanation:
PHI, which stands for protected health information, includes a wide spectrum of data about an individual and their health. Medical history, treatment, lab results, demographic information, and health insurance information are all considered to be PHI.

195
Q

Because an organization is in a multitenant cloud, they have decided that they need to implement cryptography and encryption into their cloud application.

In order to provide maximum security and high performance, which of the following should be used?

A. SSL 2.0
B. TLS 1.3
C. TLS 1.2
D. SSL 3.0

A

B. TLS 1.3

Explanation:
TLS (transport layer security) has replaced SSL (secure sockets layer) as the best encryption of network traffic. Currently TLS 1.3 is the latest form of TLS and should be used, as it provides maximum security and high performance.

196
Q

An organization is in the process of fighting a civil legal battle with a previous employee. The organization has requested that one of their engineers search for and collect electronic data (such as emails and stored files) regarding the case so that it can be used in the court proceedings.

What task has this engineer been asked to complete?

A. eDiscovery
B. eForensics
C. Digital examination
D. Digital discovery

A

A. eDiscovery

Explanation:
eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.

197
Q

Which of the following BEST describes a SOC?

A. A centralized group in an organization that handles network configurations
B. A centralized group in an organization dedicated to addressing general help desk tickets
C. A centralized group in an organization that handles security issues
D. A centralized group in an organization dedicated to collecting evidence for digital forensics cases

A

C. A centralized group in an organization that handles security issues

Explanation:
A SOC (security operations center) is a centralized group within an organization that handles security issues. 

A NOC (network operations center) is a centralized group within an organization that handles network configurations. SOC engineers are not likely to handle general help desk tickets or collect evidence for a forensics investigation.

198
Q

Which of the following is widely considered to be the “gold standard” in regard to the security of information systems and their data?

A. NIST SP 800-53
B. PCI DSS
C. FIPS 140-2
D. ISO/IEC 27001

A

D. ISO/IEC 27001

Explanation:
ISO/IEC 27001, with its newest update of 27001:2013, is widely considered to be the gold standard in regard to the security of information systems and their data.

199
Q

In the cloud, what are the major cloud performance concerns?

A. Availability and bandwidth
B. Encryption and security
C. Identity and access
D. Virtualization

A

A. Availability and bandwidth

Explanation:
In the cloud, the primary performance issues are network availability and bandwidth. A network is a critical component of cloud services. If the network is down, the service will be unavailable. If the service is unavailable, performance will be impacted.

All other options are minor cloud performance concerns.

200
Q

Virtualization in the cloud is powerful and has specific risks. Who is responsible for protecting the hypervisor under the shared security model of the cloud?

A. Cloud service provider
B. Cloud data center operations
C. Cloud service customer
D. Cloud service broker

A

A. Cloud service provider

Explanation:
In a shared security model, the cloud service provider controls the hypervisor. If the hypervisor is compromised, all virtual machines running on it may be vulnerable as well. As a result, the CSP’s role in securing the hypervisor is important.

All other options are roles related to the cloud.

201
Q

An engineer needs to protect confidential information, but doesn’t want to go through the complexity of encryption. Instead, the engineer is going to use a technique in which data is replaced by an arbitrary value generated by an application. The application is then able to map the arbitrary value back to the original value.

What is this technique known as?

A. Tokenization
B. De-identification
C. Hashing
D. Key management

A

A. Tokenization

Explanation:
Tokenization is a method used to protect data without needing to go through the process of encryption. In tokenization, an application is used to replace confidential data with an arbitrary value (known as a token). The application has the ability to map the token back to the original data when needed.

202
Q

An application uses application-specific access control and users must authenticate with their own credentials to gain their allowed level of access to the application. A user was able to log into the application using another user’s credentials and received an elevated level of privileges due to this.

According to the STRIDE threat model, what type of threat is this?

A. Spoofing identity
B. Insufficient due diligence
C. Broken authentication
D. Tampering with data

A

A. Spoofing identity

Explanation:
The STRIDE threat model has six threat categories, including spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privileges. When a user is able to gain access to something they shouldn’t by using another user’s account, this is known as spoofing identity. It’s important to have controls in place to prevent users from leveraging another user’s account to gain additional permissions.

203
Q

Which is NOT an overall countermeasure strategy to mitigate risks in the cloud environment?

A. Secure configuration management
B. User education
C. Security by design
D. Due diligence

A

B. User education

Explanation:
Due diligence on vendors, a trusted cloud service provider, security built into system design, encryption, and CSP security configuration management tools are all risk mitigation strategies in the cloud environment. User education is critical, but it is not as successful as the countermeasures outlined above.

204
Q

A user is moving data from one system to another. What phase of the cloud data lifecycle is occurring?

A. Archive
B. Store
C. Share
D. Create

A

D. Create

Explanation:
Any time data can be considered new, it is in the create phase. Data can be considered new whenever it is newly created, moved from one system to another, or modified into a new form.

205
Q

An engineer has recently started working for an organization. They are concerned about which regulations might affect how long they need to retain or store financial and accounting data.

Which of the following regulations does this engineer need to be aware of to address the organization’s concerns?

A. GLBA
B. SOX
C. APEC
D. HIPAA

A

B. SOX

Explanation:
SOX (Sarbanes-Oxley Act) regulates accounting and financial practices within an organization. IT engineers need to be aware of SOX, as it can affect which type of data needs to be stored/retained, and for how long.

206
Q

Using two or more storage servers together to increase performance, capacity, and reliability is known as which of the following?

A. Storage area network
B. Dynamic optimization
C. Clustered storage
D. Network attached storage

A

C. Clustered storage

Explanation:
A cluster is taking two or more systems and treating them as one entity. Clustered storage is the process of taking two or more storage servers and combining them to increase performance, capacity, and reliability. Storage clusters are used in cloud environments because high availability is extremely important.

207
Q

Which API relies on the HTTP protocol to support data formats such as XML and JSON?

A. SOAP
B. FTP
C. SOP
D. REST

A

D. REST

Explanation:
The REST (representational state transfer) API relies on the HTTP protocol and supports a variety of data formats including both XML and JSON. It allows for caching, which increases performance and scalability.
208
Q

Data loss prevention (DLP) is made up of three common stages. Which of the following is the FIRST stage of DLP implementation?

A. Enforcement
B. Data de-identification
C. Monitoring
D. Discovery and classification

A

D. Discovery and classification

Explanation:
DLP is made up of three common stages which include discovery and classification, monitoring and, finally, enforcement. Discovery and classification is the first phase, as the security requirements of the data must be addressed.

209
Q

Which is NOT one of the three key elements of incident management?

A. Incident response team
B. Incident classification
C. Incident response plan
D. Root-cause analysis

A

B. Incident classification

Explanation:
Incident management exists to help organizations plan for incidents, identify when they occur, and restore normal operations as quickly as possible with minimum adverse impact. This is referred to as a capability, or the combination of procedures and resources needed to respond to incidents. It generally comprises three key elements: incident response plan (IRP), incident response team (IRT), and root-cause analysis.

Incident classification ensures an incident is dealt with correctly. It is important to determine how critical an incident is and prioritize the response appropriately.

210
Q

Which of the following is NOT one of the four main categories for responding to risk?

A. Avoiding risk
B. Transferring risk
C. Ignoring risk
D. Accepting risk

A

C. Ignoring risk

Explanation:
After risk has been identified and evaluated, either through qualitative or quantitative assessments, the decision must be made on how to respond to risk. There are four main categories for responding to risk, which include accepting risk, avoiding risk, transferring risk, and mitigating risk.

Ignoring the risk is not one of the four categories.

211
Q

During which phase of the cloud data lifecycle would data undergo overwriting?

A. Archive
B. Use
C. Store
D. Destroy

A

D. Destroy

Explanation:
As the name suggests, the destroy phase is where data is removed completely from a system (or “destroyed”) and should be unable to be recovered. In cloud environments, methods such as degaussing and shredding can’t be used because they require physical access to the hardware. Instead, in cloud environments, techniques like overwriting and cryptographic erasure are used to destroy the data.

212
Q

Which one of the ten key principles of GAPP focuses on organizations having well documented and communicated privacy policies and procedures?

A. Collection
B. Management
C. Security for privacy
D. Quality

A

B. Management

Explanation:
The management principle of the Generally Accepted Privacy Principles (GAPP) focuses on ensuring that organizations have well documented privacy policies and procedures. In addition, this information is communicated to necessary parties, and official measures are taken to ensure accountability.

213
Q

Your organization currently hosts its cloud environment in the organization’s data center. The organization utilizes a provider for their backup solution in accordance with their business continuity plan. Which configuration BEST describes their deployment?

A. Private cloud, private backup
B. Cloud service backup, private backup
C. Cloud service backup, third-party backup
D. Private cloud, cloud service backup

A

D. Private cloud, cloud service backup

Explanation:
The organization is using their own private data center with backups being replicated to the cloud.

214
Q

Who is responsible for the security of the public internet?

A. Users
B. CSC
C. CSP
D. ISP

A

A. Users

Explanation:
The individuals using the public internet are responsible for security. Security is a shared responsibility.

The CSP, CSC or ISP would not be responsible.

215
Q

Which of the following standards establishes internationally recognized standards for eDiscovery?

A. ISO/IEC 27050
B. ISO/IEC 27002
C. ISO/IEC 27018
D. ISO/IEC 27001

A

A. ISO/IEC 27050

Explanation:
ISO/IEC 27050 provides internationally accepted standards related to eDiscovery processes and best practices.

All other options are technology standards set forth by the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC).

216
Q

In which phase of implementing a cloud data center should security be considered?

A. Testing
B. Design
C. Implementation
D. Maintenance

A

B. Design

Explanation:
Security is extremely important to consider when implementing a cloud data center. Due to its importance, security should be taken into consideration in the design phase so that it doesn’t have to be added as an afterthought later on.

217
Q

Insecure services such as FTP are disallowed on all organization systems. However, an FTP client is found on a terminal server. What can the organization do to ensure there are no other internal servers responding to FTP requests?

A. Antivirus Scan
B. Patch Scan
C. Penetration Test
D. Vulnerability Scan

A

D. Vulnerability Scan

Explanation:
By running a vulnerability scan, the organization can easily identify a server responding to FTP requests. This vulnerability indicates a system that does not conform to the baseline configuration and that requires immediate remediation action.

218
Q

Securing supply chain management software in the cloud and securely connecting vendors globally through cloud services reduces what type of risk?

A. IT-related Risk
B. Cloud-Related Risk
C. Software-related Risk
D. Application-related

A

A. IT-related Risk

Explanation:
Supply chain management entails a plethora of dangers, one of which is cloud computing. By protecting supply-chain management software in the cloud and securely linking providers globally via cloud services, risk associated with information technology is reduced.

219
Q

Which type of plan allows an organization to be prepared for what needs to be done in the event of a disaster or critical failure?

A. Data privacy
B. BCDR
C. SOC
D. DLP

A

B. BCDR

Explanation:
A business continuity and disaster recovery (BCDR) plan lays out the steps for what an organization must do immediately following a disaster or critical failure. BCDR plans should be regularly tested to ensure that they will work in the event of a real situation. BCDR plans cover what to do in the event of scenarios such as natural disasters, acts of war, equipment failures, and utility failures.

220
Q

A forensic investigator must complete the task of identifying, collecting, and securing electronic data and records so that they can be used in a criminal court hearing.

What task is this forensic investigator completing?

A. Chain of custody
B. eDiscovery
C. Repudiation
D. Digital sweep

A

B. eDiscovery

Explanation:
eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.

221
Q

Structured and unstructured storage pertain to which of the three cloud service models?

A. SaaS
B. DaaS
C. IaaS
D. PaaS

A

D. PaaS

Explanation:
Each cloud service model uses a different method of storage as shown below:

Platform as a Service (PaaS) - structured, unstructured
Infrastructure as a Service (IaaS) - volume, object
Software as a Service (SaaS) - content and file storage, information storage and management

DaaS is not a real type of cloud service model.

222
Q

Which of the following is the MAIN concern for using a BCDR solution in the cloud?

A. The number of organizations that share the same cloud environment as your organization
B. The location where the data is stored and the local laws and jurisdictions that apply to it
C. The number of individuals who have access to the data and their credentials
D. The cost and timeline for recovery

A

B. The location where the data is stored and the local laws and jurisdictions that apply to it

Explanation:
When using a cloud environment as a BCDR solution, it’s likely that data will be housed in numerous cloud datacenters in various geographical locations. It’s important to take into consideration what types of regulations and jurisdictions are applicable to the locations where your data is being stored.

223
Q

Which eDiscovery investigative method includes services set forth by pre-arranged contractual obligations that can be exercised when necessary?

A. On-Premises eDiscovery
B. Third-party eDiscovery
C. Hosted eDiscovery
D. SaaS-based eDiscovery

A

C. Hosted eDiscovery

Explanation:
With Hosted eDiscovery, your cloud service provider incorporates eDiscovery into contractual responsibilities that can be executed as needed. However, a list of pre-selected forensic solutions may have limitations.

SaaS-based eDiscovery is hosted on the cloud and is used to collect, store, and evaluate evidence by investigators and law firms. Third-party eDiscovery is not bound by contract and can be engaged to undertake eDiscovery operations on an as-needed basis. On-premises eDiscovery is a distractor.

224
Q

An organization has too many systems for administrators to manually configure network settings on each one. Which technology can this organization implement to handle the assigning of network configurations from a central server?

A. IPSec
B. DHCP
C. TLS
D. DNS

A

B. DHCP

Explanation:
DHCP (dynamic host configuration protocol) runs on a centralized server and is able to dynamically assign network configurations such as IP address, DNS server address, and other settings to systems on the network. This removes the need for administrators to go around to each computer and statically assign network information.

225
Q

Which of the following regulatory requirements applies to a retail clothing store that accepts credit cards?

A. NFPA
B. HIPAA
C. PCI DSS
D. FISMA

A

C. PCI DSS

Explanation:
PCI DSS (Payment Card Industry Data Security Standard) is a regulatory requirement that applies to financial and retail environments, specifically those that accept payment cards.
226
Q

Of the following, performing checks against client browsers to ensure they meet security standards can help to mitigate which vulnerability?

A. Insufficient logging
B. Injection
C. Sensitive data exposure
D. XML external entities

A

C. Sensitive data exposure

Explanation:
Even with proper encryption methods put in place, sensitive data is still at risk if the client’s browser is insecure. In order to help mitigate this vulnerability, web applications can perform checks against client browsers to ensure they meet security standards. If the browser doesn’t meet the security standards, it will not be granted access to the web application.

227
Q

The cloud enables operations in geographically dispersed places and increases hardware and data redundancy. What is the end result of this in terms of disaster recovery and business continuity?

A. Lower RPOs and RTOs
B. Lower RTOs and Higher RPOs
C. Higher RSLs
D. Lower RPOs and RSLs
E. Higher RTOs and RPOs

A

A. Lower RPOs and RTOs

Explanation:
The capacity to operate in geographically remote locations and to provide increased hardware and data redundancy results in lower recovery time objectives (RTOs) and recovery point objectives (RPOs) for disaster recovery and business continuity.

The recovery service level (RSL) measures the percentage of the total production service level that needs to be restored to meet BCDR objectives.

228
Q

Of the following technologies, which can be used to verify the integrity of data?

A. Hashing
B. Encryption
C. Tokenization
D. Key management

A

A. Hashing

Explanation:
Hashing is a process that can be used to verify the integrity of data. This is because if you use the same hashing algorithm on the same data time and time again, the hash value that is generated will be the same. If the data is changed, the hash value will be different, confirming that the integrity of the data is not intact.

While encryption, key management, and tokenization can help you to protect data, they can’t guarantee the integrity of the data.

229
Q

According to studies, the later in the software development phase that errors are discovered, the more expensive it is to remedy them. What can be done to avert such problems?

A. SAMM
B. OWASP
C. SSDF
D. SSDLC

A

D. SSDLC

Explanation:
Including security in the Software Development Lifecycle (SDLC) aids in the creation of secure software. The Secure Software Development Lifecycle (SSDLC) is expected to yield software solutions that are more secure against attack, minimizing the risk of important business and consumer data being exposed.

230
Q

Which of the following can be used on the network to stop attacks automatically when an intrusion has been detected?

A. IPS
B. IDS
C. HIDS
D. Honeypot

A

A. IPS

Explanation:
An intrusion prevention system (IPS) is placed at the network level. It analyzes all traffic on the network in the same way as an IDS. However, rather than simply alerting administrators when an intrusion is detected, it can actually stop and block the malicious traffic and prevent an attack from occurring automatically.

231
Q

Which of the following statements regarding recovery time objectives is false?

A. The role of IT is to implement the decision and to meet the business RTO.
B. The organization requires complete information on RTO solutions and associated expenses.
C. RTOs are an IT decision.
D. IT’s responsibility is to assist the organization with RTO options and costs.

A

C. RTOs are an IT decision.

Explanation:
Recovery time objectives are a business decision and not an IT decision. IT’s responsibility is to assist the organization with RTO options and costs. To make the best decision, the organization requires complete information on RTO solutions and associated expenses. Once a decision is reached, it is up to IT to implement it and make all attempts to adhere to the business RTO.

232
Q

Which entity would be responsible for only providing identity and access management?

A. Cloud broker
B. CASB
C. CSP
D. Service Provider

A

B. CASB

Explanation:
One of the services provided by a Cloud Access Security Broker (CASB) is the monitoring of Identity and Access Management (IAM) in your cloud. A CASB does not provide any other services. A cloud access security broker (CASB) sits between the cloud application and the customer. This service keeps track of all activities and ensures that corporate security requirements are followed.

233
Q

Which of the following statements regarding “portability” is TRUE?

A. Transitioning between a traditional data center model and a cloud environment is typically a seamless, simple, and transparent process.
B. Even legacy systems from traditional data centers are typically programmed to work within a cloud environment.
C. It is unlikely that controls or configurations will require any reengineering or changes to work in the cloud.
D. It is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment.

A
234
Q

Michael needs to perform data destruction within a public cloud model. What method is Michael able to use?

A. Shredding
B. Overwriting
C. Incineration
D. Degaussing

A

B. Overwriting

Explanation:
Michael will not be able to perform incineration, shredding, or degaussing because these require physical access, which is not available in a public cloud.

Overwriting is the process of writing a pattern of ones and zeros over the data. For especially sensitive data, it may be best to overwrite the data more than once.

235
Q

REST and SOAP are two common examples of which of the following?

A. Policies
B. State regulations
C. Security protocols
D. APIs

A

D. APIs

Explanation:
Cloud environments rely heavily on APIs (application programming interfaces) for both access and function. SOAP (simple object access protocol) and REST (representational state transfer) are two examples of commonly used APIs.

236
Q

RSL, recovery service level, can BEST be described as:

A. The average time it takes to recover services back to their normal production state
B. The length of time that is acceptable for services to be offline or unavailable during a disaster recovery scenario
C. The percentage of data needed to be restored to meet BCDR objectives
D. The percentage of the performance level which must be restored to meet BCDR objectives

A

D. The percentage of the performance level which must be restored to meet BCDR objectives

Explanation:
Recovery service level (RSL or RSL%) is a newer term used to describe the percentage of the performance level which needs to be restored to meet BCDR objectives. For example, an RSL of 50% would specify that the DR system would need to operate at a minimum of 50% of the performance level of the normal production system.

237
Q

Which of the following terms is used to describe the minimum amount of data needed to be recoverable by an organization for it to function at an acceptable level?

A. MTR
B. RSL
C. RPO
D. RTO

A

C. RPO

Explanation:
RPO stands for recovery point objective, and it is the minimum amount of data that would be needed to be retained and recovered for an organization to function at a level which is acceptable to stakeholders. The RPO does not mean that the organization has to be operating at full capacity, just at an acceptable level where crucial systems are online.

238
Q

The General Data Protection Regulation (GDPR) covers which of the following?

A. United States
B. Russian Federation
C. China
D. European Union

A

D. European Union

Explanation:
The General Data Protection Regulation, or GDPR, is a regulation and law which affects all countries in the European Union (EU) and the European Economic Area. The purpose of the GDPR is to protect data on all citizens of the EU, regardless of where the data is created, stored, or processed.

While similar legislation has and will be implemented in other parts of the world, GDPR specifically covers the EU.

239
Q

Which of the following events is likely to cause the initiation of a BCDR plan?

A. Moving offices
B. An earthquake
C. A manager forgetting their password
D. Changing internet providers

A

B. An earthquake

Explanation:
Business continuity and disaster recovery (BCDR) plans are likely to be initiated as a result of the following: natural disasters (earthquakes, floods, tornadoes, etc.), terrorist attacks or acts of war, equipment failures, utility failures or disruptions, and service provider failures.

The other items listed should not result in the initiation of a BCDR plan.

240
Q

Your cloud environment has changed significantly during the last year. Several of these adjustments resulted in service interruptions. You’ll want to develop a mechanism to track these modifications, and roll back if necessary. What does your cloud require?

A. Configuration management
B. Data management
C. Resource management
D. Change management

A

A. Configuration management

Explanation:
Configuration management is required. Configuration management technologies aid in cloud deployment management by centrally storing and archiving cloud configurations. It enables the tracking of configuration changes and the identification of the individuals who made the changes. These provisions enable you to guarantee that your cloud conforms with applicable regulations.

All other selections are operational controls and standards within an organization.

241
Q

What does the “R” in the DREAD threat model stand for?

A. Reproducibility
B. Repudiation
C. Rapid deployment
D. Reconstruction

A

A. Reproducibility

Explanation:
The DREAD threat model looks at five categories, including damage potential, reproducibility, exploitability, affected users, and discoverability. Reproducibility is the measure of how easy an exploit is to reproduce.

242
Q

Which of the following is NOT one of the three values needed for performing a quantitative assessment?

A. MTR
B. SLE
C. ARO
D. ALE

A

A. MTR

Explanation:
When performing a quantitative assessment, the values needed are the single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).

MTR stands for mean time to recovery, which is not used when performing a quantitative assessment.

243
Q

In a cloud environment, the key functionality of applications and the management of the cloud are based on which of the following?

A. TPMs
B. iSCSI
C. APIs
D. KVM

A

C. APIs

Explanation:
In a cloud environment, the key functionality of applications and the management of the cloud are based on APIs (application programming interfaces). It’s very important that APIs are implemented in a secure and appropriate manner. When possible, TLS (transport layer security) should be used for API communication.

244
Q

Which type of attack could be caused by a compromised DHCP server?

A. Redirecting legitimate users to compromised or spoofed systems
B. Flooding the systems on the network with traffic so that they can’t reply to legitimate traffic
C. Stealing personally identifiable information (PII)
D. All files on the network being encrypted by an attacker

A

A. Redirecting legitimate users to compromised or spoofed systems

Explanation:
A DHCP (dynamic host configuration protocol) is used to automatically configure network settings on systems without the need for admins to do this manually on each computer. DHCP servers must be kept secure. If a DHCP server were to be compromised, the attacker would have access to change network settings that are given out by the DHCP server. This would allow them to redirect legitimate users to compromised or spoofed systems.
245
Q

Which of the following is a benefit of using a private cloud over a hybrid, community, or public cloud deployment?

A. Security
B. Easier setup
C. Most scalable
D. Less expensive

A

A. Security

Explanation:
The private cloud deployment model is the most secure cloud deployment model. However, private clouds do not offer an easier setup, less expense, or more scalability than the other cloud deployment methods.

246
Q

Which statement is false in regard to validated open-source software?

A. Open-source software is validated in a business environment.
B. Open-source software must follow the same verification as commercial software.
C. Open-source software has less risk because it’s inexpensive.
D. Open-source software has the advantage of code being available.

A

C. Open-source software has less risk because it’s inexpensive.

Explanation:
The widespread idea that open-source software carries fewer risks due to its low cost is false. Risk is defined by the asset being protected, not by the cost of the software being employed. Losing your data to low-priced software does not mitigate the expense of a data breach and exfiltration.

247
Q

Which attack can be used to deface a web page?

A. Cross-site request forgery
B. Cross-site scripting
C. Broken authentication
D. SQL injection

A

B. Cross-site scripting

Explanation:
A cross-site scripting attack is a type of injection attack. It occurs when an attacker is able to inject malicious code into a web application. While this type of attack is mainly used to execute scripts and hijack a user’s session, it can also be used to deface or edit a web page without going through any authentication processes. The web application runs the scripts injected without validating them.

248
Q

What is the MAIN reason that eDiscovery is typically easier in a traditional data center than it is in a cloud environment?

A. Systems aren’t able to be simply physically isolated and preserved in a cloud environment
B. Cloud providers are often not willing to work with lawyers on legal matters
C. There are no tools available to perform eDiscovery in a cloud environment
D. Organizations don’t own any of the data they store in the cloud

A

A. Systems aren’t able to be simply physically isolated and preserved in a cloud environment

Explanation:
When eDiscovery must be done within a traditional data center, it’s possible to physically isolate the system and preserve the data. In a cloud environment, however, many cloud customers are using the same hardware, so it’s not possible to physically isolate a system and preserve it. Instead, special measures must be taken to achieve eDiscovery in a cloud environment.

249
Q

Which of the following is TRUE regarding virtualization?

A. The most important component to secure in a virtualized environment is the hypervisor
B. It’s more important to secure the virtual images than the management plane in a virtualized environment
C. Virtual images are susceptible to attacks whether they are running or not
D. Virtual images are susceptible to attacks only when they are online and running

A

C. Virtual images are susceptible to attacks whether they are running or not

Explanation:
Virtual images are susceptible to attacks, even when they are not running. Due to this, it’s extremely important to ensure the security of where the images are housed.

Ensuring that the management plane and the hypervisor are secured is the first step to ensuring the virtual images are secure. The management plane is the most important component to secure first because a compromise of the management plane would lead to a compromise of the entire environment.

250
Q

When enforcing OS baselines, which of the following is LEAST likely to be covered?

A. Data retention
B. Approved protocols
C. Compliance requirements
D. Approved access methods

A

A. Data retention

Explanation:
OS baselines establish and enforce known good states of system configuration, and focus on ensuring least privilege and other security OS and application best practices. Each configuration option should match a risk mitigation (security control objective).

Data retention and other data-specific requirements are not commonly part of an OS baseline.

251
Q

Under the General Data Protection Regulation (GDPR) passed in the EU, how long does a data controller have to notify the applicable government agency after a data breach or leak of personal or private information?

A. 48 hours
B. 72 hours
C. 96 hours
D. 24 hours

A

B. 72 hours

Explanation:
Under GDPR, data controllers must notify the applicable government agencies within 72 hours of a data breach or leak of personal or private information; however, there are some exemptions for law enforcement and national security agencies. GDPR is mostly focused on scenarios where the data is viewable by a malicious party, rather than instances where the data is erased or encrypted.

252
Q

What is the purpose of hot/cold aisles?

A. Hot aisles are used in colder climates, while cold aisles are mainly used in warmer climates
B. Servers are placed in cold aisles, while network equipment is placed in hot aisles
C. Some systems require more cooling than others, so the systems are separated into hot and cold rows
D. To avoid one row of racks pushing hot air directly into another row

A

D. To avoid one row of racks pushing hot air directly into another row

Explanation:
Heating and cooling within a data center is a very important component. Servers and network equipment use a lot of energy which, in turn, produces a lot of hot air. In order to avoid one row of racks pushing hot air directly into another row, many data centers will use the concept of hot/cold aisles. This practice includes alternating rows of physical racks in order to have hot and cold rows for optimal air flow.

253
Q

What are the functions of substitution, shuffling, value variance, nullification, and encryption on data used for?

A. Obfuscation
B. Discovery
C. DLP
D. Tokenization

A

A. Obfuscation

Explanation:
Obfuscation is the process of replacing, concealing, or erasing sensitive data from a data set. By substituting random or replaced data for sensitive data fields, it can be swiftly employed without exposing sensitive information to systems. Substitution, shuffling, value variance, nullification, and encryption are all methods for concealing data.

254
Q

Which of the following standards was developed by a joint privacy task force consisting of the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants?

A. SOX
B. GDPR
C. ISO/IEC 27018
D. GAPP

A

D. GAPP

Explanation:
GAPP (Generally Accepted Privacy Principles) is a privacy standard developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. GAPP contains ten main privacy principles and is focused on managing and preventing threats to privacy.

255
Q

In order to access their cloud environment remotely, a cloud engineer set up a method to connect in. This method uses a system which is publicly accessible on the Internet; however, the machine is extremely hardened to prevent attacks and is dedicated to providing access to a single application.

Which of the following did the cloud engineer create?

A. Bastion host
B. VPN
C. Federated server
D. Jump server

A

A. Bastion host

Explanation:
A bastion host is a method for remote access to a secure environment. The bastion host is an extremely hardened device that is typically focused on providing access to one application or for one particular usage. Having the device set up in this focused manner makes hardening it more effective. Bastion hosts are made publicly available on the Internet.

256
Q

Which of the following is officially known as the “Financial Modernization Act of 1999”?

A. General Data Protection Regulation
B. Asian-Pacific Economic Cooperation
C. The Gramm-Leach-Bliley Act
D. The Sarbanes-Oxley Act

A

C. The Gramm-Leach-Bliley Act

Explanation:
Although it is officially named the Financial Modernization Act of 1999, it is most commonly known as and referred to as the Gramm-Leach-Bliley Act, or GLBA. This name pays tribute to the lead sponsors and authors of the act. GLBA is focused on protecting personally identifiable information (PII) as it relates to financial institutions.

257
Q

The architecture of an encryption system has three components. Which of the following is NOT one of the three components?

A. Hashing algorithm
B. Encryption engine
C. Encryption keys
D. Data

A

A. Hashing algorithm

Explanation:
The three basic components of an encryption system include the data itself, the encryption engine, and the encryption keys.

Hashing is a separate technology from encryption, used to verify the integrity of data. Hashing algorithms belong to hashing and are not a part of an encryption system.

258
Q

In which phase of the cloud data lifecycle should security controls using SSL/TLS be implemented?

A. Create phase
B. Use phase
C. Share phase
D. Store phase

A

A. Create phase

Explanation:
The create phase is an ideal time to implement technologies such as SSL/TLS for data that is input or imported. It should be done in the create phase so that the data is protected from the start, before any further phases.

259
Q

What is a cloud storage architecture that organizes data into fields based on the properties of individual data elements?

A. Database
B. Raw-data
C. File-based
D. Object-based

A

A. Database

Explanation:
Databases store data in fields, following a related pattern.

All other options are cloud storage architectures.

260
Q

The decisions regarding where traffic is filtered or sent to and the actual forwarding of traffic are separate from each other when which of the following technologies is being used?

A. SAN
B. SDN
C. VLAN
D. VPN

A

B. SDN

Explanation:
Within a software defined network (SDN), decisions regarding where traffic is filtered or sent to and the actual forwarding of traffic are completely separate from each other.

A VLAN (virtual local area network) is used to expand a local area network beyond physical/geographical limitations. A VPN (virtual private network) securely provides access to a private network over a public network. A SAN (storage area network) is used for mass storage.

261
Q

A cloud engineer needs to access the cloud environment remotely for administration purposes. The MOST common ways for engineers to get administrative access are via VPN tunnels and which of the following?

A. Hypervisors
B. Virtual switches
C. Federated servers
D. Jump servers

A

D. Jump servers

Explanation:
A jump server, sometimes called a jump box, is a hardened and monitored system on the network that has one purpose, which is to be used as a means to access and manage devices in a separate security zone. The jump server spans two different security zones, which makes this possible.

262
Q

Cloud computing would not be possible without the use of which underlying technology?

A. Resource pooling
B. Multitenancy
C. Object storage
D. Virtualization

A

D. Virtualization

Explanation:
Sometimes, the terms virtualization and cloud computing are used interchangeably. However, they are two very separate concepts. Cloud computing is defined by NIST as “enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.” Virtualization is the underlying technology that makes cloud computing possible.

263
Q

IPsec can be used to accomplish which of the following?

A. Create an additional layer of security to the DNS protocol
B. Extend a private network over a public network
C. Isolate and segregate portions of the network
D. Encrypt and authenticate packets during transmission between two servers

A

D. Encrypt and authenticate packets during transmission between two servers

Explanation:
IPsec can be used to encrypt and authenticate packets during transmission between two systems. Examples of this include between two servers, between two network devices, and between network devices and servers.

DNSSEC is used to add an additional layer of security to the DNS protocol. A VPN is used as a way to extend a private network over public network. A VLAN is used to create a logical isolation and separation within a network.

264
Q

The process of pinpointing an entity (an individual or a system) in a way that makes it distinct from any other identity is known as which of the following?

A. Authorization
B. Identification
C. Auditing
D. Federation

A

B. Identification

Explanation:
Identification is the process of pinpointing either a system or an individual in a way that makes it distinct from any other identity.

Authorization is the process of granting access to resources. Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together. Auditing is the process of ensuring compliance with policy, guidelines and regulations.

265
Q

An engineer is deciding between using a cloud BCDR solution or using a physical/traditional BCDR solution. He must weigh the pros and cons of each solution.

Of the following, which is NOT an advantage to moving to a cloud BCDR solution?

A. Scalability
B. Cost benefits
C. Access from anywhere
D. Full ownership of hardware

A

D. Full ownership of hardware

Explanation:
Using a cloud provider for a business continuity and disaster recovery (BCDR) solution comes with many benefits, including cost benefits, scalability, and access from anywhere.

Full ownership of hardware is not an advantage of a cloud BCDR solution as the cloud customer doesn’t typically have ownership of the hardware. The hardware will belong to the cloud provider.

266
Q

Very detailed logging should be in place for which of the following?

A. Wherever the client accesses the management plane only
B. Only specific levels of the virtualization structure
C. Each level of the virtualization infrastructure, as well as wherever the client accesses the management plane
D. Only access to the hypervisor and the management plane

A

C. Each level of the virtualization infrastructure, as well as wherever the client accesses the management plane

Explanation:
Logging is imperative for a cloud environment. Role-based access should be implemented, and logging should be done at each and every level of the virtualization infrastructure, as well as wherever the client accesses the management plane (such as a web portal).

267
Q

Of the following examples, which is NOT a risk associated with having a BCDR plan?

A. Maintaining redundancy
B. Location changes
C. Functionality with external services
D. Budget

A

D. Budget

Explanation:
The risks associated with a business continuity and disaster recovery (BCDR) plan include changes in location, maintaining redundancy, having proper failover mechanisms, having the ability to bring services online quickly, and having functionality with external services.

Budget is something that should already be factored in and accounted for and, therefore, should not pose any risks to your BCDR plan.

268
Q

What adds to security and reduces susceptibility to spoofing by providing origin authority, data integrity, and authenticated denial of service?

A. DNSSEC
B. FQDN
C. PKI
D. SDP

A

A. DNSSEC

Explanation:
DNS Security Extensions (DNSSEC) is a set of specifications primarily aimed at reinforcing the integrity of DNS. It provides cryptographic authentication of DNS data using digital signatures.

Software defined perimeter (SDP), Public Key Infrastructure (PKI), and Fully Qualified Domain Name (FQDN) are distractors.

269
Q

It is vital to have an understanding of how data located in cloud storage is being accessed by members of an organization. What should be maintained to preserve visibility and promote monitoring?

A. Classification log scheme
B. Centralized logs
C. Chain of custody
D. Application-specific logs

A

B. Centralized logs

Explanation:
Logging is the process of documenting events or activities that occur against an asset. Logging is crucial for any business since it serves as the primary repository of information about previous events. Security information and event management (SIEM) technology is used to centralize these logs. A SIEM technology enables the collection, analysis, aggregation, correlation and reporting of suspected security incidents in a centralized manner. SIEM solutions can ingest a variety of different forms of log data from hardware, software, and data sources. Logging and a SIEM solution operate in tandem to centralize data and make it visible where it is needed.

270
Q

The organization has deployed a federated single sign-on (SSO) system. The organization is configured to generate tokens for users and send them to the other provider. Which BEST describes the organization’s role?

A. Certificate Authority
B. Domain Registrar
C. Identity Provider
D. Service Provider

A

C. Identity Provider

Explanation:
The organization would act as the identity provider, while the relying party would act as the service provider. The identity provider is the organization that generates tokens for users.

271
Q

To take a snapshot and backup a virtual machine, which of the following backup solutions is typically used?

A. All options are correct
B. Agentless
C. Snapshots
D. Agent-based

A

B. Agentless

Explanation:
Agentless backups generally interact directly with your hypervisor to snapshot and backup your VMs.

All other options do not apply.

272
Q

Interoperability can BEST be described as:

A. The ability for two customers to share the same pool of resources while being isolated from each other
B. The ease with which resources can be rapidly expanded as needed by a cloud customer
C. The ease with which components of an application or service can be moved or reused
D. The ability of customers to make changes to their cloud infrastructure with minimal input from the cloud provider

A

C. The ease with which components of an application or service can be moved or reused

Explanation:
Interoperability is the ease with which components of an application or service can be moved or reused.

The ability for two customers to share the same pool of resources while being isolated from each other is known as multitenancy. The ability of customers to make changes to their cloud infrastructure with minimal input from the cloud provider is known as on-demand self-service. The ease with which resources can be rapidly expanded as needed by a cloud customer is called rapid elasticity.

273
Q

What function is focused on maintaining compliance, and hence assumes the role of a regulator with correctional authority rather than a trusted advisor?

A. Internal auditor
B. External auditor
C. Cloud auditor
D. Compliance auditor

A

B. External auditor

Explanation:
An external auditor is not employed by the company being audited. An external auditor may be necessary to ensure compliance with information security regulations. Because the external auditor’s primary objective is to ensure compliance, they do not act as a trusted counsel, but rather as a regulator with enforcement authority.

All other options are types of auditors.

274
Q

What is the MOST commonly used communications protocol for network-based storage?

A. CHAP
B. SAN
C. NetBIOS
D. iSCSI

A

D. iSCSI

Explanation:
iSCSI allows for the transmission of SCSI commands over a TCP-based network. iSCSI allows systems to use block-level storage that behaves like a SAN would on physical servers, but leverages the TCP network within a virtualized environment. iSCSI is the most commonly used communications protocol for network-based storage.

275
Q

Which of the following is NOT an accurate statement about Remote Desktop Protocol (RDP)?

A. Client-server operation
B. Available to most operating systems
C. GUI access to interact with a remote computer
D. Secure means of remotely accessing machines

A

D. Secure means of remotely accessing machines

Explanation:
RDP is considered an insecure protocol and should be used only with a private network.

If used over the internet, a VPN should be considered a strict requirement. Additionally, filtering should be applied on the firewall to allow only those with permitted access to connect. RDP is GUI accessible, available for Linux, Mac and Windows devices and uses a client-server operation.

276
Q

From a legal perspective, what is the MAIN factor that differentiates a cloud environment from a traditional data center?

A. Rapid elasticity
B. Self-service
C. Multitenancy
D. Repudiation

A

C. Multitenancy

Explanation:
Multitenancy is the main factor, from a legal perspective, which differentiates a cloud environment from a traditional data center. Multitenancy is a concept in cloud computing in which multiple cloud customers may be housed in the same cloud environment and share the same resources. Because of this, the cloud provider has legal obligations to all cloud customers housed on its hardware.

277
Q

Which of the following statements regarding moving from a data center model to a cloud model is TRUE?

A. Using a cloud environment or a traditional data center will incur the exact same costs.
B. A traditional data center will have higher costs on the operational side and lower costs in regard to hardware.
C. The pricing for cloud computing may be less predictable than that of a traditional data center.
D. A traditional data center is much more secure than a cloud environment.

A

C. The pricing for cloud computing may be less predictable than that of a traditional data center.

Explanation:
In a traditional data center, it is fairly easy to map out costs for the year, including necessary equipment upgrades and licensing. In a cloud environment with metered pricing, resources are added right as they are needed and, therefore, the cost can change over time, making it unpredictable.

278
Q

Confidentiality, integrity, and availability are the three core aspects of security. With the recent increase in mobile computing and apps, which of the following has become a fourth core aspect?

A. Privacy
B. Recovery
C. Restoration
D. Budget

A

A. Privacy

Explanation:
Confidentiality, integrity, and availability are the three core aspects of security. This is often known as the CIA triad. In recent years, as mobile and cloud computing have increased, privacy has become the fourth major aspect of security. While privacy could technically be consolidated within confidentiality, it’s often thought of as its own aspect due to its importance.

279
Q

What is the FIRST stage of the risk treatment process?

A. Framing risk
B. Defining scope
C. Qualitative assessments
D. Assessing risk

A

A. Framing risk

Explanation:
In regard to risk treatment and the risk management process, the first stage is framing risk. Framing risk refers to determining what risk and levels are to be evaluated.

280
Q

Which of the following BEST describes the types of applications that create risk in a cloud environment?

A. Every piece of software in the environment
B. Software with administrator privileges
C. Full application suites
D. Small utility scripts

A

A. Every piece of software in the environment

Explanation:
Any piece of software, from major software suites to small utility scripts, can have possible vulnerabilities. This means that every program and every piece of software in the environment carries an inherent amount of risk with it. Any software that is installed in a cloud environment should be properly vetted and regularly audited.

281
Q

Which of the following statements regarding REST and SOAP is FALSE?

A. REST relies on the HTTP protocol for transmission.
B. REST supports a variety of data formats.
C. SOAP is unable to use the FTP protocol for transmission.
D. SOAP encapsulates its data into what is known as a SOAP envelope.

A

C. SOAP is unable to use the FTP protocol for transmission.

Explanation:
While the simple object access protocol (SOAP) most commonly uses the HTTP protocol for transmission, it is possible for it to use the FTP protocol and other communication protocols as well.

282
Q

Which of the following is an authentication protocol based on OAuth 2.0 specifications?

A. OpenID
B. SAML 2.0
C. WS-Federation
D. SAML

A

A. OpenID

Explanation:
OpenID, in its current form OpenID Connect (OIDC), is an authentication layer built on the OAuth 2.0 authorization framework. Where OAuth 2.0 alone only delegates access, OIDC adds a signed ID token that tells the relying party who authenticated. This gives developers an easy and flexible way to support authentication across an organization, and gives web-based applications a method of authentication that does not depend on any particular device or client.

283
Q

What is a grouping of resources with a coordinating software agent that facilitates communication, resource sharing, and routing of tasks?

A. Storage controller
B. Cluster
C. Tenant
D. Virtual Local Area Network

A

B. Cluster

Explanation:
Clusters are a collection of resources linked together by a software agent that enables communication, resource sharing, and task routing inside the cluster. Clusters are an important aspect of resource pooling, which is fundamental to cloud computing. They are used to provide most of the resources required in modern computing systems, such as processing, storage, network traffic handling, and application hosting.

All other options are logical infrastructure found in the cloud.

284
Q

Which of the following is NOT a protection technique for virtualization systems?

A. Least privilege
B. Separation of duty
C. Privileged access
D. Standard configurations

A

C. Privileged access

Explanation:
Privileged access is something that must itself be strictly limited, with least privilege and separation of duties enforced over it. It is a risk to be controlled, not a protection technique.

Standard configurations, commonly referred to as baselines, can be used to safeguard virtualization systems. All other options are protection techniques for virtualized systems.

285
Q

An engineer has been asked by her supervisor to determine how fast each system must be back up and running after a disaster has occurred to meet BCDR objectives. What has this engineer been asked to determine?

A. RPO
B. RTO
C. MTR
D. RSL

A

B. RTO

Explanation:
The recovery time objective (RTO) is a time measurement of the speed in which each system must be brought back up and running after a disaster occurs in order to meet business continuity and disaster recovery (BCDR) objectives.

286
Q

Client care representatives in your firm are now permitted to access and see customer accounts. For added protection, you’d like to build a feature that obscures a portion of the data when a customer support representative reviews a customer’s account. What type of data protection is your firm attempting to implement?

A. Tokenization
B. Hashing
C. Masking
D. Key management

A

C. Masking

Explanation:
The organization is trying to deploy masking. Masking obscures part of a sensitive value at display time, for example showing only the last four digits of a Social Security or credit card number. The representative sees enough to do their job, but the displayed data is incomplete without the blocked or removed portion, and the stored value is unchanged.

All other options are data security strategies.
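
As an added example (not part of the flashcard deck), here is the display-time masking the card describes, applied to a constructed customer record. The field names, the sample record and the policy of revealing only the last four digits are assumptions for illustration.

```python
"""Display-time masking for a customer-support view.

Added example, not part of the flashcard deck. The field names, the sample
customer record and the masking policy (reveal the last four digits) are
constructed for illustration.
"""
import copy

MASKED_FIELDS = {"ssn", "card_number"}   # assumed names of the sensitive fields


def mask_digits(value: str, reveal_last: int = 4, mask_char: str = "X") -> str:
    """Mask every digit except the last `reveal_last`, keeping separators.

    'XXX-XX-6789' and 'XXXX XXXX XXXX 4242' keep the shape a support agent
    expects while withholding the part that has real value to an attacker.
    If the value holds too few digits to reveal safely, everything is masked.
    """
    total = sum(ch.isdigit() for ch in value)
    if total <= reveal_last:
        reveal_last = 0
    to_mask = total - reveal_last
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(mask_char if seen <= to_mask else ch)
        else:
            out.append(ch)
    return "".join(out)


def support_view(record: dict) -> dict:
    """Return a masked copy of the record; the stored record is never altered."""
    view = copy.deepcopy(record)
    for field in MASKED_FIELDS:
        if isinstance(view.get(field), str):
            view[field] = mask_digits(view[field])
    return view


# Constructed sample record.
CUSTOMER = {"name": "J. Doe", "ssn": "123-45-6789",
            "card_number": "4111 1111 1111 4242", "plan": "premium"}
```

Masking is applied when the view is rendered, never to the record of origin; that is what distinguishes it from tokenization or hashing, which change what is stored.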

287
Q

A security incident occurred within an organization that affected numerous servers and network devices. A security engineer was able to use the SIEM to see all of the logs pertaining to that event, even though they occurred on different devices, by using the IP address of the source.

Which function of a SIEM is being described in this scenario?

A. Aggregation
B. Correlation
C. Compliance
D. Reporting

A

B. Correlation

Explanation:
Security information and event management (SIEM) systems are very useful because they are able to correlate data. This means that not only can the data be stored in one place through aggregation, but it can also be searched using specific items such as an IP address or timestamp.
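
To make the aggregation/correlation distinction concrete, the following is an added example (not part of the flashcard deck): log lines from three different device types are normalized into one schema and then correlated on the source IP, reproducing the cross-device view the engineer used. The three log formats and the sample lines are constructed; a real SIEM would use vendor-specific parsers and field mappings.

```python
"""Aggregate heterogeneous log lines and correlate them by source IP.

Added example, not part of the flashcard deck. The three log formats and the
sample lines below are constructed to resemble a firewall, a web server and a
Linux auth log; real SIEM parsers use vendor-specific field mappings.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events from three different devices.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY TCP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:05Z web01 203.0.113.7 - GET /admin 403",
    "2024-05-01T10:00:09Z web01 198.51.100.2 - GET /index.html 200",
    "2024-05-01T10:00:12Z srv01 sshd[812]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:00:20Z srv01 sshd[813]: Accepted publickey for ops from 198.51.100.9 port 50130 ssh2",
]

# One regex per source format; each yields the same normalized fields.
PARSERS = [
    re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) \S+ src=(?P<src>[\d.]+)"),
    re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[\d.]+) - (?P<action>\S+ \S+ \d{3})$"),
    re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<action>Failed password|Accepted \w+) for \S+ from (?P<src>[\d.]+)"),
]


def normalize(line: str):
    """Aggregation step: turn a raw line into a common event schema."""
    for rx in PARSERS:
        m = rx.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                    "host": m["host"], "src_ip": m["src"], "action": m["action"]}
    return None   # unknown format; a real SIEM would park it for parser review


def aggregate(lines):
    return [e for e in map(normalize, lines) if e]


def correlate_by_source(events):
    """Correlation step: group events from every device by the shared source IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    for evs in by_ip.values():
        evs.sort(key=lambda e: e["ts"])
    return by_ip


def timeline(events, src_ip: str):
    """Ordered (host, action) pairs for one source, across all devices."""
    return [(e["host"], e["action"]) for e in correlate_by_source(events).get(src_ip, [])]


def suspicious_sources(events, min_hosts: int = 2):
    """Sources seen on more than one device: the view no single device log can give."""
    return sorted(ip for ip, evs in correlate_by_source(events).items()
                  if len({e["host"] for e in evs}) >= min_hosts)
```

Aggregation alone would only let you grep each device's lines in one place; correlation is the shared key (here `src_ip`, but equally a timestamp window, username or session ID) that ties the firewall deny, the 403 and the failed SSH login into one story.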

288
Q

What type of technology uses iSCSI, Fibre Channel, and Fibre Channel over Ethernet (FCoE) to create dedicated networks for data storage and retrieval?

A. SAN
B. CDN
C. SDN
D. SDS

A

A. SAN

Explanation:
iSCSI, Fibre Channel, and Fibre Channel over Ethernet (FCoE) are storage area network (SAN) technologies that create dedicated networks for data storage and retrieval.

289
Q

In a cloud environment, all systems must be which of the following, in order to ensure high availability for cloud customers?

A. Audited
B. Redundant
C. Reserved
D. Encrypted

A

B. Redundant

Explanation:
Cloud customers have high expectations for availability and resiliency. In order to meet these expectations, all systems must be redundant to ensure there is no downtime for the customer.

290
Q

What is used to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems?

A. Honeypot
B. IDS
C. Jumpbox
D. DNS Sinkhole

A

A. Honeypot

Explanation:
A honeypot consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored and that seems to contain information or a resource of value to attackers.

All other options are incorrect.

291
Q

At the conclusion of which phase of the software development lifecycle (SDLC), will there be formal requirements and specifications ready for the development team to turn into actual software?

A. Requirement gathering and feasibility
B. Testing
C. Analysis
D. Design

A

C. Analysis

Explanation:
The analysis phase of the SDLC is when requirements of the project are put into a project plan. This plan will outline the specifications for the features and functionality of the software or application to be created. At the end of the analysis phase of the SDLC, there will be formal requirements and specifications ready for the development team to turn into actual software.

292
Q

Your CSP has fulfilled your request for a SOC 1 audit report. The audit report covers the CSPs internal controls over financial reporting. What is the audit report in accordance with?

A. SAS
B. GAPP
C. SSAE
D. ISAE

A

C. SSAE

Explanation:
The Statement on Standards for Attestation Engagements (SSAE) is the set of standards defined by the AICPA under which SOC reports are produced. A SOC 1 report covers a service organization's internal controls over financial reporting, which is what the customer needs for its own financial-reporting compliance.

Statement on Auditing Standards (SAS) reports have been superseded by SSAE reports. The International Standard on Assurance Engagements (ISAE), specifically ISAE 3402, is the international counterpart to the SSAE SOC 1 report. Generally Accepted Privacy Principles (GAPP) is a privacy framework, not a reporting standard.

293
Q

A cloud service is:

A. Specifically an application which is offered by a cloud provider
B. The process of building infrastructure in the cloud
C. Specifically a piece of software that is hosted in the cloud
D. Any capability which is offered by a cloud provider

A

D. Any capability which is offered by a cloud provider

Explanation:
A cloud service is any capability which is offered by a cloud provider and it’s not limited to just software or applications, but also full platforms and infrastructure.

294
Q

A cloud provider has the capability to use a large pool of resources for numerous client hosts and applications. They are able to offer scalability and on-demand self-service.

Which technology makes all of this possible?

A. VLANs
B. Virtualization
C. Software defined networking
D. Volume storage

A

B. Virtualization

Explanation:
Without virtualization, cloud environments as we know them would not be possible. This is because cloud environments are built on virtualization technology. It is virtualization which allows for cloud providers to leverage a pool of resources for various customers and the ability to offer such scalability and on-demand self-service.

295
Q

Ada has been tasked with implementing a SIEM solution for her organization. She is looking at several different options. Which of the following is NOT a SIEM solution that Ada could implement?

A. Splunk
B. OWASP
C. LogRhythm
D. ArcSight

A

B. OWASP

Explanation:
Popular SIEM products include Splunk, LogRhythm, and ArcSight. OWASP stands for the Open Web Application Security Project, and it is not a SIEM product.

296
Q

Which of the following is a disadvantage to using fault tolerance?

A. Fault tolerance does not provide any support against hardware failures.
B. Fault tolerance is only effective in traditional data center models and not in the cloud.
C. Fault tolerance is much more expensive to implement than other availability solutions.
D. Fault tolerance does not provide any support against software failures.

A

D. Fault tolerance does not provide any support against software failures.

Explanation:
The majority of system availability issues are software related rather than hardware related. Unfortunately, fault tolerance is solely used to help with hardware failures and doesn’t do anything to mitigate software failures. This is a major disadvantage to using fault tolerance.

297
Q

Which is NOT a common issue caused by distributed IT models?

A. Governance
B. Cost
C. Coordination of activities
D. Communications

A

B. Cost

Explanation:
Modern applications rely on sophisticated systems comprised of a variety of components and technologies, and may be located throughout the world. Cloud computing has exacerbated these complexities, as users increasingly rely on consumable services rather than owned and maintained equipment. The distributed IT model has made creating and scaling considerably more affordable and simple than ever before.

However, that being said, common challenges caused by the distributed IT model include communications, coordination of activities, and governance.

298
Q

Data dispersal in cloud settings can have a mixed effect on an organization’s security. What are the disadvantages of data dispersion?

A. Availability of data
B. Relocation of data
C. Reconstruction of data
D. Erasure coding of data

A

B. Relocation of data

Explanation:
Segment dispersion can create complications in cloud environments. If data is distributed to regions with varying legal and regulatory requirements, the organization may become subject to unforeseen laws and regulations.

All other options are cloud data concepts.

299
Q

What is the primary physical consideration that must be determined FIRST when building a data center?

A. Budget
B. Location
C. Size
D. Redundancy

A

B. Location

Explanation:
Location is the major and primary concern when building a data center. It’s important to understand the jurisdiction where the data center will be located. This means understanding the local laws and regulations under that jurisdiction. Additionally, the physical location of the data center will also drive requirements for protecting data during threats such as natural disasters.

300
Q

An engineer is looking to add an additional layer of security to a cloud network by separating different tiers of servers and restricting access to certain areas of the network.

What is this process known as?

A. Network isolation
B. Virtualization
C. Network segmentation
D. Software defined networking

A

C. Network segmentation

Explanation:
Network segmentation is the process of separating different parts of the network and/or restricting access to certain areas of the network. Network segmentation can be done using physical separation methods or software/virtual separation methods.

301
Q

Which of the following is NOT one of the main risks that needs to be assessed during the “assess risk” phase of developing a BCDR plan?

A. Legal and contractual issues
B. Budgetary restraints
C. Migration of services
D. Load capacity at the BCDR site

A

B. Budgetary restraints

Explanation:
As with any new system or plan being implemented, it’s important to assess the risks of the changes. Budgetary restraints are not a main risk when developing a BCDR plan. The main risks associated with developing a BCDR plan include the load capacity at the BCDR site, migration of services, and legal or contractual issues.

302
Q

An engineer is looking for a way to protect data in the share phase of the cloud data lifecycle. Which technology can be utilized to accomplish this?

A. TPM
B. DLP
C. DAST
D. BYOD

A

B. DLP

Explanation:
Data is at greater risk during the share phase of the lifecycle because it leaves the system it was created on and the controls that system provides. To mitigate some of that risk, DLP (data loss prevention) technologies can be implemented to detect and block unauthorized disclosure or exfiltration of sensitive data as it is shared.

303
Q

What is the main difference between an IDS and an IPS?

A. An IPS looks at traffic just from a specific host, while an IDS looks at all traffic on the network
B. An IPS can only detect intrusions, while an IDS can prevent intrusions
C. An IDS can only detect intrusions, while an IPS can prevent intrusions
D. An IDS looks at traffic just from a specific host, while an IPS looks at all traffic on the network

A

C. An IDS can only detect intrusions, while an IPS can prevent intrusions

Explanation: 
An IDS (intrusion detection system) detects malicious traffic and potential intrusions. It can alert about the possible intrusion, but it isn't able to prevent the intrusion. An IPS (intrusion prevention system) is able to both detect and prevent the intrusion by blocking the malicious traffic in real time.

304
Q

At which point during the incident response process are new security controls implemented?

A. Recover
B. Prepare
C. Respond
D. Post-incident
E. Detect

A

A. Recover

Explanation:
During the recovery and eradication phases of an incident response, new countermeasures are implemented. You must restore regular operation to your organization’s impacted systems.

All other options are phases of incident response.

305
Q

What is the main purpose of a SIEM?

A. To collect logs and store them in a centralized location
B. To prevent attacks in real time by blocking suspicious traffic
C. To provide high availability for cloud customers
D. To perform disaster recovery functions

A

A. To collect logs and store them in a centralized location

Explanation:
SIEM (security information and event management) systems are used to collect logs and store them in a centralized location. Having logs in one centralized location makes it easier to troubleshoot events as they occur. In addition, keeping a copy of the logs somewhere other than the device they originate from reduces the risk that an attacker who compromises that device can manipulate or delete them.

306
Q

During which phase of the SDLC are formal requirements for risk mitigation/minimization integrated with the programming designs?

A. Requirement gathering and feasibility
B. Maintenance
C. Development
D. Design

A

D. Design

Explanation:
While the requirements for risk mitigation and minimization may be determined during the requirement gathering and feasibility stage of the software development lifecycle (SDLC), they are not integrated with the programming designs until the design phase of the SDLC.

307
Q

An attacker sent commands through an application’s input and data fields. By doing this, the attacker was able to get the application to execute the code he sent as part of its normal processing. The attacker was able to use this technique to get the application to expose sensitive data that he should not have access to.

What type of attack was used here?

A. Broken authentication
B. Injection
C. Denial of service
D. Cross-site scripting

A

B. Injection

Explanation:
An injection attack occurs when an attacker sends (injects) malicious code or commands through an application's input or data fields. The goal is to get the application to execute the injected content as part of its normal processing. The most reliable defence is to keep untrusted input from ever being interpreted as code, for example by using parameterized queries, together with proper input validation on all data and input fields.
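
As an added example (not part of the flashcard deck), here is the attack from the card in its most common form, SQL injection, with the vulnerable query beside its parameterized fix and an allow-list validator layered on top. It uses an in-memory SQLite database with a constructed users table; the function and table names are illustrative.

```python
"""SQL injection: the vulnerable query beside its parameterized fix.

Added example, not part of the flashcard deck. Uses an in-memory SQLite
database with a constructed users table; the attacker input is the classic
tautology payload. Function and table names are illustrative.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # assumed allow-list for usernames


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", 1),
        ("bob", "bob@example.test", 0),
    ])
    return conn


def lookup_vulnerable(conn, username: str):
    # Untrusted input is spliced into the SQL text, so it can change the
    # query's structure, which is exactly what the card's attacker did.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    # The SQL structure is fixed; the value is bound as a parameter and can
    # only ever be compared as data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_validated(conn, username: str):
    # Input validation as defence in depth: reject anything outside the
    # allow-list before it reaches the database at all.
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_safe(conn, username)


PAYLOAD = "' OR '1'='1"   # constructed attacker input
```

With the payload, the vulnerable query becomes `WHERE username = '' OR '1'='1'` and returns every row, which is the sensitive-data exposure the card describes; the parameterized version looks for a user literally named `' OR '1'='1` and returns nothing.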

308
Q

Which of the following is NOT currently listed on the OWASP Top 10?

A. Insecure deserialization
B. Social engineering
C. Cross-site scripting
D. XML external entities

A

B. Social engineering

Explanation:
The Open Web Application Security Project (OWASP) Top 10 is a regularly updated list of the most critical categories of web application risk. The edition this card refers to (the 2017 list) consists of:

    Injection
    Broken authentication
    Sensitive data exposure
    XML external entities
    Broken access control
    Security misconfigurations
    Cross-site scripting
    Insecure deserialization
    Using components with known vulnerabilities
    Insufficient logging and monitoring

309
Q

Which technology has replaced SSL?

A. IPSec
B. TCP
C. TLS
D. UDP

A

C. TLS

Explanation:
Transport Layer Security (TLS) has replaced Secure Sockets Layer (SSL) as the preferred protocol for encrypting traffic across a network; all SSL versions are deprecated. TLS has two layers: the TLS handshake protocol, which authenticates the peer and negotiates keys, and the TLS record protocol, which protects the application data. TLS is used to secure everything from web traffic to email.

310
Q

What is the CORRECT equation to use when determining annual loss expectancy (ALE)?

A. ARO / SLE = ALE
B. SLE + ARO = ALE
C. ARO - SLE = ALE
D. SLE x ARO = ALE

A

D. SLE x ARO = ALE

Explanation:
To find the annual loss expectancy, you must first know the single loss expectancy (SLE, the cost of one occurrence) and the annualized rate of occurrence (ARO, how many times per year it is expected to happen). The annual loss expectancy is the single loss expectancy multiplied by the annualized rate of occurrence.

311
Q

A cloud engineer wants to ensure that the management plane and virtualized infrastructure of his cloud environment are well protected. What security method is the MOST important to implement to accomplish this?

A. SLA requirements
B. Role-based access controls
C. Data destruction policies
D. Intrusion detection systems

A

B. Role-based access controls

Explanation:
Both the management plane and virtualized infrastructure are high priority targets for attackers. It’s very important to implement role-based access controls so that only those individuals who truly need access to these will have it. If too many people have access to the management plane without needing it, there is more of a chance it will become compromised.

312
Q

You’re revising your organization’s data retention policy to guarantee that your cloud deployment is adequately protected. Which stage of the cloud data lifecycle will be impacted by this policy?

A. Store
B. Archive
C. Destroy
D. Use

A

B. Archive

Explanation:
The data retention policy will have an effect on the data lifecycle’s archive phase.

The remaining options correspond to stages of the cloud data lifecycle that are unaffected by the data retention policy.

313
Q

When selecting a cloud service provider, what is the MOST preferred attestation report to receive from vendors providing cloud services?

A. SOC-2 Type-1
B. FISMA
C. ISO 27018
D. SOC-2 Type-2
E. FedRAMP

A

D. SOC-2 Type-2

Explanation:
A SOC-2 Type-2 attestation report is the most desirable attestation report to receive from vendors providing cloud services. A SOC for Service Organizations: Trust Services Criteria report (SOC-2) provides information about controls relating to security, availability, processing integrity, confidentiality, and/or privacy. A Type-2 report covers a specified period of time and addresses the description of the system, the suitability of the design of the controls, and their operating effectiveness in achieving the related control objectives over that period. A Type-1 report, by contrast, is a point-in-time assessment as of a single specified date and does not test operating effectiveness.

The other options are acceptable attestation reports. However, the SOC-2 Type-2 is the most preferred and may require an NDA.

314
Q

A cloud customer wants to perform a packet capture on the border routers of their cloud network. What will this likely require?

A. No special requirements are needed as long as this is occurring in an IaaS environment
B. Input and involvement from the cloud provider
C. Permission from all cloud customers using the same cloud provider
D. A written contract and written permission

A

B. Input and involvement from the cloud provider

Explanation:
Because the border routers in a cloud environment are used by more than just one cloud customer, any packet capture done on the border routers will require the involvement of the cloud provider. This is true for all cloud types such as IaaS, PaaS, and SaaS.

315
Q

Your cloud infrastructure will be scanned for vulnerabilities by a third-party auditor. The auditor must determine if your organization is subject to FISMA and is in compliance with the law. Which type of organization are you employed by?

A. Government agency
B. Banking
C. Healthcare
D. Retail

A

A. Government agency

Explanation:
Your organization is a government agency. Government agencies are affected by the Federal Information Security Management Act (FISMA). The law defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. It requires that government agencies conduct vulnerability scans.

None of the other organizations are affected by FISMA.

316
Q

Of the following, which is the MOST important to consider when setting minimum encryption levels and retention timelines?

A. Regulatory requirements
B. Storage requirements
C. Budget
D. Security team size

A

A. Regulatory requirements

Explanation:
While there are many factors that come into play when setting encryption levels and retention timelines, the most important will be whether there are regulatory requirements that must be adhered to. The regulatory requirements will likely set the minimum encryption levels and retention timelines.

317
Q

Which of the following should never be permitted?

A. Password managers
B. Storing of private data
C. External access to internal resources
D. Account sharing

A

D. Account sharing

Explanation:
Account sharing should never be permitted. Each user on a network should have their own account. Shared accounts destroy accountability for those using the account and make it impossible to audit who accessed which devices and when.

318
Q

An engineer is going through an old file server and moving data to a repository where it can be preserved for the next couple of years in case it’s needed again. Which step of the cloud secure data life cycle is this?

A. Use
B. Archive
C. Store
D. Destroy

A

B. Archive

Explanation:
Step 5 of the cloud secure data life cycle is archive. At this step, the data is taken from a location of active access and moved to a static repository. Here, the data can be preserved for a long period of time in case it is needed in the future.

319
Q

Which of the following is the KEY driver and base technology used in cloud computing?

A. Virtualization
B. Rapid elasticity
C. Resource pooling
D. Multitenancy

A

A. Virtualization

Explanation:
Virtualization is the key driver and base technology used in cloud computing. Without virtualization, cloud computing is not possible.

Multitenancy, resource pooling, and rapid elasticity are all features of cloud computing; they are not the key aspects that make cloud computing possible.

320
Q

Which organization is responsible for developing the Infinity Paradigm?

A. IDCA
B. NFPA
C. NIST
D. BICSI

A

A. IDCA

Explanation: 
The IDCA (International Data Center Authority) is responsible for developing the Infinity Paradigm, which is a framework intended to be used for operations and data center design. The Infinity Paradigm covers aspects of data center design, which include location, security, connectivity, and much more.

321
Q

The MOST commonly used communication protocol by SOAP is:

A. TFTP
B. SSH
C. HTTP
D. FTP

A

C. HTTP

Explanation:
The simple object access protocol (SOAP) is used to exchange information between web services. SOAP works by encapsulating its data in a SOAP envelope, then uses common communication protocols to transmit the data. SOAP most commonly leverages HTTP as its communication protocol, but other protocols may also be used.

322
Q

What phase should threat modeling occur in the SSDLC?

A. O&M
B. Deployment
C. Development
D. Requirements

A

D. Requirements

Explanation:
Threat modeling should be performed early in the requirements phase of the SSDLC. The steps are as follows:

    Define security requirements.
    Create an application overview.
    Identify threats.
    Mitigate threats.
    Validate threat mitigation.

323
Q

The analysis of the data generated by a cloud feasibility study to identify areas where cloud solutions may fall short of meeting specific computing requirements is referred to as what type of assessment?

A. Risk assessment
B. Gap analysis
C. Feasibility study
D. Vulnerability assessment

A

B. Gap analysis

Explanation:
The current and future IT resource requirements of a business are diverse. To move forward, you must close the gap between where you are now and where you want to be. You can identify all areas in which gaps exist by means of a gap analysis.

A feasibility study’s output will include data that can be used to conduct a gap analysis. You can supplement that report with additional information to generate your own data for identifying and tracking progress toward closing the gap. Risk and vulnerability assessments are incorrect.

324
Q

A cloud engineer needs to implement network segmentation, but does not want to use physical segmentation methods. Which software/virtual method can the engineer use to segment the network?

A. VLAN
B. MAN
C. VPN
D. PAN

A

A. VLAN

Explanation:
VLANs (virtual local area networks) can be used to segment the network without needing to use physical segmentation methods. Because VLANs are not dependent on physical network devices, they can be used across multiple datacenters without concern for geographical location.

325
Q

Which of the following is NOT listed as one of the Cloud Security Alliance’s Treacherous Twelve?

A. Advanced persistent threats
B. Data breaches
C. Insecure interfaces and APIs
D. Insecure deserialization

A

D. Insecure deserialization

Explanation:
Insecure deserialization is listed on the OWASP Top 10, but it is not one of the CSA's Treacherous Twelve. The twelve included are:

    Data breaches
    Insufficient identity, credentials, and access management
    Insecure interfaces and APIs
    System vulnerabilities
    Account hijacking
    Malicious insiders
    Advanced persistent threats
    Data loss
    Insufficient due diligence
    Abuse and nefarious use of cloud services
    Denial of service
    Shared technology issues

326
Q

To ensure compliance with regulatory requirements, an organization must conduct an annual assessment of its negotiated service agreements with its present cloud provider. This year, the organization may decide to change its CSP due to cost concerns. What should the organization consider as it evaluates the service agreement?

A. Reversibility
B. Resiliency
C. Interoperability
D. Auditability

A

A. Reversibility

Explanation:
Reversibility refers to the process by which customers can retrieve their data and applications and providers can remove data after an agreed-upon period. Reversibility would be critical if a customer switched cloud providers.

Auditability, resiliency, and interoperability are other shared cloud considerations.

327
Q

An engineer suspects that attackers have been targeting her organization’s servers. She wants to put a system in place, isolated from all production systems, to trick attackers into thinking it is a legitimate server. This will allow her to monitor the attackers’ behavior and see what they are trying to do on her network.

What is this isolated system called?

A. DMZ
B. Honeypot
C. HIDS
D. Jump server

A

B. Honeypot

Explanation:
A honeypot is a system used to trick attackers into thinking it is an actual production system. The honeypot is kept separated and isolated from all other systems on the network, so that no legitimate traffic should ever reach it. When an attacker gains access to a honeypot, administrators can monitor the attacker's behavior and see what they are trying to accomplish on the network.

328
Q

The terms public, private, hybrid, and community are types of:

A. Cloud deployment model
B. Cloud tenant
C. Cloud service category
D. On-demand self-service

A

A. Cloud deployment model

Explanation:
A cloud deployment model is the way in which a cloud environment is delivered. The four cloud deployment models are public, private, hybrid, and community.

329
Q

Which of the following statements about the IaaS cloud service category is FALSE?

A. IaaS can provide HA (high availability) functionality.
B. IaaS customers can have metered usage, meaning they only pay for the resources they are using.
C. IaaS is often less expensive than owning and maintaining physical hardware.
D. IaaS does not provide much scalability

A

D. IaaS does not provide much scalability

Explanation:
One pro of IaaS is that, since the cloud customer doesn’t have to manage the physical hardware, it offers excellent scalability.

330
Q

Which of these cloud system characteristics is LEAST likely to be a consideration for a cloud customer from a compliance standpoint?

A. Containers
B. Data custodian
C. Data location
D. Multitenancy

A

A. Containers

Explanation:
Containers are a form of operating-system-level virtualization that packages an application with its dependencies; on their own they do not present significant compliance concerns.

For regulated customers, data location and multitenancy are frequently the primary compliance concerns. GDPR and other privacy requirements place a premium on data custodianship.

331
Q

In cloud computing, the security of DNS is very important in order to prevent an attacker from hijacking DNS and redirecting network traffic.
Which of the following could a cloud provider implement as a layer of DNS security?

A. High availability
B. DNSSEC
C. IPSec
D. Honeypot

A

B. DNSSEC

Explanation:
DNSSEC (Domain Name System Security Extensions) is a set of extensions that adds security to the standard DNS protocol. DNSSEC works by digitally signing DNS records so that a validating resolver can verify the authenticity and integrity of the responses it receives for a fully qualified domain name (FQDN), which defeats the spoofed or poisoned answers an attacker would use to redirect traffic. It does not encrypt DNS traffic.

332
Q

CSPs and virtualization technologies offer a form of backup that captures all the data on a drive at a point in time and freezes it. What type of backup is this?

A. Incremental backup
B. Data replication
C. Host OS Image
D. Snapshot

A

D. Snapshot

Explanation:
CSPs and virtualization technologies offer snapshots as a form of backup. A snapshot will capture all the data on a drive at a point in time and freeze it. The snapshot can be used for a number of reasons including: rolling back or restoring a virtual machine to its snapshot state, creating a new virtual machine from the snapshot which serves as an exact replica of the original server and, lastly, copying the snapshot to object storage for eventual recovery.

The other options are incorrect.

333
Q

An engineer needs to create a baseline image. What is the FIRST step this engineer needs to take to create a baseline image?

A. Install updates and service packs
B. Perform a clean install of the OS
C. Update all drivers
D. Disable unnecessary services

A

B. Perform a clean install of the OS

Explanation:
The first step in creating a baseline image is to perform a clean install of the operating system. This ensures that changes from other images won’t be applied to the new image. Once the image is installed, then the other tasks can be performed.

334
Q

Of the following, which is NOT a typical attribute of IRM implementations?

A. Auditing
B. Policy control
C. Deletion
D. Protection

A

C. Deletion

Explanation:
The typical attributes of information rights management (IRM) implementations include auditing, expiration, policy control, protection, and support for applications and formats.

Deletion is not a typical attribute of an IRM implementation.

335
Q

Organizations such as the Cloud Security Alliance (CSA) and the Open Web Application Security Project (OWASP) publish information about cloud threats and risks. Who is responsible for mitigating these risks in an organization?

A. CSP
B. Database administrators
C. Security professionals
D. Executive management

A

C. Security professionals

Explanation:
It is the security professionals’ responsibility to protect their organizations from the threats to cloud computing and mitigate the risks where feasible.

336
Q

What role do Amazon Web Services, Microsoft Azure, and Google Cloud play in cloud computing?

A. Cloud Service Broker
B. Cloud Service Provider (CSP)
C. Cloud Service Customer (CSC)
D. Cloud Service Partner

A

B. Cloud Service Provider (CSP)

Explanation:
A company or other entity offering cloud services is known as a cloud service provider (CSP).

337
Q

The most common and well understood threat to storage is:

A. Malware that modifies data
B. Accidental deletion of data
C. Unauthorized access to data
D. Improper credential management

A

C. Unauthorized access to data

Explanation:
Individuals who gain unauthorized access to data are the most common and well understood threat to storage. The unauthorized access can be from an outside attacker, a malicious insider, or a user who may not be malicious but still has access to something they shouldn’t.

338
Q

The BEST time to classify data is in which phase of the data lifecycle?

A. Archive
B. Use
C. Create
D. Store

A

C. Create

Explanation:
Data should be classified during the create phase of the data lifecycle. This is the best time to classify data because its value and sensitivity are known by the creator.

339
Q

In a shared responsibility continuum, who takes a larger security role in an IaaS model and a smaller role in a SaaS model?

A. Cloud Service Provider (CSP)
B. Cloud Service Broker
C. Cloud Service Customer (CSC)
D. Cloud Service Partner

A

C. Cloud Service Customer (CSC)

Explanation:
In a shared responsibility continuum, the customer takes the larger security role in an IaaS model and the smaller security role in a SaaS model. The cloud service customer would take a balanced role in the PaaS model.

340
Q

Communication, Consent, Control, Transparency, and Independent and yearly audits are the five key principles found in what standard that cloud providers adhere to?

A. ISO/IEC 27001
B. GDPR
C. GAPP
D. ISO/IEC 27018

A

D. ISO/IEC 27018

Explanation:
ISO/IEC 27018 is a standard privacy requirement for cloud service providers to adhere to. It is focused on five key principles: communication, consent, control, transparency, and independent and yearly audits.

All other options are other standard privacy requirements.

341
Q

In regard to physical location, which of the following is a major concern when dealing with cloud data?

A. Encryption
B. Jurisdiction
C. Storage
D. Management plane

A

B. Jurisdiction

Explanation:
When determining a location for a cloud data center, jurisdiction is a major concern. There will most likely be jurisdictional requirements, which could affect the design of the data center. It’s vital to note the laws and regulations for the jurisdiction, as well.

Encryption, storage, and the management plane are not physical aspects of a cloud data center.

342
Q

Which of the following is NOT one of the components that make up the basis for a quantitative assessment?

A. SLE
B. RTO
C. ALE
D. ARO

A

B. RTO

Explanation:
RTO refers to the recovery time objective. This is not used in a quantitative assessment. ALE (annual loss expectancy), SLE (single loss expectancy), and ARO (annual rate of occurrence) make up the basis for a quantitative assessment.

343
Q

Choose the correct order of the SDLC.

A. Requirement gathering and feasibility, design, development/coding, analysis, testing, maintenance
B. Analysis, requirement gathering and feasibility, testing, design, development/coding, maintenance
C. Analysis, requirement gathering and feasibility, design, development/coding, testing, maintenance
D. Requirement gathering and feasibility, analysis, design, development/coding, testing, maintenance

A

D. Requirement gathering and feasibility, analysis, design, development/coding, testing, maintenance

Explanation:
The software development lifecycle (SDLC) is a process/framework for development and coding. The SDLC is made up of six phases to be carried out in the following order:

    Requirement gathering and feasibility
    Analysis
    Design
    Development/coding
    Testing
    Maintenance

344
Q

The speed with which incidents are acknowledged and triaged, the required schedule for notifying customers of planned downtime, the operating hours of support resources, and the timeframe for reporting service performance are all examples of communication items that should be included in what, between a CSP and CSC?

A. RFC
B. MOU
C. ToS
D. SLA

A

D. SLA

Explanation:
Levels of communication service from the CSP should be defined and agreed upon by both parties. This is why it is vital for customers to be accountable for setting SLA terms. SLAs may be adjusted to provide further flexibility, albeit at a significant expense.

All other options are various documents that are not applicable to communications.

345
Q

What is the SDLC?

A. Framework for how to develop, alter, and maintain software
B. Regulations for keeping software secure in the cloud
C. Certification for cloud security engineers
D. Organization that audits cloud environment

A

A. Framework for how to develop, alter, and maintain software

Explanation:
SDLC stands for the software development lifecycle. It is a framework for how to develop, alter, and maintain software. The framework outlines the software development process from beginning (requirement gathering and feasibility) to end (maintenance).

346
Q

Cloud security is a difficult task, made all the more difficult by laws and regulations imposing restrictions on cross-border data transfers. The actual hardware in the cloud can be located anywhere, so it is critical to understand where your data resides. Which of the following statements is true in regards to responsibility of data?

A. The cloud service provider (CSP) retains ultimate responsibility for the data’s security, regardless of whether cloud or non-cloud services are employed.
B. Both the cloud service provider (CSP) and the cloud service customer (CSC) retain responsibility for the data’s security, regardless of whether cloud or non-cloud services are employed.
C. The cloud service customer retains ultimate responsibility for the data’s security, regardless of whether cloud or non-cloud services are employed.
D. The cloud administrator retains ultimate responsibility for the data’s security, regardless of whether cloud or non-cloud services are employed.

A

C. The cloud service customer retains ultimate responsibility for the data’s security, regardless of whether cloud or non-cloud services are employed.

Explanation:
Regardless of whether cloud or non-cloud services are utilized, the data owner (the cloud service customer (CSC)) is ultimately responsible for the data’s security. Cloud security encompasses more than data protection; it also encompasses applications and infrastructure.

347
Q

Which of the following industries needs to meet the specialized compliance requirements set forth by the NERC/CIP?

A. Electric utilities
B. Accounting organizations
C. Financial institutions
D. Payment card industry

A

A. Electric utilities

Explanation:
The North American Electric Reliability Corporation (NERC) is a not-for-profit organization that collaborates with industry stakeholders to set standards, including the Critical Infrastructure Protection (CIP) standards, for the operation and monitoring of the power system and their enforcement.

All other options are types of organizations.

348
Q

Which of the following regulatory requirements applies to those in the health care industry?

A. HIPAA
B. PCI DSS
C. FISMA
D. FRCP

A

A. HIPAA

Explanation:
HIPAA (the Health Insurance Portability and Accountability Act) is an industry-specific regulatory requirement for U.S. health care organizations.

349
Q

Which of the following, published by the Cloud Security Alliance, provides a detailed framework and approach for handling controls that are pertinent and applicable in a cloud environment?

A. Cloud Standard Operating Procedure
B. Cloud Controls Matrix
C. Cloud Security Controls Standard
D. Generally Accepted Privacy Principles

A

B. Cloud Controls Matrix

Explanation:
The Cloud Controls Matrix (CCM) outlines a detailed approach for handling controls in a cloud environment. The Cloud Controls Matrix was developed and published by the Cloud Security Alliance.

350
Q

During periods of high utilization, cloud providers must prioritize which systems will be given resources in the event that there are not enough resources for all systems.

Which is the term used to describe this concept?

A. Pooling
B. Limits
C. Shares
D. Reservations

A

C. Shares

Explanation:
In the event that there are not enough resources to serve all hosts, cloud providers must prioritize and weigh which systems will receive the limited resources available. This concept is known as shares.

Reservations refer to the minimum amount of resources that each cloud customer will receive, and limits refer to the maximum that they will receive.

351
Q

Data can be encrypted and then the encryption keys can be destroyed as a method of data sanitation. This process is known as:

A. Encrypted overwriting
B. Overwriting
C. Incineration
D. Cryptographic erasing

A

D. Cryptographic erasing

Explanation:
Cryptographic erasing is a method of data sanitation. Cryptographic erasing is performed using encryption and the destruction of the encryption keys as a method of data destruction.

352
Q

An engineer has been asked to perform threat modeling. Which of the following is an OWASP recommended model that he can use to perform this task?

A. TOGAF
B. REST
C. SDLC
D. DREAD

A

D. DREAD

Explanation:
DREAD is a model that was conceptualized by Microsoft and recommended by OWASP. DREAD focuses on coming up with a quantitative value for assessing risk.

SDLC, REST, and TOGAF are not threat models.

353
Q

What process is oriented around service delivery of the application service produced in modern DevOps / DevSecOps and occurs at all phases to provide continuous improvement and quality tracking?

A. Software assurance
B. Threat Modeling
C. Software Configuration Management
D. Quality Assurance

A

D. Quality Assurance

Explanation:
Quality assurance (QA) is centered on service delivery of the application service built in the modern DevOps / DevSecOps process, and it occurs at all phases to assure continuous improvement and quality tracking. When more functional and requirements testing is done, QA is most effective. Testing may be automated to make it even more efficient.

354
Q

An engineer is helping to design and build a new data center. She knows that there are many institutions that create standards which govern the physical design of data centers.

Of the following, which is NOT an institution that creates standards governing the physical design of data centers?

A. IDCA
B. NFPA
C. ITIL
D. Uptime Institute

A

C. ITIL

Explanation:
Uptime Institute, National Fire Protection Association (NFPA), and International Data Center Authority (IDCA) are all institutions which create standards used to govern the design and building of data centers.

ITIL (formerly an acronym for Information Technology Infrastructure Library) provides detailed practices for IT service management. These practices focus on aligning IT services with the needs of the business rather than on creating data center design and building standards.

355
Q

Which of the following terms refers to the use of automation for tasks such as provisioning, scaling, and allocating resources in a cloud environment?

A. Maintenance
B. Rapid elasticity
C. Scheduling
D. Orchestration

A

D. Orchestration

Explanation:
Orchestration is the term used to describe the extensive use of automation in a cloud environment. The automation is used for tasks such as provisioning, scaling, allocating resources, and much more. Orchestration must be used in a way that doesn’t violate a cloud customer’s SLA requirements.

356
Q

Cryptographic erasure is an example of:

A. Data storage
B. Data sanitation
C. Data archival
D. Data dispersion

A

B. Data sanitation

Explanation:
There are many types of data sanitation but not all of them are applicable to cloud environments. For example, physical methods of data destruction, such as incineration, are not available in cloud environments. Cryptographic erasure and overwriting are two examples of data sanitation for cloud environments.

357
Q

A law firm is moving their data to the cloud. For legal reasons, they need to ensure that their data is kept completely private, and that the data is owned entirely by themselves and nobody else.

Which cloud deployment model would be the BEST fit for this law firm?

A. Community cloud
B. Private cloud
C. Public cloud
D. Hybrid cloud

A

B. Private cloud

Explanation:
A private cloud is owned, managed, and controlled by a single organization. Unlike a public cloud, hybrid cloud, or community cloud, there is no chance that resources will be shared with another organization on a private cloud.

358
Q

Generally Accepted Privacy Principles (GAPP) is a standard consisting of how many privacy principles?

A. 10
B. 8
C. 5
D. 4

A

A. 10

Explanation:
The Generally Accepted Privacy Principles (GAPP) is a standard that consists of the 10 key principles listed below. In addition, GAPP is also made up of over 70 privacy objectives and associated methods for measuring and evaluating criteria.

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third parties
    Security for privacy
    Quality
    Monitoring and enforcement

359
Q

Which of the Trust Services principles is included in a SOC 2 audit?

A. Security
B. Process integrity
C. Confidentiality
D. Privacy
E. Availability

A

A. Security

Explanation:
The Trust Service Criteria is made up of 5 key principles: Availability, Confidentiality, Process integrity, Privacy, and Security. Security is always required as part of a SOC 2 audit. The other four principles are optional.

The security principle is made up of seven categories: Change management, Communications, Logical and physical access controls, Monitoring of controls, Organization and management, Risk management, and Design and implementation controls.

360
Q

Which of the following is NOT one of the ten key principles of the Generally Accepted Privacy Principles (GAPP) standard?

A. Access
B. Transparency
C. Quality
D. Notice

A

B. Transparency

Explanation:
GAPP was developed by the American Institute of Certified Public Accountants and the Canadian Institute for Chartered Accountants. It includes ten key privacy principles as listed below:

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third parties
    Security for privacy
    Quality
    Monitoring and enforcement

361
Q

There are three main types of data discovery. Which of the following is NOT a method for data discovery?

A. Labeling
B. Content analysis
C. Data de-identification
D. Metadata

A

C. Data de-identification

Explanation:
The three types of data discovery include metadata, labels, and content analysis. Data de-identification refers to processes such as masking, obfuscation, and anonymization of data and not to a method of data discovery.

362
Q

Your organization wants to address baseline monitoring and compliance by restricting the duration of a host’s non-compliant condition. When the application is deployed again, the organization would like to decommission the old host and replace it with a new VM constructed from the standard baseline image. What functionality is described here?

A. Virtual architecture
B. Immutable architecture
C. Infrastructure as Code
D. Blockchain

A

B. Immutable architecture

Explanation:
Due to the immutability of cloud infrastructure, it is feasible to easily decommission all virtual infrastructure components utilized by an older version of software and deploy a new virtual infrastructure in cloud settings. Immutable infrastructure is a solution to the problem of systems deviating from baseline settings over time.

363
Q

In their cloud environment, an organization encounters a catastrophic business impact event. The occurrence happened as a result of an outage in the eastern U.S. region, but the CSP’s failover between availability zones was not triggered. Who would be responsible for configuring the cloud-based resiliency functions?

A. Cloud service customer
B. Cloud service broker
C. Cloud service provider
D. Cloud service auditor

A

A. Cloud service customer

Explanation:
The consumer will always be responsible for configuring resiliency functions such as automated data replication, failover between CSP availability zones, and network load balancing.

The CSP’s responsibility is to maintain the capabilities that enable these solutions, but the consumer must build their cloud system to meet their own resiliency requirements.

All other options are roles that support cloud services.

364
Q

Computing and processing capabilities are defined as which of the following?

A. Storage and CPU
B. Shares and storage
C. Storage and RAM
D. RAM and CPU

A

D. RAM and CPU

Explanation:
Computing and processing capabilities are defined as the memory (RAM) and the CPU of the system and environment. This is the same in both cloud environments and traditional datacenters; however, the management of these items differs depending on whether it’s a cloud environment or a traditional datacenter.

365
Q

A lamp that can be turned on remotely using a mobile phone app is an example of:

A. Machine learning
B. IoT
C. AI
D. Cryptography

A

B. IoT

Explanation:
The Internet of Things (IoT) refers to the ability of non-traditional computing devices (such as lamps, thermostats, and other smart devices) to access the Internet.

366
Q

When considering options for choosing a data center, which option will give the organization the MOST control over all aspects of the data center?

A. Renting
B. Building
C. Subletting
D. Leasing

A

B. Building

Explanation:
Organizations that are able to build their own data centers will have the most input into everything from physical security to all other aspects of the setup. However, buying or leasing space in an already built data center is a much quicker and easier option for many organizations.

367
Q

Select the correct order of the cloud data lifecycle.

A. Create, use, store, share, archive, destroy
B. Create, store, use, share, archive, destroy
C. Create, share, use, store, archive, destroy
D. Create, use, archive, store, share, destroy

A

B. Create, store, use, share, archive, destroy

Explanation:
The phases of the cloud data lifecycle are as follows:

Create: Any time data is considered new (this can be brand new data, data migrated from another system, or existing data which is modified), it is in the create phase.
Store: Data is stored immediately after it is created. Storing methods include files residing on a file server, remote object storage, and data written to a database.
Use: When data is consumed or processed by an application or user, it is in the use phase.
Share: When data is made available for use outside of the system it was created in, this is known as the share phase.
Archive: The final stage is archive, in which data is moved to long-term storage and no longer considered active.
Destroy: As the name suggests, the destroy phase is where data is removed completely. In cloud environments, this is done using methods such as overwriting and cryptographic erasure.

368
Q

VUM was developed by which of the following?

A. Apple
B. Microsoft
C. Linux
D. VMware

A

D. VMware

Explanation:
VUM (virtual update manager) was developed by VMware. It is used to update both the vSphere hosts and the virtual machines which are running under them.

369
Q

Of the following, which uses known attacks and methodologies to verify that systems are properly hardened against known vulnerabilities and then produces a report for management regarding discovered weakness?

A. RASP
B. Penetration testing
C. Vulnerability scanning
D. SAST

A

C. Vulnerability scanning

Explanation:
Vulnerability scanning is often run by organizations against their own systems. It uses known attacks and methodologies to ensure that systems are hardened against known vulnerabilities and threats.

Runtime application self-protection (RASP) is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats. Penetration tests are typically done by a third party. During a penetration test, the tester will try to break into systems using the same techniques that an actual attacker would use. Static application security testing (SAST) is a test in which the tester has special knowledge of and access to the source code to manually review it for vulnerabilities and weaknesses.

370
Q

Any text, or binary data, that does not conform to a specific type of defined data structure or defined format can simply be classified as:

A. Unstructured data
B. Classified data
C. Structured data
D. Discovered data

A

A. Unstructured data

Explanation:
Unstructured data is all data that doesn’t fall into the structured data category. This means that the data doesn’t conform to a defined data structure or format. Unstructured data can be binary data or text, and it can be entered via human input or machine generated.

371
Q

A cloud engineer is interested in grouping data elements of similar types together. This would allow her to quickly locate similar data in the future and compare it. Which technology could the cloud engineer use to accomplish this task?

A. Encryption
B. Metadata
C. Labeling
D. Hashing

A

C. Labeling

Explanation:
Labeling is the process of adding “labels” to data elements. These labels are more informal than metadata and, in order for them to work, they must be configured with consistency throughout the entire organization. Labels are used to group data elements together and provide information about them.

372
Q

It’s extremely difficult, if not impossible, to find a location for a data center that is not at risk of being hit by some type of natural disaster. Which of the following can be used to help mitigate the threats of natural disasters?

A. Rapid elasticity
B. Multitenancy
C. Encryption
D. Reinforced walls

A

D. Reinforced walls

Explanation:
Reinforced walls may help to mitigate the risk of certain types of natural disasters.

Encryption, multitenancy, and rapid elasticity will not help in the event of a natural disaster.

373
Q

Of the following, which is listed on the OWASP Top 10?

A. Cross-site scripting
B. Malicious insiders
C. Insecure interfaces and APIs
D. Advanced persistent threats

A

A. Cross-site scripting

Explanation:
Cross-site scripting is a type of injection attack in which a malicious actor can send data to a user’s browser without going through proper validation. This is listed on the OWASP Top 10, which is an up-to-date report of the most critical risks and vulnerabilities that affect web applications.

Insecure interfaces and APIs, malicious insiders, and advanced persistent threats are not listed on the OWASP Top 10; however, they are listed on the Cloud Security Alliance’s Treacherous Twelve, a list similar to the OWASP Top 10 that covers risks and vulnerabilities specifically associated with cloud-based applications and systems.

374
Q

Which management process is concerned with the management of all changes to configuration items, including the addition of any new devices?

A. Incident management
B. Deployment management
C. Continuity management
D. Change management

A

D. Change management

Explanation:
The change management process, one of the most well-known components of IT operations, includes all of the processes and procedures needed to make configuration changes to IT systems or to implement any new IT systems into the environment.

375
Q

Aden works for a large corporation that maintains its own traditional datacenter. How many computers is this data center likely to house?

A. Hundreds
B. Hundreds of thousands
C. Tens
D. Thousands

A

D. Thousands

Explanation:
A traditional data center will likely house thousands of computers for a large enterprise corporation. This means that they will have incredible cooling and utility requirements. On the other hand, a major cloud environment may house hundreds of thousands of servers across many physical locations with their own cooling and utility requirements. In the cloud environment, however, the concern for these requirements is moved away from the cloud customer to the cloud provider.

376
Q

A minimum resource that is granted to a cloud customer within a cloud environment is known as:

A. A reservation
B. An allotment
C. A limit
D. The volume

A

A. A reservation

Explanation:
A minimum resource that is granted to a cloud customer within a cloud environment is known as a reservation. With a reservation, the cloud customer should always have, at the minimum, the amount of resources needed to power and operate any of their services. On the flip side, limits are the opposite of reservations. A limit is the maximum utilization of memory or processing allowed for a cloud customer.

377
Q

An engineer has been asked to review a piece of completed software to ensure that there are no defects and that the code is free of bugs. What phase of the software development life cycle is currently being described?

A. Analysis
B. Maintenance
C. Development/coding
D. Testing

A

D. Testing

Explanation:
During the testing phase of the SDLC, the completed code is reviewed for problems. It’s checked to ensure that it is functioning and operating as expected. This includes having quality assurance check the software for defects and bugs. During testing, the code is also checked using security scans to ensure that it is secure.

378
Q

An organization purchases their accounting program through the cloud. The accounting program is hosted entirely by the cloud provider, on cloud-hosted servers. The cloud customer is not responsible for maintaining any of the items needed in order to access the accounting program; they are simply able to access the program from anywhere that they have an Internet connection.

What type of cloud service is being described here?

A. DaaS
B. PaaS
C. IaaS
D. SaaS

A

D. SaaS

Explanation:
Software as a Service (SaaS) is a type of cloud service in which the cloud provider maintains and manages everything on the back-end (including the infrastructure, platform, and server OS), and the cloud customer can simply access the software without needing to do any maintenance on it.

379
Q

The Generally Accepted Privacy Principles (GAPP) standard was developed by the American Institute of Certified Public Accountants and which other group?

A. Securities and Exchange Commission
B. European Union and European Economic Area
C. World Health Organization
D. Canadian Institute for Chartered Accountants

A

D. Canadian Institute for Chartered Accountants

Explanation:
The Generally Accepted Privacy Principles (GAPP) standard was developed by the American Institute of Certified Public Accountants and the Canadian Institute for Chartered Accountants. The standard includes ten key privacy principles to manage and prevent threats to privacy.

380
Q

It is vital for your firm to implement a solution in order to comply with regulatory and compliance requirements. In order to prevent destructive commands from being executed on your organization’s database, this service must also monitor suspicious activity and give notifications when anomalies are discovered. When it comes to security controls, what should the organization consider implementing?

A. DAM
B. XML Firewall
C. API Gateway
D. WAF

A

A. DAM

Explanation:
It is possible to detect malicious commands being executed on your organization’s database and to prevent them from being executed with the help of a database activity monitor (DAM). In addition, suspicious activity is monitored, and alerts are sent out when anomalies are discovered.

381
Q

In testing their BCDR plan, engineers brought their recovery site online to an operational state of readiness, while leaving their primary site active and operational as well.

What type of test was conducted in this scenario?

A. Simulation
B. Full interruption test
C. Walk through test
D. Parallel test

A

D. Parallel test

Explanation:
A parallel test is a type of test for business continuity and disaster recovery (BCDR) plans in which the recovery site is brought online to a state of operational readiness, but operations at the primary site are also maintained and active.

382
Q

You’re revising your organization’s data archiving policy to guarantee that your cloud deployment is adequately protected. Which stage of the cloud data lifecycle will be impacted by this policy?

A. Destroy
B. Share
C. Use
D. Archive

A

D. Archive

Explanation:
The data archiving policy will have an effect on the cloud data lifecycle’s archive phase.

The remaining options correspond to phases of the data lifecycle that are unaffected by the data archive policy.

383
Q

After terminating an employee, the former employee went on to leak an organization’s sensitive intellectual property to a competitor. Which type of threat is being described here?

A. Malicious insider
B. Advanced persistent threat
C. Denial of service
D. Account hijacking

A

A. Malicious insider

Explanation:
A malicious insider is an individual who has been granted appropriate access to complete their job, but then uses that access for unauthorized uses.

384
Q

The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. This standard is based on how many tiers?

A. 3
B. 4
C. 8
D. 5

A

B. 4

Explanation:
The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. The standard is based on four tiers, which include:

Tier I: Basic Capacity
Tier II: Redundant Capacity Components
Tier III: Concurrently Maintainable
Tier IV: Fault Tolerance

385
Q

Which of the following has the LEAST impact when collecting forensic evidence in the cloud?

A. Operational impact
B. Jurisdiction
C. Data ownership
D. Multitenancy

A

A. Operational impact

Explanation:
Typically, collecting forensic evidence in the cloud has no operational impact.

When it comes to collecting forensic evidence, data ownership, multitenancy, and jurisdiction are key considerations for both cloud providers and cloud clients.

386
Q

Upon review, a security engineer noticed that one of their cloud applications includes a SELECT statement. The engineer has asked the developers of the application to modify the code so that user-supplied input must be validated and attackers are unable to send malicious SQL statements through the application.

What type of attack is this engineer trying to prevent?

A. SQL injection
B. Cross-site scripting
C. Browser hijacking
D. Cross-site request forgery

A

A. SQL injection

Explanation:
An SQL injection attack occurs when an attacker sends malicious SQL statements to the application via data input fields. In order to prevent these types of attacks, developers can use techniques such as whitelist input validation, prepared statements, and escaping of all user-supplied input.

387
Q

An application developer has left references regarding the configuration of the hosting system in his code. An attacker was able to find this information in the code and use it to access the application without needing to go through proper validation.

This is an example of what type of vulnerability?

A. XML external entities
B. Broken access control
C. Cross-site scripting
D. Injection

A

A. XML external entities

Explanation:
During development, it’s not uncommon for developers to leave comments or notes in their code. While this is not inherently an issue, it can become an issue when the comments and notes are not removed before the code is published. An XML external entity occurs when a developer leaves references to items such as the directory structure of the application, configuration about the hosting system, or any other information about the inner workings of the application itself, in the code. This information can be used by an attacker, if found, to gain unauthorized access to the application.

388
Q

Regarding data privacy, different roles and responsibilities exist between the cloud customer and cloud provider. In a Platform as a Service environment, where does the responsibility fall for platform security?

A. Responsibility is shared between the cloud customer and the cloud provider
B. The cloud provider is solely responsible
C. The cloud customer is solely responsible
D. A third party is solely responsible

A

A. Responsibility is shared between the cloud customer and the cloud provider

Explanation:
In a Platform as a Service (PaaS) model, platform security is a responsibility that is shared between both the cloud provider and the cloud customer.

In a SaaS model, platform security is solely the responsibility of the cloud provider, and in an IaaS model, platform security is solely the responsibility of the cloud customer.

389
Q

Alice is responsible for preparing systems for the cloud, as well as administering and monitoring services. When requested, Alice provides audit data. She is also responsible for managing inventory and assets.

Which title BEST fits Alice’s responsibilities?

A. Cloud service business manager
B. Cloud service developer
C. Cloud service operations manager
D. Cloud service broker

A

C. Cloud service operations manager

Explanation:
A cloud service operations manager is a role within a cloud service provider. The cloud service operations manager will provide audit data when requested or required, manage inventory and assets, prepare systems for the cloud, and also manage and maintain services.

390
Q

File level and storage level encryption methods are used to protect data in which state?

A. Data in motion
B. Data in use
C. Data in transit
D. Data at rest

A

D. Data at rest

Explanation:
Data at rest (DAR) refers to data that is in an idle state. This means that the data isn’t currently being moved between systems and it’s not currently being used by an application. The best way to protect data at rest is by using file level and storage level encryption methods. The encryption methods will vary depending on how the data is stored.

391
Q

Which of the following is used to analyze all the traffic on a network and alert administrators when there is a possible intrusion?

A. NIDS
B. Honeypot
C. IPS
D. HIDS

A

A. NIDS

Explanation:
A network intrusion detection system (NIDS) analyzes all of the traffic on the network and detects possible intrusions. It can send an alert out to administrators to investigate.

A host intrusion detection system (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions. An intrusion prevention system (IPS) works in the same manner as a NIDS, but it also has the capability to prevent attacks rather than just detect them. A honeypot is an isolated system used to trick an attacker into believing that it is a production system.

392
Q

A developer performs validation and sanitization of his application code to ensure that there are no references to items such as the application directory structure or the configuration of the hosting system.

Which of the following vulnerabilities is this developer addressing?

A. Cross-site scripting
B. Injection
C. Broken authentication
D. XML external entities

A

D. XML external entities

Explanation:
XML external entities refer to references, such as the application directory structure or the configuration of the hosting system, that should be removed from the code, but are left in by accident. These items can provide information to an attacker that may allow them to circumvent authentication measures to gain access.

393
Q

Which of the following statements regarding “portability” is TRUE?

A. Transitioning between a traditional data center model and a cloud environment is typically a seamless, simple, and transparent process.
B. It is unlikely that controls or configurations will require any reengineering or changes to work in the cloud.
C. It is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment.
D. Even legacy systems from traditional data centers are typically programmed to work within a cloud environment.

A

C. It is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment.

Explanation:
Many believe that moving from a traditional data center model to a cloud environment is a completely simple, easy, and seamless process. This is not the case in most situations. In fact, it is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment without requiring any code changes.

Many data centers use legacy systems that are not programmed to work in a rapidly changing cloud environment. In most cases, controls and configurations that have been in place at a traditional data center will need to be reworked and reengineered to function in a cloud environment.

394
Q

Which of the following is an example of data sanitation?

A. An engineer applies encryption to a user’s hard drive so that it’s protected if it’s ever stolen
B. After replacing a hard drive, a user smashed the old hard drive with a hammer so that data couldn’t be recovered from it
C. A user resets their password every 30 days in order to help prevent breaches
D. An engineer installed new locks on the server rack so that attackers cannot gain unauthorized physical access

A

B. After replacing a hard drive, a user smashed the old hard drive with a hammer so that data couldn’t be recovered from it

Explanation:
Data sanitation means that data is removed (or sanitized) from old equipment or an old environment. In this scenario, destroying a hard drive prevents the data from being recovered; therefore, this data has been sanitized. In a cloud environment, sanitizing data becomes more difficult, since methods such as destruction, shredding, and incineration are not options in the cloud.

395
Q

Monitoring the effectiveness of your organization’s security procedures is critical. Which security control monitoring component is the MOST fundamental?

A. SIEM
B. Security Operations Center
C. Vulnerability assessment
D. Documentation

A

D. Documentation

Explanation:
Monitoring your security controls should begin with documentation that details the purpose and implementation of each control. Additionally, you should have process documentation on how to monitor each security control.

A vulnerability assessment is an effective method of determining the efficiency of your controls indirectly, while SIEM tools and a Security Operations Center are critical components of security monitoring.

396
Q

Brock is interested in implementing a SIEM. Which of the following is a function that Brock can expect from the SIEM?

A. Encrypt data
B. Backup data
C. Block malware
D. Reporting

A

D. Reporting

Explanation:
Security information and event management (SIEM) systems provide a great number of functions, including reporting, compliance, dashboards, alerting, aggregation, and correlation. Despite all of these functions, SIEMs are not able to block malware, encrypt data, or back up data.

397
Q

Resource pooling is one of the key cloud computing characteristics. Which of the following security principles does resource pooling BEST support?

A. Availability
B. Integrity
C. Confidentiality
D. Security

A

A. Availability

Explanation:
Resource pooling allows a cloud customer to quickly scale resources up or down as needed. The CSP ensures that resources are available when the cloud customer needs them. Resource pooling occurs when a cloud service provider groups its resources for shared use between multiple cloud customers. This also allows the CSP to scale resources up and down on a per-customer basis.

All other options are security principles.

398
Q

An organization has implemented multi-factor authentication. Which of the following combinations of factors would be acceptable to use?

A. Password and pin
B. Password and fingerprint scan
C. Fingerprint scan and retina scan
D. Key card and smart card

A

B. Password and fingerprint scan

Explanation:
In multi-factor authentication (MFA), users must present two separate and unique factor types. MFA factors include something you know (password, PIN, passphrase), something you have (key card, smart card), and something you are (biometrics). Of the options given, the password and fingerprint scan combination is the only one that includes two unique types of factors.

399
Q

To monitor and control access to application services of a SaaS solution, what should be implemented?

A. Validated open-source software
B. Third-party software management
C. Supply-chain management
D. Approved Application Programming Interface

A

D. Approved Application Programming Interface

Explanation:
An approved API is critical for ensuring the security of system components we are interacting with. Enforcing the usage of APIs to reduce the number of ways for accessing application services simplifies their monitoring and protection.

400
Q

An engineer has been asked to perform an assessment using nonnumerical data. The assessment would focus on being descriptive and not data driven.

Which type of assessment has this engineer been asked to perform?

A. Quantitative assessment
B. Risk analysis assessment
C. Qualitative assessment
D. Advanced rational assessment

A

C. Qualitative assessment

Explanation:
There are two main assessment types that can be done for assessing risk: qualitative assessments and quantitative assessments. While quantitative assessments are data driven, focusing on items such as single loss expectancy, annual rate of occurrences, and annual loss expectancy, qualitative assessments are descriptive in nature and not data driven.

401
Q

A retina scan is which type of authentication component?

A. Something the user knows
B. Something the user has
C. Something the user does
D. Something the user is

A

D. Something the user is

Explanation:
In multi-factor authentication (MFA), users are required to use two or more types of authentication components. Authentication types include something the user knows (PIN, password), something the user has (RSA token, key card), or something the user is (retina scan, fingerprint scan). Other less common authentication types include somewhere the user is (location-based) and something the user does (behavioral).

402
Q

In which IAM model are applications configured to trust identity providers, and identity providers authenticate users using digital security tokens?

A. Federated identity
B. MFA
C. Single sign-on
D. CASB

A

C. Single sign-on

Explanation:
Through the usage of single sign-on (SSO), an organization’s users can authenticate once and share their identity attributes across numerous cloud services. This enables users to submit their credentials only once, rather than each time an application is accessed. Configuration of single sign-on occurs at two levels: the identity provider and the application. Applications are configured to have a high level of trust in identity providers. A successful authentication results in the issuance of a digital security token signed with the identity provider’s private key. This means that the application does not receive the user’s actual credentials. Instead, apps will use the public key of the identity provider to authenticate the digitally signed token.

403
Q

Having data stored in many foreign jurisdictions creates legal and regulatory complications. Which of the following is NOT an item that could have an effect on cloud computing customers?

A. Political borders
B. Different legal frameworks in different countries
C. Differing legal requirements
D. Challenges of conflicting laws

A

A. Political borders

Explanation:
When it comes to evaluating cloud providers’ services, customers are not constrained by political borders. The opportunity to expand into new locations introduces a new set of risks for organizations. Having data stored in many foreign jurisdictions creates legal and regulatory challenges. Customers of cloud computing are impacted by a variety of legal requirements, varying legal systems and frameworks between countries, and the complexities of conflicting law.

404
Q

In an IaaS environment, the cloud customer will likely NOT have access to logs stemming from which of the following?

A. Hypervisor
B. Operating system
C. Virtual server
D. Applications

A

A. Hypervisor

Explanation:
In an IaaS environment, the cloud customer will likely have access to logs from the operating system, the virtual devices, and the applications that they are using. However, it’s unlikely that the cloud customer will have access to any logs from the hypervisor itself. If the cloud customer wanted logs from the hypervisor, they would need to work with the cloud provider and have something written into their contract. Even though the cloud customer has access to the logs from the operating systems, virtual servers and devices, and the applications, they will still likely need some method to aggregate all of these logs.

405
Q

How many layers of encryption are typically used on database storage systems?

A. Three layers
B. Two layers
C. Four layers
D. One layer

A

B. Two layers

Explanation:
Database storage systems are generally encrypted with two layers of encryption. First, the files on the database can be protected through a file system level encryption. Second, encryption can be used within the application itself.

406
Q

What is the term used when a cloud service provider documents a system architecture in a definition file and then uses it to spin up a virtual infrastructure?

A. Infrastructure as Code (IaC)
B. Database as a Service (DBaaS)
C. Immutable infrastructure
D. Identity Management as a Service (IDMaaS)

A

A. Infrastructure as Code (IaC)

Explanation:
Infrastructure as Code (IaC) is the practice in which the system architecture is defined in a definition file that the CSP uses to spin up a virtual infrastructure. The definition files are frequently used to establish virtual infrastructure in PaaS setups.

All other options are incorrect.

407
Q

Which of the following reports is focused on the effectiveness of controls during a set point in time?

A. SOC 1 Type 3
B. SOC 1 Type 1
C. SOC 1 Type 4
D. SOC 1 Type 2

A

B. SOC 1 Type 1

Explanation:
A SOC 1 Type 1 report is focused on the effectiveness of controls during a set point in time. A SOC 1 Type 2 report is focused on the effectiveness of controls over a period of at least six months rather than a finite period in time.

SOC 1 Type 3 and 4 do not exist.

408
Q

An organization has just moved from a traditional data center environment to a cloud IaaS environment. Prior to moving to this new environment, the security team did not do a risk assessment or ensure the security of the new cloud provider.

What type of threat is being described here?

A. Insufficient monitoring and logging
B. Shared technology issues
C. Insufficient due diligence
D. Malicious insiders

A

C. Insufficient due diligence

Explanation:
When a security team or organization doesn’t perform proper due diligence (such as performing risk assessments and ensuring that the new cloud provider has the proper security procedures in place) it creates threats and problems that could have been addressed before moving to the new environment. Through active due diligence, such as training and maintaining proper procedures, many common threats and risks can be avoided.

409
Q

An organization wants a way to ensure to the general public that their systems are safe and secure. What type of report should be done in order to share it with the general public?

A. SAS
B. SSAE
C. SOC 1
D. SOC 3

A

D. SOC 3

Explanation:
SOC 3 reports are meant to be consumed and reviewed by the general public. SOC 3 allows for a much wider audience than the other reports listed. SOC 3 reports are meant to be consumed by a large audience to instill confidence that the organization’s systems are secure.

410
Q

Data that can’t be easily used in a formatted database is known as:

A. Correlated data
B. Structured data
C. Uncorrelated data
D. Unstructured data

A

D. Unstructured data

Explanation:
Unstructured data is a data type that can’t be easily used (or used at all) in a structured, rigid, or formatted database.

411
Q

An engineer is in the process of audit planning. What is the FIRST step of audit planning?

A. Conduct research
B. Define scope
C. Define objectives
D. Perform a vulnerability scan

A

C. Define objectives

Explanation:
Audit planning is made up of four main steps which occur in the following order:

Define objectives
Define scope
Conduct the audit
Lessons learned and analysis

Defining the objectives must be the first step of the audit plan because it will lay the groundwork for the rest of the plan.

412
Q

Your organization is considering using a data rights management solution that provides persistent protection. Which of the following is the MOST accurate description of this functionality?

A. Permissions can be modified after a document has been shared.
B. Data is secure no matter where it is stored.
C. Dates and time-limitations can be applied.
D. The illicit or unauthorized copying of data is prohibited.

A

B. Data is secure no matter where it is stored.

Explanation:
Persistent protection ensures that data is preserved or protected regardless of the location of the data, including reproduction of the data.

All other options are descriptions of functionalities provided by other features of data rights management solutions.

413
Q

Cloud customers benefit from standalone hosts and clustered hosts in different ways. What are standalone hosts known to provide?

A. Confidentiality
B. Integrity
C. All options are correct
D. Availability

A

A. Confidentiality

Explanation:
Customers often select standalone hosts because they ensure that their data will not be commingled with other tenants. This is helpful for compliance purposes and also supports data confidentiality.

Standalone hosts are not well known for ensuring data integrity and availability. However, they do help support other technologies.

414
Q

Any information relating to past, present, or future health status that can be tied to a specific individual is known as which of the following?

A. GBLA
B. PHI
C. PCI
D. HIPAA

A

B. PHI

Explanation:
PHI (protected health information) is a subset of PII (personally identifiable information). PHI applies to any entity defined under the U.S. HIPAA (health information portability and accountability act) laws. Any information that can be tied to a unique individual as it relates to their past, current, or future health status is considered PHI.

415
Q

A cloud provider wants to assure potential cloud customers that their environment is secure. What is one way for the cloud provider to achieve this without needing to provide audit access to every potential customer?

A. Undergo a SOC 2 audit
B. Undergo a HIPAA audit
C. Undergo an ITIL audit
D. Undergo a PCI DSS audit

A

A. Undergo a SOC 2 audit

Explanation:
A SOC 2 (Service Organization Control 2) audit reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy. A cloud provider may choose to have a SOC 2 audit done and make the report available to the public. This allows for potential customers to have a sense of confidence that the environment is secure without needing to do an audit of their own.

416
Q

Which of the following did the European Union (EU) officially implement in 2018?

A. GDPR
B. APEC
C. HIPAA
D. PCI DSS

A

A. GDPR

Explanation:
The General Data Protection Regulation (GDPR) was officially implemented by the European Union (EU) on May 25, 2018. GDPR is a massive undertaking to give users full control over their personal data and how it is used.

417
Q

An engineer needs to ensure his organization is aware of all ten key principles of GAPP. Which of the following is NOT a key principle of the GAPP standard?

A. Management
B. Quality
C. Restriction
D. Access

A

C. Restriction

Explanation:
The Generally Accepted Privacy Principles (GAPP) includes 10 key privacy principles and over 70 privacy objectives and methods for measuring and evaluating criteria. The 10 key privacy principles are listed below:

Management
Notice
Choice and consent
Collection
Use, retention, and disposal
Access
Disclosure to third parties
Security for privacy
Quality
Monitoring and enforcement

418
Q

Cloud customers benefit from standalone hosts and clustered hosts in different ways. What are clustered hosts known to provide?

A. Availability
B. All options are correct
C. Confidentiality
D. Integrity

A

A. Availability

Explanation:
A host cluster is a pool of hosts connected together to operate as a single host. The cluster helps protect against failures of a single machine, through redundancy. This provides availability assurance.

A clustered host is not well known for ensuring data integrity and confidentiality. However, they do help support other technologies.

419
Q

A university is interested in forming a research cooperative; which cloud deployment model would be MOST appropriate for this workload?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid cloud

A

B. Community cloud

Explanation:
A community cloud is a type of cloud that exists between public and private clouds. The community cloud was designed to meet the requirements of multiple organizations operating in the same industry. Universities frequently form research consortiums, which can be supported by a community cloud.

420
Q

Which of the following areas is always entirely the CSP’s responsibility, regardless of the cloud service model used?

A. Databases
B. Networking
C. Storage
D. Virtualization

A

D. Virtualization

Explanation:
The cloud service provider (CSP) is always responsible for managing the virtualized environment. Virtualization enables server sharing, and the CSP allocates resources to a diverse set of services and clients. While the consumer is always responsible for their data, the operating system, networking, and storage responsibilities change according to the cloud service model.

Storage, networking, databases and orchestration are other cloud building block technologies.

421
Q

Your organization must be able to rapidly scale resources up or down, as required, to meet future needs and from a variety of cloud geographical regions. Which cloud characteristic is required in this scenario?

A. High Availability
B. Scalability
C. Resource Pooling
D. Elasticity

A

D. Elasticity

Explanation:
Elasticity increases and decreases resources as needed, but unlike scalability, elasticity is done automatically. Elastic resources are based on the current needs and resources are added and removed dynamically to meet those needs from a variety of geographical locations.

422
Q

Which organization produced the “Data Center Design and Implementation Best Practices” standard, which includes specification for items such as hot/cold aisle setups?

A. NIST
B. NFPA
C. IDCA
D. BICSI

A

D. BICSI

Explanation:
BICSI (Building Industry Consulting Service International) has been around since 1977. Of all the standards that BICSI has developed, ANSI/BICSI 002-2014 is the most prominent. This standard is “Data Center Design and Implementation Best Practices.” In this standard, items such as hot/cold aisle setups, power specifications, and energy efficiency are all covered.

423
Q

When developing a continuity plan, which of the following can be done to identify which systems are the most important?

A. BIA
B. Vulnerability assessment
C. BCDR
D. REST

A

A. BIA

Explanation:
A BIA (business impact analysis) can be done to identify the most important systems to an organization. The BIA can help to identify which services and systems need to be prioritized and which can endure a longer outage.

424
Q

An engineer would like to access a server remotely. Which proprietary Microsoft technology allows a user to connect to a remote computer over the network and utilize a GUI to control it?

A. IPsec
B. RDP
C. TLS
D. KVM

A

B. RDP

Explanation:
RDP (remote desktop protocol) is a proprietary technology, developed by Microsoft, that allows a user to connect to another remote computer over the network and utilize a GUI to control the remote computer. Microsoft has also created clients so that Linux and UNIX systems can utilize RDP to connect to Microsoft systems.

425
Q

An organization has spent quite a significant amount of their budget on vendor-specific investments and now the cost for them to move to a new cloud provider would be far too high to be feasible.

What is the term used to describe this type of scenario?

A. Customer lock-in
B. Provider exit
C. Vendor lock-in
D. Data sanitation

A

C. Vendor lock-in

Explanation:
Cloud customers should avoid vendor lock-in. Vendor lock-in occurs when an organization is unable to easily move from one cloud provider to another without incurring extremely high costs. Vendor lock-in can occur when a specific cloud provider requires the cloud customers to purchase expensive proprietary systems.

426
Q

Which jurisdiction does NOT have a standard national/regional data privacy regulation that applies to all personal information?

A. United States
B. Canada
C. Russia
D. European Union

A

A. United States

Explanation:
Of this list, the United States is the only locale that does not have a unified privacy law at the federal level. However, some states do have privacy laws, such as the California Consumer Privacy Act (CCPA).

All other options have national or regional data privacy regulations.

427
Q

Authorized access to a customer’s account is allowed to the customer support agent, but the data is concealed as it is fed to them. What form of obfuscation is being used?

A. Consistent
B. Varied
C. Static
D. Dynamic

A

D. Dynamic

Explanation:
Obfuscation of data can be done statically or dynamically. The static technique creates a new data set as a copy of the original data and uses only the concealed copy. When the customer support agent accesses the data via the dynamic method, the data is masked as it is used.

All other options are incorrect.

428
Q

Multitenancy is BEST described as:

A. The ability for two separate organizations to share an identity system while keeping autonomy
B. The ability for a cloud customer to use two or more cloud providers for their infrastructure
C. Multiple cloud customers sharing the same computing resources of a cloud provider
D. Multiple cloud customers having access to each other’s data

A

C. Multiple cloud customers sharing the same computing resources of a cloud provider

Explanation:
Multitenancy refers to when multiple cloud customers share the same computing resources of the cloud provider. With multitenancy, it’s very important that the cloud provider has security measures put in place so that confidential data is not visible to the other organizations that share the same resources.

429
Q

Which of the following is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats?

A. RASP
B. Vulnerability scanning
C. DAST
D. SAST

A

A. RASP

Explanation:
Runtime Application Self-Protection (RASP) is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats in real-time.

Dynamic application security testing (DAST) is a “black-box” type of security test, meaning that the tester is not given any special information about the systems they are testing. Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code. Vulnerability scanning is a test that is run on systems to ensure that the systems are properly hardened and there are not any known vulnerabilities in the system.

430
Q

An engineer has been asked to determine annual loss expectancy. Which two values must this engineer already know in order to determine annual loss expectancy?

A. ARO and MTR
B. SLE and RTO
C. ARO and SLE
D. MTR and SLE

A

C. ARO and SLE

Explanation:
In order to find annual loss expectancy, you must first know the values for annual rate of occurrence (ARO) and single loss expectancy (SLE). The equation used to find annual loss expectancy (ALE) is SLE × ARO = ALE.

431
Q

Upon researching an incident, an engineer noticed that all of the event logs on one of their devices had been completely wiped. According to the STRIDE threat model, which type of threat is this?

A. Repudiation
B. Data loss
C. Spoofing identity
D. Denial of service

A

A. Repudiation

Explanation:
The STRIDE threat model has six threat categories, which include spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privileges. Logs being erased or wiped is a type of repudiation threat. Keeping accurate and comprehensive logs is vital to an organization, as it can prevent a user from denying that they made a change when they actually did.

432
Q

The security team for Organization A wants to implement a way for all of their users to only be required to use a single set of authentication credentials to access all of the organization’s resources.

Which of the following should Organization A implement to achieve this?

A. Multi-factor authentication
B. Single sign-on
C. Federated identity management
D. LDAP

A

B. Single sign-on

Explanation:
Single sign-on (SSO) allows an individual to authenticate once using a single set of authentication credentials and be given access to other independent systems. SSO is beneficial for many reasons, one being that it allows users to create one strong set of credentials that they will remember, rather than having them create many weaker passwords that they are likely to forget.

433
Q

Complete the sentence with the MOST accurate statement.

Cloud environments:

A. consist of far fewer systems and servers.
B. take the level of concern away from the cloud customer and place it onto the cloud provider.
C. are built of components that are completely different from those used in a traditional environment.
D. are generally operated out of one physical location.

A

B. take the level of concern away from the cloud customer and place it onto the cloud provider.

Explanation:
While it may seem that a cloud infrastructure is completely different from that of a traditional data center, all the components that exist in a traditional data center are still needed in the cloud. The main difference is that within a cloud environment, the responsibility and level of concern is moved away from the cloud customer to the cloud provider.

434
Q

The organization must guarantee that cloud-based systems and communications with cloud-based systems are properly secured. Which of the following is an organization’s responsibility, regardless of the cloud model used?

A. Physical and environmental
B. System and communications
C. Identity, authentication, and authorization
D. Governance, risk, and compliance

A

D. Governance, risk, and compliance

Explanation:
Whichever deployment approach is adopted, the organization is ultimately responsible for governance, risk, and compliance.

All other options may be under the organization’s control depending on the cloud model used.

435
Q

Which phase of the software development lifecycle results in a comprehensive report outlining the deficiencies and successes of the project?

A. Testing
B. Maintenance
C. Design
D. Development/coding

A

A. Testing

Explanation:
During the testing phase, security scans are run against the actual code and the completed application as it runs. This is also the phase in which the code is checked for syntax errors and problems. The output of the testing phase is a report which outlines the deficiencies and successes found during the testing phase.

436
Q

A cloud provider would like to use information on one of their cloud customers for advertising purposes. Before they can do this, they must get explicit permission from the cloud customer to do so.

Which key principle of ISO/IEC 27018 does this scenario fall into?

A. Transparency
B. Consent
C. Control
D. Communication

A

B. Consent

Explanation:
ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds that act as PII processors; it extends the ISO/IEC 27002 controls with cloud-specific privacy requirements. The five key principles of ISO/IEC 27018 include communication, consent, control, transparency, and independent and yearly audits. Consent refers to cloud providers getting explicit permission from a cloud customer before they can use that customer's data or information for any purpose other than providing the service.

437
Q

What are the two pieces that make up TLS?

A. TLS handshake protocol and TLS record protocol
B. TLS establishment protocol and TLS connection protocol
C. TLS establishment protocol and TLS record protocol
D. TLS handshake protocol and TLS connection protocol

A

A. TLS handshake protocol and TLS record protocol

Explanation:
TLS (transport layer security) replaced SSL (secure socket layer) as the standard method for encryption of traffic across a network. TLS is made up of two main layers. The first layer is the TLS handshake protocol. This protocol is what negotiates and establishes the actual TLS connection. The second layer is the TLS record protocol. The TLS record protocol is the actual secure communication method for transferring the data.
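The two-layer structure described above is visible on the wire. Every TLS record starts with a 5-byte plaintext header (content type, legacy version, payload length); type 22 records carry handshake-protocol messages such as ClientHello, and type 23 records carry the application data that the record protocol has encrypted. The following parser is an added example and not part of the original flashcards; the byte stream it parses is constructed in the block rather than captured from a real session.

```python
import struct

# Record-layer content types (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Handshake-protocol message types carried inside type-22 records.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_handshake(body: bytes) -> list:
    """Walk the handshake messages inside one handshake record.

    Each message has a 1-byte type and a 3-byte length. Returns the
    message names in order; raises on a truncated message.
    """
    names = []
    off = 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated handshake header")
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        if len(body) - off - 4 < hlen:
            raise ValueError("truncated handshake message")
        names.append(HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype))
        off += 4 + hlen
    return names


def parse_records(data: bytes) -> list:
    """Split a raw TLS byte stream into record-layer records.

    Every record starts with a 5-byte plaintext header: content type,
    legacy version, payload length. The header is never encrypted, so an
    observer always sees record types and sizes even when the payload
    (type 23) is ciphertext.
    """
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": VERSIONS.get(ver, hex(ver)),
               "length": length}
        if ctype == 22:
            rec["messages"] = parse_handshake(body)
        records.append(rec)
        off += 5 + length
    return records


def record(ctype: int, body: bytes) -> bytes:
    """Frame a payload as one record with the TLS 1.2 legacy version."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def handshake_msg(htype: int, payload: bytes) -> bytes:
    """Wrap a payload in a handshake-protocol header (type + 3-byte length)."""
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload


# Constructed sample stream (not a real capture): a ClientHello carried by
# the handshake protocol, a ChangeCipherSpec, then 40 bytes of opaque
# application data that the record protocol would have encrypted.
CLIENT_HELLO = (b"\x03\x03" + b"\x00" * 32   # version + client random
                + b"\x00"                   # empty session id
                + b"\x00\x02\x13\x01"       # one cipher suite
                + b"\x01\x00"               # null compression
                + b"\x00\x00")              # no extensions
SAMPLE_STREAM = (record(22, handshake_msg(1, CLIENT_HELLO))
                 + record(20, b"\x01")
                 + record(23, b"\xaa" * 40))

if __name__ == "__main__":
    for r in parse_records(SAMPLE_STREAM):
        print(r)
```

Two things worth noticing when running it: the record header stays in the clear for every record, so record types and sizes leak to anyone on the path even though the type 23 payload is encrypted, and a TLS 1.3 session still labels its records 0x0303 (the legacy_record_version field), so the record-layer version is not a reliable indicator of the negotiated protocol.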

438
Q

The number of CPUs and the amount of RAM in a cloud environment can be described as which of the following?

A. Limits
B. Compute parameters
C. Reservations
D. Software defined networking

A

B. Compute parameters

Explanation:
The compute parameters of a cloud environment, and therefore its processing power, are made up of the number of CPUs and the amount of RAM available to a system or environment. In a cloud environment, compute parameters can be more difficult to manage and plan due to resource pooling and multitenancy.

439
Q

An engineer is working with data that is in the store phase of the cloud data lifecycle. Now that the data is in the store phase, what must the engineer immediately employ on top of security controls?

A. Sharing permissions
B. Data classification
C. Data destruction methods
D. Backup methods

A

D. Backup methods

Explanation:
As soon as the data enters the store phase, it’s important to immediately employ the use of backup methods on top of security controls to prevent data loss.

440
Q

Which storage medium is commonly utilized for processing?

A. RAID
B. Long-term
C. Ephemeral
D. Raw-disk

A

C. Ephemeral

Explanation:
Temporary storage and data are stored in ephemeral storage solely for processing purposes. Ephemeral storage is not intended to provide long-term data storage. Ephemeral storage is similar to random access memory (RAM) and other non-permanent storage technologies.

All other options are different forms of storage that are utilized for different purposes.

441
Q

Which of the following involves implementing standard processes and technologies across various organizations so that they can join their identity systems while keeping their autonomy?

A. Federation
B. Identification
C. Authorization
D. Auditing

A

A. Federation

Explanation:
Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity systems while keeping their autonomy.

Identification is the process of pinpointing either a system or individual in a way that makes them distinct from any other identity. Authorization is the process of granting access to resources. Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

442
Q

Which of the following roles sometimes exists, in addition to the data owner, that oversees access requests and the utilization of data?

A. Data steward
B. Data processor
C. Data custodian
D. Data consumer

A

A. Data steward

Explanation:
While the data owner maintains sole responsibility for the data and the controls surrounding that data, there is sometimes the additional role of data steward, who will oversee data access requests and the utilization of the data.

443
Q

Which of the following statements is TRUE regarding a compromised hypervisor?

A. A compromised hypervisor can be used to attack network devices, but it can’t be used to attack other hypervisors in the environment.
B. A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors.
C. A compromised hypervisor is only a threat to other hypervisors in the environment but not a threat to the actual virtual machines.
D. A compromised hypervisor is only a threat to the virtual machines hosted on it, and not other hypervisors in the environment.

A

B. A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors.

Explanation:
A compromised hypervisor can have serious consequences. If an attacker can compromise a hypervisor, they will then have access to all the virtual machines that are hosted on that hypervisor. In addition, the attacker could use the hypervisor as a launching pad for additional attacks on other hypervisors, since each hypervisor plays a central role in the cloud environment.

444
Q

An organization is evaluating potential risks. One risk they have uncovered is very unlikely to occur, and it would cost more to implement a fix for the risk than it would cost if the vulnerability was actually exploited.

In this scenario, which risk response is the organization likely to take?

A. Accept the risk
B. Mitigate the risk
C. Avoid the risk
D. Transfer the risk

A

A. Accept the risk

Explanation:
For some risks, the cost to mitigate the risk would outweigh the cost of accepting the risk and dealing with any potential fallout that would come if the risk were realized. In these scenarios, the organization will often simply accept the risk and deal with the consequences if and when it occurs.

445
Q

Which of the following is mainly concerned with minimizing the impact of issues in an organization by identifying the root cause of the issue?

A. Release and deployment management
B. Incident management
C. Problem management
D. Change management

A

C. Problem management

Explanation:
The focus of problem management is to identify and analyze potential issues in an organization to determine the root cause of that issue. Problem management is responsible for implementing processes to prevent the issues from occurring in the future.

446
Q

Cloud environments are constantly maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn’t become overloaded.

What is this process known as?

A. Dynamic optimization
B. Distributed resource scheduling
C. High availability
D. Maintenance mode

A

A. Dynamic optimization

Explanation:
Dynamic optimization is the process in which cloud environments are constantly monitored and maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn’t become overloaded.

Distributed resource scheduling is a method for providing high availability, workload distribution, and balancing of jobs in a cluster. When a host is in maintenance mode, no virtual machines can run under that physical host. High availability is the concept that systems experience little to no downtime.

447
Q

A cloud security engineer working for a financial institution needs to determine how long specific financial records must be stored and preserved.

Which of the following specifies how long financial records must be preserved?

A. GDPR
B. HIPAA
C. SOX
D. GLBA

A

C. SOX

Explanation:
The Sarbanes-Oxley Act (SOX) regulates how long financial records must be kept. SOX is enforced by the Securities and Exchange Commission (SEC). SOX was passed as a way to protect stakeholders and shareholders from improper practices and errors.

448
Q

An engineer is concerned about the security of mobile devices in the organization which have been given access to corporate resources. What can this engineer implement to manage and maintain the devices?

A. IoT
B. MDM
C. AI
D. BYOD

A

B. MDM

Explanation:
MDM (mobile device management) is the term used to describe the management and maintenance of mobile devices (such as tablets and mobile phones) that have access to corporate resources. Usually, MDM software will be installed on the devices so that the IT staff can manage the devices remotely in the case of a lost or stolen device.

449
Q

What is used to consolidate large amounts of unstructured data, often from disparate sources inside or outside the organization, with the goal of supporting business intelligence and analysis efforts?

A. Data mart
B. Data warehouse
C. Data lake
D. Data mining

A

C. Data lake

Explanation:
A data lake is an unstructured data storage mechanism with data often stored in files or blobs, typically in its raw form until it is needed for analysis.

Data warehouses and data marts are structured storage mechanisms for data that has already been cleaned and modelled; data mining is an analysis technique rather than a storage mechanism.

450
Q

There are four main steps in audit planning. Choose the correct sequence of audit planning steps.

A. Define objectives, conduct an audit, review results, perform secondary audit
B. Define scope, define objectives, conduct audit, monitor results
C. Define objectives, define scope, conduct the audit, lessons learned
D. Define scope, conduct the audit, lessons learned, monitoring

A

C. Define objectives, define scope, conduct the audit, lessons learned

Explanation:
There are four main steps in audit planning as listed below in the correct order:

Define objectives
Define scope
Conduct the audit
Lessons learned (and analysis)

451
Q

Which type of storage system places files in a flat organization of containers and uses IDs to retrieve them?

A. Object storage
B. LUN
C. Volume storage
D. Software-defined storage

A

A. Object storage

Explanation:
Object storage utilizes a flat system and assigns files and objects a key value (ID) that can be used to retrieve the files later. This differs from traditional storage, which uses a directory and tree structure.

452
Q

A compromise of which of the following would be the MOST severe?

A. Hypervisor
B. Router
C. Management plane
D. Virtual machine

A

C. Management plane

Explanation:
The management plane provides access to manage all the hosts within a cloud environment. If the management plane were to be compromised, the attacker would then have full control over the cloud environment. The severity of a compromised management plane outweighs that of a compromised hypervisor, virtual machine, or router. For this reason, only a limited and highly vetted group of administrators should have access to the management plane, and access should be audited regularly.

453
Q

Which organization officially defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction”?

A. ISO
B. NIST
C. TOGAF
D. ITIL

A

B. NIST

Explanation:
The National Institute of Standards and Technology (NIST) defines cloud computing in Special Publication (SP) 800-145 as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

454
Q

Which of the following is the LEAST important to consider when securing the management plane for a cloud environment?

A. Access control
B. Network segregation
C. Backups
D. Use of secure communications

A

C. Backups

Explanation:
The management plane can be used to allow administrators to quickly make changes across all of the hypervisors and hosted systems in an environment. If the management plane were to be compromised, it would give the attacker full control of all hypervisors and hosted systems in the environment. This means that protecting the management plane from attackers is of the utmost importance. In order to protect the management plane from attackers, special considerations should be made to ensure the use of secure communications, network separation, and access control.

455
Q

An organization is using VMware ESXi. Which of the following is this an example of?

A. Type 4 hypervisor
B. Type 1 hypervisor
C. Type 3 hypervisor
D. Type 2 hypervisor

A

B. Type 1 hypervisor

Explanation:
A type 1 hypervisor, also known as a bare-metal hypervisor, runs directly on the machine’s physical hardware, unlike a type 2 hypervisor, which runs as an application on top of a host operating system. VMware ESXi is an example of a type 1 hypervisor.

456
Q

A company is in the midst of SLA discussions with a cloud service provider (CSP). They are in the final phases of selecting a CSP and discover that the SLA may not include the collection and provision of crucial evidence regarding the cloud’s operation and use. What is the proper terminology for this?

A. Interoperability
B. Auditability
C. Resiliency
D. Measured service

A

B. Auditability

Explanation:
Auditability is the process of gathering and making available the evidence necessary to demonstrate the operation and use of the cloud. It is good to keep in mind that a CSP will rarely allow a customer to perform an audit on their controls. However, a CSP usually does supply third-party attestations under NDA.

All other options are shared cloud considerations.

457
Q

A cloud security professional has been tasked with creating a logical network segregation and isolation of systems in a cloud environment.

Which networking concept can be used to achieve this?

A. DNS
B. VLAN
C. IPSec
D. SIEM

A

B. VLAN

Explanation:
A VLAN (virtual local area network) is a layer 2 construct that partitions a switched network into separate broadcast domains, giving logical segregation and isolation of systems without separate physical switches. Hosts in different VLANs cannot reach each other directly; any traffic between them must pass through a router or firewall, which is where each segment’s IP range and filtering rules are enforced.

458
Q

Which of the following can data masking NOT be used for?

A. Sandbox environment
B. Authentication
C. Least privilege
D. Remote access

A

B. Authentication

Explanation:
Data masking does not provide any form of authentication.

All the others are good examples of data masking in action.

459
Q

Which of the following standards seeks to provide internationally accepted guidelines for eDiscovery processes and best practices?

A. NIST SP 800-53
B. FISMA
C. ISO/IEC 27050
D. PCI DSS

A

C. ISO/IEC 27050

Explanation:
The ISO/IEC 27050 standard provides guidelines for eDiscovery processes and best practices. ISO/IEC 27050 covers all steps of eDiscovery processes including identification, preservation, collection, processing, review, analysis, and the final production of the requested data archive.

460
Q

Which of the following BEST describes the main difference between TLS and IPsec?

A. TLS is mainly used to encrypt traffic between network devices, while IPsec is used only to encrypt API calls
B. TLS can provide end-to-end encryption of all communications and traffic because it operates at the transport level
C. IPsec can provide end-to-end encryption of all communications and traffic because it operates at the Internet level
D. TLS replaced IPsec as the preferred method for encrypting traffic on the network

A

C. IPsec can provide end-to-end encryption of all communications and traffic because it operates at the Internet level

Explanation:
IPsec (IP Security) and TLS (Transport Layer Security) are both protocols that encrypt traffic as it moves through a network. The main difference between the two, and the reason IPsec stands out here, is that IPsec operates at the network (IP) layer, whereas TLS sits above the transport layer and protects one application session at a time. Because IPsec protects the IP packets themselves, it can cover all traffic between two hosts (transport mode) or between two gateways (tunnel mode) regardless of the application that generated it.

461
Q

Data loss prevention (DLP) is BEST described as:

A. The practice of safeguarding encryption keys
B. A set of controls and practices put in place to ensure that data is only accessible to those authorized to access it
C. The practice of utilizing a random or opaque value to replace what would otherwise be sensitive data
D. The method of using masking, obfuscation, or anonymization to protect sensitive data

A

B. A set of controls and practices put in place to ensure that data is only accessible to those authorized to access it

Explanation:
Data loss prevention refers to a set of controls and practices put in place to ensure that data is only accessible to those authorized to access it.

Tokenization is the practice of utilizing a random or opaque value to replace what would otherwise be sensitive data. Key management is the practice of safeguarding encryption keys. Data de-identification is the method of using masking, obfuscation, or anonymization to protect sensitive data.

462
Q

Which phase of the software development lifecycle will last for the entire lifetime of the software or application?

A. Analysis
B. Design
C. Maintenance
D. Testing

A

C. Maintenance

Explanation:
The maintenance phase of the software development lifecycle is the final stage, and it will go on through the entire lifetime of the software or application. The maintenance phase includes pushing out continual updates, bug fixes, security patches, and anything else needed to keep the software running securely and operating as it should.

463
Q

Incident classification is determined based on what two criteria?

A. Incident type and time of day
B. Time of day and urgency
C. Incident type and impact
D. Impact and urgency

A

D. Impact and urgency

Explanation:
To ensure an incident is dealt with correctly, it is important to determine how critical it is and prioritize the response appropriately. Urgency and impact are assigned values from Low, Medium, or High, and incidents that are high priority are handled first.

464
Q

Company A and Company B both purchase cloud services from the same cloud provider. The cloud provider has Company A and Company B sharing the same environment but ensures that both Company A’s and Company B’s data is isolated from each other and not visible to the other.

What can this type of scenario be described as?

A. Multitenancy
B. Private tenant
C. On-demand self-service
D. Hybrid cloud

A

A. Multitenancy

Explanation:
Cloud providers will often have numerous customers sharing the same environment. However, it falls to the cloud provider to ensure that all the data between these customers is not visible to the others and is isolated from one another.

465
Q

Your organization is considering using a data rights management solution that provides replication restrictions. Which of the following is the MOST accurate description of this functionality?

A. Dates and time-limitations can be applied.
B. Permissions can be modified after a document has been shared.
C. Data is secure no matter where it is stored.
D. The illicit or unauthorized copying of data is prohibited.

A

D. The illicit or unauthorized copying of data is prohibited.

Explanation:
Replication restrictions ensure that no unauthorized or unlawful copying of protected data occurs.

All other options are descriptions of functionalities provided by other features of data rights management solutions.

466
Q

The capacity to independently verify the origin or authenticity of data with a high degree of assurance is referred to as

A. Digital signatures
B. Hashing
C. Chain of custody
D. Non-repudiation

A

D. Non-repudiation

Explanation:
The capacity to affirm the origin or authenticity of data with a high degree of assurance is referred to as non-repudiation. It is accomplished with digital signatures: the data is hashed and the hash is signed with the originator’s private key, so anyone holding the public key can verify both that the data has not been altered and that it came from the key holder, who cannot plausibly deny having produced it. Hashing by itself only detects alteration; it does not prove who produced the data.

This idea is complementary to chain of custody in terms of maintaining the legitimacy and integrity of data.

467
Q

Which storage type uses a virtual hard drive that is attached to the virtual host?

A. Structured
B. Unstructured
C. Object
D. Volume

A

D. Volume

Explanation:
Used in IaaS cloud environments, volume storage involves a virtual hard drive which is attached to the virtual host. The host is able to access the virtual hard drive in the same way a computer accesses a traditional hard drive.

468
Q

In which of the following cloud categories does the cloud customer have full access to and control over the operating systems, storage, and applications without having access to the physical infrastructure?

A. IaaS
B. MaaS
C. PaaS
D. SaaS

A

A. IaaS

Explanation:
IaaS (infrastructure as a service) is often also referred to as “data center as a service.” This is because the cloud provider is the one to provide and maintain all of the infrastructure devices. However, the cloud customer is responsible for the management of everything on the devices, from the storage to the operating systems to the applications installed.

469
Q

The process of ensuring compliance with policy, guidelines, and regulations is known as:

A. Auditing
B. Identification
C. Federation
D. Authorization

A

A. Auditing

Explanation:
Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

Identification is the process of pinpointing either a system or individual in a way that makes them distinct from any other identity. Authorization is the process of granting access to resources. Federation is the process of implementing standard processes and technologies across various organizations so that they can join identity systems while maintaining their autonomy.

470
Q

Which network device is in charge of managing the flow of traffic in and out of the network based on configured rules?

A. Hub
B. Router
C. Switch
D. Firewall

A

D. Firewall

Explanation:
The firewall is the main device that is used to manage the flow of traffic in and out of the network based on rules configured on the firewall. Firewalls can be virtual devices or physical devices.

471
Q

IRM restrictions are typically provisioned by a data owner. In what access model is the owner responsible for defining the restrictions on a per-document basis?

A. Role-based Access Control
B. Mandatory Access Control
C. Non-discretionary Access Control
D. Discretionary Access Control

A

D. Discretionary Access Control

Explanation:
The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. In practice this means the owner manually configures who may view, edit, or share each document, rather than a central policy or a system-assigned label making that decision.

All other options are access control models.

472
Q

You’re revising your organization’s data destruction policy to guarantee that your cloud deployment is adequately protected. Which stage of the cloud data lifecycle will be impacted by this policy?

A. Destroy
B. Use
C. Create
D. All phases of the cloud data lifecycle.
E. Store

A

D. All phases of the cloud data lifecycle.

Explanation:
Data destruction policies encompass all phases of the data lifecycle. This is because data destruction may occur at all phases of the cloud data lifecycle.

473
Q

The ISO/IEC 27018 standard is focused on five key principles. Which of the following is NOT one of these key principles?

A. Consent
B. Transparency
C. Control
D. Restrict

A

D. Restrict

Explanation:
ISO/IEC 27018 is an international code of practice for protecting personally identifiable information (PII) in public clouds that act as PII processors. The five key principles of ISO/IEC 27018 are communication, consent, control, transparency, and independent and yearly audits.

Restrict is not one of the key principles.

474
Q

A merchant takes credit cards through a point of sale system. Which compliance standard must the merchant adhere to?

A. PCI DSS
B. ISO/IEC 27017
C. Common criteria
D. FIPS 140-2

A

A. PCI DSS

Explanation:
Due to the merchant’s involvement with debit or credit cards, they must conform to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance is a contractual requirement imposed by the card brands, and it applies regardless of local rules and regulations regarding cardholder data. The standard consists of prescriptive security requirements covering the cardholder data environment, such as network segmentation, protection of stored cardholder data, access control, logging, and regular testing.

ISO/IEC 27017 is a cloud security code of practice, while Common Criteria and FIPS 140-2 are product evaluation and cryptographic module validation standards; none of them is the standard a card-accepting merchant is contractually bound to.

475
Q

Organization A and Organization B are both cloud customers using the same cloud provider. Organization B was hit with a denial-of-service attack causing them to use many more resources than they would normally need. Fortunately, Organization A will always receive, at least, the minimum resources needed to power and operate their services so that they are not affected by Organization B’s DoS attack.

Which concept guarantees that Organization A will always receive the amount of resources needed to run their services?

A. Reservations
B. Pooling
C. Shares
D. Limits

A

A. Reservations

Explanation:
Reservations refer to the minimum guaranteed amount of resources that a cloud customer will receive, regardless of the resources being used by other cloud customers. This guarantees that the cloud customer will always have, at the very least, the minimum amount of resources needed to power and operate their services. Because of ideas such as multitenancy, in which many cloud customers are utilizing the same pool of resources, reservations protect cloud customers in the event that a neighboring cloud customer experiences an attack which causes them to overuse resources, making them limited.
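Reservations, limits, and shares work together, and the guarantee the card describes is easiest to see with numbers. The scheduler below is an added example written for this page, not a provider’s actual algorithm: it first honours every tenant’s reservation, then hands out whatever capacity is left in proportion to shares while never pushing a tenant past its limit. The tenant data is constructed for the scenario in the question, with org-b absorbing a DoS and demanding far more than usual.

```python
from dataclasses import dataclass


@dataclass
class Tenant:
    name: str
    reservation: float  # guaranteed minimum, honoured before anything else
    limit: float        # hard ceiling the tenant can never exceed
    shares: int         # relative weight when tenants compete for the rest
    demand: float       # what the tenant is trying to consume right now


def allocate(capacity: float, tenants: list) -> dict:
    """Divide a shared resource pool among tenants.

    1. Every tenant first receives min(demand, reservation); the sum of
       reservations must fit in the pool or the provider has oversold it.
    2. Whatever is left is handed out in proportion to shares, but no
       tenant is pushed past min(demand, limit). A tenant that hits its
       cap drops out and the remainder is re-split among the others.
    """
    if sum(t.reservation for t in tenants) > capacity:
        raise ValueError("reservations exceed capacity: pool is oversubscribed")
    alloc = {t.name: min(t.demand, t.reservation) for t in tenants}
    remaining = capacity - sum(alloc.values())
    eps = 1e-9
    while remaining > eps:
        hungry = [t for t in tenants
                  if alloc[t.name] + eps < min(t.demand, t.limit)]
        if not hungry:
            break
        total_shares = sum(t.shares for t in hungry)
        handed_out = 0.0
        for t in hungry:
            headroom = min(t.demand, t.limit) - alloc[t.name]
            give = min(remaining * t.shares / total_shares, headroom)
            alloc[t.name] += give
            handed_out += give
        remaining -= handed_out
    return alloc


# Constructed scenario (not from the page): org-b is absorbing a DoS and
# asks for far more than it normally needs; org-a and org-c are quiet.
TENANTS = [
    Tenant("org-a", reservation=20, limit=40, shares=1, demand=30),
    Tenant("org-b", reservation=20, limit=100, shares=1, demand=500),
    Tenant("org-c", reservation=10, limit=30, shares=2, demand=10),
]

if __name__ == "__main__":
    print(allocate(100, TENANTS))   # org-a gets its full 30, org-b soaks up the slack
    print(allocate(50, TENANTS))    # pool is tight: org-a still gets its reserved 20
```

With 100 units in the pool org-a receives everything it asked for and org-b is held to the slack that remains; with only 50 units every tenant is pinned to its reservation, which is exactly the floor the card describes. The oversubscription check at the top is the practitioner’s caveat: a reservation is only a guarantee if the provider never sells more reservations than the pool can deliver.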

476
Q

Which of the following is true in terms of maintenance and versioning in the cloud?

A. The CSC is responsible for the maintenance and versioning of all components in a SaaS product.
B. Updates and patches are scheduled with the customer in the SaaS or PaaS model.
C. The CSC is responsible for the maintenance and versioning of the hardware, network, and storage, as well as the virtualization software, in an IaaS solution.
D. The Cloud Service Customer (CSC) is responsible for the maintenance and versioning of the apps they acquire and develop in a PaaS solution. The Cloud Service Provider (CSP) is responsible for the platform, tools, and underlying infrastructure.

A

D. The Cloud Service Customer (CSC) is responsible for the maintenance and versioning of the apps they acquire and develop in a PaaS solution. The Cloud Service Provider (CSP) is responsible for the platform, tools, and underlying infrastructure.

Explanation:
In the PaaS cloud service model, the CSC is in charge of maintaining and versioning the apps they acquire and develop.

The CSP is responsible for the platform and tools supplied by the PaaS solution, as well as the underlying infrastructure. SaaS and IaaS are other cloud service models.

477
Q

An engineer has been tasked with ensuring that only authorized systems and users have access to sensitive information. This is done using a set of controls to protect the data.

What name is given to the set of controls that ensures data is only accessible by authorized users and systems?

A. API
B. SDN
C. DLP
D. SLA

A

C. DLP

Explanation:
DLP stands for data loss prevention or data leakage prevention. As the name suggests, DLP is a set of controls that is used to ensure that data is only accessible to those who should have access to it. DLP control sets, practices, and measures will vary from organization to organization.

478
Q

In traditional data centers, physical separation and segregation are used to secure data. However, these concepts are not possible in or applicable to cloud environments. With concepts like multitenancy and resource pooling at the forefront of cloud technologies, which of the following is used to keep data private?

A. Antivirus
B. Object storage
C. Encryption
D. BYOD

A

C. Encryption

Explanation:
In order to secure data in a multitenancy and resource pooling cloud environment, encryption is required. There are different types of encryption for data at rest, data in use, and data in transit.

479
Q

IRM restrictions are typically provisioned by a data owner. In what access model is the owner responsible for defining the restrictions on a per-document basis?

A. Discretionary Access Control
B. Role-based Access Control
C. Non-discretionary Access Control
D. Mandatory Access Control

A

A. Discretionary Access Control

Explanation:
The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. In practice this means the owner manually configures who may view, edit, or share each document, rather than a central policy or a system-assigned label making that decision.

All other options are access control models.

480
Q

An organization is building a new data center. They need to ensure that proper heating and cooling has been implemented. What is the recommended minimum and maximum temperature for a data center?

A. 62.2 - 81.0 degrees F
B. 64.4 - 80.6 degrees F
C. 60.1 - 75.2 degrees F
D. 59.5 - 79.5 degrees F

A

B. 64.4 - 80.6 degrees F

Explanation:
According to ASHRAE (American Society of Heating, Refrigerating and Air-Conditioning Engineers), the recommended temperature range for a data center is a minimum of 64.4 degrees F and a maximum of 80.6 degrees F. This is 18 - 27 degrees C.

481
Q

At what phase of the SSDLC does the coding of software components and integration occur?

A. Design
B. O&M
C. Development
D. Deployment

A

C. Development

Explanation:
The development phase entails the coding of software components as well as the integration and construction of the overall solution.

482
Q

There are two main types of storage in SaaS environments. Which SaaS storage type is the classic form of storing data within databases that the application uses and maintains?

A. Volume storage
B. Information storage and management
C. Content and file storage
D. Object storage

A

B. Information storage and management

Explanation:
Information storage and management is the classic form of storing data within databases that the application uses and maintains. This storage method is used in software as a service (SaaS) offerings.

The other type of SaaS storage is content and file storage in which the SaaS application allows for data to be uploaded that is not part of the underlying database. Volume and object storage are used in IaaS environments rather than SaaS.

483
Q

FISMA is piece of legislation that pertains specifically to which of the following?

A. Any systems that will interact with federal agencies
B. The collection and storing of protected health information
C. Any organization which deals with credit card information
D. The storing of personally identifiable data (PII)

A

A. Any systems that will interact with federal agencies

Explanation:
Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government.

484
Q

An organization has hired a centralized group of security engineers to focus solely on dealing with security issues that arise within the organization. The group is responsible for monitoring the logs in the SIEM, responding to incidents, and analyzing threats that arise.

What would this group of engineers be called?

A. SOC
B. NOC
C. Regulator
D. Cloud provider

A

A. SOC

Explanation:
A SOC (security operations center) is a group of individuals who focus solely on the monitoring, reporting, and handling of any security issues for an organization. SOC engineers will typically be responsible for monitoring the logs within a SIEM if there is one in place. SOCs are usually staffed 24/7 to ensure that someone is available in the event of a security incident.

485
Q

What form of storage is used when content is saved in object storage and then dispersed to multiple geographical hosts to increase internet consumption speed?

A. SAN
B. CDN
C. SDS
D. SDN

A

B. CDN

Explanation:
A content delivery network (CDN) provides globally-distributed object storage, allowing an organization to keep data as close to users as possible. As a result, end users benefit from reduced bandwidth consumption and decreased latency because they can pull from a server closer to their geographic location.

Software defined storage (SDS), Software defined networking (SDN) and storage area network (SAN) are incorrect options.

486
Q

Which of the following should always be used, when available, to ensure that a patch file that has been downloaded matches what the vendor has provided?

A. Validation software
B. Proprietary file checking
C. Hash values
D. Encryption algorithms

A

C. Hash values

Explanation:
It’s very important to ensure that security patches that are downloaded are actually from the vendor and have not been modified by an attacker. In many cases, vendors will provide a hash value that can be used to check and validate the download of the patch file. When these hash values are available, they should be used to validate and ensure that the patch file matches what the vendor has provided.

487
Q

Which management strategy is focused on the required system resources needed to deliver performance at an acceptable level to meet SLA requirements and in a cost-effective manner?

A. Capacity management
B. Release and Deployment management
C. Availability management
D. Configuration management

A

A. Capacity management

Explanation:
Capacity management is a critical component of any IT system’s overall operation. If a system is under-provisioned, services and performance will suffer, perhaps resulting in business or reputation damage. Capacity management focuses on the system resources required to offer acceptable performance in order to meet SLA criteria while remaining cost-effective.

All other options do not support capacity management.

488
Q

When designing and building out a cloud data center, which component requires the MOST security, as a compromise of this could lead to a compromise of all hosted systems?

A. Hypervisor
B. Virtual router
C. Virtual machine
D. Management plane

A

D. Management plane

Explanation:
In virtual environments, the management plane has access to all of the hypervisors and hosted systems. While this creates ease of use for administrators, it can also lead to security risks. If an attacker were able to compromise the management plane, they would be able to compromise all of the hypervisors and hosted systems in the environment.

489
Q

You work for a financial institution and have recently migrated from a private cloud to a cloud-based infrastructure as a service (IaaS) deployment with a public CSP. As the technology director, you are concerned about the exposure of personal financial information. Which U.S. federal legislation would be applicable?

A. GLBA
B. SCA
C. SOX
D. HIPAA

A

A. GLBA

Explanation:
The Gramm-Leach-Bliley Act (GLBA) would be most applicable. GLBA is a U.S. federal law that requires financial institutions to disclose how they share and protect their customers’ private information. GLBA is widely regarded as the most comprehensive federal data privacy and security legislation.

Health care businesses are subject to the Health Insurance Portability and Accountability Act (HIPAA). Sarbanes-Oxley (SOX) protects individuals in publicly-traded firms against accounting errors and fraudulent practices. The Stored Communications Act (SCA) guards against illegal access to and interception of electronic communications and computer services.

490
Q

Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and which of the following?

A. Monitoring
B. Data leakage
C. Encryption
D. Data de-identification

A

A. Monitoring

Explanation:
Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and monitoring. The monitoring stage is the core purpose of a DLP strategy as it involves watching the data move through its various states.

491
Q

Which of the following is NOT checked when using the DREAD threat model?

A. Measure of damage to the system should a successful exploit occur
B. Measure of how easy it is to reproduce an exploit
C. Measure of how easy or hard it is to discover the threat
D. Measure of the skill level or resources needed to successfully exploit a threat
E. Measure of RTO disaster recovery activities should systems need restoration after a successful exploitation

A

E. Measure of RTO disaster recovery activities should systems need restoration after a successful exploitation

Explanation:
The measure of RTO disaster recovery activities should systems need restoration after a successful exploit is not checked when using the DREAD threat model.

The DREAD threat model focuses on the quantification of risk and threat evaluation. DREAD is based on the equation below, which calculates the value based on risk quantification in specific categories, with a value ranging from 0 to 10:

Risk DREAD = (Damage + Reproducibility + Exploitability + Affected users + Discoverability) / 5

492
Q

An organization implemented new system and communication protections that prevent users from altering and misconfiguring systems and communication processes. What type of protection did the organization implement?

A. Boundary protection
B. Security function isolation
C. DOS Protection
D. Separation of system and user functionality

A

D. Separation of system and user functionality

Explanation:
Separating system and user functions is critical for system and communication security. Separation of duties is a key security concept that protects users from modifying or incorrectly configuring systems and communication processes.

493
Q

The process of developing cloud-based software solutions entails data ingestion, processing, and output. Which of the following is a data exchange format that is used when data is transmitted over a network using the HTTP/S or SMTP protocols?

A. XML
B. REST API
C. SOAP
D. OOS

A

A. XML

Explanation:
Software components process and send data in a variety of ways between themselves and storage media. Extensible Markup Language (XML) is a standard information exchange format that employs tags to define data and is transmitted using the HTTP/S or SMTP protocols.

All other options are incorrect.

494
Q

An organization is taking a network approach which allows network control and filtering to be handled separately from traffic forwarding. This allows for dynamic changes to traffic flows based on customer needs and demands.

What is the name of the network approach described here?

A. Compute reservations
B. Software-defined networking
C. Virtualization
D. Cloud computing

A

B. Software-defined networking

Explanation:
In software defined networking, decisions regarding where traffic is filtered and sent are separate from the actual forwarding of the traffic. This separation allows network administrators to quickly and dynamically adjust network flows based on the needs of customers. Software defined networking is often shortened to SDN.

495
Q

Which international standard contains information about the architecture and security of Trusted Platform Modules (TPMs)?

A. ISO/IEC 11889
B. ISO/IEC 27018
C. ISO/IEC 11900
D. ISO/IEC 27050

A

A. ISO/IEC 11889

Explanation:
ISO/IEC 11889 specifies how various cryptographic techniques and architectural elements are to be implemented. It consists of four parts including an overview of the architecture of the TPM, design principles, commands, and supporting code.

All other options are ISO/IEC standards that apply to other types of technologies.

496
Q

An individual who has full ownership and responsibility over data, and determines the appropriate controls for it, is known as which of the following?

A. Data processor
B. Data steward
C. Data custodian
D. Data owner

A

D. Data owner

Explanation:
A data owner is the party that maintains full responsibility and ownership of data. Data owners determine the appropriate controls that are necessary to protect that data. The data owner also determines appropriate use of the data.

497
Q

An organization is in the process of building a new data center. They want to ensure that the moisture level is not too high in their data center. What is the recommended maximum moisture level for a data center?

A. 80 percent relative humidity
B. 50 percent relative humidity
C. 60 percent relative humidity
D. 70 percent relative humidity

A

C. 60 percent relative humidity

Explanation:
The recommended maximum moisture level in a data center is 60 percent relative humidity. The recommended minimum is 40 percent relative humidity. When there is too much moisture in the air, it can cause condensation to form, which may damage the systems. In addition, having the humidity levels too low may cause an excess of electrostatic discharge.

498
Q

Organizations like yours are looking for guidance on how to meet business objectives while also managing and minimizing the risks that come with implementing cloud computing solutions. Which of the following would be the most helpful?

A. OWASP
B. IEEE
C. IANA
D. CSA

A

D. CSA

Explanation:
The Cloud Security Alliance (CSA) is an organization that offers guidance to organizations deploying a cloud environment.

OWASP, IANA and IEEE are other guidance organizations.

499
Q

A hacker was able to send untrusted data to a user’s browser without going through any validation process. What type of attack is being described here?

A. SQL injection
B. XML external entities
C. Sensitive data exposure
D. Cross-site scripting

A

D. Cross-site scripting

Explanation:
Cross-site scripting (XSS) is a type of injection attack. XSS attacks occur when an attacker is able to send data to a user’s browser without having to go through any validation process. Essentially, the victim visits a website or web application which delivers and executes the malicious code to the user’s browser. Web forums and message boards are common locations to find XSS attacks.

500
Q

During the development/coding phase of the software development lifecycle, functional testing is done as each portion of the code is completed by which team?

A. Security
B. Quality assurance
C. Development
D. Management

A

C. Development

Explanation:
As each portion of code is created and completed, functional testing is done on it by the development team. This testing is done to ensure that it compiles correctly and operates as intended.

501
Q

Which of the following is a benefit of using a proprietary or vendor API rather than using an open source API?

A. Ability to change code
B. Ability to review code
C. Free to use
D. Formal patch management

A

D. Formal patch management

Explanation:
When using a vendor or proprietary API, it is unlikely that you will have access to review or make changes to the source code. It’s also unlikely that a vendor or proprietary API will be free to use. These are all generally features of using an open source API.

One benefit of using a proprietary or vendor API is that it will likely include formal patch management.

502
Q

A social security number is which type of PII?

A. Descript identifier
B. Nondescript identifier
C. Direct identifier
D. Indirect identifier

A

C. Direct identifier

Explanation:
PII (personally identifiable information) is broken up into direct and indirect identifiers. A social security number is enough to identify a person without requiring more information, making it a direct identifier.

An example of an indirect identifier would be a zip code. Nondescript and descript identifiers are not real types of PII.

503
Q

An organization has purchased an IaaS cloud service from their cloud provider. What type of billing model should this organization expect to see?

A. Metered usage that changes based upon resource utilization
B. Up-front equipment purchase, then a locked-in monthly fee afterward
C. One up-front cost to purchase cloud equipment
D. Locked-in monthly payment that never changes

A

A. Metered usage that changes based upon resource utilization

Explanation:
In an IaaS environment, the customer can expect to only pay for the resources that they are using. This is far more cost effective and allows for greater scalability. However, this type of billing does mean that the price is not locked-in and it could change as the need for resources either increases or decreases from month to month.

504
Q

Of the following, which is TRUE regarding eDiscovery?

A. eDiscovery in a traditional data center is typically easier and less complex than eDiscovery in a cloud environment.
B. eDiscovery is not possible in a traditional data center environment.
C. eDiscovery is not possible in a cloud environment.
D. eDiscovery in a cloud environment is typically easier and less complex than eDiscovery in a traditional data center.

A

A. eDiscovery in a traditional data center is typically easier and less complex than eDiscovery in a cloud environment.

Explanation:
Within a traditional data center environment, any systems needed for an investigation can easily be physically isolated and preserved. In a cloud environment, most cloud customers do not own their own hardware, but instead share physical hardware in a multi-tenant cloud. Due to this, eDiscovery is typically easier and less complex in a traditional data center than in a cloud environment.

505
Q

Which of the following statements regarding GDPR is FALSE?

A. GDPR does offer some exemptions for national security agencies and law enforcement agencies.
B. Under Article 33 of the GDPR, data controllers have 72 hours to report a breach to the applicable agencies if an attacker was able to view data of any EU citizen.
C. GDPR has no impact on organizations operating outside of the EU.
D. GDPR is focused on protecting the personal and private data of EU citizens.

A

C. GDPR has no impact on organizations operating outside of the EU.

Explanation:
The General Data Protection Regulation (GDPR) is a regulation which focuses on protecting the data of EU citizens regardless of where the data was created, collected, processed, or stored. This means that if a citizen of the EU utilizes a website that is run by an organization outside of the EU, that organization is still required by law to adhere to GDPR.

506
Q

A software development company is looking to purchase a cloud service. They need the ability to develop and maintain their applications in the cloud without needing to manage and maintain the servers and network equipment that keeps the applications running.

Which of the following cloud service types BEST fits the needs of the software development company?

A. PaaS
B. DaaS
C. SaaS
D. IaaS

A

A. PaaS

Explanation:
Platform as a Service (PaaS) provides organizations with a place to develop and maintain software and applications without needing to maintain the infrastructure or the server operating systems. This allows the developers and programmers to focus strictly on the tasks that they excel at, such as creating new applications.

507
Q

In which of the following cloud service categories would the cloud customer share responsibility with the cloud provider for data privacy at the infrastructure level?

A. PaaS
B. DaaS
C. IaaS
D. SaaS

A

C. IaaS

Explanation:
In the Infrastructure as a Service cloud service model, the cloud customer shares responsibility with the cloud provider for infrastructure security.

In both PaaS and SaaS models, the cloud provider is solely responsible for security at the infrastructure level.

508
Q

What term BEST describes the scenario of multiple cloud customers sharing the same resources within the same environment, while also isolating them from each other for security purposes?

A. Multitenancy
B. Shared tenancy
C. On-demand self service
D. Hybrid cloud

A

A. Multitenancy

Explanation:
Multitenancy describes the scenario in which cloud providers have multiple customers sharing the same pool of resources or residing within the same environment. These cloud customers are kept isolated from each other for security purposes.

509
Q

Your organization is in the process of migrating to the cloud. Mid-migration you come across details in an agreement that may leave you non-compliant. Who would be the BEST contact to discuss your cloud environment compliance with legal jurisdictions?

A. Partner
B. Regulator
C. Stakeholder
D. Consultant

A

B. Regulator

Explanation:
As a CCSP, you are responsible for ensuring that your organization’s cloud environments adhere to all applicable regulatory requirements. By staying current on regulatory communications surrounding cloud computing and maintaining contact with approved advisors and, most crucially, regulators, you should be able to assure compliance with legal jurisdictions.

All other options are roles within the organization.

510
Q

An engineer has just implemented a new hypervisor that is completely dependent on the host operating system for all operations. What type of hypervisor has this engineer implemented?

A. Full service hypervisor
B. Type 2 hypervisor
C. Type 1 hypervisor
D. Bare metal hypervisor

A

B. Type 2 hypervisor

Explanation:
Type 2 hypervisors depend on and run on top of the host operating system, rather than running directly on the hardware in the way Type 1 hypervisors do.

Bare metal hypervisors are another name used for type 1 hypervisors. Full service hypervisors are not an actual type of hypervisor.

511
Q

IRM restrictions are typically provisioned by a data owner. In what access model is the owner responsible for defining the restrictions on a per-document basis?

A. Role-based Access Control
B. Mandatory Access Control
C. Non-discretionary Access Control
D. Discretionary Access Control

A

D. Discretionary Access Control

Explanation:
The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database.

All other options are access control models.

512
Q

An auditor performing a manual audit pulls a registry file from a sample of Windows servers and compares it to a baseline. Where would she be pulling the baseline from?

A. ISMS
B. CMDB
C. Code repository
D. SIEM

A

B. CMDB

Explanation:
The organization’s configuration management database (CMDB) should capture all configuration items (CIs) that have been placed under configuration management. This database can be used for manual audits as well as automated scanning to identify systems that have drifted out of their secure state.

513
Q

Of the following statements, which is the MOST accurate?

A. Cloud platforms are always less expensive than on-prem solutions.
B. Traditional data centers and cloud environments have the exact same risks.
C. Cloud platforms offer increased scalability and performance.
D. There are no security risks associated with moving to a cloud environment.

A

C. Cloud platforms offer increased scalability and performance.

Explanation:
Cloud environments are attractive to organizations because they offer increased scalability and performance.

While it’s possible that moving to the cloud can be less expensive than traditional data centers, that is not always the case. Sometimes cloud platforms can come with hidden costs that weren’t initially expected. Cloud platforms come with their own set of security risks and, while some are the same as the risks you’d see in a traditional data center, some are different as well.

514
Q

Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and which of the following?

A. Data de-identification
B. Data leakage
C. Monitoring
D. Encryption

A

C. Monitoring

Explanation:
Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and monitoring. The monitoring stage is the core purpose of a DLP strategy as it involves watching the data move through its various states.

515
Q

An engineer is helping to develop a business continuity and disaster recovery (BCDR) plan with her organization. What is the proper order of steps to follow when developing a BCDR plan?

A. Gather requirements, define scope, design, assess risk, implement, analyze, test, report and revise
B. Define scope, gather requirements, analyze, assess risk, design, implement, test, report and revise
C. Define scope, analyze, gather requirements, assess risk, design, implement, report and revise, and test
D. Gather requirements, define scope, assess risk, design, analyze, implement, test, report and revise

A

B. Define scope, gather requirements, analyze, assess risk, design, implement, test, report and revise

Explanation:
When developing a business continuity and disaster recovery (BCDR) plan, the following order should be followed:

    Define scope
    Gather requirements
    Analyze
    Assess risk
    Design
    Implement the plan
    Test the plan
    Report and revise

516
Q

A cloud provider has its customer’s data distributed throughout numerous data centers worldwide for the purpose of disaster recovery. What is the name of this process?

A. Community cloud
B. Data dispersion
C. Cloud distribution
D. Data sanitization

A

B. Data dispersion

Explanation:
When a customer’s data is distributed (or dispersed) throughout numerous geographic locations, this is known as data dispersion. Data dispersion can be used for disaster recovery purposes as it mitigates the risk of permanently losing data due to a disaster that occurs in one location.

517
Q

A cloud provider had customers using a multitenancy and resource pooling environment. Unfortunately, the cloud provider didn’t have the proper layers of security in place, which made it possible for one customer to access another customer’s private data.

What type of threat is this known as?

A. Malicious insiders
B. Insufficient logging and monitoring
C. Shared technology issues
D. Advanced persistent threats

A

C. Shared technology issues

Explanation:
Shared technology issues occur in the cloud whenever there is a multitenancy and resource pooling environment that the cloud provider has not properly secured. Multitenancy and resource pooling are both very common practices in cloud computing; but, when they are being used, it is up to the cloud provider to add additional layers of security to ensure that each cloud customer has access to only their own data and not others’ who may be sharing the same environment.

518
Q

Volume and object are storage types used in which cloud service model?

A. IaaS
B. SaaS
C. PaaS
D. DaaS

A

A. IaaS

Explanation:
Each cloud service model uses different types of storage as shown below.

Infrastructure as a Service (IaaS): Volume, Object
Platform as a Service (PaaS): Structured, Unstructured
Software as a Service (SaaS): Content and file storage, information storage and management

DaaS is not a real type of cloud service model.

519
Q

What term BEST describes the scenario of multiple cloud customers sharing the same resources within the same environment, while also isolating them from each other for security purposes?

A. On-demand self service
B. Hybrid cloud
C. Multitenancy
D. Shared tenancy

A

C. Multitenancy

Explanation:
Multitenancy describes the scenario in which cloud providers have multiple customers sharing the same pool of resources or residing within the same environment. These cloud customers are kept isolated from each other for security purposes.

520
Q

In cloud computing, what would be considered the opposite of reservations?

A. Limits
B. Multitenancy
C. Shares
D. Authentication

A

A. Limits

Explanation:
Limits and reservations are both terms referring to how resources are allocated in a cloud environment. Reservations refer to the minimum amount of resources that a cloud customer is guaranteed to receive. The opposite of reservations are limits. Limits refer to the maximum of resources that a cloud customer may utilize.

Shares refer to the prioritization of systems in the event of high utilization periods. Multitenancy refers to multiple cloud customers sharing the same cloud environment. Authentication is the granting of access to resources.

521
Q

Which of the following acronyms is used to describe the act of allowing employees to bring their own equipment (laptops, smartphones, tablets) on to the company’s network?

A. BYOC
B. BDOY
C. BYOD
D. BYOE

A

C. BYOD

Explanation:
BYOD stands for Bring Your Own Device and it is the act of allowing employees to bring their own equipment such as laptops, smartphones, and tablets on to the company network. This has become specifically popular with the onset of cloud computing.

522
Q

The final stage of DLP implementation is:

A. Monitoring
B. Enforcement
C. Identification
D. Discovery

A

B. Enforcement

Explanation:
DLP is made up of three main stages including discovery and classification, monitoring, and enforcement. Enforcement is the final stage of DLP implementation. During the final stage, DLP policies are enforced and violations which were observed during the monitoring stage are addressed.

523
Q

DLP solutions that are implemented on the network perimeter, to capture traffic as it leaves the network, are used to protect data in which state?

A. Data at rest
B. Data in use
C. Data in transit
D. Data in storage

A

C. Data in transit

Explanation:
In order to protect data in transit (DIT), data loss prevention (DLP) methods are put in place on the network perimeter. They will capture traffic as it leaves the network through various protocols such as HTTP and SMTP. These DLP solutions check to ensure that data leaving the network meets the security requirements.

524
Q

The cloud administrator created a VM in Azure and accidently removed all network access from it, effectively locking themselves out. What are the other options for the administrator to regain access?

A. RDP
B. Console access
C. Jumpbox
D. Contact Microsoft
E. None of the options are correct

A

E. None of the options are correct

Explanation:
Since the user removed all networking access from the VM, the user will be unable to use console access, RDP, or a jump box. Unfortunately, Microsoft cannot reconfigure that VM, because allowing that level of access to consumer resources is incredibly risky.

525
Q

Alison is concerned that a malicious individual had gained access to her online health account in which her mental health history was listed. What type of data is Alison concerned was stolen?

A. PCI
B. PCD
C. PII
D. PHI

A

D. PHI

Explanation:
PHI stands for protected health information. All data that pertains to an individual and their health care is classified as PHI. This includes mental health information, physical health information, medical history, test and lab results, as well as a number of other items.

526
Q

Tracking file modifications is imperative when it comes to data security strategies. What can be used to ensure the integrity of data?

A. Tokenization
B. Obfuscation
C. DLP
D. Hashing

A

D. Hashing

Explanation:
Hashing feeds data into a one-way cryptographic algorithm that generates a unique value called a hash or message digest. Generating another hash of the same file in the future will produce the exact same value only if the data has not been modified; this protects data integrity. If the data has been altered, the new hash will differ from the original.

All other options are data security technologies and strategies.

527
Q

Cloud customers are spared from needing detailed network hardware configuration knowledge when configuring cloud network components due to what type of networking?

A. SDN
B. SDS
C. SSH
D. CDN

A

A. SDN

Explanation:
Software-Defined Networking (SDN) enables the creation of virtual networks that do not require any hardware much like a virtual machine. SDNs are theoretically a software layer that sits between user interfaces and the underlying networking devices. When configuring cloud-based network resources, users are not required to have device-specific technical knowledge.

Software defined storage (SDS) and content delivery network (CDN) are other networking technologies in the cloud. SSH is an invalid choice.

528
Q

Which of the following is an agreement with a cloud service provider that specifies the metrics to be anticipated?

A. MSA
B. RSL
C. SLA
D. MTTR

A

B. RSL

Explanation:
The recovery service level (RSL) identifies the operations that you anticipate from your cloud service provider (CSP) during the restoration of a cloud resource. RSL agreements outline the parameters of the CSP’s recovery process.

529
Q

An attacker has managed to gain access to one of the file servers within an organization using a social engineering technique. Now that he has access to the file server, he has planted a backdoor so that he can return regularly and collect data without the organization knowing. He has had this access for several months and has stayed under the radar so that the organization can’t detect him.

What type of threat is being described here?

A. Advanced persistent threat
B. Malicious insider
C. Denial of service
D. Account hijacking

A

A. Advanced persistent threat

Explanation:
As the name suggests, an advanced persistent threat is done by an advanced attacker who has managed to gain unauthorized access and is carrying out the attack (usually the act of data theft) over a long (persistent) period of time. Unlike some attacks which cause chaos and make themselves very well known, advanced persistent threats try to stay undetected for as long as possible.

530
Q

What is the FIRST stage in the software development lifecycle (SDLC) in which security engineers should be involved?

A. Testing
B. Requirement gathering and feasibility
C. Design
D. Development/coding

A

B. Requirement gathering and feasibility

Explanation:
Security engineers should be a part of every single phase of the SDLC, including the first stage: requirement gathering and feasibility. It is much more efficient to add security into an application as it’s being developed than to attempt to add in security features later on (after it’s in production). During the requirement gathering and feasibility stage of the SDLC, security engineers look at the risks associated with the project.

531
Q

What is a KVM used for?

A. As a method for backing up data within a cloud environment
B. As a storage method for cloud hosted servers
C. To connect a keyboard, mouse, and monitor to a physical server
D. To prevent attackers from gaining unauthorized access to physical servers

A

C. To connect a keyboard, mouse, and monitor to a physical server

Explanation:
A KVM is used to connect a keyboard, mouse, and monitor to physical servers in a data center to provide access. KVM stands for keyboard, video, mouse. It’s important, in a data center, that security measures are put in place to prevent unauthorized access using the KVM.

532
Q

A guest on a virtual machine was able to ‘break out’ of the virtual machine and interact directly with the hypervisor. What type of attack is being described here?

A. Brute force
B. Side channel attack
C. VM escape
D. Denial-of-service

A

C. VM escape

Explanation:
In a VM escape attack, code running inside a guest virtual machine uses an exploit (typically a flaw in the hypervisor or in an emulated device) to break outside the limits of the virtual machine and interact directly with the hypervisor. A successful VM escape can give the attacker access to the host and, from there, to every other virtual machine running on that host, which is why hypervisor patching and minimizing exposed virtual devices matter so much in multitenant environments.

533
Q

Any systems that will interact with federal agencies must adhere to the requirements in which of the following?

A. FISMA
B. PCI DSS
C. SOX
D. HIPAA

A

A. FISMA

Explanation:
Any systems that will interact with federal agencies in any manner (including systems operated by contractors or cloud providers on an agency's behalf) must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with the security controls required by the federal government, which are drawn from the NIST publications that FISMA directs agencies to follow.

534
Q

Tokenization can BEST be described as:

A. A set of controls and practices put in place to ensure that data is only accessible to individuals who are authorized to access it
B. The practice of safeguarding encryption keys
C. A method which involves transforming a string of characters into a fixed-length value or key that represents the original string
D. The practice of utilizing a random or opaque value in data to replace what would otherwise be sensitive data

A

D. The practice of utilizing a random or opaque value in data to replace what would otherwise be sensitive data

Explanation:
Tokenization is the practice of replacing a sensitive value (such as a payment card number) with a random or opaque token that has no mathematical relationship to the original. The mapping between token and original value is kept in a separately secured token vault, so only the vault can reverse the substitution; systems that store or process the token never hold the sensitive data.

Data loss prevention (DLP) is a set of controls and practices put in place to ensure that sensitive data is only accessible to, and only reaches, individuals who are authorized to access it. Hashing is a method which transforms a string of characters into a fixed-length value that represents the original string; unlike a token, a hash is derived from the data and cannot be reversed by a lookup. Key management is the practice of safeguarding encryption keys.
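
The distinction above (a random token that only a vault can reverse, versus a hash that is derived from the data and cannot be reversed by anyone) is easier to see in code. The following is an added example and not part of the flashcard deck; the `TokenVault` class, the field names and the card number are constructed for illustration (4111111111111111 is a standard test number, not a real account).

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random, opaque tokens to the sensitive values they stand in for.

    The token carries no information about the original value; only a lookup
    in this (separately secured) vault can reverse it.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the existing token so the same value always maps to the same
        # token; downstream systems can still join on it without seeing the value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)   # 64 random bits, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Raises KeyError for an unknown token: there is nothing to "decrypt".
        return self._token_to_value[token]


def tokenize_record(vault, record, sensitive_fields):
    """Replace the sensitive fields of a record with vault tokens; other fields pass through."""
    return {
        key: vault.tokenize(value) if key in sensitive_fields else value
        for key, value in record.items()
    }


def keyed_hash(value, key):
    """Contrast: an HMAC is deterministic and one-way. Nobody can reverse it, so it suits
    integrity checks or pseudonymous joins, but not retrieving the original value later."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


# Constructed sample record (hypothetical customer; test card number, not a real account).
SAMPLE_RECORD = {"customer": "alice", "pan": "4111111111111111", "amount": "19.99"}
SENSITIVE_FIELDS = {"pan"}

if __name__ == "__main__":
    vault = TokenVault()
    safe = tokenize_record(vault, SAMPLE_RECORD, SENSITIVE_FIELDS)
    print(safe)                               # the pan field is now tok_...
    print(vault.detokenize(safe["pan"]))      # only the vault can get the PAN back
    print(keyed_hash(SAMPLE_RECORD["pan"], b"example-key"))
```

In a real deployment the vault is the component that inherits the compliance scope (for example PCI DSS), so it is isolated on its own network segment with its own access controls and audit logging; the downstream applications holding only tokens drop out of that scope.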

535
Q

An engineer needs to provision a new cloud service. He is able to do so without ever interacting with the cloud provider. What is this known as?

A. Resource pooling
B. Reversibility
C. Hybrid cloud
D. On-demand self service

A

D. On-demand self service

Explanation:
In cloud computing, on-demand self service is the ability for cloud customers to add, configure, and provision a new cloud service without ever needing to interact with the cloud provider. This is usually done through a web portal and is an integral component of the pay-as-you-go cloud billing model.

536
Q

Which of the following is TRUE regarding the transfer of risk?

A. Transfer of risk is often the cheapest option for responding to risk
B. Risk transfer can only be done when the organization has exhausted all other risk responses
C. Under some regulations, risk cannot be transferred
D. Risk transfer should always be the first avenue that an organization takes to respond to risk

A

C. Under some regulations, risk cannot be transferred

Explanation:
Under some regulations, risk cannot be transferred: the data owner remains accountable for any incident resulting in loss of privacy or confidentiality, even if processing has been outsourced or the financial loss is insured. This is especially true in regard to personal data, where privacy law holds the organization that collected the data responsible regardless of which provider was processing it.

537
Q

The main goal of ________ is to ensure that individuals who should not have access to sensitive data and systems are not given access to them.

A. Repudiation
B. Integrity
C. Confidentiality
D. Availability

A

C. Confidentiality

Explanation:
The main goal of confidentiality is to ensure that individuals who should not have access to sensitive data and systems are not given access to them. However, it’s important that preventing access to unauthorized parties does not impact access to those who are authorized.

538
Q

Which phase of the software development lifecycle (SDLC) typically takes the LONGEST amount of time?

A. Development/coding
B. Design
C. Testing
D. Requirement gathering and feasibility

A

A. Development/coding

Explanation:
During the development/coding phase of the SDLC, the plans and requirements are turned into executable code. This is the heart of the software development process. Some functional testing is also completed during this stage. Development/coding is the bulk of the SDLC and will typically take the longest.

539
Q

Which Russian law states that any collecting, processing, or storing of data on Russian citizens must be done from systems which are physically located in the Russian Federation?

A. GLBA
B. SOX
C. 526-FZ
D. GDPR

A

C. 526-FZ

Explanation:
Russian law 526-FZ was enacted in September of 2015. The law states that any collecting, processing, or storing of personal or private data that pertains to Russian citizens must be done from systems and databases which are physically located within the Russian Federation.

540
Q

What is used to consolidate large amounts of structured data, often from disparate sources inside or outside the organization, with the goal of supporting business intelligence and analysis efforts?

A. Data lake
B. Data mining
C. Data warehouse
D. Data mart

A

C. Data warehouse

Explanation:
A data warehouse is structured storage in which data from many sources has been cleaned and normalized to fit a defined data model, so that it can be queried consistently for business intelligence and analysis.

A data lake stores raw data in its native format without a predefined model, and a data mart is a subject-specific subset of a warehouse; both are storage mechanisms. Data mining is an analysis technique applied to stored data, not a storage mechanism.

541
Q

The six-step cloud secure data life cycle starts with the creation of data and ends with:

A. The archival of data
B. The use of data
C. The sharing of data
D. The destruction of data

A

D. The destruction of data

Explanation:
The final step in the cloud secure data life cycle is destroy. This represents the destruction and sanitization of data so that it is permanently removed and no longer accessible; in a cloud environment, where the customer cannot physically wipe the provider's disks, this usually means cryptographic erasure (destroying the keys the data was encrypted with).

542
Q

Communication is critical and necessary between parties, even more so when it comes to IT cloud services. What role goes through an onboarding, management, maintenance, and offboarding process to ensure that the cloud customer security expectations are met?

A. Partner
B. Vendor
C. Regulator
D. Cloud service provider

A

A. Partner

Explanation:
Partners frequently have the same amount of access to an organization's systems as employees do, but they are not directly under the organization's authority. Partner onboarding, management, maintenance, and offboarding processes should establish clear expectations of the cloud service customer's security needs, and offboarding in particular must revoke the partner's access promptly.

Vendors, regulators, and cloud service providers are other external parties an organization using cloud services must deal with, but the onboarding-to-offboarding lifecycle in the question describes the partner relationship.

543
Q

Roger is working within a database. The data in the database is encrypted, but Roger doesn’t notice the encryption. Which method of encryption is integrated within the actual database processes and, therefore, not noticeable by the user?

A. Speed encryption
B. Computational encryption
C. Blind encryption
D. Transparent encryption

A

D. Transparent encryption

Explanation:
Transparent encryption is a method of encryption that works by being integrated right into the database processes. In this way, the encryption is unnoticeable by the user.

Blind encryption, computational encryption, and speed encryption are not legitimate encryption types.

544
Q

Your data in the cloud is stored in the EU region—what law or regulation would the data be governed by?

A. The nation where the data is stored
B. The nation where the business is registered
C. The nation where the data is collected
D. The user must specify where data is to be located and stored.

A

C. The nation where the data is collected

Explanation:
Data sovereignty refers to the concept that data is subject to the laws and regulations of a nation. The laws governing the data sovereignty of the country where the data is collected should be followed. If you are required to comply with a data sovereignty obligation regarding the placement of your data, global CSPs offer regions that may satisfy these criteria. In practice, the country where the data physically resides (and the home jurisdiction of the provider) can also assert authority over it, so a practitioner checks both the collection-side obligations and the storage-side exposure before choosing a region.

All other options are incorrect.

545
Q

Company A needs to have a way for employees within their organization, as well as partners and customers, to authenticate and access data in their cloud.

Which of the following authentication mechanisms would be the BEST choice for Company A to implement?

A. REST
B. SOAP
C. Federated identity management
D. Single sign on

A

C. Federated identity management

Explanation:
Federated identity management should be implemented whenever users outside of the organization will need to authenticate and access data. Federated identity management works by establishing trust between systems within the federation.

Single sign on is used to allow users within an organization to use a single set of authentication credentials to log into multiple company resources, but on its own it does not provide any way for users outside of the organization to authenticate. REST and SOAP are API architectural styles and protocols, not authentication mechanisms.

546
Q

There are four main cloud deployment models: public cloud, private cloud, community cloud, and which of the following?

A. Expanded cloud
B. Mixed cloud
C. Hybrid cloud
D. Metropolitan cloud

A

C. Hybrid cloud

Explanation:
The four main cloud deployment models include public, private, community, and hybrid.

Metropolitan, expanded, and mixed cloud do not exist.

547
Q

The Generally Accepted Privacy Principles (GAPP) were developed to contribute to the formation of privacy programs. Which of the following is NOT one of the GAPP’s ten principles?

A. Management
B. Reliability
C. Access
D. Quality

A

B. Reliability

Explanation:
The Generally Accepted Privacy Principles (GAPP) are focused on principles of privacy risks. Reliability is not one of the ten privacy principles outlined in GAPP.

The ten privacy principles are:

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third-parties
    Security for privacy
    Quality
    Monitoring and enforcement

548
Q

Having the ability to move data between two separate cloud providers is known as:

A. Rapid elasticity
B. Multitenancy
C. Cloud data portability
D. Cloud application portability

A

C. Cloud data portability

Explanation:
The ability to move data between multiple cloud providers is known as cloud data portability, while cloud application portability refers, instead, to the ability to move an application between cloud providers.

Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within one environment.

549
Q

When data is stored on a device, but not being used by an application or actively traversing the network, it is called:

A. Structured data
B. Unstructured data
C. Data at rest
D. Data in transit

A

C. Data at rest

Explanation:
Data that is stored on a device but not being used by an application is known as data at rest.

Data that is actively traversing the network is known as data in transit, and data being processed by an application is known as data in use. Structured and unstructured describe the format of data, not its state, and are not applicable answers to this question.

550
Q

What role works with IT to offer a proactive approach with a balance of consultative and assurance services?

A. External auditor
B. Cloud auditor
C. Internal auditor
D. Compliance auditor

A

C. Internal auditor

Explanation:
Internal auditors serve as an organization's trusted counsel. Internal auditors collaborate with information technology (IT) to provide a proactive strategy that balances advisory and assurance services. Internal auditors are employees of the organization but report independently of the functions they audit, which distinguishes them from a cloud auditor, an external party affiliated with neither the cloud customer nor the cloud provider. In most cases, an internal auditor will conduct audits in the conventional sense, ensuring that cloud systems comply with contractual and regulatory obligations.

All other options are types of auditors.

551
Q

James is able to connect to his home’s thermostat using the Internet on his phone and adjust the temperature remotely. This is an example of which type of technology?

A. Blockchain
B. Machine learning
C. IoT
D. AI

A

C. IoT

Explanation:
The Internet of Things (IoT) refers to non-traditional computing devices (such as lamps, thermostats, and other home appliances) that carry embedded sensors and software and are connected to the Internet so they can be monitored and controlled remotely.

552
Q

An audit must have parameters to ensure the efforts are focused on relevant areas that can be effectively audited. Setting these parameters for an audit is commonly known as

A. Audit overrides
B. Audit remediation
C. Audit objectives
D. Audit scope restrictions

A

D. Audit scope restrictions

Explanation:
Audit scope restrictions refer to the process of defining parameters for an audit. The rationale for audit scope restrictions is that audits are costly and often require the involvement of highly skilled content experts. Additionally, system auditing can impair system performance, and in some situations necessitate the shutdown of production systems. Carefully crafted scope constraints can help ensure that production systems are not harmed.

553
Q

Communication is critical and necessary between parties, even more so when it comes to IT cloud services. What role goes through an onboarding, management, maintenance, and offboarding process to ensure that the cloud customer security expectations are met?

A. Regulator
B. Partner
C. Cloud service provider
D. Vendor

A

B. Partner

Explanation:
Partners frequently have the same amount of access to an organization's systems as employees do, but they are not directly under the organization's authority. Partner onboarding, management, maintenance, and offboarding processes should establish clear expectations of the cloud service customer's security needs, and offboarding in particular must revoke the partner's access promptly.

Regulators, cloud service providers, and vendors are other external parties an organization using cloud services must deal with, but the onboarding-to-offboarding lifecycle in the question describes the partner relationship.

554
Q

The FIRST step of developing a BCDR plan is to:

A. Create testing procedures
B. Define scope
C. Assess risks
D. Gather requirements

A

B. Define scope

Explanation:
The first step of developing a business continuity and disaster recovery (BCDR) plan is to define the scope. While it will be important to define testing procedures, assess risks, and gather requirements later on, nothing can be done before the scope has been defined. This ensures that all security concerns are a part of the plan from the start and not added retroactively later on.

555
Q

The role of governance in regard to data stored in a cloud environment is the sole responsibility of who?

A. Cloud customer
B. Cloud broker
C. Cloud auditor
D. Cloud provider

A

A. Cloud customer

Explanation:
In all cloud service types (IaaS, PaaS, SaaS), the roles and responsibility of governance fall solely to the cloud customer and not the cloud provider.

556
Q

Of the following types of cloud deployments, which is MOST susceptible to virtual machine and virtual switch attacks?

A. IaaS
B. DaaS
C. PaaS
D. SaaS

A

A. IaaS

Explanation:
Two special security considerations that are applicable to IaaS cloud environments are virtual switch attacks and virtual machine attacks.

557
Q

What is the final step in deploying a newly upgraded application into production?

A. Release management
B. Service level management
C. Configuration management
D. Change management

A

D. Change management

Explanation:
Change management is the formal process for reviewing, approving, and committing a change that will affect production workloads, and it works hand in hand with configuration management, which records the resulting state of the environment. For any change that will have an impact on production, change management approval is the final gate before the new version is deployed.

All other options are other IT service management processes.

558
Q

Your organization has suffered a fire in its office building, and it is your responsibility to maintain operations during the incident. Which document should you consult before moving forward?

A. IRP
B. DRP
C. AUP
D. BCP

A

D. BCP

Explanation:
A business continuity plan (BCP) is designed to keep an organization operating in the event of a disaster. The BCP may prioritize important business procedures necessary to maintain operations during disaster recovery. The business continuity plan identifies the events and incidents that will trigger the plan’s execution, as well as the severity levels associated with such events and incidents.

Incident response plan (IRP), disaster recovery plan (DRP) and acceptable use policy (AUP) are other types of organizational documents.

559
Q

Certain data will require more advanced security controls in addition to traditional security controls. This may include extra access controls lists placed on the data or having additional permission requirements to access the data.

This extension of normal data protection is known as which of the following?

A. Identity and access management
B. Infrastructure and access management
C. Data rights management
D. Threat and vulnerability management

A

C. Data rights management

Explanation:
Data rights management (DRM) is an extension of normal data protection which is encapsulated within the concept of information rights management (IRM). In DRM, advanced security controls such as extra ACLs and permission requirements are placed onto the data.

560
Q

Jonathan is responsible for creating a cloud data archiving strategy. Which of the following must Jonathan take into consideration when creating the strategy?

A. Amount
B. Format
C. Size
D. Classification

A

B. Format

Explanation:
It is crucial that format is taken into consideration when developing a cloud data archiving strategy. If format is not thought about during the strategy, then the archived data may become very difficult to retrieve if needed in the long run. Other important considerations include technologies used to create and maintain the archives, regulatory requirements, and testing procedures.

561
Q

Removing all nonessential services and software from a host is part of which process?

A. Host hardening
B. Rapid elasticity
C. DNSSEC
D. Physical hardening

A

A. Host hardening

Explanation:
In computing, hardening is the process of securing a system by reducing its attack surface. Host hardening is the process of hardening a host system by removing all nonessential services and software from that host. Removing the services and software that are not needed reduces the opportunities for attackers to gain access using one of those unnecessary services or programs, and it also reduces the number of components that must be patched and monitored.

562
Q

Which incident response phase aims to prevent further damage to the organization as a result of a recognized incident?

A. Recover
B. Post-incident
C. Respond
D. Detect
E. Prepare
A

C. Respond

Explanation:
Isolation and containment are the initial response steps in an incident response. The purpose of containment is to protect an organization from further damage caused by a known incident. Disconnecting affected systems, disabling hardware, and disconnecting storage are only a few of the responsibilities.

All other options are phases of incident response.

563
Q

Of the following, which is NOT one of the three ways to implement key storage in a cloud environment?

A. Having an external and independent service or system host the key storage
B. Having the keys stored on a dedicated host server in the same network but which is separate from the one where the encryption service is housed
C. Having the keys stored and accessed within the same virtual machine as the encryption service or engine
D. Creating a physical copy of the encryption keys and storing them in a physical safe

A

D. Creating a physical copy of the encryption keys and storing them in a physical safe

Explanation:
There are three main methods of key storage in a cloud environment. The first and simplest is to have the keys stored and accessed from the same virtual machine that is hosting the encryption service or engine. Alternatively, the keys can be stored on a separate device from the virtual machine that is hosting the encryption service or engine. The final option is to have an external and independent service or system to host the key storage.

Creating a physical copy of the encryption keys and storing them in a physical safe is not one of the methods used for key storage.

564
Q

A cloud engineer at an organization is working on a project to move from a traditional data center to a cloud environment. Which of the following is a common pitfall that the engineer should be aware of?

A. Storage requirements
B. Scalability concerns
C. Budgetary restraints
D. Portability issues

A

D. Portability issues

Explanation:
Many people believe that moving from a traditional data center to a cloud environment is a simple, easy, and seamless transition, but this is a common misconception. There is a lot of work and reworking that must go into moving systems to the cloud. Not all applications will be easy to pick up and move into a cloud environment, and they may require code changes to be made before they run correctly on the provider's platform.

565
Q

The Treacherous Twelve is a list of twelve risks that are associated specifically with which type of technology?

A. All network devices
B. Traditional data centers
C. All web applications
D. Cloud-based applications and systems

A

D. Cloud-based applications and systems

Explanation:
The Treacherous Twelve, published by the Cloud Security Alliance (CSA), is similar to the OWASP Top 10. However, unlike the OWASP Top 10, which lays out vulnerabilities and risks associated with all web applications (regardless of whether they are hosted in the cloud or in a traditional data center), the Treacherous Twelve lays out risks and vulnerabilities that are specific to cloud-based applications and systems.

566
Q

Of the following, which is NOT one of the three data states?

A. Data in motion
B. Data in use
C. Data at rest
D. Data in encryption

A

D. Data in encryption

Explanation:
The three data states include data in use, data in motion (also called data in transit), and data at rest. Data in encryption is not one of these three data states.

Data in use refers to when the data is being actively used by a system. Data in motion, or data in transit, refers to when the data is in active transmission across the network. Data at rest refers to data being stored in an idle state.

567
Q

Company A needs to have a way for employees within their organization, as well as partners and customers, to authenticate and access data in their cloud.

Which of the following authentication mechanisms would be the BEST choice for Company A to implement?

A. Single sign on
B. SOAP
C. Federated identity management
D. REST

A

C. Federated identity management

Explanation:
Federated identity management should be implemented whenever users outside of the organization will need to authenticate and access data. Federated identity management works by establishing trust between systems within the federation.

Single sign on is used to allow users within an organization to use a single set of authentication credentials to log into multiple company resources, but on its own it does not provide any way for users outside of the organization to authenticate. REST and SOAP are API architectural styles and protocols, not authentication mechanisms.

568
Q

Which of the following is NOT a type of PII?

A. Regulated PII
B. Non-disclosed PII
C. PHI
D. Contractual PII

A

B. Non-disclosed PII

Explanation:
The two main types of PII (personally identifiable information) include contractual PII and regulated PII. Another type of PII is PHI or protected health information, which is a special type of PII pertaining to healthcare data.

Non-disclosed PII is not a recognized type of PII.

569
Q

Which of the following ways is NOT how a business addresses regulatory compliance challenges in the cloud?

A. Delegation of all security to CSP
B. Creating security policies
C. SLAs with CSPs
D. Annual auditing

A

A. Delegation of all security to CSP

Explanation:
While an organization may delegate operational responsibilities to a cloud service provider (CSP) and the CSP may, in some situations, share responsibility with the organization, an organization cannot delegate all compliance responsibilities to a CSP.

All other options address regulatory compliance challenges in the cloud.

570
Q

What is used to consolidate large amounts of structured data, often from disparate sources inside or outside the organization, with the goal of supporting business intelligence and analysis efforts?

A. Data mining
B. Data warehouse
C. Data mart
D. Data lake

A

B. Data warehouse

Explanation:
A data warehouse is structured storage in which data from many sources has been cleaned and normalized to fit a defined data model, so that it can be queried consistently for business intelligence and analysis.

A data lake stores raw data in its native format without a predefined model, and a data mart is a subject-specific subset of a warehouse; both are storage mechanisms. Data mining is an analysis technique applied to stored data, not a storage mechanism.

571
Q

What can an organization pay for during peak periods rather than permanently maintaining the maximum resource level?

A. Measured service
B. Broad network access
C. Multi-tenancy
D. On-demand self-service

A

A. Measured service

Explanation:
Measured service enables CSPs to meter and bill for the resources actually consumed, so each tenant pays its own share of the cost. Rather than permanently maintaining the maximum resource level, an organization can pay for the metered service only during peak periods. As a result, over-provisioning and resource waste are avoided.

572
Q

What is the MAIN difference between high availability and fault tolerance?

A. Fault tolerance is used to resolve software failures, while high availability is used to address hardware failures.
B. There is no difference between high availability and fault tolerance.
C. Fault tolerance involves the use of shared resources and pooled resources to minimize downtime.
D. Fault tolerance involves the use of specialized hardware that can detect faults and automatically switch to redundant systems.

A

D. Fault tolerance involves the use of specialized hardware that can detect faults and automatically switch to redundant systems.

Explanation:
High availability makes use of shared and pooled resources to maintain a high level of availability and minimize downtime. Fault tolerance is different, in that it utilizes a specialized hardware which can detect faults and automatically switch to redundant systems based on the type of failure.

573
Q

Which of the following is an XML-based standard used to exchange information in the authorization and authentication process, which was put out by the OASIS consortium and its Security Services Technical Committee?

A. SAML
B. OAuth
C. OpenID
D. WS-Federation

A

A. SAML

Explanation:
SAML is an XML-based standard used to exchange information in the authorization and authentication process. SAML 2.0, which was adopted in 2005, is the latest standard put out by the nonprofit OASIS consortium and its Security Services Technical Committee.
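
To make the "exchange information in the authorization and authentication process" concrete, here is the minimal set of checks a service provider (SP) performs on a SAML 2.0 assertion before trusting it: the issuer is a trusted identity provider, the assertion is inside its validity window, and it was issued for this SP (audience restriction). This is an added example, not part of the flashcard deck or of any SAML library; the assertion, the `idp.example.com` and `sp.example.com` identifiers, and the timestamps are constructed. It deliberately omits XML signature verification, which a real SP must perform first with a vetted SAML library, rejecting unsigned assertions, before any of these fields is trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Constructed, unsigned sample assertion with hypothetical IdP/SP identifiers.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>engineer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.example.com/saml"}          # from IdP metadata (assumed)
SP_AUDIENCE = "https://sp.example.com/saml/metadata"        # this SP's entity ID (assumed)
SAMPLE_NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)     # inside the window
SAMPLE_LATER = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)  # after NotOnOrAfter


class AssertionRejected(Exception):
    """Raised when the assertion fails a validation check."""


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601 ending in "Z"; older fromisoformat() rejects "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, trusted_issuers, expected_audience, now):
    """Return the subject and attributes of an assertion that passes issuer, time window
    and audience checks. NOTE: the XML signature is NOT verified here; a real SP must
    verify it (and reject unsigned assertions) before calling anything like this."""
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        raise AssertionRejected("not a SAML 2.0 Assertion element")

    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in trusted_issuers:
        raise AssertionRejected(f"untrusted issuer: {issuer!r}")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise AssertionRejected("missing Conditions element")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        raise AssertionRejected("assertion is not yet valid")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        raise AssertionRejected("assertion has expired")

    # Audience restriction stops an assertion minted for another SP being replayed here.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("assertion was not issued for this service provider")

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not subject:
        raise AssertionRejected("missing Subject/NameID")

    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return {"issuer": issuer, "subject": subject, "attributes": attributes}


def is_accepted(xml_text, now, audience=SP_AUDIENCE):
    """Boolean wrapper for the checks above, convenient for tests and logging."""
    try:
        validate_assertion(xml_text, TRUSTED_ISSUERS, audience, now)
        return True
    except AssertionRejected:
        return False


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, TRUSTED_ISSUERS, SP_AUDIENCE, SAMPLE_NOW))
    print(is_accepted(SAMPLE_ASSERTION, SAMPLE_LATER))   # False: expired
```

The short validity window (five minutes in the sample) and the audience check are what limit replay of a captured assertion; in production the SP also records the assertion ID so the same assertion cannot be presented twice within its window.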

574
Q

In an IaaS environment, who allocates and maintains storage?

A. Cloud customer
B. Cloud broker
C. Cloud auditor
D. Cloud provider

A

D. Cloud provider

Explanation:
In an Infrastructure as a Service (IaaS ) environment, the cloud provider is responsible for allocating and maintaining storage which comes in the form of volume and object storage.

575
Q

To perform a quantitative assessment, an organization must determine their SLE. Which of the following is the BEST definition of SLE?

A. The length of time it would take to recover after a successful attack
B. The difference between the original value of an asset and the remaining value of an asset after a single successful exploitation
C. The estimated number of times a threat will successfully exploit a vulnerability over the course of a year
D. The length of time that an organization can operate after an exploit has been successful against their organization

A

B. The difference between the original value of an asset and the remaining value of an asset after a single successful exploitation

Explanation:
SLE refers to single loss expectancy. The SLE is the difference between the original value of an asset and the remaining value of an asset after a single successful exploitation; it is calculated as asset value (AV) multiplied by the exposure factor (EF), the fraction of the asset's value lost in one event. The SLE is used alongside the annualized rate of occurrence (ARO) to produce the annualized loss expectancy (ALE = SLE x ARO), which is the figure a quantitative assessment compares against the yearly cost of a control.
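
Carrying the SLE, ARO and ALE relationship through to the decision it supports, the following added example (not part of the flashcard deck) evaluates several candidate controls by their net annual benefit, ALE before minus ALE after minus the control's annual cost. All of the figures and control names are constructed for illustration.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: value lost in one successful exploitation."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of asset value lost, 0..1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year from this threat."""
    return sle * aro


def control_net_benefit(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Net benefit of a control = (ALE before - ALE after) - annual cost of the control.
    A positive value means the control saves more than it costs."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    return ale_before - ale_after - annual_cost


def best_control(asset_value, ef, aro, candidates):
    """Return (name, net_benefit) of the candidate with the highest positive net benefit,
    or None when no candidate pays for itself. Candidates are
    (name, ef_after, aro_after, annual_cost) tuples."""
    best = None
    for name, ef_after, aro_after, cost in candidates:
        benefit = control_net_benefit(asset_value, ef, aro, ef_after, aro_after, cost)
        if benefit > 0 and (best is None or benefit > best[1]):
            best = (name, benefit)
    return best


# Constructed figures: a file server worth $500k, a breach that destroys 30% of its
# value, expected once every two years, and three hypothetical controls.
ASSET_VALUE = 500_000.0
EF = 0.30
ARO = 0.5
CANDIDATES = [
    # name,                    EF after, ARO after, annual cost
    ("EDR on file servers",       0.10,     0.5,     20_000.0),   # limits damage per event
    ("Network segmentation",      0.30,     0.1,     40_000.0),   # makes the event rarer
    ("Immutable offline backups", 0.05,     0.5,     60_000.0),   # limits damage, costly
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF)
    print("SLE:", sle, "ALE:", annualized_loss_expectancy(sle, ARO))
    print("best control:", best_control(ASSET_VALUE, EF, ARO, CANDIDATES))
```

With these inputs the SLE is $150,000 and the ALE $75,000 a year; the EDR option wins because it cuts the ALE to $25,000 for a $20,000 annual cost. The point for the exam and for practice is that a control is justified by the reduction in ALE it buys, not by how much risk it eliminates in absolute terms.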

576
Q

Which of these cloud-related factors has the biggest influence on vendor lock-in?

A. Resiliency
B. Portability
C. Interoperability
D. Reversibility

A

C. Interoperability

Explanation:
Cloud interoperability refers to a customer’s capacity to interact with cloud services in any way they desire. Interoperability enables communication and data sharing across many platforms provided by various providers. Interoperability enables customers to prioritize services needed rather than the vendor providing the service, which lessens the concern of vendor lock-in.

All other options are other shared cloud considerations.

577
Q

Which of the following is NOT one of the most commonly used risk ratings?

A. Urgent
B. Low
C. Critical
D. Minimal

A

A. Urgent

Explanation:
The correct names for risk ratings are (in order) minimal, low, moderate, high, and critical.

Urgent is not a commonly accepted risk rating.

578
Q

Who should have access to the management plane in a cloud environment?

A. A highly vetted and limited set of administrators
B. All cloud engineers
C. Everyone
D. A single, highly vetted administrator

A

A. A highly vetted and limited set of administrators

Explanation:
If compromised, the management plane would provide full control of the cloud environment to an attacker. Due to this, only a highly vetted and limited set of administrators should have access to the management plane, and that access should be protected with multifactor authentication and logged. However, you will want more than a single administrator, in case the single administrator leaves or is no longer able to perform management duties.

579
Q

The CSP is responsible for security of the cloud, and the consumer is responsible for security in the cloud. What cloud security model is this referring to?

A. Security by design
B. Software defined storage
C. Shared responsibility
D. Software defined networking

A

C. Shared responsibility

Explanation:
The shared responsibility model places the obligation for security of the cloud, which includes the underlying services and infrastructure such as compute, storage, and the physical facilities, on the CSP. Cloud consumers are responsible for security in the cloud, such as managing their operating systems, enforcing access control policies, configuring the services they consume, and protecting their own data. Where the line falls shifts with the service model: the customer's share is largest in IaaS and smallest in SaaS.

All other options are unrelated technologies and design approaches used in the cloud.

580
Q

The Unified Extensible Firmware Interface (UEFI) replaces the traditional BIOS and incorporates numerous enhancements. What is the theoretical maximum capacity of a hard drive that UEFI can address?

A. 4.4 zettabytes
B. 10 zettabytes
C. 9.4 zettabytes
D. 4.9 zettabytes

A

C. 9.4 zettabytes

Explanation:
The correct answer is 9.4 zettabytes. UEFI uses the GUID Partition Table (GPT), whose 64-bit logical block addresses with 512-byte sectors give 2^64 x 512 bytes, roughly 9.4 ZB, compared with the 2 TB limit of the legacy BIOS/MBR scheme.

581
Q

The recovery point objective can be zero in a cloud environment, with what other technology implemented?

A. Failover
B. Load balancers
C. Availability zones
D. Compute resources

A

A. Failover

Explanation:
The recovery point objective (RPO) is the maximum amount of data loss, measured as a period of time, that an organization is willing to accept after an incident. With seamless failover in a cloud environment, the RPO for all but the most catastrophic incidents can practically be zero seconds of lost transactions. This is facilitated by maintaining a copy of the data in another region or availability zone, but only synchronous replication achieves a true zero RPO; with asynchronous replication the RPO is at best the replication lag.

582
Q

Which of the following operates by consuming a large amount of data and analyzing that data for patterns?

A. Block chain
B. Internet of Things
C. Machine learning
D. Artificial intelligence

A

D. Artificial intelligence

Explanation:
Artificial intelligence is the ability of devices to perform human-like analysis. Artificial intelligence operates by consuming a large amount of data and recognizing patterns and trends in the data.

583
Q

Which line of defense would your organization’s Information Security department be considered?

A. Third line of defense
B. First line of defense
C. Second line of defense

A

B. First line of defense

Explanation:
Your Information Security department is your organization’s first line of defense.

Your Risk Management team is your second line of defense. Internal Audit is your third line of defense.

584
Q

Like the EU and the United States, which other influential body has released privacy protections and regulations regarding data privacy?

A. APEC
B. NFPA
C. BICSI
D. CICA

A

A. APEC

Explanation:
Both the United States and the European Union (EU) have established data privacy regulations such as HIPAA and GDPR. In addition, the Asia-Pacific Economic Cooperation (APEC) is another influential body that has established regulations regarding data privacy. APEC developed the APEC Privacy Framework.

585
Q

A cloud application has experienced a data breach. This may be a threat to other applications hosted by the same cloud provider due to which cloud functionality?

A. Rapid elasticity
B. Reversibility
C. Multitenancy
D. On-demand self-service

A

C. Multitenancy

Explanation:
Multitenancy is a cloud function in which multiple cloud customers (tenants) are hosted by the same cloud provider using the same cloud environment. Because the cloud customers are sharing resources and may be running off the same hardware, a breach to one system may lead to a data breach of all the other tenants in the cloud environment.

586
Q

Which of the following concepts is focused on maintaining the chain of custody in a forensic investigation?

A. Capacity management
B. Evidence management
C. Incident management
D. Continuity management

A

B. Evidence management

Explanation:
Evidence management is concerned with maintaining the chain of custody in a forensics investigation.

Capacity management is focused on maintaining the required resources needed to meet SLAs. Incident management is focused on limiting the impact of incidents on an organization. Continuity management is concerned with developing a business continuity and disaster recovery plan.

587
Q

What type of system is a systematic approach to information security comprised of processes, technology, and people designed to assist in the protection and management of an organization’s information?

A. GAAP
B. GLBA
C. CMDB
D. ISMS

A

D. ISMS

Explanation:
An information security management system (ISMS) is intended to protect the confidentiality, availability, and integrity of an organization’s data. The most effective ISMSs are those that are aligned with the organization’s standards and include specific information on compliance requirements.

588
Q

Which of the following are examples of a security feature that may be used to protect storage controllers?

A. Kerberos, CHAP, SAML
B. Kerberos, CHAP, IPSec
C. Kerberos, IPsec, SAML
D. Kerberos, HTTPS, SAML

A

B. Kerberos, CHAP, IPSec

Explanation:
Secure authentication protocols such as CHAP and Kerberos can be utilized, while encrypted communications can use the IPsec protocol.

SAML is an authentication markup language, although it is not especially effective for securing storage controllers.

589
Q

The six-step cloud secure data life cycle starts with the creation of data and ends with:

A. The archival of data
B. The use of data
C. The destruction of data
D. The sharing of data

A

C. The destruction of data

Explanation:
The final step in the cloud secure data life cycle is destroy. This represents the destruction and sanitation of data so that it is permanently removed and no longer accessible.

590
Q

The FIPS 140-2 standard is divided into 11 sections that define security requirements. Which of the following is NOT one of these sections?

A. Self-tests
B. Physical security
C. Operational environment
D. Security budget

A

D. Security budget

Explanation:
The FIPS (Federal Information Processing Standard) 140-2 standard is divided into 11 sections that define security requirements, which include: 
    Cryptographic Module Specification
    Cryptographic Module Ports and Interfaces
    Roles, Services, Authentication
    Finite State Model
    Physical Security
    Operational Environment
    Cryptographic Key Management
    EMI/EMC
    Self-tests
    Design Assurance
    Mitigation of Other Attacks

591
Q

Which of the following statements BEST describes blockchain?

A. A form of Internet currency
B. When the Internet is extended outside of traditional computing devices
C. When records are listed and linked together using cryptography
D. The ability for machines to adapt and learn from experiences

A

C. When records are listed and linked together using cryptography

Explanation:
Blockchain is a list of records that are linked together in a chain using a cryptography method.

592
Q

Some communication policies are required by law or regulation. What law is MOST referenced when talking about mandatory reporting or communications?

A. SOX
B. PCI DSS
C. HIPAA
D. GDPR

A

A. SOX

Explanation:
Some post-incident communication policies are mandated by legislation or regulation. Sarbanes-Oxley (SOX) is the most frequently mentioned standard when discussing obligatory reporting and communications. SOX requires the disclosure or reporting of events applying exclusively to financial records.

HIPAA, GDPR and PCI DSS are not applicable.

593
Q

Which of the following would be of the MOST concern to an individual working within a healthcare facility, such as a doctor’s office, within the United States?

A. HIPAA
B. GDPR
C. GLBA
D. FRCP

A

A. HIPAA

Explanation:
HIPAA (Health Insurance Portability and Accountability Act) is concerned with the security controls and confidentiality of protected health information (PHI). It’s vital that anyone working in any healthcare facility be aware of HIPAA regulations.

The Gramm-Leach-Bliley Act, officially named the Financial Modernization Act of 1999, focuses on PII as it pertains to financial institutions, such as banks. GDPR is an EU-specific regulation that encompasses all organizations in all different industries. FRCP is a set of federal rules for handling civil legal proceedings in federal courts.

594
Q

What type of monitoring is required to identify issues such as dropped packets, excessive memory utilization, slow CPU reaction time, and high latency?

A. Resource monitoring
B. Hardware monitoring
C. Baseline monitoring
D. Performance monitoring

A

D. Performance monitoring

Explanation:
Performance monitoring is a continual process in which the CSP ensures that systems operate reliably and that customer service level agreements are met.

All other options are types of monitoring.

595
Q

Masking, obfuscation, and anonymization are all techniques used in which of the following?

A. Encryption
B. Hashing
C. Data mirroring
D. Data de-identification

A

D. Data de-identification

Explanation:
Data de-identification is the process of removing, hiding, covering, or replacing sensitive data. Masking, obfuscation, and anonymization are all techniques used in data de-identification.

596
Q

In the cloud, the medium on which the data can be stored is dependent on the data classification. Which section of the data retention policy would outline the details of handling procedures?

A. Retention formats
B. Archiving and retrieval
C. Data classification
D. Retention periods

A

A. Retention formats

Explanation:
The retention format section of the data retention policy specifies the media on which the various data classifications should be stored, as well as any associated handling processes.

597
Q

A CSP relies on third-parties to deliver services to its clients. What type of supply chain management is this a form of?

A. Dynamic software management
B. Due Diligence
C. Verified secure software
D. Vendor Risk Management

A

D. Vendor Risk Management

Explanation:
The CSP’s reliance on other third-party vendors to provide services used by its customers is a form of vendor risk management.

598
Q

Data security comprises three core aspects. Of the following, which is NOT one of these three core aspects?

A. Availability
B. Encryptability
C. Confidentiality
D. Integrity

A

B. Encryptability

Explanation:
The three main concepts of data security are confidentiality, integrity, and availability. This is often known as the CIA triad. Although privacy is part of confidentiality, it is sometimes thought of, along with nonrepudiation, as the other core aspect of data security.

Encryptability is not one of the core aspects of security.

599
Q

A cloud provider has assembled all of the cloud resources together and made them available for allocation to cloud customers. Which term BEST describes this process?

A. Reversibility
B. Resource pooling
C. Data portability
D. Application portability

A

B. Resource pooling

Explanation:
Cloud providers may choose to do resource pooling, which is the process of aggregating all of the cloud resources together and allocating them to their cloud customers.

600
Q

Which of the following should NOT be permitted to be connected to a KVM?

A. Keyboard
B. Mouse
C. Flash drive
D. Monitor

A

C. Flash drive

Explanation:
KVM (keyboard, video, mouse) switches are used to connect input devices to multiple servers. This allows for easy access and management. However, USB storage devices, such as a flash drive, should not be permitted to connect to the KVM for security reasons.

601
Q

What term is used to describe the business intelligence and user-driven process in which data is analyzed and represented visually in order to look for specific attributes and patterns within that data?

A. Data deduplication
B. Data classification
C. Data de-identification
D. Data discovery

A

D. Data discovery

Explanation:
Data discovery is a unique type of data analysis process because it relies heavily on the data user to interpret the data in a meaningful way. Data discovery is a user-driven business intelligence process where data is visually represented and analyzed to look for specific attributes and patterns within the data.

602
Q

Which of the following is NOT likely to result in the initiation of a BCDR plan?

A. A major hurricane in the area
B. Data center failure and neglect
C. Acts of war
D. Moving to a new office

A

D. Moving to a new office

Explanation:
There are many incidents which can result in the initiation of a business continuity and disaster recovery (BCDR) plan. These include a natural disaster, terrorist attacks or acts of war, equipment failure, utility disruptions or failures and, finally, data center or service provider failures, and neglect.

Moving to a new office location is unlikely to result in the initiation of a BCDR plan.

603
Q

The final stage of the software development lifecycle is:

A. Testing
B. Analysis
C. Implementation
D. Maintenance

A

D. Maintenance

Explanation:
The software development lifecycle (SDLC) is made up of six steps, which include requirement gathering and feasibility, analysis, design, development/coding, testing, and maintenance. The final step of the SDLC is maintenance, although this step is never quite finished. Maintenance is an ongoing process that must occur throughout the entire lifetime of the software or application.

604
Q

Your data in the cloud is stored in the EU region—what law or regulation would the data be governed by?

A. The nation where the business is registered
B. The nation where the data is collected
C. The nation where the data is stored
D. The user must specify where data is to be located and stored.

A

B. The nation where the data is collected

Explanation:
Data sovereignty refers to the concept that data is subject to a nation’s laws and regulations. The laws governing the data sovereignty of the country where the data is collected should be followed. If you are required to comply with a data sovereignty obligation regarding the placement of your data, global CSPs will offer locations that may satisfy these criteria.

All other options are incorrect.

605
Q

An engineer needs to ensure that data has been completely removed from cloud servers after a data migration. Which data sanitation technique can be used in a cloud environment successfully?

A. Destruction
B. Overwriting
C. Incineration
D. Degaussing

A

B. Overwriting

Explanation:
In a cloud environment, where the customer does not have access to or control of the physical hardware, sanitation methods such as incineration, destruction, and degaussing are not an option. Overwriting is an option that can be used in cloud environments. Overwriting is sometimes called zeroing because the process often includes overwriting erased data with arbitrary data and zero values.

606
Q

Hashing can be used to do which of the following?

A. Encrypt data so that it can only be viewed by authorized individuals
B. Group multiple data objects of the same type together so that they can be easily found later
C. Determine the origin and location of a data object
D. Quickly ensure the integrity of data which is spread throughout multiple storage locations

A

D. Quickly ensure the integrity of data which is spread throughout multiple storage locations

Explanation:
Hashing creates a fingerprint or checksum value of a fixed size (known as the hash value) of the original data object. If the same hashing algorithm is used and the data remains unchanged, the hash value will always be the same. This makes it possible to quickly ensure the integrity of data that may be stored in various storage locations.

607
Q

There are four main cloud deployment models: public cloud, private cloud, community cloud, and which of the following?

A. Hybrid cloud
B. Metropolitan cloud
C. Mixed cloud
D. Expanded cloud

A

A. Hybrid cloud

Explanation:
The four main cloud deployment models include public, private, community, and hybrid.

Metropolitan, expanded, and mixed cloud do not exist.

608
Q

Which of the following is a security concern caused by multitenancy?

A. There will not be enough resources to share
B. Physical segregation is not possible
C. Access control can’t be implemented
D. Virtual segregation is not possible

A

B. Physical segregation is not possible

Explanation:
Multitenancy is an aspect of cloud computing in which many different cloud customers are able to share the same cloud environment. This raises security concerns because, in a cloud environment, physical segregation is not possible. Multitenancy relies on the cloud provider to implement virtual network segregation and isolation to ensure that one cloud customer is only able to see their own data and not the data and resources of the other tenants in the environment.

609
Q

Communication, consent, control, transparency, and independent yearly audits are the five key principles focused on by which of the following standards?

A. ISO/IEC 27001:2005
B. ISO/IEC 31000:2018
C. ISO/IEC 27050
D. ISO/IEC 27018

A

D. ISO/IEC 27018

Explanation:
ISO/IEC 27018 is a standard for providing security and privacy within cloud computing. The ISO/IEC 27018 focuses on five key principles which include communication (relaying information to cloud customers), consent (receiving permission before using customer data for any reason), control (cloud customers retain full control over their own data in the cloud), transparency (cloud providers inform customers of any potential exposure to support staff and contractors), and independent and yearly audits (cloud providers must undergo yearly audits performed by a third party).

610
Q

A data leak is MOST LIKELY to occur during which phase of the cloud data lifecycle?

A. Destroy
B. Archive
C. Use
D. Store

A

C. Use

Explanation:
Due to the nature of data being actively used, viewed, and processed in the use phase, it is more likely to be leaked in this phase than in others, such as the store, archive, and destroy phases.

611
Q

A cloud provider has assembled all of the cloud resources together and made them available for allocation to cloud customers. Which term BEST describes this process?

A. Reversibility
B. Resource pooling
C. Application portability
D. Data portability

A

B. Resource pooling

Explanation:
Cloud providers may choose to do resource pooling, which is the process of aggregating all of the cloud resources together and allocating them to their cloud customers.

612
Q

A cloud security professional has been asked to ensure that an organization’s systems have been hardened against known attacks and vulnerabilities and then provide a report outlining their weaknesses.

What is the BEST course of action for this cloud security professional?

A. Perform a vulnerability scan
B. Perform static application security testing
C. Perform dynamic application security testing
D. Perform cloud-based functional testing

A

A. Perform a vulnerability scan

Explanation:
Vulnerability scans are typically performed by an organization against their own systems. Vulnerability scans are relatively simple to perform. They use known attacks and methodologies to verify that systems are hardened against them. Vulnerability scans use known tests and signatures and can quickly output a report displaying the weaknesses. The vulnerability scan is the best choice out of the options listed to provide the requested outcome.

613
Q

Which standard provides guidelines on contract negotiations with cloud service providers about eDiscovery, searchability, and data preservation?

A. ISO/IEC 27041
B. ISO/IEC 27042
C. ISO/IEC 27037
D. CSA

A

D. CSA

Explanation:
Cloud Security Alliance (CSA) Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery provides guidance on contract negotiations with cloud service providers about eDiscovery, searchability, and data preservation.

ISO/IEC 27037: Provides guidelines for handling digital evidence. ISO/IEC 27041: Provides guidance for methods and processes used in investigations to make sure they are “fit for purpose”. ISO/IEC 27042: Provides guidance on analysis and interpretation of digital evidence.

614
Q

Organization A typically leaves their images offline at the business continuity and disaster recovery (BCDR) site when not in use. What risk is associated with this?

A. Attacks may be able to gain access to the offline images through malware attacks
B. Images may not be patched and up to date with production system baselines and configurations
C. There are no risks associated with leaving the images offline when not in use
D. The offline images will often become corrupt if not brought online regularly

A

B. Images may not be patched and up to date with production system baselines and configurations

Explanation:
It isn’t uncommon for organizations to leave their images offline at the BCDR site when not in use; however, this does cause some risks. If the images are left offline, they might not be up to date on patches or up to date with the latest configurations and systems baselines of the production environment. This could lead to serious issues in the event of a disaster when these images are needed. If the images are kept offline, engineers must take special care to ensure that there are processes in place to patch and update the images at the BCDR site.

615
Q

An engineer is interested in implementing a system that will collect logs from all of the organization network devices and put them into a centralized location. Having the logs in a centralized location will allow them to be correlated to certain events.

What type of program is this engineer looking to implement?

A. SIEM
B. SOC
C. NIDS
D. WSUS

A

A. SIEM

Explanation:
A SIEM (security information and event management) system collects and indexes logs from various sources on the network (servers, firewalls, etc.) and stores them in one centralized location. This allows for administrators to find correlations between log events and potential attacks. SIEM systems also provide a great way for engineers to troubleshoot issues within the network by being able to see all of the logs in one location.

616
Q

Of the following, which is the MOST common and likely scenario to cause a vendor lock-in?

A. Many proprietary requirements from the cloud provider
B. Overly expensive hardware
C. Poorly written SLAs
D. Undocumented software

A

A. Many proprietary requirements from the cloud provider

Explanation:
Vendor lock-in occurs when an organization is unable to move from one cloud provider to another without incurring major burdens or expenses. The most likely and common scenario for this is that the current cloud provider has many proprietary requirements. The proprietary requirements make it very expensive, difficult, and burdensome to move to a new provider.

617
Q

An engineer is working in a data center. He notices that the temperature of the data center is 71.7 degrees Fahrenheit and the humidity level is at 35 percent.

Which of the statements is TRUE regarding this data center?

A. The temperature is too high and the humidity level is too low
B. The temperature is ideal, but the humidity level is too low
C. Both temperature and humidity are within the ideal ranges
D. The temperature is too high and the humidity level is ideal

A

B. The temperature is ideal, but the humidity level is too low

Explanation:
It’s very important to ensure that both temperature and humidity levels are ideal within a data center. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends that data centers have a temperature between 64.4 and 80.6 degrees Fahrenheit and a humidity level of between 40 and 60 percent relative humidity. A humidity level of 35 percent is too low and could lead to an excess of electrostatic discharge.

618
Q

A cloud provider needs to ensure that the data of each tenant in their multitenant environment is only visible to authorized parties and not to the other tenants in the environment.

Which of the following can the cloud provider implement to ensure this?

A. Logical network separation
B. Anti spyware
C. Physical network segregation
D. APIs

A

A. Logical network separation

Explanation:
In a cloud environment, physical network segregation is not possible. However, it’s important for cloud providers to ensure separation and isolation between tenants in a multitenant cloud. In order to achieve this, logical network separation can be implemented to minimize the chance of accidental exposure.

619
Q

Your current SaaS solution provider uses an independent CSP for some of their storage needs. What type of risk does this introduce to the organization?

A. Legal risk
B. Privacy risk
C. Outsourced risk
D. Fourth party risk

A

D. Fourth party risk

Explanation:
The term “fourth party” refers to a third-party’s third-party, such as when your vendors outsource service provision to a separate, independent vendor. The risks faced by the organization now include those related to the SaaS solution itself, as well as any additional risks posed by the CSP they utilize.

620
Q

An engineer was asked by his supervisor to purchase a new bare metal hypervisor. What type of hypervisor should this engineer purchase?

A. Type 4 hypervisor
B. Type 1 hypervisor
C. Type 2 hypervisor
D. Type 3 hypervisor

A

B. Type 1 hypervisor

Explanation:
There are only two types of hypervisors: type 1 hypervisors and type 2 hypervisors. Type 1 hypervisors are also called bare metal, embedded, or native hypervisors. This is because type 1 hypervisors run directly on the physical hardware, while type 2 hypervisors are dependent upon the host operating systems.

621
Q

An engineer is interested in implementing a system that will collect logs from all of the organization network devices and put them into a centralized location. Having the logs in a centralized location will allow them to be correlated to certain events.

What type of program is this engineer looking to implement?

A. WSUS
B. NIDS
C. SIEM
D. SOC

A

C. SIEM

Explanation:
A SIEM (security information and event management) system collects and indexes logs from various sources on the network (servers, firewalls, etc.) and stores them in one centralized location. This allows for administrators to find correlations between log events and potential attacks. SIEM systems also provide a great way for engineers to troubleshoot issues within the network by being able to see all of the logs in one location.

622
Q

An engineer needs to ensure that data has been completely removed from cloud servers after a data migration. Which data sanitation technique can be used in a cloud environment successfully?

A. Destruction
B. Overwriting
C. Degaussing
D. Incineration

A

B. Overwriting

Explanation:
In a cloud environment, where the customer does not have access to or control of the physical hardware, sanitation methods such as incineration, destruction, and degaussing are not an option. Overwriting is an option that can be used in cloud environments. Overwriting is sometimes called zeroing because the process often includes overwriting erased data with arbitrary data and zero values.

623
Q

The following features characterize what type of storage?

Files are stored as sectors on a drive.
Format of virtual machine disks.
VMs and servers use this type of storage.
Databases will store files on this type of storage.
Storage is in a hierarchical structure for retrieval.

A. Block storage
B. Volume storage
C. File storage
D. Object storage

A

A. Block storage

Explanation:
Block storage is a type of storage in which all information is stored in equal-sized blocks on disks. It is more efficient and effective than file storage in general and is utilized in databases and virtual machines. The above-mentioned characteristics are those of block storage.

All other options are types of storage.

624
Q

Which of the following is used to mitigate and control customer requests for resources in case the environment doesn’t have enough resources available to meet the requests?

A. Objects
B. Limits
C. Reservations
D. Shares

A

D. Shares

Explanation:
The concept of shares works by prioritizing hosts within the environment using a scoring system. When resources are limited, hosts with a higher score value will have access to the limited resources that are available.

625
Q

A cloud provider needs to ensure that the data of each tenant in their multitenant environment is only visible to authorized parties and not to the other tenants in the environment.

Which of the following can the cloud provider implement to ensure this?

A. Logical network separation
B. Anti spyware
C. Physical network segregation
D. APIs

A

A. Logical network separation

Explanation:
In a cloud environment, physical network segregation is not possible. However, it’s important for cloud providers to ensure separation and isolation between tenants in a multitenant cloud. In order to achieve this, logical network separation can be implemented to minimize the chance of accidental exposure.

626
Q

Your current SaaS solution provider uses an independent CSP for some of their storage needs. What type of risk does this introduce to the organization?

A. Outsourced risk
B. Fourth party risk
C. Legal risk
D. Privacy risk

A

B. Fourth party risk

Explanation:
The term “fourth party” refers to a third-party’s third-party, such as when your vendors outsource service provision to a separate, independent vendor. The risks faced by the organization now include those related to the SaaS solution itself, as well as any additional risks posed by the CSP they utilize.

627
Q

Which of the following statements about type 1 hypervisors is TRUE?

A. Due to it being software-based, it’s less vulnerable to an attack from someone injecting malicious code than a type 2 hypervisor.
B. Due to being tied to the physical hardware of the machine, it would be harder for an attacker to inject malicious code to gain access than it would be on a type 2 hypervisor.
C. Due to it being software-based, it’s more vulnerable to an attack from someone using software exploits than a type 2 hypervisor.
D. Due to it being tied to the physical hardware of the machine, it’s more vulnerable to an attack from someone using software exploits than a type 2 hypervisor.

A

B. Due to being tied to the physical hardware of the machine, it would be harder for an attacker to inject malicious code to gain access than it would be on a type 2 hypervisor.

Explanation:
Type 1 hypervisors are known as bare-metal hypervisors because they run directly on the physical hardware of the machine and they are not software-based like type 2 hypervisors. Because they are tied to the hardware, it is more difficult for an attacker to inject malicious code to gain access than it would be on a type 2 hypervisor.

628
Q

An engineer has been tasked with safeguarding encryption keys and access to those keys. What is this known as?

A. Tokenization
B. Key management
C. Hashing
D. Key binding

A

B. Key management

Explanation:
Key management is the process of safeguarding encryption keys and access to those keys. Key management is complex and of extreme importance. This is because encryption is only as strong as the protection of the encryption keys.

629
Q

When configuring a new hypervisor, the engineer forgot to change the default administrative credentials. Which type of vulnerability listed on the OWASP Top 10 is this an example of?

A. XML external entities
B. Security misconfiguration
C. Cross-site scripting
D. Insecure deserialization

A

B. Security misconfiguration

Explanation:
A security misconfiguration occurs whenever systems or applications are configured in a way that makes them insecure. Systems regularly come preconfigured with default administrative credentials. These default credentials are generally easy to find online, so the failure to change them makes it possible for an attacker to gain access. This is an example of a security misconfiguration.

630
Q

The process of identifying, provisioning, and deprovisioning accounts is known as:

A. Identity management
B. Federation management
C. Management planning
D. Audit identification

A

A. Identity management

Explanation:
Identity management is the process of identifying, provisioning, and deprovisioning accounts (or identities). Most organizations will use an identity system such as LDAP to assist with the process of identity management.

631
Q

The Simple Object Access Protocol (SOAP) encapsulates its information in a SOAP:

A. Frame
B. Pocket
C. Packet
D. Envelope

A

D. Envelope

Explanation:
The Simple Object Access Protocol (SOAP) is used to exchange information between web services. It does this by encapsulating its data in what is called a SOAP envelope and then using common communication protocols such as HTTP for transmission.

632
Q

Traditional encryption methods may become obsolete as the cloud’s computing power and innovative technology improve optimization issues. What kind of advanced technology is potentially capable of defeating today’s encryption methods?

A. Blockchain
B. Artificial intelligence
C. Machine learning
D. Quantum computing

A

D. Quantum computing

Explanation:
Quantum computing is capable of solving problems that traditional computers are incapable of solving. When quantum computing becomes widely accessible to the general public, it will almost certainly be via the cloud, due to the substantial processing resources necessary to do quantum calculations.

633
Q

In which phase of the software development lifecycle (SDLC) should a cost-benefit analysis be done?

A. Design
B. Requirement gathering and feasibility
C. Maintenance
D. Development

A

B. Requirement gathering and feasibility

Explanation:
During the requirement gathering and feasibility stage of the SDLC, overall goals as well as desired outcomes should be documented. Timing and duration of the project should also be defined. During this phase, a cost-benefit analysis should be done to determine the feasibility of the project.

634
Q

Which of the primary information security principles does DNSSEC primarily ensure?

A. Availability
B. Confidentiality
C. All options are correct
D. Integrity

A

D. Integrity

Explanation:
DNSSEC signs DNS records so that a validating resolver can verify their integrity and origin. It does nothing for availability: signed zones can still be taken offline by a DoS attack, and the larger signed responses make DNS a better amplifier for reflection attacks.

DNSSEC also provides no confidentiality; signed records are still sent in cleartext. Encrypting DNS queries is the job of DNS over TLS or DNS over HTTPS, not DNSSEC.

635
Q

An engineer has been asked to review the most critical web application security risks currently known. What could this engineer use to review these?

A. ISO/IEC 31000:2018
B. ITIL
C. OWASP Top 10
D. NIST 800-146

A

C. OWASP Top 10

Explanation:
The Open Web Application Security Project (OWASP) Top 10 list identifies the 10 most critical web application security risks at a given time. The list is updated every few years so that it stays current. The entries below are the 2017 edition; the 2021 edition reorders and renames several of them (for example, Broken Access Control moves to first place and Injection absorbs Cross-Site Scripting):

    Injection
    Broken authentication
    Sensitive data exposure
    XML external entities
    Broken access control
    Security misconfigurations
    Cross-site scripting
    Insecure deserialization
    Using components with known vulnerabilities
    Insufficient logging and monitoring

636
Q

The terms, “evaluation assurance level” (EAL), “protection profile” (PP), and “security assurance requirements” (SARs) are related to which of the following standards?

A. FIPS 140-2
B. NIST SP 800-53
C. Common Criteria
D. PCI DSS

A

C. Common Criteria

Explanation:
The terms EAL, PP, and SARs are all defined within the Common Criteria standard, which is published by ISO/IEC as ISO/IEC 15408. A protection profile states the security requirements for a class of product, the security assurance requirements say what evidence must be produced, and the evaluation assurance level (EAL1 through EAL7) summarizes how rigorously the product was evaluated.

637
Q

A password would be considered which type of authentication type?

A. Something the user knows
B. Something the user does
C. Something the user has
D. Somewhere the user is

A

A. Something the user knows

Explanation:
In multi-factor authentication (MFA), users are required to use two or more types of authentication components. Authentication types include something the user knows (pin, passwords), something the user has (RSA token, key card), or something the user is (retina scan, fingerprint scan). Other less common authentication types include somewhere the user is (location-based) and something the user does (behavioral).

638
Q

Which framework, developed by the IDCA, covers all aspects of data center design, including cabling, location, connectivity, and security?

A. HITRUST
B. OWASP top 10
C. PCI DSS
D. Infinity Paradigm

A

D. Infinity Paradigm

Explanation:
The IDCA (International Data Center Authority) is responsible for developing the Infinity Paradigm, which is a framework intended to be used for operations and data center design. The Infinity Paradigm covers aspects of data center design, which include location, cabling, security, connectivity, and much more.

639
Q

When data is used in an application where it is viewable to users, customers, etc., it is known as which stage of the cloud secure data life cycle?

A. Use
B. Archive
C. Store
D. Share

A

D. Share

Explanation:
When data is used in an application where it is viewable to users, customers, and administrators, this is known as the share stage of the cloud secure data life cycle.

640
Q

What management strategy encompasses planning, coordinating, execution, and validation of changes and rollouts to the production environment?

A. Service level management
B. Release management
C. Configuration management
D. Change management

A

B. Release management

Explanation:
Cloud release management includes the planning, coordination, execution, and validation of updates and rollouts to the production environment. The primary focus is on accurately mapping out all of the procedures necessary for a release and then setting and loading them correctly.

All other selections are operational controls and standards within an organization.

641
Q

Company A and Company B have both purchased cloud services from a cloud service provider. Company A and Company B are both sharing access to a pool of resources owned by the cloud service provider.

Which of the following BEST describes Company A and Company B?

A. Audit
B. Broker
C. Tenant
D. Partner

A

C. Tenant

Explanation:
When one or more cloud customers share access to the same pool of resources, each customer is known as a tenant.

642
Q

Metadata is BEST described as:

A. Location data
B. Sensitive data
C. Data about data
D. Personally identifiable data

A

C. Data about data

Explanation:
Metadata is information regarding data such as the type of data, how the data is stored, and when the data was created.

643
Q

Which institute publishes the most widely used standard for data center topologies?

A. ITIL
B. Uptime Institute
C. NFPA
D. SOAP

A

B. Uptime Institute

Explanation:
The Uptime Institute publishes the most widely used standard for data center topologies. The standard is based on a series of four tiers. The standard also incorporates compliance tests.

ITIL (formerly the Information Technology Infrastructure Library) publishes best practices for aligning IT service management with business needs. The National Fire Protection Association (NFPA) publishes standards regarding fire protection. SOAP is not an institution but a messaging protocol used by web service APIs.

644
Q

TLS is a critical technology for encrypting data while it is in transit. TLS is composed of two protocol layers. What are they?

A. Handshake Protocol and Record Protocol
B. Data Protocol and Handshake protocol
C. Transport Protocol and Record Protocol
D. Record Protocol and Data Protocol

A

A. Handshake Protocol and Record Protocol

Explanation:
Transport Layer Security (TLS) is a set of cryptographic protocols that protect data in transit. The handshake protocol runs when two parties establish a session: it negotiates the protocol version and cipher suite, authenticates the server (and optionally the client) with certificates, and derives the session keys. The record protocol carries the handshake messages and, once keys exist, fragments, encrypts and integrity-protects the application data using those keys.
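The two layers can be seen directly in the bytes on the wire. The following Python is an added example and is not part of the flashcard deck: it builds a small ClientHello (sample bytes made up here, not captured from a real client) and then parses the record-layer header and the handshake-layer header as two separate steps, checking each length field against the bytes actually present, which is the check any inspection tool or IDS has to make before trusting a field.

```python
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
MAX_RECORD_BODY = 2 ** 14 + 256   # RFC 8446 upper bound for a protected record body


def build_client_hello_record():
    """Construct a minimal TLS record carrying a ClientHello. The values are
    made up for this example (constructed sample, not a capture)."""
    client_random = bytes(range(32))                 # 32-byte client random
    session_id = b""                                 # empty legacy session ID
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2f"      # three suites, two bytes each
    compression = b"\x00"                            # null compression only
    extensions = b""                                 # none, to keep the sample short
    body = (b"\x03\x03"                              # client_version: TLS 1.2
            + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    # Handshake layer header: 1-byte message type, 3-byte length.
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer header: 1-byte content type, 2-byte legacy version, 2-byte length.
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_record(data):
    """Record protocol (outer layer): returns content type, version bytes and
    the payload that the inner protocol must interpret."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    if length > MAX_RECORD_BODY:
        raise ValueError("record length exceeds TLS maximum")
    if len(data) < 5 + length:
        raise ValueError("record body truncated")
    return {"content_type": ctype, "version": (vmaj, vmin), "payload": data[5:5 + length]}


def parse_client_hello(payload):
    """Handshake protocol (inner layer), here a ClientHello. Every length
    field is checked against the bytes present before it is trusted."""
    if len(payload) < 4:
        raise ValueError("truncated handshake header")
    msg_type = payload[0]
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if msg_type != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello (handshake type %d)" % msg_type)
    if len(body) != length or length < 34:
        raise ValueError("handshake length inconsistent with record")

    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = tuple(take(2))
    client_random = take(32)
    session_id = take(take(1)[0])
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    raw_suites = take(cs_len)
    suites = [int.from_bytes(raw_suites[i:i + 2], "big") for i in range(0, cs_len, 2)]
    compression = take(take(1)[0])
    extensions = take(struct.unpack("!H", take(2))[0])
    if pos != len(body):
        raise ValueError("trailing bytes after ClientHello")
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression, "extensions": extensions}


if __name__ == "__main__":
    rec = parse_record(build_client_hello_record())
    print("record type", rec["content_type"], "version", rec["version"])
    print("client hello", parse_client_hello(rec["payload"]))
```

Note that the record-layer version of a ClientHello is only a legacy field (0x0301 here, as many clients send for compatibility); the version the client actually supports is in the handshake body and, for TLS 1.3, in the supported_versions extension, which this short sample omits.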

645
Q

Which of the following is NOT in the top three threats to cloud computing according to CSA’s 2020 Egregious 11?

A. Data breaches
B. Misconfigurations and inadequate change control
C. Lack of cloud security architecture and strategy
D. Abuse and nefarious use of cloud services

A

D. Abuse and nefarious use of cloud services

Explanation:
The Cloud Security Alliance’s (CSA) Egregious 11, in ranked order, includes the following:

Data breaches
Misconfigurations and inadequate change control
Lack of cloud security architecture and strategy
Insufficient identity, credentials, access and key management
Account hijacking
Insider threat
Insecure interfaces and APIs
Weak control plane
Metastructure and applistructure failures
Limited cloud usage visibility
Abuse and nefarious use of cloud services

646
Q

When deploying and using containers, which of the following should be the security team’s FIRST step before deployment?

A. Verify that the image has not been modified and is from the source that it claims to be
B. Create a project plan for implementing the new container
C. Research several different container types for the best option
D. Ensure the container is up to date with the latest patches

A

A. Verify that the image has not been modified and is from the source that it claims to be

Explanation:
If a container image is not verified, it could have been modified to give an attacker access to the organization’s data once it is deployed. Verification is done by comparing the image’s digest (checksum) with the value the vendor publishes, or by checking the vendor’s signature on the image, in both cases after download and before deployment. Pulling an image by a mutable tag such as latest gives no such guarantee, because the tag can be repointed at different content at any time.
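As an added example (not from the deck), the following Python shows that check in code: an admission function that refuses image references which are not pinned by digest, then verifies in constant time that the downloaded bytes hash to the pinned digest. The registry name, repository and manifest bytes are constructed for the example. Signature verification with the vendor’s public key would sit on top of this and is not shown.

```python
import hashlib
import hmac
import re

DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def parse_reference(ref):
    """Split an image reference into name, tag and digest.
    Simplified grammar: [registry[:port]/]repository[:tag][@sha256:hex]."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError("malformed digest in %r" % ref)
    tag = None
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:   # a ':' after the last '/' separates the tag, not a registry port
        name, tag = name[:colon], name[colon + 1:]
    if not name:
        raise ValueError("empty repository name")
    return {"name": name, "tag": tag, "digest": digest or None}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_blob(content, expected_digest):
    """Compare the hash of the downloaded bytes with the pinned digest in constant time."""
    m = DIGEST_RE.match(expected_digest)
    return bool(m) and hmac.compare_digest(sha256_hex(content), m.group(1))


def admit(ref, content):
    """Admission decision: the reference must be digest-pinned, and the bytes
    fetched must hash to that digest. Returns (allowed, reason)."""
    parsed = parse_reference(ref)
    if parsed["digest"] is None:
        hint = parsed["tag"] or "latest (implicit)"
        return False, "reference is tag-only (%s); pin it by digest" % hint
    if not verify_blob(content, parsed["digest"]):
        return False, "content hash does not match pinned digest"
    return True, "ok"


# Constructed sample manifest; a real one is the JSON document the registry serves.
SAMPLE_MANIFEST = b'{"schemaVersion":2,"layers":[{"digest":"sha256:abc"}]}'
# Hypothetical registry and repository names, pinned to the sample's digest.
PINNED_REF = "registry.example.com:5000/team/app:1.4.2@sha256:" + sha256_hex(SAMPLE_MANIFEST)

if __name__ == "__main__":
    print(admit("nginx", SAMPLE_MANIFEST))                      # rejected: tag-only
    print(admit(PINNED_REF, SAMPLE_MANIFEST))                   # admitted
    print(admit(PINNED_REF, SAMPLE_MANIFEST + b"\n"))           # rejected: one byte changed
```

The same digest-pinning rule is what an admission controller or CI policy enforces in practice; a single changed byte in the manifest or any layer changes the digest and the pull is refused.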

647
Q

In a cloud environment, security of the physical equipment becomes the sole responsibility of which of the following?

A. Cloud customer
B. Cloud auditor
C. Cloud broker
D. Cloud provider

A

D. Cloud provider

Explanation:
The cloud provider is solely responsible for the security of the physical environment for all cloud types, which includes IaaS, SaaS, and PaaS.

648
Q

The Generally Accepted Privacy Principles (GAPP) were developed to contribute to the formation of privacy programs. Which of the following is NOT one of the GAPP’s ten principles?

A. Reliability
B. Access
C. Management
D. Quality

A

A. Reliability

Explanation:
The Generally Accepted Privacy Principles (GAPP) are focused on principles of privacy risks. Reliability is not one of the ten privacy principles outlined in GAPP.

The ten privacy principles are:

    Management
    Notice
    Choice and consent
    Collection
    Use, retention, and disposal
    Access
    Disclosure to third-parties
    Security for privacy
    Quality
    Monitoring and enforcement

649
Q

During which phase of the cloud data lifecycle is data removed from being active or “hot” within the system to long term storage?

A. Share phase
B. Use phase
C. Destroy phase
D. Archive phase

A

D. Archive phase

Explanation:
The archive phase is when data is removed from the system and moved to long term storage. In many cases, archived data is stored offsite for disaster recovery purposes.

650
Q

Which technology facilitates the extension of a private network over a public network?

A. VLAN
B. RDP
C. VPN
D. DNSSEC

A

C. VPN

Explanation:
A VPN (virtual private network) facilitates the extension of a private network over a public network, as the name suggests. When a user is connected to a VPN, they are able to work as if they were sitting within the physical boundaries of the private network.

651
Q

Of the following, which is the BEST way to protect data in transit?

A. Encrypted transport methods such as TLS
B. Antivirus
C. Secure APIs and web services
D. Encryption technologies such as AES

A

A. Encrypted transport methods such as TLS

Explanation:
Data in transit is protected by encrypted transport methods such as TLS.

Data in use is protected through secure API calls and web services (and, where available, confidential computing). The main method for protecting data at rest is encryption with an algorithm such as AES.

652
Q

HTTPS is a security protocol applicable to which type of data?

A. Data in transit
B. Data in deletion
C. Data at rest
D. Data in storage

A

A. Data in transit

Explanation:
HTTPS, IPsec, TLS (and its deprecated predecessor SSL) and VPN technologies are used to secure data in transit.

In order to protect data at rest, it’s best to encrypt the full hard drive of the device where the data is being stored.

653
Q

What term is used to describe an individual or organization that serves as an intermediary between cloud customers and a cloud service provider?

A. Cloud service partner
B. Cloud service auditor
C. Cloud service broker
D. Cloud service user

A

C. Cloud service broker

Explanation:
A cloud service broker is an individual or organization which serves as the go-between or intermediary between cloud customers and cloud service providers.

654
Q

Which of the following terms can be used to describe the process of overwriting erased data with arbitrary data and zero values as a method of data sanitation?

A. Data hijacking
B. Cryptographic erasing
C. Degaussing
D. Zeroing

A

D. Zeroing

Explanation:
Zeroing is another term for overwriting. In this process, erased data is overwritten with arbitrary data and zero values as a means of data sanitization. Overwriting is only reliable where the writer controls the physical medium: on SSDs, wear levelling can leave old blocks untouched, and in the cloud the customer usually cannot address the underlying storage at all, so cryptographic erasure (destroying the key the data was encrypted with) is the practical alternative.

655
Q

A software developer is looking for a way to avoid installing and running application software directly within the operating system. As an alternative, it is suggested they should begin storing applications and any associated library files in the cloud. Which cloud service is being discussed?

A. Quantum computing
B. Containerization
C. Blockchain
D. Virtualization

A

B. Containerization

Explanation:
Containerization is the process of packaging an application together with everything it needs to run (libraries, runtime, configuration) into a single container image. Application containers isolate the application’s files and dependencies from the host system, while still sharing the host’s kernel. Containerization is a lightweight alternative to installing and running applications directly within an operating system.

All other options are related technologies.

656
Q

An organization has hired a hacker to infiltrate one of their competitor’s systems and steal confidential data regarding a new product they are releasing. The attacker was able to gain a foothold in the network. Once the attacker gained access to the systems, he began silently stealing the data necessary. He also created back-doors into the network for easy reentry. The attacker stayed undetected on the network for many months.

What type of threat is this?

A. Denial of service attack
B. Advanced persistent threat
C. Injection attack
D. Malicious insider

A

B. Advanced persistent threat

Explanation:
An advanced persistent threat (APT) is an attack which aims to gain access to the network and systems while staying undetected. APTs will try not to do anything that could be disruptive, as their goal is to maintain access for as long as possible without raising any red flags. During an APT’s stay on the network, the attackers will often create more back-doors for re-entry in case the original way in gets patched. APTs are generally looking for ways to steal data from the network and systems.

657
Q

Which of the following is quantified in terms of data loss rather than time?

A. MTD
B. RPO
C. RTO
D. ALE

A

B. RPO

Explanation:
A recovery point objective (RPO) is defined in terms of data loss, not time to recover: it is the maximum amount of data, expressed as the age of the most recent usable copy, that may be lost in a disaster. Backing up or replicating more frequently lowers the RPO.

RTO, MTD and ALE are other disaster recovery and business continuity criteria.

658
Q

Which type of security test is run against live systems and those testing have limited knowledge of the systems?

A. Vulnerability scanning
B. SAST
C. DAST
D. Penetration testing

A

C. DAST

Explanation:
Dynamic application security testing (DAST) is a “black-box” type of security test, meaning that the tester is not given any special information about the systems they are testing. DAST is performed on live systems.

Static application security testing (SAST) is a “white-box” type of test, meaning that the tester has knowledge of and access to the source code. SAST is performed offline, against code rather than a running system. Vulnerability scanning is a test that is run against systems to ensure that they are properly hardened and free of known vulnerabilities. Penetration testing is a type of test in which the tester attempts to break into systems using the same tools that an attacker would use to discover and exploit vulnerabilities.

659
Q

An organization has a team working on an audit plan. They have just effectively defined all of the objectives needed to set the groundwork for the audit plan.

What is the NEXT step for this team to complete?

A. Review previous audits
B. Conduct market research
C. Perform the audit
D. Define scope

A

D. Define scope

Explanation:
Audit planning is made up of four main steps, which occur in the following order:

Define objectives
Define scope
Conduct the audit
Lessons learned and analysis

660
Q

In the event of a disaster, the measurement of time that it would take to get operations back online to a point where management’s BCDR objectives are met, is known as:

A. RPO
B. RSL
C. MTR
D. RTO

A

D. RTO

Explanation:
The RTO, or recovery time objective, is the measurement of how long it would take to recover operations after a disaster has occurred. Operations must be recovered to a point where management’s BCDR (business continuity and disaster recovery) objectives are met.

661
Q

Which of the following is NOT a feature that is provided by a typical SIEM solution?

A. Web content filtering
B. Correlation
C. Reporting
D. Alerting

A

A. Web content filtering

Explanation:
SIEM (Security Information and Event Management) solutions include features such as log aggregation, correlation of events across sources, alerting, reporting, compliance support, and dashboards.

A SIEM solution does not provide web content filtering. That is an enforcement control performed inline by a web proxy, secure web gateway, or firewall; the SIEM only consumes the logs those devices produce.

662
Q

Which of the following can make it difficult for a software developer using a public cloud to receive a security certification for their application?

A. Many regulations require that applications be built in physical data centers to be considered secure
B. The cloud provider may not be willing to allow auditors the level of access needed to certify their environment
C. The cost of auditing a cloud environment is much higher than the cost of auditing a physical data center
D. Cloud environments are inherently less secure than other physical environments

A

B. The cloud provider may not be willing to allow auditors the level of access needed to certify their environment

Explanation:
In many cases, to meet regulatory requirements, the underlying infrastructure and hosting environment of an application must undergo auditing before the application residing there can be certified. This can be a problem for applications hosted in the cloud, especially those in a public cloud. The cloud provider may not be willing to allow auditors the access needed to certify their environment. The cloud provider may also be unwilling or unable to meet the requirements necessary to be certified, anyway.

663
Q

An engineer is involved with limiting the effects that security events have on an organization. What type of management process is this engineer involved in?

A. Incident management
B. Continuity management
C. Deployment management
D. Change management

A

A. Incident management

Explanation:
Any event that causes disruptions within an organization is known as an incident; this includes security events as well. Processes and procedures put in place to limit the effects of these incidents are known as incident management.

664
Q

Your organization uses an IaaS cloud model and they need to select a storage mechanism that allows metadata tags. What would be the BEST option for your organization?

A. Object storage
B. Volume storage
C. Blob storage
D. Block storage

A

A. Object storage

Explanation:
While block storage is ideal for big, organized data sets that require frequent access and updates, it struggles with metadata, which is required to make sense of unstructured data. The best option for unstructured data is object storage. Each storage unit in object storage is an object, which may or may not be connected with metadata describing the item. This simplifies the organization and retrieval of data. A business can simplify the categorization and retrieval of unstructured data by utilizing object storage.

Block, Blob, and Volume are other storage types.

665
Q

Within LDAP, which of the following acts as the primary key for an object?

A. CN
B. HN
C. AN
D. DN

A

D. DN

Explanation:
A DN (distinguished name) acts as the primary key for an object in LDAP (lightweight directory access protocol).

666
Q

What is OAuth used for?

A. Authentication
B. Authorization
C. Federation
D. Identification

A

B. Authorization

Explanation:
OAuth is a framework used for authorization. The OAuth 2.0 authorization framework (RFC 6749) enables a third-party application to obtain limited, scoped access to an HTTP service on a user’s behalf, without the user handing that application their credentials. OAuth does not by itself authenticate the user; OpenID Connect adds an identity layer on top of OAuth 2.0 for that purpose.
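As an added example (not from the deck), the following Python walks through the messages of the authorization code flow with PKCE (RFC 7636) and the state parameter, and shows the check each side performs: the client binds the redirect back to its own request with state, and the authorization server binds the token request to the earlier authorization request by recomputing the code challenge. The endpoint URLs, client ID and scope are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_for(verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Client side, before the request: a fresh verifier kept secret, and its challenge."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars; RFC 7636 allows 43 to 128
    return verifier, challenge_for(verifier)


def build_authorization_request(authorize_endpoint, client_id, redirect_uri, scope, state, code_challenge):
    """Client side, step 1: the URL the user-agent is sent to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,                       # the limited access being asked for
        "state": state,                       # random per request; checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


def check_redirect(redirect_url, expected_state):
    """Client side, step 2: the browser comes back with ?code=...&state=...
    Reject unless state matches our request (CSRF defence), then return the code."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response is not bound to our request")
    if "error" in q:
        raise ValueError("authorization server returned error: %s" % q["error"][0])
    if "code" not in q:
        raise ValueError("no authorization code in redirect")
    return q["code"][0]


def server_accepts_token_request(stored_challenge, presented_verifier):
    """Authorization server side, step 3: when the client exchanges the code for a
    token it presents the verifier; the server recomputes the challenge it stored
    with the code. A stolen code is useless without the verifier."""
    return hmac.compare_digest(challenge_for(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_request("https://auth.example/authorize", "app1",
                                      "https://app.example/cb", "photos.read", state, challenge)
    print("1. redirect user to:", url)
    code = check_redirect("https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state, state)
    print("2. got code", code, "bound to our state")
    print("3. server accepts verifier:", server_accepts_token_request(challenge, verifier))
```

The scope string is where the “limited access” in the explanation lives: the resulting access token is good only for what the user consented to, and the application never sees the user’s password.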

667
Q

Which of the following terms is used to describe the maximum memory or processing utilization allowed by a cloud customer?

A. Caps
B. Reservations
C. Shares
D. Limits

A

D. Limits

Explanation:
The maximum amount of memory and processing utilization allowed for a cloud customer is known as a limit. Limits are the opposite of reservations. Reservations are used to ensure that cloud customers have the minimum amount of resources needed to run their services, while shares decide how contended capacity is divided when tenants compete for it.

668
Q

When data is being used by an application, it is referred to as:

A. Unstructured data
B. Structured data
C. Data at rest
D. Data in transit

A

D. Data in transit

Explanation:
Strictly, data has three states: at rest, in transit, and in use. Data being actively processed by an application is “data in use”; that state is not offered as an option here, so the deck’s key treats it as data in transit, on the grounds that the data is moving through the application rather than sitting in storage.

When data is stored and not being used by an application, it is known as data at rest. Structured and unstructured describe the format of data, not its state, and are not applicable answers to this question.

669
Q

“Finite State Model” is one of the 11 sections that are defined in which standard?

A. PCI DSS
B. FIPS 140-2
C. NIST SP 800-53
D. ISO/IEC 27001

A

B. FIPS 140-2

Explanation:
FIPS (Federal Information Processing Standard) 140-2 is divided into 11 sections that define security requirements for cryptographic modules. Finite State Model is one of those 11 sections.

670
Q

An organization is running VMware Workstation. What type of hypervisor is this?

A. PaaS
B. Bare-metal
C. Software-based
D. IaaS

A

C. Software-based

Explanation:
VMware Workstation is a type 2 hypervisor, also known as a software-based hypervisor. It is not tied directly to the hardware infrastructure and can run within an operating system as software.

671
Q

The CSP will not permit your business to conduct an independent examination of cloud service controls, and has indicated that this role must be performed by an independent third party and the results provided to your organization. What type of cloud challenge is this?

A. Auditability
B. Resiliency
C. Regulatory
D. Governance

A

A. Auditability

Explanation:
CSPs rarely permit a cloud service customer (CSC) to audit their service controls directly. Instead, the CSC relies on independent third parties engaged by the provider to examine the cloud service controls and offer an opinion on whether they operate as intended. SOC 2 reports, vulnerability scans, and penetration test results are all examples of these types of assessments.

Regulatory, governance and resiliency are other shared cloud considerations.

672
Q

Which type of attack is carried out by flooding a system with useless traffic so that it isn’t able to respond to legitimate resource requests?

A. Denial-of-service
B. Logic bomb
C. Escalation of privileges
D. Advanced persistent threat

A

A. Denial-of-service

Explanation:
A denial-of-service attack occurs when a large amount of useless traffic is sent to a system, thereby overloading the system’s resources and making it unable to respond to legitimate requests. In a cloud environment, it’s possible for a denial-of-service attack to affect all clients of the affected cloud provider.

673
Q

Which of the following would be a benefit of using a public cloud deployment rather than a private, hybrid, or community cloud deployment?

A. Security
B. Inexpensive
C. Full ownership of data
D. Control over systems

A

B. Inexpensive

Explanation:
A public cloud is the least expensive cloud deployment option, but it is also the one in which the customer has the least control over security. Public clouds are available to the general public, and customers pay only for the services that they use. All expenses, from licensing, hardware, and bandwidth to operational costs, are handled by the provider.

Public clouds do not offer full control over the systems in the way that private clouds do, nor do they offer the control over data the way that private clouds do.

674
Q

A cloud engineer must notify their cloud customer that they have located a vulnerability in their system that they are currently working to resolve.

Which of the five key principles of the ISO/IEC 27018 would this scenario fall into?

A. Yearly audits
B. Control
C. Communication
D. Consent

A

C. Communication

Explanation:
The ISO/IEC 27018 is focused on five key principles, which include communication, consent, control, transparency, and independent and yearly audits. Communication refers to the need for any event that could impact the security of data within a cloud environment to be clearly documented as well as relayed to the cloud customers.

675
Q

In regard to data privacy, the security of the actual data is the responsibility of the cloud customer in which of the following cloud service models?

A. SaaS only
B. All cloud service models
C. PaaS only
D. IaaS only

A

B. All cloud service models

Explanation:
The security and privacy of the actual data itself is the sole responsibility of the cloud customer in all cloud service models, including SaaS, PaaS, and IaaS.

676
Q

Which is NOT a driver for the distributed IT models?

A. Globalization of companies
B. Reduced costs
C. Outsourcing to multiple vendors
D. Collaboration with geographically distributed offices
E. Clear communication

A

E. Clear communication

Explanation:
Clear communication is one of the variables affecting the distributed IT model. Traditional IT model deployments have a line of sight, which means they have physical access to the systems and are aware of what is happening. Now that you have distributed offices, you must maintain clear communication with them. Collaboration and information sharing are vital. Thus, there must be clear, effective communication.

All other options are drivers of the distributed IT model.

677
Q

Adam would like to find information regarding the minimal requirements that his organization’s cloud provider must meet for contractual satisfaction. Where could Adam find this information?

A. SLA
B. EAL
C. API
D. ISO

A

A. SLA

Explanation:
The service level agreement (SLA) is a criterion that provides specific requirements that must be met by the cloud provider for contractual satisfaction between the cloud customer and the cloud provider.

678
Q

Organization A has hired a third party to perform a security test for them. The third-party vendor has been given no special knowledge of the environment. Instead, they are to use the same techniques, toolsets, and methodologies that an actual attacker would use to try to actively attempt to attack and compromise Organization A’s application.

What type of test is being described here?

A. Penetration test
B. RASP
C. Static application security testing
D. Vulnerability scan

A

A. Penetration test

Explanation:
During a penetration test, the tester is trying to actively break into the live systems. This is meant to simulate a real-life scenario and therefore, the tester will use the same techniques, methodologies, and toolsets that an actual attacker would use to compromise a system.

During static application security testing (SAST), the tester has knowledge of and access to the source code, and all testing is done in an offline manner. Vulnerability scans are usually done by an organization against their own systems to ensure that their systems are hardened against known vulnerabilities. Runtime application self-protection (RASP) is a security mechanism that helps applications protect themselves by blocking attacks in real time.

679
Q

Which sort of testing embeds an agent within an application and analyzes the application’s traffic and behaviour in real time to identify potential security issues?

A. DAST
B. RASP
C. SAST
D. IAST

A

D. IAST

Explanation:
Interactive Application Security Testing (IAST) is a gray-box testing technique. An agent is placed inside the running application and analyzes its traffic and behaviour in real time in order to uncover security vulnerabilities. IAST can be used at any point during the SSDLC where the application can be exercised.

Static application security testing (SAST), Dynamic application security testing (DAST) and Runtime application self-protection (RASP) are other security testing types.

680
Q

For the organizations’ cloud environment, they are using a SaaS IAM manager and users will be using the same username and password for both the cloud and on-premise IAM systems. Due to the risks this may present, what is an important component to the organization’s cloud IAM strategy?

A. Vendors policies and processes
B. Cloud audit controls
C. User education
D. Cloud vendor due diligence

A

C. User education

Explanation:
In any sort of identity and access management (IAM) system, whether through a SaaS provider solution or through federation with the organization’s on-premises IAM manager, there are risks. Reusing the same username and password across the cloud and on-premises systems means a credential phished or leaked from one is valid for both, so user education about phishing and credential hygiene is an important component of the organization’s cloud IAM strategy (alongside MFA, which removes much of the risk outright).

All other options are incorrect.

681
Q

Reservations in cloud environments ensure that cloud customers always have at least the minimum amount of resources needed to power and operate their services.

This is particularly important in case of which type of cyber attack?

A. Denial-of-service
B. Logic bomb
C. Ransomware
D. Spear-phishing

A

A. Denial-of-service

Explanation:
Denial-of-service (DoS) attacks flood a network with useless traffic in order to consume all the available resources. This eventually makes it impossible for the resources to be used for legitimate traffic, rendering the services useless. Without reservations in place to guarantee that all customers have the minimum needed resources to operate, a DoS attack on one customer could prevent other customers from operating as well.

682
Q

According to ASHRAE, what is the ideal humidity level for a data center?

A. 45-65 percent relative humidity
B. 40-60 percent relative humidity
C. 50-70 percent relative humidity
D. 20-40 percent relative humidity

A

B. 40-60 percent relative humidity

Explanation:
It is important to ensure that both temperature and humidity are at ideal levels within a data center. Whenever humidity levels are too high, condensation can form and cause water damage to systems. Whenever humidity levels are too low, electrostatic discharge is more likely to occur and cause damage to systems. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends data centers to have a level of 40-60 percent relative humidity.

683
Q

A security engineer is responsible for implementing security features for a web application. How can this security engineer help prevent possible injection attacks?

A. Input validation
B. Proper logging
C. Security patching
D. Anti-malware programs

A

A. Input validation

Explanation:
An injection attack occurs when malicious input sent through an application’s input fields is interpreted as code or commands by an interpreter behind it (a SQL database, an OS shell, an LDAP directory). In order to prevent this type of attack, all data that arrives through an input field should be validated against what is expected and properly sanitized, and database access should use parameterized queries (prepared statements) so that input is never interpreted as part of the statement.
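As an added example not from the deck, the following Python puts the vulnerable pattern next to the fixed one, using an in-memory SQLite table with constructed rows: string concatenation lets a quote in the input change the query, a parameterized query does not, and an allow-list validator at the input field rejects the payload before it reaches the database at all.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table; SQLite in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately broken: the input is pasted into the statement, so a quote in
    the input ends the string literal and the rest runs as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the statement and
    can never be interpreted as SQL, whatever characters it contains."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(username):
    """Allow-list validation at the input field: the only shape a username may have."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup(conn, username):
    """What the web tier should do: validate first, then query with parameters."""
    if not validate_username(username):
        raise ValueError("rejected username")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"           # classic tautology payload
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    print("parameterized:", lookup_safe(db, payload))      # no such user: []
    print("validated:", validate_username(payload))        # False, rejected at the edge
```

Both layers are worth keeping: validation stops malformed input early and gives a clean error, while the parameterized query is the control that holds even when validation is missed or a field legitimately has to accept quotes.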

684
Q

SCM and versioning are widely used in all software development environments and are supported by the usage of what?

A. IAM
B. CMDB
C. SSDLC
D. QA

A

B. CMDB

Explanation:
Software configuration management (SCM) and versioning are commonly utilized in all types of software development environments and are facilitated by the use of configuration management databases (CMDBs). The CMDB can be federated and synchronized across many systems, and the database can be stored on-premises or in the cloud.

685
Q

Roger is working within a database. The data in the database is encrypted, but Roger doesn’t notice the encryption. Which method of encryption is integrated within the actual database processes and, therefore, not noticeable by the user?

A. Computational encryption
B. Transparent encryption
C. Blind encryption
D. Speed encryption

A

B. Transparent encryption

Explanation:
Transparent encryption (often called transparent data encryption, TDE) is integrated into the database engine itself, which encrypts data files and backups on disk and decrypts them as queries run, so the encryption is unnoticeable to the user. Because it is transparent to anyone with database privileges, it protects data at rest against theft of the storage or backups, but it does nothing against an attacker who can run queries as an authorized user; that requires access control and, where needed, application-level or column-level encryption.

Blind encryption, computational encryption, and speed encryption are not legitimate encryption types.

686
Q

Jada is currently vetting the tokenization process of her organization’s cloud provider. What is one risk that Jada should ensure is limited during the tokenization process?

A. Vendor lock-in
B. Price changes
C. SLA modifications
D. File type changes

A

A. Vendor lock-in

Explanation:
Vendor lock-in is a scenario in which a cloud customer is tied to and dependent on one cloud provider without the ability to move to another. Tokenization creates this risk in a specific way: the mapping from tokens back to the original values lives in the provider’s token vault and is reached through its detokenization API, so unless that mapping can be exported, the tokenized data cannot be moved elsewhere without retrieving and re-tokenizing every value. Cloud customers should ensure that anything done with the cloud provider will not cause this type of vendor lock-in.

687
Q

Which of the following is NOT considered PHI?

A. Demographic information
B. Medical history
C. Passport number
D. Lab results

A

C. Passport number

Explanation:
Protected health information (PHI) covers items such as a medical history, physical and mental health information, demographic information, lab results, physician notes, and other health related items.

Passport numbers would be considered personally identifiable information (PII) rather than PHI.

688
Q

Service level management is concerned with the oversight of SLAs (service level agreements), UCs (underpinning contracts) and what other component?

A. RPs
B. AROs
C. OLAs
D. RTOs

A

C. OLAs

Explanation:
OLAs (operational level agreements) are similar to SLAs, but rather than existing between a customer and an external provider, OLAs exist between two units within the same organization. Service level management is concerned with the oversight of SLAs, UCs, and OLAs.

689
Q

You are using a well-known and well-supported OSS. How should this open-source software be validated?

A. SAST tools in conjunction with IAST tools
B. SAST tools only
C. DAST tools in conjunction with RASP tools
D. IAST tools only

A

A. SAST tools in conjunction with IAST tools

Explanation:
Given that you are utilizing a well-known and well-supported Open-Source Software (OSS), performing Static Application Security Testing (SAST) to identify vulnerabilities and then implementing Interactive Application Security Testing (IAST) to detect additional security issues in real time would be sufficient for validation.

690
Q

Having a proper mapping strategy will enable an organization to do which of the following?

A. Easily group together data of similar types
B. Know when data is modified within an application
C. Classify data based on whether it is structured or unstructured
D. Know all of the locations where data is present within its application

A

D. Know all of the locations where data is present within its application

Explanation:
In order to implement security controls and policies, an organization must first know where and what type of data is present in the system. Having a proper mapping strategy enables an organization to know all of the locations where data is present within its application and within other storage. Having this knowledge goes a long way in creating effective security policies.

691
Q

Network services and acceptable use policies are examples of what type of policy?

A. Restrictive
B. Functional
C. Organization
D. Access

A

B. Functional

Explanation:
Network services and acceptable use policies are examples of functional policies. Functional policies set guiding principles for individual business functions and activities.

All other options are policy type categories.

692
Q

An organization has a team working on an audit plan. They have just effectively defined all of the objectives needed to set the groundwork for the audit plan.

What is the NEXT step for this team to complete?

A. Review previous audits
B. Define scope
C. Perform the audit
D. Conduct market research

A

B. Define scope

Explanation:
Audit planning is made up of four main steps, which occur in the following order:

Define objectives
Define scope
Conduct the audit
Lessons learned and analysis

693
Q

In the event of a disaster, the measurement of time that it would take to get operations back online to a point where management’s BCDR objectives are met is known as:

A. RPO
B. MTR
C. RSL
D. RTO

A

D. RTO

Explanation:
The RTO, or recovery time objective, is the measurement of how long it would take to recover operations after a disaster has occurred. Operations must be recovered to a point where management’s BCDR (business continuity and disaster recovery) objectives are met.

694
Q

An attacker was able to gain access to a cloud environment due to a lack of security controls in place. Once he gained access to that environment, he used those resources to perform a distributed denial of service attack against another organization.

What is this type of threat known as?

A. Abuse or nefarious use of cloud services
B. Shared technology issues
C. Insecure deserialization
D. Insufficient logging and monitoring

A

A. Abuse or nefarious use of cloud services

Explanation:
Abuse or nefarious use of cloud services is listed as one of the top twelve threats to cloud environments by the Cloud Security Alliance. Abuse or nefarious use of cloud services occurs when an attacker is able to launch attacks from a cloud environment, either by gaining access to a poorly secured cloud or by using a free trial of a cloud service.

695
Q

IRM is typically provisioned by the data owner. In what access model is the owner responsible for specifying metadata like classification rating and user role?

A. Role-based Access Control
B. Discretionary Access Control
C. Mandatory Access Control
D. Rule-based Access Control

A

C. Mandatory Access Control

Explanation:
In a mandatory access control (MAC) model, the owner is responsible for specifying metadata like classification rating or user role. The IRM system utilizes this metadata to enforce access control decisions.

All other options are access control models.

696
Q

An engineer is working on a system that will be used by employees of a federal government agency. Which of the following pieces of legislation must this engineer be especially aware of while working on this system?

A. GBLA
B. FISMA
C. PHI
D. HIPAA

A

B. FISMA

Explanation:
Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government. An engineer working on a system that will be used by a federal government agency must be aware of FISMA.

697
Q

An engineer working in a data center noticed that the humidity level was 80% relative humidity. What threat could this cause to systems?

A. Systems may overheat and fry internal components
B. 80% relative humidity is within the ideal range, so it does not pose any risk to systems
C. Excess electrostatic discharge could damage systems
D. Condensation may form causing water damage

A

D. Condensation may form causing water damage

Explanation:
The American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge, which may damage systems.

698
Q

An engineer needs to ensure that packets passing between two network devices are encrypted and authenticated. Which protocol can be used to accomplish this?

A. DHCP
B. RDP
C. DNSSEC
D. IPsec

A

D. IPsec

Explanation:
IPsec is a protocol for encrypting and authenticating packets between two parties. Examples of this include a pair of servers, a pair of network devices, or between network devices and servers.

DNSSEC is a security extension of the DNS protocol and couldn’t be used in the described scenario. DHCP is used to dynamically configure network information on hosts. RDP is a technology developed by Microsoft to allow users to connect to a remote device.

699
Q

Having the ability to move data between two separate cloud providers is known as:

A. Multitenancy
B. Rapid elasticity
C. Cloud data portability
D. Cloud application portability

A

C. Cloud data portability

Explanation:
The ability to move data between multiple cloud providers is known as cloud data portability, while cloud application portability refers, instead, to the ability to move an application between cloud providers.

Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within one environment.

700
Q

Cardholder data (CD) is a specific type of:

A. API
B. PHI
C. PII
D. PCI

A

C. PII

Explanation:
Personally identifiable information (PII) is a type of data that can either directly or indirectly identify an individual. Cardholder data (CD) is a specific type of PII that relates to information such as credit/debit card numbers, security codes, expiration dates, and any information that ties these items to the cardholder.

701
Q

Which of the following is NOT one of the tiers documented in the Uptime Institute’s Data Center Site Infrastructure Tier Standard Topology?

A. Redundant maintainability
B. Basic capacity
C. Redundant capacity components
D. Fault tolerance

A

A. Redundant maintainability

Explanation:
The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. The standard is based on four tiers, which include:

Tier I: Basic Capacity
Tier II: Redundant Capacity Components
Tier III: Concurrently Maintainable
Tier IV: Fault Tolerance