Question #201-300 Flashcards
QUESTION 201
What’s a potential problem when object storage versus volume storage is used within IaaS for application use and dependency?
A. Object storage is only optimized for small files.
B. Object storage is its own system, and data consistency depends on replication.
C. Object storage may have availability issues.
D. Object storage is dependent on access control from the host server.
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Object storage runs on its own independent systems, which have their own redundancy and distribution. To ensure data consistency, sufficient time is needed for objects to fully replicate to all potential locations before being accessed. Object storage is optimized for high availability and will not be any less reliable than any other virtual machine within a cloud environment. It is hosted on a separate system that does not have dependencies in local host servers for access control, and it is optimized for files of all different sizes and uses.
QUESTION 202
Many aspects of cloud computing bring enormous benefits over a traditional data center, but also introduce new challenges unique to cloud computing.
Which of the following aspects of cloud computing makes appropriate data classification of high importance?
A. Multitenancy
B. Interoperability
C. Portability
D. Reversibility
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
With multitenancy, where different cloud customers all share the same physical systems and networks, data classification becomes even more important to ensure that the appropriate security controls are applied immediately to prevent any potential leakage or exposure to other customers. Portability refers to the ability to move easily from one cloud provider to another. Interoperability refers to the ability to reuse components and services for different uses. Reversibility refers to the ability of the cloud customer to quickly and completely remove all data and services from a cloud provider and to verify the removal.
QUESTION 203
Without the extensive funds of a large corporation, a small-sized company could gain considerable and cost-effective services for which of the following concepts by moving to a cloud environment?
A. Regulatory
B. Security
C. Testing
D. Development
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Cloud environments, regardless of the specific deployment model used, have extensive and robust security controls in place, especially in regard to physical and infrastructure security. A small company can leverage the extensive security controls and monitoring provided by a cloud provider, which they would unlikely ever be able to afford on their own. Moving to a cloud would not result in any gains for development and testing because these areas require the same rigor regardless of where deployment and hosting occur. Regulatory compliance in a cloud would not be a gain for an organization because it would likely result in additional oversight and auditing as well as require the organization to adapt to a new environment.
QUESTION 204
BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the amount of data and services needed to reach the predetermined level of operations?
A. SRE
B. RPO
C. RSL
D. RTO
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. SRE is provided as an erroneous response.
QUESTION 205
Which of the following is NOT a commonly used communications method within cloud environments to secure data in transit?
A. IPSec
B. HTTPS
C. VPN
D. DNSSEC
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
DNSSEC is used as a security extension to DNS lookup queries in order to ensure the authenticity and authoritativeness of hostname resolutions, in order to prevent spoofing and redirection of traffic. Although it is a very important concept to be employed for security practices, it is not used to secure or encrypt data transmissions. HTTPS is the most commonly used security mechanism for data communications between clients and websites and web services. IPSec is less commonly used, but is also intended to secure communications between servers. VPN is commonly used to secure traffic into a network area or subnet for developers and administrative users.
QUESTION 206
Which crucial aspect of cloud computing can be most threatened by insecure APIs?
A. Automation
B. Resource pooling
C. Elasticity
D. Redundancy
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment. Resource pooling and elasticity could both be impacted by insecure APIs, as both require automation and orchestration to operate properly, but automation is the better answer here. Redundancy would not be directly impacted by insecure APIs.
QUESTION 207
The WS-Security standards are built around all of the following standards except which one?
A. SAML
B. WSDL
C. XML
D. SOAP
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The WS-Security specifications, as well as the WS-Federation system, are built upon XML, WSDL, and SOAP. SAML is a very similar protocol that is used as an alternative to WS. XML, WSDL, and SOAP are all integral to the WS-Security specifications.
QUESTION 208
Which protocol, as a part of TLS, handles negotiating and establishing a connection between two parties?
A. Record
B. Binding
C. Negotiation
D. Handshake
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables a secure communications channel to then handle data transmissions. The TLS record protocol is the actual secure communications method for transmitting data; it’s responsible for the encryption and authentication of packets throughout their transmission between the parties, and in some cases it also performs compression. Negotiation and binding are not protocols under TLS.
QUESTION 209
BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the required amount of time to restore services to the predetermined level?
A. RPO
B. RSL
C. RTO
D. SRE
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. SRE is provided as an erroneous response.
QUESTION 210
Which data protection strategy would be useful for a situation where the ability to remove sensitive data from a set is needed, but a requirement to retain the ability to map back to the original values is also present?
A. Masking
B. Tokenization
C. Encryption
D. Anonymization
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Tokenization involves the replacement of sensitive data fields with key or token values, which can ultimately be mapped back to the original, sensitive data values. Masking refers to the overall approach to covering sensitive data, and anonymization is a type of masking, where indirect identifiers are removed from a data set to prevent the mapping back of data to an individual. Encryption refers to the overall process of protecting data via key pairs and protecting confidentiality.
QUESTION 211
Which of the following is NOT one of the components of multifactor authentication?
A. Something the user knows
B. Something the user has
C. Something the user sends
D. Something the user is
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Multifactor authentication systems are composed of something the user knows, something the user has, and/or something the user is (such as biometrics or physical features); something the user sends is not one of the factors.
QUESTION 212
Above and beyond general regulations for data privacy and protection, certain types of data are subjected to more rigorous regulations and oversight.
Which of the following is not a regulatory framework for more sensitive or specialized data?
A. FIPS 140-2
B. FedRAMP
C. PCI DSS
D. HIPAA
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The FIPS 140-2 standard pertains to the certification of cryptographic modules and is not a regulatory framework. The Payment Card Industry Data Security Standard (PCI DSS), the Federal Risk and Authorization Management Program (FedRAMP), and the Health Insurance Portability and Accountability Act (HIPAA) are all regulatory frameworks for sensitive or specialized data.
QUESTION 213
Which of the following could be used as a second component of multifactor authentication if a user has an RSA token?
A. Access card
B. USB thumb drive
C. Retina scan
D. RFID
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
A retina scan could be used in conjunction with an RSA token because it is a biometric factor, and thus a different type of factor. An access card, RFID, and USB thumb drive are all items in possession of a user, the same as an RSA token, and as such would not be appropriate.
QUESTION 214
Having a reservation in a cloud environment can ensure operations continue in the event of high utilization across the cloud.
Which of the following would NOT be a capability covered by reservations?
A. Performing business operations
B. Starting virtual machines
C. Running applications
D. Auto-scaling
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
A reservation will not guarantee auto-scaling is available because it involves the allocation of additional resources beyond what a cloud customer already has provisioned. Reservations will guarantee minimal resources are available to start virtual machines, run applications, and perform normal business operations.
QUESTION 215
Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner?
A. KVM
B. HTTPS
C. VPN
D. TLS
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
A keyboard-video-mouse (KVM) system is commonly used for directly accessing server terminals in a data center. It is not a method that would be possible within a cloud environment, primarily due to the use of virtualized systems, but also because only the cloud provider’s staff would be allowed the physical access to hardware systems that a KVM provides. Hypertext Transfer Protocol Secure (HTTPS), virtual private network (VPN), and Transport Layer Security (TLS) are all technologies and protocols that are widely used with cloud implementations for secure access to systems and services.
QUESTION 216
Which protocol, as a part of TLS, handles the actual secure communications and transmission of data?
A. Negotiation
B. Handshake
C. Transfer
D. Record
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The TLS record protocol is the actual secure communications method for transmitting data; it’s responsible for encrypting and authenticating packets throughout their transmission between the parties, and in some cases it also performs compression. The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables the secure communications channel to then handle data transmissions. Negotiation and transfer are not protocols under TLS.
QUESTION 217
Which of the following terms is NOT a commonly used category of risk acceptance?
A. Moderate
B. Critical
C. Minimal
D. Accepted
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Accepted is not a risk acceptance category. The risk acceptance categories are minimal, low, moderate, high, and critical.
QUESTION 218
Many activities within a cloud environment are performed via programmatic means, where complex and distributed operations are handled without the need to perform each step individually.
Which of the following concepts does this describe?
A. Orchestration
B. Provisioning
C. Automation
D. Allocation
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Orchestration is the programmatic means of managing and coordinating activities within a cloud environment and allowing for a commensurate level of automation and self-service. Provisioning, allocation, and automation are all components of orchestration, but none refers to the overall concept.
QUESTION 219
Which of the following provides assurance, to a predetermined acceptable level of certainty, that an entity is indeed who they claim to be?
A. Authentication
B. Identification
C. Proofing
D. Authorization
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Authentication goes a step further than identification by providing a means of proving an entity’s claimed identity. Authentication is most commonly done through mechanisms such as passwords. Identification involves ascertaining who the entity is, such as by a name or user ID, but without a means of proving it. Authorization occurs after authentication and sets access permissions and other privileges within a system or application for the user. Proofing is not a term that is relevant to the question.
QUESTION 220
When an organization is considering the use of cloud services for BCDR planning and solutions, which of the following cloud concepts would be the most important?
A. Reversibility
B. Elasticity
C. Interoperability
D. Portability
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Portability is the ability for a service or system to easily move among different cloud providers. This is essential for using a cloud solution for BCDR because vendor lock-in would inhibit easily moving and setting up services in the event of a disaster, or it would necessitate a large number of configuration or component changes to implement. Interoperability, or the ability to reuse components for other services or systems, would not be an important factor for BCDR. Reversibility, or the ability to remove all data quickly and completely from a cloud environment, would be important at the end of a disaster, but would not be important during setup and deployment. Elasticity, or the ability to resize resources to meet current demand, would be very beneficial to a BCDR situation, but not as vital as portability.
QUESTION 221
What masking strategy involves the replacing of sensitive data at the time it is accessed and used as it flows between the data and application layers of a service?
A. Active
B. Static
C. Dynamic
D. Transactional
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Dynamic masking involves the live replacing of sensitive data fields during transactional use between the data and application layers of a service. Static masking involves creating a full data set with the sensitive data fields masked, but is not done during live transactions like dynamic masking. Active and transactional are offered as similar types of answers but are not types of masking.
QUESTION 222
Which of the following would be considered an example of insufficient due diligence leading to security or operational problems when moving to a cloud?
A. Monitoring
B. Use of a remote key management system
C. Programming languages used
D. Reliance on physical network controls
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Many organizations in a traditional data center make heavy use of physical network controls for security. Although this is a perfectly acceptable best practice in a traditional data center, this reliance is not something that will port to a cloud environment. The failure of an organization to properly understand and adapt to the difference in network controls when moving to a cloud will likely leave an application with security holes and vulnerabilities. The use of a remote key management system, monitoring, or certain programming languages would not constitute insufficient due diligence by itself.
QUESTION 223
Upon completing a risk analysis, a company has four different approaches to addressing risk. Which approach it takes will be based on costs, available options, and adherence to any regulatory requirements from independent audits.
Which of the following groupings correctly represents the four possible approaches?
A. Accept, avoid, transfer, mitigate
B. Accept, deny, transfer, mitigate
C. Accept, deny, mitigate, revise
D. Accept, dismiss, transfer, mitigate
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The four possible approaches to risk are as follows: accept (do not patch and continue with the risk), avoid (implement solutions to prevent the risk from occurring), transfer (take out insurance), and mitigate (change configurations or patch to resolve the risk). Each of the other answers contains at least one incorrect approach name.
QUESTION 224
Which of the following is NOT a component of access control?
A. Accounting
B. Federation
C. Authorization
D. Authentication
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Federation is not a component of access control. Instead, it is used to allow users possessing credentials from other authorities and systems to access services outside of their domain. This allows for access and trust without the need to create additional, local credentials. Access control encompasses not only the key concepts of authorization and authentication, but also accounting. Accounting consists of collecting and maintaining logs for both authentication and authorization for operational and regulatory requirements.
QUESTION 225
With an application hosted in a cloud environment, who could be the recipient of an eDiscovery order?
A. Users
B. Both the cloud provider and cloud customer
C. The cloud customer
D. The cloud provider
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Either the cloud customer or the cloud provider could receive an eDiscovery order, and in almost all circumstances they would need to work together to ensure compliance.
QUESTION 226
Which ITIL component focuses on ensuring that system resources, processes, and personnel are properly allocated to meet SLA requirements?
A. Continuity management
B. Availability management
C. Configuration management
D. Problem management
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Configuration management tracks and maintains detailed information about all IT components within an organization. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.
QUESTION 227
Which ITIL component is an ongoing, iterative process of tracking all deployed and configured resources that an organization uses and depends on, whether they are hosted in a traditional data center or a cloud?
A. Problem management
B. Continuity management
C. Availability management
D. Configuration management
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Configuration management tracks and maintains detailed information about all IT components within an organization. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.
QUESTION 228
When beginning an audit, both the system owner and the auditors must agree on various aspects of the final audit report.
Which of the following would NOT be something that is predefined as part of the audit agreement?
A. Size
B. Format
C. Structure
D. Audience
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The ultimate size of the audit report is not something that would ever be included in the audit scope or definition. Decisions about the content of the report should be the only factor that drives the ultimate size of the report. The structure, audience, and format of the audit report are all crucial elements that must be defined and agreed upon as part of the audit scope.
QUESTION 229
What concept does the D represent within the STRIDE threat model?
A. Denial of service
B. Distributed
C. Data breach
D. Data loss
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Any application can be a possible target of denial of service (DoS) attacks. From the application side, the developers should minimize how many operations are performed for unauthenticated users. This will keep the application running as quickly as possible and using the least amount of system resources to help minimize the impact of any such attacks. None of the other options provided is the correct term.
QUESTION 230
Which of the following is the concept of segregating information or processes, within the same system or application, for security reasons?
A. Cell blocking
B. Sandboxing
C. Pooling
D. Fencing
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Sandboxing involves the segregation and isolation of information or processes from other information or processes within the same system or application, typically for security concerns. Sandboxing is generally used for data isolation (for example, keeping different communities and populations of users isolated from others with similar data). In IT terminology, pooling typically means bringing together and consolidating resources or services, not segregating or separating them. Cell blocking and fencing are both erroneous terms.
QUESTION 231
Which cloud service category most commonly uses client-side key management systems?
A. Software as a Service
B. Infrastructure as a Service
C. Platform as a Service
D. Desktop as a Service
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
SaaS most commonly uses client-side key management. With this type of implementation, the software for doing key management is supplied by the cloud provider, but is hosted and run by the cloud customer. This allows for full integration with the SaaS implementation, but also provides full control to the cloud customer. Although the cloud provider may offer software for performing key management to the cloud customers, with the Infrastructure, Platform, and Desktop as a Service categories, the customers would largely be responsible for their own options and implementations and would not be bound by the offerings from the cloud provider.
QUESTION 232
Which of the following types of data would fall under data rights management (DRM) rather than information rights management (IRM)?
A. Personnel data
B. Security profiles
C. Publications
D. Financial records
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Whereas IRM is used to protect a broad range of data, DRM is focused specifically on the protection of consumer media, such as publications, music, movies, and so on. IRM is used to protect general institution data, so financial records, personnel data, and security profiles would all fall under the auspices of IRM.
QUESTION 233
Different security testing methodologies offer different strategies and approaches to testing systems, requiring security personnel to determine the best type to use for their specific circumstances.
What does dynamic application security testing (DAST) NOT entail that SAST does?
A. Discovery
B. Knowledge of the system
C. Scanning
D. Probing
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Dynamic application security testing (DAST) is considered “black-box” testing and begins with no inside knowledge of the application or its configurations. Everything about it must be discovered during its testing. As with most types of testing, dynamic application security testing (DAST) involves probing, scanning, and a discovery process for system information.
QUESTION 234
You need to gain approval to begin moving your company’s data and systems into a cloud environment. However, your CEO has mandated the ability to easily remove your IT assets from the cloud provider as a precondition.
Which of the following cloud concepts would this pertain to?
A. Removability
B. Extraction
C. Portability
D. Reversibility
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Reversibility is the cloud concept involving the ability for a cloud customer to remove all of its data and IT assets from a cloud provider. Also, processes and agreements would be in place with the cloud provider that ensure all removals have been completed fully within the agreed-upon timeframe. Portability refers to the ability to easily move between different cloud providers and not be locked into a specific one. Removability and extraction are both provided as terms similar to reversibility, but neither is the official term or concept.
QUESTION 235
What does static application security testing (SAST) offer as a tool to the testers that makes it unique compared to other common security testing methodologies?
A. Live testing
B. Source code access
C. Production system scanning
D. Injection attempts
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Static application security testing (SAST) is conducted against offline systems with previous knowledge of them, including their source code. Live testing is not part of static testing but rather is associated with dynamic testing. Production system scanning is not appropriate because static testing is done against offline systems. Injection attempts are done with many different types of testing and are not unique to one particular type. It is therefore not the best answer to the question.
QUESTION 236
Which of the following areas of responsibility always falls completely under the purview of the cloud provider, regardless of which cloud service category is used?
A. Infrastructure
B. Data
C. Physical
D. Governance
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. In many instances, the cloud provider will supply audit reports or some general information about their physical security practices, especially to those customers or potential customers that may have regulatory requirements, but otherwise the cloud customer will have very little insight into the physical environment. With IaaS, the infrastructure is a shared responsibility between
QUESTION 237
What type of masking would you employ to produce a separate data set for testing purposes based on production data without any sensitive information?
A. Dynamic
B. Tokenized
C. Replicated
D. Static
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Static masking involves taking a data set and replacing sensitive fields and values with non-sensitive or garbage data. This is done to enable testing of an application against data that resembles production data, both in size and format, but without containing anything sensitive. Dynamic masking involves the live and transactional masking of data while an application is using it. Tokenized would refer to tokenization, which is the replacing of sensitive data with a key value that can later be matched back to the original value, and although it could be used as part of the production of test data, it does not refer to the overall process. Replicated is provided as an erroneous answer, as replicated data would be identical in value and would not accomplish the production of a test set.
QUESTION 238
When an organization is considering a cloud environment for hosting BCDR solutions, which of the following would be the greatest concern?
A. Self-service
B. Resource pooling
C. Availability
D. Location
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
If an organization wants to use a cloud service for BCDR, the location of the cloud hosting becomes a very important security consideration due to regulations and jurisdiction, which could be dramatically different from the organization’s normal hosting locations. Availability is a hallmark of any cloud service provider, and likely will not be a prime consideration when an organization is considering using a cloud for BCDR; the same goes for self-service options. Resource
among all cloud systems and would not be a concern when an organization is dealing with the provisioning of resources during a disaster.
QUESTION 239
What type of solution is at the core of virtually all directory services?
A. WS
B. LDAP
C. ADFS
D. PKI
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The Lightweight Directory Access Protocol (LDAP) forms the basis of virtually all directory services, regardless of the specific vendor or software package. WS is a protocol for information exchange between two systems and does not actually store the data. ADFS is a Windows component for enabling single sign-on for the operating system and applications, but it relies on data from an LDAP server. PKI is used for managing and issuing security certificates.
QUESTION 240
The different cloud service models have varying levels of responsibility for functions and operations, depending on the model’s level of service.
In which of the following models would the responsibility for patching lie predominantly with the cloud customer?
A. DaaS
B. SaaS
C. PaaS
D. IaaS
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
With Infrastructure as a Service (IaaS), the cloud customer is responsible for deploying and maintaining its own systems and virtual machines. Therefore, the customer is solely responsible for patching and any other security updates it finds necessary. With Software as a Service (SaaS), Platform as a Service (PaaS), and Desktop as a Service (DaaS), the cloud provider maintains the infrastructure components and is responsible for maintaining and patching them.