Sample Exam Questions Flashcards

Test your knowledge and get to learn the style of the test makers.

1
Q

The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on __________.

A. Number of transactions per year
B. Dollar value of transactions per year
C. Geographic location
D. Jurisdiction

A

A: Number of transactions per year

The four merchant levels in PCI are distinguished by the number of transactions that merchant conducts in a year.

2
Q

For business continuity and disaster recovery (BCDR) purposes, the contract between cloud provider and customer should include all of the following EXCEPT __________.

A. Which party will be responsible for initiating a BCDR response activity
B. How a BCDR response will be initiated
C. How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service
D. How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event

A

D: How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event.

The contract between cloud customer and current cloud provider has no bearing on what the customer will have to pay a new provider.

3
Q

Which of the following is NOT a factor an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment?

A. Pooled resources in the cloud
B. Shifting from CapEx to OpEx to support IT expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected

A

D: Branding associated with which cloud provider might be selected

Brand value is not part of standard cost-benefit analysis.

4
Q

Which of the following is an aspect of IT costs that should be reduced by moving to the cloud?

A. Personnel training
B. Personnel turnover
C. Loss due to depreciation of IT assets
D. Loss due to an internal data breach

A

C: Loss due to depreciation of IT assets

Constant reinvestment in IT assets (which are almost always obsolete by the time they’re marketed, much less by the time they’re deployed in operational environments) is plagued with losses due to depreciation; the systems never retain the value of their initial price. Moving to cloud reduces this cost considerably.

5
Q

Why might an organization choose to comply with NIST SP 800-series standards?

A. Price
B. Ease of implementation
C. International acceptance
D. Speed

A

A: Price

The NIST standards are not particularly easy or fast to implement (in fact, they require continual improvement), and they are not recognized or mandated outside of the US government federal sector.

6
Q

Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?

A. ISO 27002
B. Payment Card Industry Data Security Standard (PCI DSS)
C. NIST SP 800-37
D. Health Insurance Portability and Accountability Act (HIPAA)

A

A: ISO 27002

ISO 27002 is used for choosing security controls in order to comply with the ISMS, which is contained in ISO 27001.

7
Q

The Statement on Auditing Standards (SAS) 70, published by the American Institute of Certified Public Accountants (AICPA), was, for a long time, the definitive audit standard for data center customers. It was replaced in 2011 by the __________.

A. SABSA
B. SSAE 16
C. Biba
D. NIST SP 800-53

A

B: SSAE 16

SSAE 16 replaced SAS 70 as the preferred audit standard for data center customers in 2011; it is scheduled to be replaced by the end of 2018 by SSAE 18.

8
Q

Which US federal law instigated the change from SAS 70 audit standard to SSAE 16?

A. NIST 800-53
B. HIPAA
C. Sarbanes-Oxley Act (SOX)
D. Gramm-Leach-Bliley Act (GLBA)

A

C: Sarbanes-Oxley Act (SOX)

This question is a bit more oblique than some of the others and requires the candidate to have some depth of understanding of laws, regulations, and standards. SOX was the congressional response to several high-profile scandals involving publicly traded corporations involved in nefarious activities, in collusion with or not truly addressed by the auditors who should have reported this behavior. As a result of SOX, the American Institute of Certified Public Accountants changed from SAS 70 standard to SSAE 16.

9
Q

The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you MOST like to see?

A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

A

C: SOC 2, Type 2

The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.

10
Q

The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). You are an IT security professional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 16 audits and some haven’t, which SOC report might be the best to use for your initial review of several different cloud providers, in order to narrow down the field of potential services in a fast, easy way?

A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

A

D: SOC 3

The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.

11
Q

The Payment Card Industry Data Security Standard (PCI DSS) merchant levels are based on __________.

A. Dollar value of transactions over the course of a year
B. Number of transactions over the course of a year
C. Location of the merchant or processor
D. Dollar value and number of transactions over the course of a year

A

B: Number of transactions over the course of a year

12
Q

Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party?

A. 1
B. 3
C. 5
D. 7

A

D: 7

13
Q

What distinguishes the FIPS 140-2 security levels for cryptographic modules?

A. The level of sensitivity of data they can be used to protect
B. The amount of physical protection provided by the product, in terms of tamper resistance
C. The size of the IT environment the product can be used to protect
D. The geographic locations in which the product is permitted to be used

A

B: The amount of physical protection provided by the product, in terms of tamper resistance

The security levels acknowledge different levels of physical protection offered by a crypto module, with 1 offering crypto functionality and no real physical protection and 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts.

14
Q

For the US government agencies, what level of data sensitivity / classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria?

A. Controlled Unclassified Information (CUI)
B. Secret
C. Top Secret
D. Sensitive Compartmentalized Information (SCI)

A

A: Controlled Unclassified Information (CUI)

FIPS 140-2 is only for sensitive but unclassified (SBU) data such as CUI.

15
Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “insecure direct object references.” Which of these is a method to counter the risks of insecure direct object references?

A. Performing user security training
B. Check access each time a direct object reference is called by an untrusted source.
C. Install high-luminosity interior lighting throughout the facility.
D. Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity.

A

B: Check access each time a direct object reference is called by an untrusted source.

Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object.

16
Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “missing function level access control.” Which of these is a technique to reduce the potential for a missing function level access control?

A. Run a process as both user and privileged user, and determine similarity.
B. Run automated monitoring and audit scripts.
C. Include browser buttons / navigation elements to secure functions.
D. Enhance user training to include personnel.

A

A: Run a process as both user and privileged user, and determine similarity.

The above method will help you to determine if there are any functions that regular users should not have access to and thereby demonstrate that you are missing necessary controls.

17
Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?

A. HTML escape all HTML attributes.
B. Train users to recognize unvalidated links.
C. Block all inbound resource requests.
D. Implement audit logging.

A

B: Train users to recognize unvalidated links.

Oddly enough, this may be a good topic to explain during user training; when an attacker is trying to conduct an attack by exploiting unvalidated redirects and forwards, it is often in conjunction with a social engineering / phishing attack.

18
Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?

A. Don’t use redirects / forwards in your applications.
B. Refrain from storing credentials long term.
C. Implement security incident / event monitoring (security information and event management (SIEM) / security information management (SIM) / security event management (SEM)) solutions.
D. Implement digital rights management (DRM) solutions.

A

A: Don’t use redirects / forwards in your applications.

Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid this problem altogether, and redirects / forwards are not necessary for efficient use.

19
Q

You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether your current applications in the on-premises environment will function properly with the provider’s hosted systems and tools. This is a(n) __________ issue.

A. Interoperability
B. Portability
C. Availability
D. Security

A

A: Interoperability

This is the definition of cloud migration interoperability challenges.

20
Q

You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether the provider will have undue control over your data once it is within the provider’s data center; will the provider be able to hold your organization hostage because they have your data? This is a(n) __________ issue.

A. Interoperability
B. Portability
C. Availability
D. Security

A

B: Portability

This is the definition of cloud migration portability: the measure of how difficult it might be to move the organization’s systems / data from a given cloud host to another cloud host.

21
Q

Privileged user account access should be _________.

A. Temporary
B. Pervasive
C. Thorough
D. Granular

A

A: Temporary

Privileged users should only have privileged access to specific systems / data for the duration necessary to perform their administrative function; any longer incurs more risk than value.

22
Q

The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all of the following data breach notification requirements EXCEPT __________.

A. Multiple state laws
B. Contractual notification requirements
C. All standards-based notification schemes
D. Any applicable federal regulations

A

C: All standards-based notification schemes

23
Q

The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is NOT an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider?

A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment

B. Reviewing all contractual elements to appropriately define each party’s roles, responsibilities, and requirements

C. Assessing the provider’s financial standing and soundness

D. Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as legacy environment

A

D: Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as legacy environment

The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control.

24
Q

The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they’ve selected goes out of business. What do we call this problem?

A. Vendor lock-in
B. Vendor lock-out
C. Vendor incapacity
D. Unscaled

A

B: Vendor lock-out

This is the definition of vendor lock-out.

Vendor lock-in is when data portability is limited, either through unfavorable contract language or technical limitations.

Vendor incapacity and unscaled are not meaningful terms and are used as distractors.

25
Q

When should cloud providers allow PaaS customers shell access to the servers running their instances?

A. Never
B. Weekly
C. Only when the contract stipulates that requirement
D. Always

A

A: Never

According to (ISC)2 CCSP Training Guide (page 60), PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multi-tenant environment.

26
Q

In a PaaS environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on __________.

A. International standards
B. Federal regulations
C. Organizational policies
D. Federation directives

A

C: Organizational policies

Organizational policies dictate rules for access entitlement.

27
Q

The cloud computing characteristic of elasticity promotes which aspect of the CIA triad?

A. Confidentiality
B. Integrity
C. Availability
D. None

A

D: None

Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit.

28
Q

Your organization has migrated into a PaaS configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notification in accordance with all applicable laws?

A. The network admin responsible
B. The cloud provider
C. The regulators overseeing your deployment
D. Your organization

A

D: Your organization

The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider may be liable for financial costs… but those damages can only be recovered long after the notifications have been made by the cloud customer.

29
Q

In performing vendor management and selection, one of the questions you, as the potential cloud customer, might ask is, “Does it seem as if this vendor is subject to any pending acquisitions or mergers?” In gathering data to answer this question, what are you trying to avoid?

A. Vendor lockout
B. Due care
C. Third-party dependencies
D. Regulatory oversight

A

A: Vendor lockout

Vendor lockout can occur when your provider no longer offers the service for which you contracted; it is possible that a merger or acquisition of your provider might lead to that circumstance.

30
Q

The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements.

The different merchant tier requirements will dictate __________.

A. Different types of audits each must conduct
B. Different amount of audits each must conduct
C. Different control sets based on tier level
D. Different cost of controls based on tier level

A

B: Different amount of audits each must conduct

Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.

31
Q

The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements.

Approximately how many controls are listed in the PCI DSS?

A. Around a dozen
B. About 20
C. About 100
D. Over 200

A

D: Over 200

32
Q

Which US federal government entity was the regulator for the American Safe Harbor program and is now in charge of administering the Privacy Shield program?

A. State Department
B. Privacy Protection Office
C. Federal Trade Commission
D. Department of Health and Human Services

A

C: Federal Trade Commission

33
Q

Using cloud storage is considered __________ under most privacy frameworks and laws.

A. Illegal
B. Data collection
C. Opt-in
D. Processing

A

D: Processing

Processing includes any manipulation, use, movement, or alteration of data – i.e. pretty much anything that can be done with or to data is “processing” (including making and manipulating hard-copy versions of data).

34
Q

The Safe Harbor program, while no longer used, allowed US companies to collect and process privacy information about EU citizens. The program was included in which law?

A. FISMA
B. The EU Data Directive
C. HIPAA
D. Sarbanes-Oxley Act

A

B: The EU Data Directive

35
Q

Which of the following should NOT be true about any tests performed during forensic analysis?

A. tests should be repeatable by opposing attorneys
B. tests should be standard to the forensics industry
C. tests should be performed by trained, certified professionals
D. tests should be tailored and customized for specific purposes

A

D: tests should be tailored and customized for specific purposes

36
Q

The Reporting phase of forensic investigation usually involves presenting findings to __________.

A. Senior management
B. Regulators
C. The court
D. Stakeholders

A

C: The court

37
Q

You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrong-doing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection / analysis.

What should probably be your response?

A. Yes. You want it because it gives you the most granular and comprehensive view of the pertinent data.

B. Yes. You want to be able to inspect it before law enforcement has the opportunity to review it.

C. No. You don’t want the liability of possibly disclosing someone else’s privacy data

D. No. You don’t want the liability of possibly damaging someone else’s property

A

C: No. You don’t want the liability of possibly disclosing someone else’s privacy data.

In a multi-tenant environment, it is quite likely that any particular piece of hardware will contain data from many customers. In this case, your company may become liable for violating privacy laws for accessing privacy data belonging to another cloud customer, which would increase your company’s exposure (something that could be disastrous because the company is already under investigation).

38
Q

__________ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control.

A. Due care
B. Due diligence
C. Liability
D. Reciprocity

A

B: Due diligence

Due care is about understanding and implementing common best practices (e.g. policies and standards); due diligence is the work of ensuring that these best practices are working as designed and are suited to your business. By looking to ensure that “protection is applied” – i.e. that best practices are working as designed – this is an example of due diligence.

Liability is the measure of responsibility an entity has for providing due care; option C is incorrect.

Answer D has no meaning in this context and is a distractor.

39
Q

You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purposes, this makes the data __________.

A. Inadmissible
B. Less believable, if the changes aren’t documented
C. Harder to control
D. Easily refutable

A

B: Less believable, if the changes aren’t documented

All forensics processes and activity should be documented with extreme scrutiny. It is very important for your actions to be documented and repeatable in order for them to remain credible.

Evidence is only inadmissible if it has no probative value; that is, if it has no bearing on the case. Modified data is still admissible, as long as the modification process was documented and presented along with the evidence.

40
Q

In some jurisdictions, it is mandatory that personnel conducting forensic collection or analysis have a proper __________.

A. Training credential
B. License
C. Background check
D. Approved toolset

A

B: License

There are certain jurisdictions where forensic data / IT analysis requires licensure (the states of Texas and Michigan, for example); it is important for you to determine whether this is the case in your jurisdiction before proceeding with any forensic efforts.

41
Q

When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize ___________.

A. Electronic data
B. Hardware
C. Electronic data and the hardware on which it resides
D. Only data extracted from hardware

A

C: Electronic data and the hardware on which it resides

Courts can issue seizure orders for anything and everything – i.e. favor the answer with the most expansive authority.

A and B are too limited; D is absurd.

42
Q

Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case.

Which security control mechanism may also be useful in the e-discovery effort?

A. Trained and aware personnel
B. An egress monitoring solution (DLP)
C. A digital rights management (DRM) solution
D. A multifactor authentication implementation

A

B: An egress monitoring solution (DLP)

Typically, a discovery tool is a primary component of a DLP solution. All other options describe important facets of an overall organizational security program but are not especially helpful in e-discovery efforts.

43
Q

You are the security manager for a software company that uses PaaS in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company.

If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with __________ as well as the lawsuit.

A. Spoliation
B. Fraud
C. Jurisdiction
D. Recompositing

A

A: Spoliation

“Spoliation” is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the grounds for another lawsuit.

44
Q

You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month.

Which law is applicable in this instance?

A. Belgian law
B. The General Data Protection Act
C. NIST SP 800-53
D. The Federal Information Systems Management Act

A

B: The General Data Protection Act

45
Q

You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft.

The prosecutor can use the material you delivered because of __________.

A. The doctrine of plain view
B. The silver platter doctrine
C. The General Data Protection Act
D. The Federal Information System Management Act

A

B: The silver platter doctrine

The “silver platter doctrine” allows law enforcement to act on probable cause when evidence of a crime is within their presence; option A is incorrect.

46
Q

You are the security manager for a retail sales company that uses a SaaS public cloud service. One of your employees uploads sensitive information they were NOT authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefitting the administrator and causing harm to your organization.

After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$ 125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation.

If the jury determines that 25 percent of the evidence shows that the situation was your organization’s fault and 75 percent of the evidence shows that the situation was the cloud provider’s fault, what is the likely outcome?

A. Your organization owes the cloud provider $31,250
B. The cloud provider owes your organization $93,750
C. Neither side owes the other party anything
D. The cloud provider owes your organization $125,000

A

D: The cloud provider owes your organization $125,000

Except in jurisdictions where contributory negligence is a factor in the proceedings, civil courts use a standard of “preponderance of evidence,” so the entity that has a simple majority of fault (51 percent or more) is responsible for the full weight of the breach.

47
Q

What was the first international privacy standard specifically for cloud providers?

A. NIST SP 800-37
B. PIPEDA
C. PCI
D. ISO 27018

A

D: ISO 27018

ISO 27018 breaks down privacy requirements for cloud providers, including an annual audit mandate.

48
Q

Who should perform the gap analysis following an audit?

A. The security office
B. The auditor
C. A department other than the audit target
D. An external audit body, other than the original auditor

A

C: A department other than the audit target

Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, where the personnel in the target department may be constrained by habit and tradition.

49
Q

You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the CSA STAR program, the Uptime Institute’s Tier certification motif, and __________.

A. NIST Risk Management Framework (SP 800-37)
B. FedRAMP
C. ISO 27034
D. EuroCloud Star Audit program

A

D: EuroCloud Star Audit program

The ECSA is designed as a cloud service certification motif for organizations located in Europe.

NIST (which also administers FedRAMP) is designed specifically for federal agencies in the United States and is not applicable to European providers.

ISO 27034 deals with an organization’s use of security controls for software; while this may be pertinent to your organization, it is not a comprehensive view of cloud services and is neither as beneficial as nor equivalent to the CSA STAR or Uptime Institute certifications.

50
Q

An audit against the __________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements.

A. SAS 70 standard
B. SSAE 16 standard
C. ISO 27002 certification criteria
D. NIST SP 800-53

A

C: ISO 27002 certification criteria

The ISO 27002 standard contains sets of controls that an organization can use to match its security program to the requirements of ISO 27001.

SAS 70 and SSAE 16 are audit standards for service providers; they include review of some security controls but do not constitute a cohesive program review, and SAS 70 is outdated.

NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37.

51
Q

You’re a sophomore at a small, private, medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?

A. Sarbanes-Oxley Act (SOX)
B. Health Information Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Educational Rights and Privacy Act (FERPA)

A

A: Sarbanes-Oxley Act (SOX)

52
Q

In the United States, who manages the Safe Harbor / Privacy Shield program for voluntary compliance with EU data privacy laws?

A. Department of State
B. Department of Interior
C. Department of Trade
D. Department of Commerce

A

D: Department of Commerce

53
Q

Which of the following countries does NOT have a federal privacy law that complies with the EU Data Directive/Privacy Regulations?

A. Argentina
B. Israel
C. Australia
D. Brazil

A

D: Brazil

54
Q

Which of the following is NOT a way in which an entity located outside the EU can be allowed to gather / process privacy data belonging to EU citizens?

A. Be located in a country with a nationwide law that complies with the EU laws

B. Appeal to the EU High Court for permission

C. Create binding contractual language that complies with the EU laws

D. Join the Safe Harbor / Privacy Shield program in its own country

A

B: Appeal to the EU High Court for permission

The EU Data Directive and General Privacy Regulation prohibit entities within a country that has no nationwide privacy law from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met:

Their own country has nationwide laws that comply with the EU laws.

The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data.

The entity voluntarily subscribes to its own nation’s Safe Harbor / Privacy Shield program.

There is no process for the entity to appeal to the EU for permission to do so, however.

55
Q

The Organization for Economic Cooperation and Development (OECD) is a multinational entity that creates non-binding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the __________.

A. Transient data principle
B. Security safeguards principle
C. Longtrack resiliency principle
D. Arbitrary insulation principle

A

B: Security safeguards principle

The principles are:

Collection limitation principle
Data quality principle
Use limitation principle
Security safeguards principle
Openness principle
Individual participation principle
Accountability principle

56
Q

Which one of the following technologies allows you to utilize your existing TCP / IP network to manage data storage elements using IP traffic?

A. Internet Small Computer System Interface (iSCSI)
B. Fibre Channel
C. Fibre Channel over Ethernet (FCoE)
D. Storage area networks (SAN)

A

A: Internet Small Computer System Interface (iSCSI)

57
Q

The current American Institute of Certified Public Accountants (AICPA) standard was created in reaction to what US federal law?

A. Gramm-Leach-Bliley Act (GLBA)
B. Sarbanes-Oxley Act (SOX)
C. Family Education Rights and Privacy Act (FERPA)
D. Payment Card Industry Data Security Standards (PCI DSS)

A

B: Sarbanes-Oxley Act (SOX)

SSAE 16 was created by the AICPA in direct response to new guidance in SOX.

58
Q

What is the PRIMARY incident response goal?

A. Remediating the incident
B. Reverting to the last known good state
C. Determining the scope of the possible loss
D. Outcomes dictated by business requirements

A

D: Outcomes dictated by business requirements

Not an easy question: Different industries and different organizations will have different goals. Each organization will determine for itself what the primary goal of incident response will be, and this might differ from incident to incident, depending on the nature of the incident itself.

59
Q

You are in charge of building a cloud data center. Which raised floor level is sufficient to meet standard requirements?

A. 10 inches
B. 8 inches
C. 18 inches
D. 2 feet

A

D: 2 feet

60
Q

An event is something that can be measured within the environment. An incident is a(n) __________ event.

A. Deleterious
B. Negative
C. Unscheduled
D. Major

A

C: Unscheduled

All activity in the environment can be considered events. Any event that was not planned or known is an incident.

61
Q

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes.

Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which of the following functionalities will you consider absolutely essential?

A. DDoS protections
B. Constant data mirroring
C. Encryption
D. Hashing

A

C: Encryption

If your company is involved in e-commerce, it is almost impossible that you are not using credit cards for online transactions; ergo, PCI DSS applies and encryption or tokenization will be required.

62
Q

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes.

Your company has decided to expand its business to include selling and monitoring life-support equipment for medical providers. What characteristic do you need to ensure is offered by your cloud provider?

A. Full automation of security controls within the cloud data center
B. Tier 4 of the Uptime Institute certifications
C. Global remote access
D. Prevention of ransomware infections

A

B: Tier 4 of the Uptime Institute certifications

The changing nature of your business will require a much more stringent set of operating standards, to include an increase in Uptime Institute Tier levels; because you’re no longer just using the cloud for backup and long-term storage and are now using it in direct support of health and human safety, Tier 4 is required.

63
Q

When designing a cloud data center, which of the following aspects is NOT necessary to ensure continuity of operations?

A. Access to clean water
B. Broadband data connection
C. Extended battery backup
D. Physical access to the data center

A

C: Extended battery backup

Backup power does not have to be delivered by batteries; it can be fed to the data center through redundant utility lines or from a generator.

64
Q

You are the security manager for a small surgical center. Your organization is reviewing upgrade options for its current, on-premises data center. In order to best meet your needs, which one of the following options would you recommend to senior management?

A. Building a completely new data center
B. Leasing a data center that is currently owned by another firm
C. Renting private cloud space in a Tier 2 data center
D. Staying with the current data center

A

A: Building a completely new data center

This answer is arrived at through a process of elimination:

B is not optimal because of potential for vendor lock-in, restrictions on buildout, and privacy concerns.

C is not optimal because Tier 2 is not sufficient for medical use.

D is not optimal because there must be a reason to consider a new option.

65
Q

When building a new data center within an urban environment, which of the following is probably the MOST restrictive aspect?

A. The size of the plot
B. Utility availability
C. Staffing
D. Municipal codes

A

D: Municipal codes

In any large metropolitan area, government restrictions on development and construction can severely limit how you use your property; this can be a significant limiting factor in building a data center.

66
Q

It is important to include __________ in the design of underfloor plenums if they are also used for wiring.

A. Mantraps
B. Sequestered channels
C. Heat sinks
D. Tight gaskets

A

D: Tight gaskets

When cables come up through a raised floor that is being used as a cold air feed, we don’t want cold air bleeding around the cables in an unplanned manner; this can cause inefficiencies in air flow control. Gaskets are required at all points where cable comes through the floor, to restrict air flow and reduce the possibility of cold air escaping.

67
Q

You are designing a private cloud data center for an insurance underwriter, to be located in a major metropolitan area. Which of the following airflow management schemes is preferable?

A. Hot aisle
B. Cold aisle
C. Either hot aisle or cold aisle
D. Free flow

A

C: Either hot aisle or cold aisle

68
Q

Which of these characteristics of a virtualized network adds risks to the cloud environment?

A. Redundancy
B. Scalability
C. Pay-per-use
D. Self-service

A

A: Redundancy

Virtual switches are widely used in virtualized networks. Unlike physical switches, which only lose one connection if a connecting cable is lost, virtual switches can be connected to multiple VMs via a single cable; if a cable is lost in a virtualized network, that can affect tens or dozens of devices.

69
Q

Security best practices in a virtualized network environment would include which of the following?

A. Using distinct ports and port groups for various VLANs on a virtual switch rather than running them through the same port

B. Running iSCSI traffic unencrypted in order to have it observed and monitored by NIDS

C. Adding HIDS to all virtual guests

D. Hardening all outward-facing firewalls in order to make them resistant to attack

A

A: Using distinct ports and port groups for various VLANs on a virtual switch rather than running them through the same port

It’s possible to route multiple VLANs through a switch port (physical or virtual) with proper frame tagging. However, to optimize isolation of subnets and processes in a virtual network environment, it is better to use different ports instead.

70
Q

Which of the following is a risk that stems from a pooled-resources environment?

A. They have plenty of revenue and can afford it
B. They are gravely concerned with insider threats
C. Loss of data to widespread insider threat
D. Loss of data to law enforcement seizure of neighboring assets

A

D: Loss of data to law enforcement seizure of neighboring assets

71
Q

Modern managed cloud service providers will often use secure KVM devices within their data centers. These devices are extremely expensive compared to their non-secured counterparts. Which of the following is one of the reasons cloud service providers do this?

A. The risk of transferring data from one customer to another is significant
B. The risk of devices leaving the cloud data center is significant
C. It makes physical inventories much easier to maintain
D. Audit purposes

A

A: The risk of transferring data from one customer to another is significant

Secure KVMs support drastically isolated operations; they cut down on the possibility of data being inadvertently shared from one customer to another.

72
Q

A truly airgapped machine selector will __________.

A. Terminate a connection before creating a new connection
B. Be made of composites and not metal
C. Have total Faraday properties
D. Not be portable

A

A: Terminate a connection before creating a new connection

Referred to as “break before make,” these devices often take the form of manual push-button controls; as the button is pushed, the current connection is forced to physically separate, and when the button is fully engaged, the new connection is made.

73
Q

Which of the following cloud data center functions do NOT have to be performed on isolated networks?

A. Customer access provision
B. Management system control interface
C. Storage controller access
D. Customer production activities

A

D: Customer production activities

The production activities will make full use of pooled resources, so they will not be isolated (unless the customer is paying for that specific characteristic of service).

74
Q

TLS uses __________ to authenticate a connection and create a shared secret for the duration of the session.

A. SAML 2.0
B. X.509 certificates
C. 802.11X
D. The Diffie-Hellman process

A

B: X.509 certificates

TLS uses X.509 certificates to establish a connection and create a symmetric key that lasts for only one session.

75
Q

Halon is now illegal to use for data center fire suppression. What is the reason it was outlawed?

A. It poses a threat to health and human safety when deployed
B. It can harm the environment
C. It does not adequately suppress fires
D. It causes undue damage to electronic systems

A

B: It can harm the environment

Halon does pose a threat to health and human safety, but it was outlawed because, as a CFC (chlorofluorocarbon), it depletes ozone, i.e., it harms the environment.

76
Q

Which of the following is NOT a goal of a site survey?

A. Threat definition
B. Human interaction
C. Electricity
D. HVAC

A

C: Electricity

77
Q

Updating virtual machine management tools will require __________.

A. An infusion of capital
B. An alternate data center
C. Sufficient redundancy
D. Peer review

A

C: Sufficient redundancy

Because updating the virtualization toolset may require server downtime, it is essential to have a sufficient amount of redundant machines to roll out the update over the environment without significant disruption of operations.

78
Q

Before deploying a specific brand of virtualization toolset, it is important to configure it according to __________.

A. Industry standards
B. Prevailing law of that jurisdiction
C. Vendor guidance
D. Expert opinion

A

C: Vendor guidance

Toolset vendors will specify secure configurations of their products; these must be followed in order to fulfill due care requirements.

79
Q

Which of the following is essential for getting full security value from your system baseline?

A. Capturing and storing an image of the baseline
B. Keeping a copy of upcoming suggested modifications to the baseline
C. Having the baseline vetted by an objective third party
D. Using a baseline from another industry member so as not to engage in repetitious efforts

A

A: Capturing and storing an image of the baseline

An image of the baseline should be stored securely, preferably in more than one location. It is essential to have a copy on hand for reconstructing the environment during contingency operations, and it is also useful for audit / review purposes.

80
Q

A loosely coupled storage cluster will have performance and capacity limitations based on the __________.

A. Physical backplane connecting it
B. Total number of nodes in the cluster
C. Amount of usage demanded
D. The performance and capacity in each node

A

D: The performance and capacity in each node

In a loosely coupled storage cluster, each node acts as an independent data store that can be added or removed from the cluster without affecting other nodes. This, however, means that the overall cluster’s performance / capacity depends on each node’s own maximum performance / capacity.

81
Q

A honeypot can be used for all the following purposes EXCEPT __________.

A. Gathering threat intelligence
B. Luring attackers
C. Distracting attackers
D. Delaying attackers

A

B: Luring attackers

It is very important to distinguish the purpose of the honeypot: it is NOT for luring in attackers. A lure is an invitation, and inviting an attack decreases the organization’s ability to have the attacker prosecuted or to conduct successful litigation against the attacker.

82
Q

Which of the following should honeypots contain?

A. Inward-facing connections
B. Network schematics
C. Production data
D. Detection systems

A

D: Detection systems

The honeypot is used to gather information about the attacker, the attacker’s tools, and the attacker’s techniques.

83
Q

When applying patches, it is necessary to do all of the following EXCEPT __________.

A. Test the patch in a sandbox that simulates the production environment
B. Put the patch through the formal change management process
C. Be prepared to roll back to the last known good build
D. Inform users of any impact / interruptions

A

B: Put the patch through the formal change management process

In many cases, patches are released to deal with an imminent vulnerability / risk. Some organizations will give blanket pre-approval for applying these patches and having the formal change management process approve the patch after the fact.

84
Q

Which of the following aspects of a cloud environment is MOST likely to add risk to the patch management process?

A. Variations in user training / familiarity with the cloud
B. A cloud services contract that specifies which parties are responsible for which aspects of patching
C. VMs located physically in one location but operating in a different time zone
D. The prevalence of attacker activity at the time the patch is applied

A

C: VMs located physically in one location but operating in a different time zone

If patches are rolled out across an environment where users are operating VMs at different times, there is a possibility that VMs will not be patched uniformly, which could lead to data disruption.

85
Q

Synthetic performance monitoring may be preferable to real user monitoring (RUM) because __________.

A. It costs less.
B. It is a more accurate depiction of user behavior.
C. It is more comprehensive.
D. It can take place in the cloud.

A

C: It is more comprehensive

Synthetic agents can simulate user activity in a much faster and much broader manner than real users, and the agents perform these actions 24/7 without rest.

Synthetic or directed monitoring is a method of monitoring your applications by simulating users, directing the path taken through the application.

86
Q

You are the security manager for an organization with a cloud-based production environment. You are tasked with setting up the event monitoring and logging systems. In your jurisdiction, private entities are allowed to monitor all activity involving their systems, without exception. Which of the following best describes a logging motif you would recommend?

A. Logging every event, at all levels of granularity, including continual screen shots, keystroke logging, and browser history.
B. Sufficient logging to reconstruct a narrative of events at some later date
C. Only logging data related to incidents after they have occurred
D. Logging specific data sets recommended by industry standards and guidelines

A

B: Sufficient logging to reconstruct a narrative of events at some later date

Logging should suffice for the purpose of reconstructing the pertinent information (who, what, where, when, etc.) necessary to form a narrative of what transpired.

87
Q

Which of these subsystems is probably MOST important for acquiring useful log information?

A. Fan
B. RAM
C. Clock
D. UPS

A

C: Clock

The clock needs to be synchronized throughout the environment so that all activity can be contextualized and mapped, and the true narrative of events can be reconstructed later.

88
Q

You are the security officer for a small nonprofit organization. You are tasked with performing a risk assessment for your organization; you have one month to complete it. The IT personnel you work with have been with the organization for many years and have built the systems and infrastructure from the ground up. They have little training and experience in the field of risk. Which type of risk assessment would you choose to conduct?

A. Quantitative
B. Qualitative
C. Pro forma
D. Informal

A

B: Qualitative

Qualitative risk assessments are preferable in situations where the organization has personnel who understand the IT environment but might not have a lot of experience with risk functions and where the organization does not have a great deal of time or money to spend on the project.

89
Q

Which of the following will likely BEST help you predict the annualized rate of occurrence (ARO) of a specific loss?

A. Threat intelligence data
B. Historical data
C. Vulnerability data
D. Aggregation analysis

A

B: Historical data

While previous activity is not a great predictor of future outcomes (especially in the field of IT security), it is the best that we have.

90
Q

You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which costs $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month. In order to establish the true annualized loss expectancy (ALE), you would need all the following information EXCEPT __________.

A. The amount of revenue generated by the plant
B. The rate at which the plant generates revenue
C. The length of time it would take to rebuild the plant
D. The amount of product the plant creates

A

D: The amount of product the plant creates

91
Q

Which comes first?

A. Accreditation
B. Operation
C. Maintenance
D. Certification

A

D: Certification

Certification and accreditation is a two-step process for security management / risk management of systems:

Step 1, Certification is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system; this process ensures that security threats are identified and plans for mitigation are in place.

Step 2, Accreditation is the process of accepting the residual risks associated with the continued operation of a system (net mitigation actions taken) and granting approval to operate the system for a specified period of time.

92
Q

Symmetric encryption involves ___________.

A. Two key pairs, mathematically related
B. Unknown parties, sharing information
C. Signed certificates
D. A shared secret

A

D: A shared secret

In symmetric encryption, a single key is used to both encrypt and decrypt a message; this key is often referred to as a shared secret.

93
Q

According to ISO 27034, there is one Organizational Normative Framework (ONF) in the organization, and __________ Application Normative Framework (ANF(s)) for each application within the organization.

A. Many
B. Three
C. No
D. One

A

D: One

94
Q

Which of the following is an informal industry term for moving applications from a legacy environment into the cloud?

A. Instantiation
B. Porting
C. Grandslamming
D. Forklifting

A

D: Forklifting

95
Q

In the testing phase of the software development life cycle (SDLC), software performance and __________ should both be reviewed.

A. Quality
B. Brevity
C. Requirements
D. Security

A

D: Security

Performance and security both need to be reviewed for adequacy.

96
Q

Which phase of the SDLC is most likely to involve crypto-shredding?

A. Define
B. Design
C. Test
D. Disposal

A

D: Disposal

97
Q

Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the legacy environment.

Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that might not have been as important in the legacy environment?

A. IAM capability
B. DDoS resistance
C. Encryption for data at rest and in motion
D. Field validation

A

C: Encryption for data at rest and in motion

Legacy apps won’t usually require encryption in all phases of the data life cycle because data is protected in several stages in the legacy environment without the need for additional controls.

98
Q

What is the MOST secure form of code testing and review?

A. Open source
B. Proprietary / internal
C. Neither open source nor proprietary
D. Combination of open source and proprietary

A

D: Combination of open source and proprietary

Obviously, using multiple forms of code review will produce more secure results than any one form of review, in the same way that having multiple forms of security controls will provide better security than just one type.

99
Q

Who should determine which users have access to which specific objects?

A. The cloud provider
B. Senior management
C. Data owners
D. System administrators

A

C: Data owners

The data owner is responsible for the disposition of the data under their control; this includes access decisions.

100
Q

A web application firewall (WAF) usually operates at layer __________ of the OSI model.

A. 2
B. 3
C. 7
D. Q

A

C: 7

A WAF is a layer 7 tool.

101
Q

A database activity monitor (DAM) tool usually operates at layer __________ of the OSI model.

A. 2
B. 3
C. 7
D. Q

A

C: 7

A DAM is a layer 7 tool.

102
Q

This security tool can do content inspection of SFTP communications.

A. WAF
B. DAM
C. XML gateway
D. SSO

A

C: XML gateway

The XML gateway can provide this functionality; it acts as a reverse proxy and can perform content inspection on many traffic protocols.

103
Q

TLS provides __________ and __________ for communications.

A. Privacy, security
B. Security, optimization
C. Privacy, integrity
D. Enhancement, privacy

A

C: Privacy, integrity

TLS provides authentication, encryption, and integrity:

Authentication allows each party to verify that the other party is who they claim to be.

Data is encrypted while being transmitted between the user agent and the server, in order to prevent it from being read and interpreted by unauthorized parties.

TLS ensures that between encrypting, transmitting, and decrypting the data, no information is lost, damaged, tampered with, or falsified.

104
Q

DAST checks software functionality in __________.

A. The production environment
B. A runtime state
C. The cloud
D. An IaaS configuration

A

B: A runtime state

DAST is performed as the application is running, i.e., in “a runtime state.”

105
Q

According to OWASP recommendations, active software security testing should include all of the following EXCEPT __________.

A. Session initiation testing
B. Input validation testing
C. Testing for error handling
D. Testing for weak cryptography

A

A: Session initiation testing

While session management testing is included in the OWASP guide to active software security testing, session initiation is not.

106
Q

Software developers should receive cloud-specific training that highlights the specific challenges involved with having a production environment that operates in the cloud. One of these challenges is __________.

A. The massive additional hacking threat, especially from foreign sources
B. The prevalent use of encryption in all data life cycle phases
C. Drastic increase of risk due to DDoS attacks
D. Additional regulatory mandates

A

B: The prevalent use of encryption in all data life cycle phases

Because cloud operations are so dependent on encryption protections in all data life cycle phases, developers will have to accommodate the additional overhead and interoperability encryption requires.

107
Q

Which security technique is MOST preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele?

A. Anonymization
B. Masking
C. Encryption
D. Training

A

B: Masking

Masking allows customer service representatives to review clients’ sales and account information without revealing the entirety of those records.

108
Q

In SDLC implementations that include a Secure Operations phase, which of the following security techniques / tools are implemented during that phase?

A. Vulnerability assessments and penetration testing
B. Performance testing and security control validation
C. Requirements fulfillment testing
D. Threat model and secure design review

A

A: Vulnerability assessments and penetration testing

Once a system is deployed operationally, continuous security monitoring, including periodic vulnerability assessments and penetration testing, is recommended.

109
Q

A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls __________.

A. Can lead to DDoS
B. Allows malware infections
C. Increases the risk of adverse environmental effects
D. Is an unnecessary expense

A

D: Is an unnecessary expense

From a simple financial perspective, money spent on excessive anything is money wasted.

110
Q

You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a PaaS model with a major cloud provider. Your company policies have allowed for a BYOD workforce that works equally from the company offices and their own homes and other locations. The policies also dictate which APIs can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized users’ accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. You’ve brought the matter to the attention of the CEO, who understands the issue and asks for your recommendation. What is probably the best suggestion?

A. Gather more data about how users are utilizing the APIs and for what purposes.
B. Delete accounts of all users who had utilized unapproved APIs to access company data.
C. Suspend access for all users who had utilized unapproved APIs to access company data.
D. Block all unapproved APIs from accessing company data.

A

A: Gather more data about how users are utilizing the APIs and for what purposes.

Before taking any action that might impact operations, it would probably be best to figure out the actual user needs being met by the unapproved APIs and the severity of impact if they were removed from service.

111
Q

You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a PaaS model with a major cloud provider. Your company policies have allowed for a BYOD workforce that works equally from the company offices and their own homes or other locations. The policies also allow users to select which APIs they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?

A. Encrypt all routers between mobile users and the cloud.
B. Use additional anti-malware detection capabilities on both user devices and the environment to which they connect.
C. Implement strong multifactor authentication on all user-owned devices.
D. Employ regular performance monitoring in the cloud environment to ensure that the cloud provider is meeting the SLA targets

A

B: Use additional antimalware detection capabilities on both user devices and the environment to which they connect

Because untrusted APIs may not be secured sufficiently, increased vigilance for the possibility of introducing malware into the production environment is essential.

112
Q

You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a PaaS model with a major cloud provider. Your company policies have allowed for a BYOD workforce that works equally from the company offices and their own homes or other locations. The policies also allow users to select which APIs they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?

A. Regular and widespread integrity checks on sampled data throughout the managed environment
B. More extensive and granular background checks on all employees, particularly new hires
C. Inclusion of references to all applicable regulations in the policy documents
D. Increased enforcement of separation of duties for all workflows

A

A: Regular and widespread integrity checks on sampled data throughout the managed environment

In order to detect possible erroneous or malicious modification of the organization’s data by unauthorized or security-deficient APIs, it’s important to take representative samples of the production data on a continual basis and perform integrity checks.

113
Q

You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a PaaS model with a major cloud provider. Your company policies have allowed for a BYOD workforce that works equally from the company offices and their own homes or other locations. The policies also allow users to select which APIs they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?

A. Enact secure connections between the user devices and the cloud environment using end-to-end encryption.
B. Enact secure connections between the user devices and the cloud environment using like encryption
C. Employ additional user training
D. Tunnel all connections with a VPN

A

C: Employ additional user training

Additional user training would be helpful in this situation, particularly any information that helps users understand the reason APIs from unknown sources might be less secure and the potential impacts from using them.

114
Q

__________ is perhaps the main external factor driving IAM efforts.

A. Regulation
B. Business need
C. The evolving threat landscape
D. Monetary value

A

A: Regulation

115
Q

A web application firewall (WAF) understands which protocol(s)?

A. All protocols that use the Internet as a medium
B. TLS
C. HTTP
D. FTP

A

C: HTTP

WAFs apply rulesets to web traffic, which uses HTTP.

116
Q

Which of the following is an example of useful and sufficient data masking of the string “CCSP”?

A. XCSP
B. PSCC
C. TtLp
D. 3X91

A

C: TtLp

This answer requires some thought about how the original data is displayed and its properties.

A masks only one letter in a four-letter string.

B, like A, is too easy to break; it only reverses the content of the string.

D mixes numeric characters into what was originally only an alphabetic string.

C completely obscures the original content but retains the qualities of the original (all alpha). It may affect the use of the string by mixing uppercase and lowercase, but this is still the best choice of the four possible answers.

117
Q

A cloud-based sandbox should NOT be used for __________.

A. Application interoperability testing
B. Processing sensitive data
C. Application security testing
D. Malware analysis

A

D: Malware analysis

Installing malware on systems owned by someone else may be illegal in many jurisdictions.

118
Q

In which of these options does the encryption engine reside within the application accessing the database?

A. Transparent encryption
B. Symmetric-key encryption
C. Application-level encryption
D. Homomorphic encryption

A

C: Application-level encryption

In application-level encryption, the application will encrypt data before it is placed in the database.

119
Q

Which of the following is NOT a step in the crypto-shredding process?

A. Encrypt data with a particular encryption engine
B. Encrypt first resulting keys with another encryption engine
C. Save backup of second resulting keys
D. Destroy original second resulting keys

A

C: Save backup of second resulting keys

In crypto-shredding, the purpose is to make the data unrecoverable; saving a backup of the keys would attenuate that outcome because the keys would still exist for the purpose of recovering data.

120
Q

When implementing cryptography in a cloud environment, where is the worst place to store the keys?

A. With the cloud provider
B. Off the cloud, with the data owner
C. With a third-party provider, in key escrow
D. Anywhere but with the cloud provider

A

A: With the cloud provider

Option A creates a conflict of interest and does not enforce separation of duties.

121
Q

Data dispersion uses __________, where the legacy implementation was called “parity bits.”

A. Smurfing
B. Snarfing
C. Erasure coding
D. Real-time bitlinking

A

C: Erasure coding

Erasure coding is the practice of having sufficient data to replace a lost chunk in data dispersion, protecting against the possibility of a device failing while it holds a given chunk; parity bits serve the same purpose in the legacy RAID configuration.

122
Q

Data dispersion provides protection for all the following security aspects EXCEPT __________.

A. Protecting confidentiality against external attack on the storage area
B. Loss of availability due to single storage device failure
C. Loss due to seizure by law enforcement in a multitenant environment
D. Protecting against loss due to user error

A

D: Protecting against loss due to user error

Data dispersion can’t really aid in inadvertent loss caused by an errant user; if the user accidentally deletes / corrupts a file, that file will be deleted / corrupted across all the storage spaces where it is dispersed.

123
Q

Which of the following characteristics is associated with digital rights management (DRM) solutions (sometimes referred to as information rights management or IRM)?

A. Automatic expiration
B. Multilevel aggregation
C. Enhanced detail
D. Broad spectrum

A

A: Automatic expiration

Automatic expiration is the trait that allows DRM tools to prevent access to objects when a license expires or to remove protections when intellectual property moves into the public domain.

124
Q

Why is the term (ISC)2 Cloud Secure Data Life Cycle actually somewhat inaccurate?

A. The term is not used by (ISC)2
B. Not all phases are secure
C. Not all phases take place in the cloud
D. It’s not actually a cycle

A

D: It’s not actually a cycle

This is not truly a cycle because data does not continue after the Destroy phase – i.e. the same data or process does not go back to Create after Destroy.

125
Q

What is a form of cloud storage where data is stored as objects, arranged in a hierarchical structure, like a file tree?

A. Volume storage
B. Databases
C. Content delivery network (CDN)
D. Object storage

A

D: Object storage

Object storage stores data as objects – often arranged in a hierarchical structure.

126
Q

What is a form of cloud storage where data is stored in a logical storage area assigned to the user but not necessarily physically attached or even geographically proximate to the compute node the user is utilizing?

A. Volume storage
B. Databases
C. Content delivery network (CDN)
D. Object storage

A

A: Volume storage

In volume storage, the user is assigned a logical drive space into which anything (such as raw data, objects, or applications) may be saved or installed, similar to a mounted drive on a legacy network.

127
Q

Erasure coding, in the cloud, is similar to what element of RAID implementation in the legacy environment?

A. Deltas
B. Inversion
C. Parity bits
D. Transposition

A

C: Parity bits

Similar to parity bits in RAID, erasure coding is used in cloud data dispersion implementations to create a situation where data can still be recovered even if a segment or portion of the dispersed data is lost.

128
Q

You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment.

In order to get truly holistic coverage of your environment, you should be sure to include __________ as a step in the deployment process.

A. Getting signed user agreements from all users
B. Installation of the solution on all assets in the cloud data center
C. Adoption of the tool in all routers between your users and the cloud provider
D. All of your customers to install the tool

A

A: Getting signed user agreements from all users

This is a tricky question. In the cloud environment, we know that all users will be entering the environment through remote access; in many cases, this will include the use of their personal devices. In order for DLP solutions to function properly, all devices accessing the production environment must have local DLP agents installed, and that requires signed user agreements.

129
Q

The cloud security professional should be aware that encryption will most likely be necessary in all the following aspects of a cloud deployment EXCEPT __________.

A. Data at rest
B. Data in motion
C. Data in use
D. Data of relief

A

D: Data of relief

130
Q

Volume-storage encryption in an IaaS motif will protect against data loss due to all of the following activities EXCEPT __________.

A. Physical loss or theft of a device
B. Disgruntled users
C. Malicious cloud administrators accessing the data
D. Virtual machine snapshots stolen from storage

A

B: Disgruntled users

An authorized user will still be able to access and decrypt the data for which they’ve been granted permissions, so encryption will not offer any protections for that threat.

131
Q

In an IaaS motif, all of the following are examples of object-storage encryption EXCEPT __________.

A. File-level encryption
B. Digital rights management (DRM)
C. Application-level encryption
D. Transport Layer Security (TLS)

A

D: Transport Layer Security (TLS)

TLS is encryption used in a communication session, not a storage volume.

132
Q

All of the following are database encryption options that could be used in a PaaS implementation EXCEPT __________.

A. File-level encryption
B. Secure Sockets Layer (SSL)
C. Transparent encryption
D. Application-level encryption

A

B: Secure Sockets Layer (SSL)

SSL is encryption used in a communication session, not a storage volume.

133
Q

According to (ISC)2, where should the cloud customer’s encryption keys be stored?

A. With the cloud customer
B. With a third-party provider
C. At the cloud provider data center
D. Anywhere but with the cloud provider

A

D: Anywhere but with the cloud provider

Best practice is to not keep the encryption keys alongside the data they’ve been used to encrypt.

134
Q

Event monitoring tools (solutions variously referred to as SIEM / SEM / SIM) can aid in which of the following efforts?

A. Detecting ambient heating / ventilation / air conditioning (HVAC) problems
B. Ensuring proper cloud migration
C. Deciding risk parameters
D. Protecting all physical entry points against the threat of fire

A

A: Detecting ambient heating / ventilation / air conditioning (HVAC) problems

Event monitoring tools can detect repeated performance issues, which can be indicative of improper temperature settings in the data center; also, some system monitoring metrics, such as CPU temperature, can directly indicate inadequate HVAC performance.

135
Q

If data masking is being performed for software testing purposes, which of the following is NOT a good masking technique to use?

A. Random substitution
B. Shuffling
C. Deletion
D. Algorithmic substitution

A

C: Deletion

While deletion is a very good way to avoid the possibility of inadvertently disclosing production data in a test environment, it also eliminates the usefulness of the data set as a plausible approximation of the production environment, greatly reducing the quality of the testing.

136
Q

Which of the following is a data discovery approach used by e-commerce retailers to discern and predict shoppers’ needs?

A. Big data
B. Real-time analytics
C. Agile analytics
D. Agile business intelligence

A

B: Real-time analytics

Real-time analytics allows for reactive and predictive operations (such as recommending other, related, products) based on a customer’s current and past shopping behavior.

137
Q

Which of the following is a data discovery approach that offers insight into trends by using both historical and predictive approaches?

A. Obverse polyglotism
B. Big data
C. Real-time analytics
D. Agile analytics / business intelligence

A

D: Agile analytics / business intelligence

The Agile approach to data analysis offers greater insight and capabilities than previous generations of analytical technologies.

138
Q

What is the risk to the organization posed by dashboards that display data discovery results?

A. Increased chance of external penetration
B. Flawed management decisions based on massaged displays
C. Higher likelihood of inadvertent disclosure
D. Raised incidence of physical theft

A

B: Flawed management decisions based on massaged displays

Because dashboards are often used for management purposes, management pressures often result in skewed data dash-boarding (‘no red!’), which can lead to the “data” being used for fallacious decisions.

139
Q

An organization’s data classification scheme MUST include which of the following categories?

A. File size
B. Origin of the data
C. Sensitivity of the data
D. Whatever the data owner decides

A

D: Whatever the data owner decides

This is a difficult, and somewhat tricky, question. Each organization has to decide for itself how to classify / categorize its own data. With that said, there will be many factors that bear on this determination: external regulations and drivers, the type of industry in which the organization operates, and so forth. But the kinds of data that the organization uses and how that data is sorted will differ for every organization, and each must make its own determination with regard to how to best sort that data.

140
Q

Classification is usually considered a facet of data __________.

A. Security
B. Labeling
C. Control
D. Markup

A

B: Labeling

This is another difficult question. Classification / categorization of data is an element of labeling, insofar as labeling is the grouping of data into discrete categories and types.

141
Q

Data transformation in a cloud environment should be of great concern to organizations considering cloud migration because __________ could affect data classification processes / implementations.

A. Multitenancy
B. Virtualization
C. Remote access
D. Physical distance

A

B: Virtualization

Data transforming from raw objects to virtualized instances to snapshotted images back into virtualized instances and then back out to users in the form of raw data may affect an organization’s current classification methodology; classification techniques and tools that were suitable for the legacy environment might not withstand the standard cloud environment.

142
Q

If your organization collects / creates privacy data associated with European Union (EU) citizens, and you operate in the cloud, you must PREVENT your provider from storing / moving / processing that data where?

A. Argentina
B. The United States
C. Japan
D. Israel

A

B: The United States

The EU regulations associated with PII belonging to EU citizens prohibit utilization of that data in any way in any country that does not have a national privacy law commensurate with the EU regulations. Of this list, only the United States has no such law.

143
Q

The Cloud Security Alliance’s (CSA’s) Cloud Controls Matrix (CCM) lists security controls from all the following laws EXCEPT __________.

A. Health Information Portability and Accountability Act (HIPAA)
B. Family Education Rights and Privacy Act (FERPA)
C. Personal Information Protection and Electronic Documents Act (PIPEDA)
D. Digital Millennium Copyright Act (DMCA)

A

D: Digital Millennium Copyright Act (DMCA)

The DMCA deals with intellectual property and not specifically with personal privacy.

144
Q

Digital rights management (DRM) tools might be used to protect all the following assets EXCEPT __________.

A. A trusted device
B. Proprietary software
C. Medical records
D. Financial data

A

A: A trusted device

DRM solutions are mainly designed to protect intellectual property assets (and mainly those covered by copyright, hence the name), but they can also be used to provide enhanced protection to other electronic information.

145
Q

The Cloud Security Alliance’s (CSA’s) Cloud Controls Matrix (CCM) addresses all the following security architecture elements EXCEPT ___________.

A. Physical security
B. IaaS
C. Application security
D. Business drivers

A

D: Business drivers

The CSA CCM does not deal with whether security controls are feasible or correct from a business standpoint, only whether they are applicable to an organization under certain regulations.

146
Q

DRM requires that every data resource is provisioned with __________.

A. A tracking device
B. An access policy
C. A hardware security module (HSM)
D. A biometric system

A

B: An access policy

For DRM to work properly, each resource needs to be outfitted with an access policy so only authorized entities may make use of that resource.

147
Q

Digital rights management (DRM) tools should enforce __________, which is the revocation of access based on time.

A. Persistence
B. Disabling screencap capabilities
C. Automatic expiration
D. Dynamic policy control

A

C: Automatic expiration

The question describes automatic expiration, one of the required traits for a DRM solution of any quality.

All the other answers are traits that should be included in DRM solutions but do not match the definition in the question, so they are incorrect.

148
Q

In general, all policies within an organization should include each of the following elements EXCEPT __________.

A. The date on which the policy will expire
B. Assigning an entity to review the applicability of the policy occasionally
C. The assignment of an entity to monitor and maintain the process described in the policy
D. A list of the laws, regulations, practices, and / or standards that drove the creation of the policy

A

A: The date on which the policy will expire

Not all policies are temporary or have expected durations; usually, policy is an enduring piece of governance that will continue until such time as it is revoked.

149
Q

Data destruction in the cloud is difficult because __________.

A. Only law enforcement is permitted to destroy cloud data
B. The largest cloud vendors have prevented customers from destroying data
C. Cloud data renews itself automatically
D. The cloud is often a multitenant environment

A

D: The cloud is often a multitenant environment

Secure sanitization would affect storage resources where more than one customer stores their data; truly secure destructive measures would likely result in destroying data belonging to someone else.

150
Q

Who is responsible for performing archiving activities in a managed cloud environment?

A. The cloud customer
B. The cloud provider
C. The customer’s regulator
D. Depends on the contract

A

D: Depends on the contract

Many cloud providers will offer archiving services as a feature of the basic cloud service; realistically, most providers are already performing this function to avoid inadvertent loss of customer data, so marketing it is a logical step.

151
Q

You are in charge of creating the BCDR plan and procedures for your organization.

Your organization has its production environment hosted by a cloud provider, and you have appropriate protections in place. Which of the following is a significant consideration for your BCDR backup?

A. Enough personnel at the BCDR recovery site to ensure proper operations
B. Good cryptographic key management
C. Access to the servers where the BCDR backup is stored
D. Forensic analysis capabilities

A

B: Good cryptographic key management

This is a difficult question that requires a great deal of thought. Option B is correct because appropriate cloud data security practices will require encrypting a great deal of the data, and having the keys will be necessary during contingency operations in order to access the backup; without the keys, you won’t be able to access your data.

152
Q

In software-defined networking (SDN), the northbound interface (NBI) usually handles traffic between the __________ and __________.

A. Cloud customer; ISP
B. SDN controllers; SDN applications
C. Cloud provider; ISP
D. Router; host

A

B: SDN controllers; SDN applications

The northbound interface (NBI) usually handles traffic between the SDN controllers and SDN applications.

153
Q

Which of the following terms describes a cloud storage area that uses a file system / hierarchy?

A. Volume storage
B. Object storage
C. Logical unit number (LUN)
D. Block storage

A

B: Object storage

Object storage is, literally, a means of storing objects in a hierarchy such as a file tree.

154
Q

What is probably the OPTIMUM way to avoid vendor lock-in?

A. Use non-proprietary data formats
B. Use industry-standard media
C. Use strong cryptography
D. Use favorable contract language

A

D: Use favorable contract language

The contract is probably the cloud customer’s best tool for avoiding vendor lock-in; contract terms will establish how easy it is to migrate your organization’s data to another provider in a timely, cost-effective manner.

155
Q

In a managed cloud services arrangement, who creates governance that will determine which controls are selected for the environment and how they are deployed?

A. The cloud provider
B. The cloud customer
C. The regulator(s)
D. The end user

A

A: The cloud provider

Because the cloud provider owns and operates the cloud data center, the provider will craft and promulgate the governance that determines the control selection and usage.

156
Q

What is the term that describes the situation when a malicious user / attacker can exit the restriction of a virtual machine (VM) and access another VM residing on the same host?

A. Host escape
B. Guest escape
C. Provider exit
D. Escalation of principles

A

B: Guest escape

The question describes guest escape.

157
Q

What is the term that describes the situation when a malicious user / attacker can exit the restrictions of a single host and access other nodes on the network?

A. Host escape
B. Guest escape
C. Provider exit
D. Escalation of privileges

A

A: Host escape

The question describes host escape.

158
Q

__________ is / are probably the main cause of virtualization sprawl.

A. Malicious attackers
B. Lack of provider controls
C. Lack of customer controls
D. Ease of use

A

D: Ease of use

Because most cloud users don’t see direct costs in creating new VM instances (the bills usually go to a single point of contact in the organization, not the user or the user’s office), they may tend to create additional VMs at a significant rate, without realizing the attendant cost.

159
Q

A group of clinics decides to create an identification federation for their users (medical providers and clinicians).

If they opt to review each other for compliance with security governance and standards they all find acceptable, what is this federation model called?

A. Cross-certification
B. Proxy
C. Single sign-on
D. Regulated

A

A: Cross-certification

The cross-certification federation model is also known as a ‘web of trust.’

160
Q

A group of clinics decides to create an identification federation for their users (medical providers and clinicians).

If they opt to hire a third party to review each organization for compliance with security governance and standards they all find acceptable, what is this federation model called?

A. Cross-certification
B. Proxy
C. Single sign-on
D. Regulated

A

B: Proxy

In the proxy federation model, the third party acts on behalf of the member organizations, reviewing each to ensure that they are all acceptable to the others.

161
Q

A group of clinics decides to create an identification federation for their users (medical providers and clinicians).

If they opt to use the web of trust model for federation, who is / are the identity provider(s)?

A. Each organization
B. A trusted third party
C. The regulator overseeing their industry
D. All of their patients

A

A: Each organization

In a web of trust federation model, all of the participating organizations are identity providers; each organization will assign identity credentials to its own authorized users, and all the other organizations in the federation will accept those credentials.

162
Q

Virtual machine (VM) configuration management (CM) tools should probably include __________.

A. Biometric recognition
B. Anti-tampering mechanisms
C. Log file generation
D. Hackback capabilities

A

C: Log file generation

Event logging is essential for incident management and resolution; this can be set as an automated function of the CM tools.

163
Q

Which of the following probably poses the MOST significant risk to the organization?

A. Not having essential BCDR personnel available during a contingency
B. Not including all BCDR elements in the cloud contract
C. Returning to normal operations too soon
D. Telecommunications outages

A

C: Returning to normal operations too soon

A premature return to normal operations can jeopardize not only production, but personnel; if the contingency that caused the BCDR action is not fully complete / addressed, there may still be danger remaining.

164
Q

According to the European Union Agency for Network and Information Security (ENISA), a cloud risk assessment should provide a means for customers to accomplish all these assurance tasks EXCEPT __________.

A. Assess risks associated with cloud migration
B. Compare offerings from different cloud providers
C. Reduce the risk of regulatory noncompliance
D. Reduce the assurance burden on cloud providers

A

C: Reduce the risk of regulatory noncompliance

ENISA’s approach to cloud risk assessments does not specifically address this type of assurance, probably because of the wide variety of possible regulators and the difficulty in crafting a risk assessment that would address them all.

165
Q

When considering the option to migrate from an on-premises environment to a hosted cloud service, an organization should weigh the risks of allowing external entities to access the cloud data for collaborative purposes against __________.

A. Not securing the data in the legacy environment
B. Disclosing the data publicly
C. Inviting external personnel into the legacy workspace in order to enhance collaboration
D. Sending the data outside the legacy environment for collaborative purposes

A

D: Sending the data outside the legacy environment for collaborative purposes

The cloud greatly enhances opportunities for collaboration between organizations, mostly by giving external parties some limited access to the owner’s data in the cloud. While there is a risk in this situation, the truly comparable risk in the legacy environment would result from sending data outside the organization to external collaborators.

166
Q

Which of these does the cloud customer need to ensure protection of intellectual property created in the cloud?

A. Digital right management (DRM) solutions
B. Identity and access management (IAM) solutions
C. Strong contractual clauses
D. Crypto-shredding

A

C: Strong contractual clauses

This is not an easy question; the simple answer seems to be option A, which is true for data stored / saved / migrated to the cloud (and property that already has been created in the cloud), but for new intellectual property created in the cloud, strong contract language in favor of the customer’s rights is very necessary.

167
Q

What could be the result of failure of the cloud provider to secure the hypervisor in such a way that one user on a virtual machine can see the resource calls of another user’s virtual machine?

A. Unauthorized data disclosure
B. Inference attacks
C. Social engineering
D. Physical intrusion

A

B: Inference attacks

While it is possible that one guest VM seeing the resource calls of another VM could allow one guest to see the other’s data, it’s much more likely that a user seeing another user’s use of resources, rather than raw data, would allow the viewer to infer something about the victim’s behavior / usage / assets.

168
Q

The physical layout of a cloud data center campus should include redundancies of all the following EXCEPT __________.

A. Physical perimeter security controls (fences, lights, walls, etc.)
B. The administration / support staff building
C. Electrical utility lines
D. Communications connectivity lines

A

B: The administration / support staff building

Administrative and support staff are usually not part of the critical path of a data center; they are nonfunctional-requirement elements, not functional requirements.

169
Q

There are two reasons to conduct a test of the organization’s recovery from backup in an environment other than the primary production environment. Which of the following is one of them?

A. It costs more to conduct a test at the same locations as the primary workplace
B. You don’t want to waste travel budget on what is only a test
C. The risk of negative impact to both production and backup is too high
D. There won’t be enough room for everyone to sit in the primary facility

A

C: The risk of negative impact to both production and backup is too high

A recovery from backup into the production environment carries the risk of failure of both data sets – the production set and the backup set.

170
Q

Industry best practices dictate that cloud customers do not __________.

A. Create their own identity and access management (IAM) solutions
B. Create contract language that favors them over the provider
C. Retrain personnel for cloud operations
D. Encrypt data before it reaches the cloud

A

A: Create their own identity and access management (IAM) solutions

According to ENISA, custom IAM builds can become weak if not properly implemented.

171
Q

Which of the following would probably best aid an organization in deciding whether to migrate from a legacy environment to a particular cloud provider?

A. Rate sheets comparing a cloud provider to other cloud providers
B. Cloud provider offers to provide engineering assistance during the migration
C. The cost / benefit measure of closing the organization’s relocation site (hot site / warm site) and using the cloud for disaster recovery instead
D. SLA satisfaction survey from other (current and past) cloud customers

A

D: SLA satisfaction survey from other (current and past) cloud customers

Of the listed options, knowing how other customers feel about a provider may be the most valuable data point; it is the most realistic depiction of whether an organization realized projected / anticipated benefits after a migration.

172
Q

Cloud providers will probably not allow __________ as part of a customer’s penetration test.

A. Network mapping
B. Vulnerability scanning
C. Reconnaissance
D. Social engineering

A

D: Social engineering

Performing live deception and trickery against employees of the cloud provider (or its suppliers / vendors) could be construed as unethical and possibly illegal, especially without their knowledge and / or consent.

173
Q

Which of the following is a risk posed by the use of virtualization?

A. Internal threats interrupting service through physical accidents (spilling drinks, tripping over cables, etc.)
B. The ease of transporting stolen virtual machine images
C. Increased susceptibility of virtual systems to malware
D. Electromagnetic pulse

A

B: The ease of transporting stolen virtual machine images

Because virtual machine images are stored as imaged files, an attacker able to access the stored files would have a much easier time transporting those files than transporting actual drives / machines.

174
Q

What is the type of cloud storage arrangement that involves the use of associating metadata with the saved data?

A. Volume
B. Block
C. Object
D. Redundant

A

C: Object

In object storage, data objects / files are saved in the storage space along with relevant metadata such as content type and creation date.

175
Q

Typically, SSDs are __________.

A. Impossible to destroy physically
B. Not vulnerable to degaussing
C. Subject to a longer warranty
D. Protected by international trade laws

A

B: Not vulnerable to degaussing

Because SSDs do not use magnetic properties to store data, degaussing is not a suitable means of sanitizing SSDs.

176
Q

Of the following control techniques / solutions, which can be combined to enhance the protections offered by each?

A. Fences / firewalls
B. Asset inventories / personnel training
C. Data dispersion / encryption
D. Intrusion prevention solutions / intrusion detection solutions

A

C: Data dispersion / Encryption

Theoretically, all combinations of security controls are preferable to any one security control used by itself – this is the principle of layered defense. All of the potential responses are therefore true; however, of this list, the pairing that makes the most sense is option C.

177
Q

Where should multiple egress points be included?

A. At the power distribution substation
B. Within the data center
C. In every building on the campus
D. In the security operations center

A

C: In every building on the campus

Health and human safety is a paramount goal of security; all facilities must have multiple emergency egress points.

178
Q

The cloud data center campus physical access point should include all of the following EXCEPT __________.

A. Reception area
B. Video surveillance
C. Badging procedure
D. Mantrap structures

A

D: Mantrap structures

Usually, mantrap areas control access to sensitive locations within a facility, not an entrance to the facility.

179
Q

All security controls necessarily __________.

A. Are expensive
B. Degrade performance
C. Require senior management approval
D. Will work in the cloud environment as well as they worked in the legacy environment

A

B: Degrade performance

Security and productivity / operations are always trade-offs.

180
Q

It is best to use variables in __________.

A. Baseline configurations
B. Security control implementations
C. Contract language
D. BCDR

A

D: BCDR

When performing BCDR tests, it is useful to create scenarios that are unpredictable and vary from previous tests so as to better approximate conditions of an actual disaster.

181
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID / authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.

You want to connect your organization to 13 other organizations. You consider using the cross-certification model but then decide against it. What is the MOST likely reason for declining that option?

A. It is impossible to trust more than two organizations

B. If you work for the government, the maximum parties allowed to share data is five.

C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.

D. Data shared among that many entities loses its inherent value.

A

C: Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.

182
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music.

If you create a federated identity management structure for all the participants in the collective using a third-party certification model, who would be the federated service provider(s) in that structure?

A. The third party
B. A cloud access security broker (CAB)
C. The various members of the collective
D. The cloud provider

A

C: The various members of the collective

This is the correct process, according to the law.

183
Q

Bob is designing a data center to support his organization, a financial services firm.

What Uptime Institute Tier rating should Bob try to attain to meet his company’s needs without adding extraneous costs?

A. 1
B. 2
C. 3
D. 4

A

C: 3

Tier 3 should probably suffice for Bob’s purposes, providing sufficient redundancy and resiliency. Tier 4 probably offers more than what Bob needs; it will cost considerably more than a Tier 3 implementation and is most likely only necessary for an organization providing health and human safety services.

^ This is ‘from the book.’ IMHO this question is problematic in that Tier 4 is required / essential for critical functions within critical infrastructure sectors – e.g. money movement in the financial services sector.

The key phrase in this question is ‘…without adding extraneous cost,’ which is intended to be interpreted as ‘what is the lowest level Bob could justify.’

184
Q

Bob is designing a data center to support his organization, a financial services firm.

Bob’s data center will definitely have to be approved by regulators using a framework under which law?

A. Health Industry Portability and Accountability Act
B. Payment Card Industry
C. Gramm-Leach-Bliley
D. Sarbanes-Oxley Act

A

C: Gramm-Leach-Bliley

GLBA states requirements for securing personal account information in the financial and insurance industries; Bob’s company provides financial services, so he will definitely have to comply with GLBA.

185
Q

Bob is designing a data center to support his organization, a financial services firm.

Which of the following actions would BEST enhance Bob’s efforts to create redundancy and resiliency in the data center?

A. Ensure that all entrances are secured with biometric-based locks.
B. Purchase UPSs from different vendors.
C. Include financial background checks in all personnel reviews for administrators.
D. Make sure all raised floors have at least 24 inches of clearance.

A

B: Purchase UPSs from different vendors

Using different vendors for multiple systems of the same type adds not only redundancy but also resiliency; if one product has an inherent manufacturing flaw, the other should not, if it comes from a different producer. The other suggestions are all apt but do not offer redundancy or resiliency.

186
Q

Bob is designing a data center to support his organization, a financial services firm. How long should the UPS provide power to the systems in the data center?

A. Twelve hours
B. An hour
C. Ten minutes
D. Long enough to perform graceful shutdown of the data center systems

A

D: Long enough to perform graceful shutdown of the data center systems

Traditionally, it would be optimum if the UPS lasted as long as necessary until the generator is able to resume providing the electrical load that was previously handled by utility power. However, the absolute baseline for battery power is just long enough for all systems to complete their transactions without losing data.

187
Q

You are the IT security manager for a video game software development company.

In order to test your products for security defects and performance issues, your firm decides to utilize a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of __________.

A. Static testing
B. Dynamic testing
C. Code review
D. Open-source review

A

B: Dynamic testing

Testing the product in a runtime context is dynamic testing.

188
Q

You are the IT security manager for a video game software development company.

In order to test your products for security defects and performance issues, your firm decides to utilize a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. In order to optimize this situation, the test will need to involve __________.

A. Management oversight
B. A database administrator
C. A trained moderator
D. Members of the security team

A

C: A trained moderator

The moderator will serve to guide the experience in an objective, dispassionate manner, without influencing the test, and will also help document the outcomes of testing.

189
Q

You are the IT security manager for a video game software development company.

In order to test your products for security defects and performance issues, your firm decides to utilize a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Of the parties listed, who should MOST be excluded from the tests?

A. Management
B. Security personnel
C. Billing department representatives
D. The game developers

A

D: The game developers

It is absolutely essential that the developers are not present during the actual testing as they are likely to influence the test purposefully or otherwise.

The other parties don’t need to participate in the testing process but are not as undesirable as the developers.

190
Q

What is the MOST important factor when considering the lowest temperature setting within a data center?

A. System performance
B. Health and human safety
C. Risk of fire
D. Regulatory issues

A

B: Health and human safety

Bare skin sticks to cold metal.

Most modern systems don’t suffer performance degradation at the lower ends of the temperature spectrum; it’s the higher temperatures that are of concern for that aspect of the data center. Option B is preferable to option A.

191
Q

Which of the following is a true statement about the virtualization management toolset?

A. It can be regarded as something public facing.
B. It must be on a distinct, isolated management network (VLAN).
C. It connects physically to the specific storage area allocated to a given customer.
D. The responsibility for securely installing and updating it falls on the customer.

A

B: It must be on a distinct, isolated management network (VLAN)

All management functions should take place on a highly secure, isolated network.

192
Q

In order to ensure proper __________ in a secure cloud network environment, it is important to consider the use of DNSSEC, IPsec, and TLS.

A. Isolation
B. Motif
C. Multitenancy
D. Signal modulation

A

A: Isolation

Isolation in the cloud is imperative, largely because of multitenancy (not to support it, as option C implies). In order to do this, the use of technologies like those listed in the question is warranted.

193
Q

DNSSEC provides all of the following EXCEPT __________.

A. Payload encryption
B. Origin authority
C. Data integrity
D. Authenticated denial of existence

A

A: Payload encryption

DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer (the other options). This does not include payload encryption – confidentiality is not an aspect of DNSSEC.

194
Q

You run an online club for antique piano enthusiasts. In order to better share photo files and other data online, you want to establish a cloud-based environment where all your members can connect their own devices and files to each other, at their discretion. You do not want to centralize payment for such services as ISP connectivity, and you want to leave that up to the members.

Which cloud deployment model would best suit your needs?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid cloud

A

B: Community cloud

This is an optimum situation for the use of a community cloud model.

195
Q

You are the security manager for a small European appliance rental company. The senior management of your company is considering cloud migration for the production environment, which handles marketing, billing, and logistics.

Which cloud deployment model should you be MOST likely to recommend?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid cloud

A

A: Private cloud

Because of European personal data privacy laws, it is extremely important for your company to be sure that the data does not leave the borders of a country approved to handle such data. A private cloud model is the best means for your company to be sure that the data is processed in a data center residing in a particular geophysical location.

196
Q

ISO 31000 is most similar to which of the following regulations / standards / guidelines / frameworks?

A. NIST 800-37
B. COBIT
C. ITIL
D. GDPR

A

A: NIST 800-37

Both ISO 31000 and NIST 800-37 are risk management frameworks.

197
Q

Which of the following entities publishes a cloud-centric set of risk-benefit recommendations that includes a “Top 8” list of security risks an organization might face during a cloud migration, based on likelihood and impact?

A. NIST
B. ISO
C. ENISA
D. PCI

A

C: ENISA

The ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security is the publication.

198
Q

Which of the following is probably LEAST suited for inclusion in the service-level agreement (SLA) between a cloud customer and cloud provider?

A. Bandwidth
B. Jurisdiction
C. Storage space
D. Availability

A

B: Jurisdiction

The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, numeric metrics. Jurisdiction is usually dictated by location instead, which should be included in the contract but is probably not useful to include in the SLA.

199
Q

Which of the following common aspects of cloud computing can aid in audit efforts?

A. Scalability
B. Virtualization
C. Multitenancy
D. Metered self-service

A

B: Virtualization

A ubiquitous baseline configuration used in a virtualized environment can serve as an artifact for auditors and enhance the audit process.

200
Q

Which of the following does NOT typically represent a means for enhanced authentication?

A. Challenge questions
B. Variable keystrokes
C. Out-of-band identity confirmation
D. Dynamic end-user knowledge

A

B: Variable keystrokes

Variables, in general, aren’t useful for authentication; authentication requires a match against a template or a known quantity.

201
Q

Which common security tool can aid in the overall BC/DR process?

A. Honeypots
B. DLP
C. SIEM
D. Firewalls

A

B: DLP

DLP solutions typically have the capability to aid in asset valuation and location, both important facets of the BCDR process.

202
Q

The Agile Manifesto for software development focuses largely on __________.

A. Secure build
B. Thorough documentation
C. Working prototypes
D. Proper planning

A

C: Working prototypes

The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs. The Manifesto rejects all other elements of programming that slow down this effort, including documentation, planning, processes, and specific tools.

203
Q

How does REST make web service requests?

A. XML
B. SAML
C. URIs
D. TLS

A

C: URIs

REST calls web resources by using Uniform Resource Identifiers (URIs).

204
Q

How are virtual machines moved from active hosts when the host is being put into maintenance mode?

A. As a snapshotted image file
B. In encrypted form
C. As a live instance
D. Via portable media

A

C: As a live instance

Live migration is the term for the movement of functioning virtual instances from one physical host to another; it is how VMs are moved prior to maintenance on a physical device.

205
Q

Which of the following is NOT a typical mechanism used by IDS / IPS solutions to detect threats?

A. Signature-based detection
B. Content-based detection
C. Statistical-based detection
D. Heuristic detection

A

B: Content-based detection

IDS / IPS solutions do not often check the content of traffic.

206
Q

You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud SaaS provider for business functions that cross several of the locations of your facilities, such as 1) ordering parts, 2) logistics and inventory, 3) billing, and 4) marketing.

The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. What will MOST LIKELY affect the determination of who has ownership of the logo?

A. Whoever first used the logo
B. The jurisdiction where both businesses are using the logo simultaneously
C. Whoever first applied for legal protection of the logo
D. Whichever entity has the most customers that recognize the logo

A

C: Whoever first applied for legal protection of the logo

Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body.

In the case of conflicting usage (or infringement), courts will take many criteria into account, including which party has first claim on the trademark (that is, who used it the longest), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth.

But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question.

207
Q

You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. In reviewing provider options, management considers an offer from Cloud Services Corp., which has contracts with several cloud providers and data centers and has offered to tailor a package of services for your company’s needs. In this case, Cloud Services Corp. is considered a __________.

A. Cloud provider
B. Cloud customer
C. Cloud reseller
D. Cloud database

A

C: Cloud Reseller

A cloud reseller is a firm that contracts with both cloud providers and customers in order to arrange custom services.

208
Q

A company is considering a cloud migration to a PaaS environment. Which of the following facts might make the company LESS likely to choose the cloud environment?

A. The company wants to reduce overhead costs.
B. The company operates proprietary software.
C. The company hopes to reduce energy costs related to operation of a data center.
D. The company is seeking to enhance its BCDR capabilities.

A

B: The company operates proprietary software

A customer using proprietary software in a PaaS environment faces the risk that updates to the underlying OS(s) and / or hardware infrastructure will not be compatible with the customer’s software and will affect productivity.

209
Q

What is the business advantage of shifting from capital expenditure in an on-premises environment to the operating expenditures of a cloud environment?

A. Reduces the overall costs
B. Reduces tax exposure
C. Reduces cash flow risk
D. Increases profit

A

C: Reduces cash flow risk

By spreading costs over time, a business can reduce the risk that there will be a lack of money at any given time, impacting operations.

210
Q

A virtual network interface card (NIC) exists at layer __________ of the OSI model.

A. 2
B. 4
C. 6
D. 8

A

A: 2

The virtualized NIC is part of the data-link layer.

211
Q

Which technology is MOST associated with tunneling?

A. IPSec
B. GRE
C. IaaS
D. XML

A

B: GRE

Generic routing encapsulation (GRE) is a tunneling mechanism, specifically designed for the purpose.

212
Q

Transport Layer Security (TLS) is a session encryption tool that uses __________ encryption to create a __________ session key.

A. Symmetric, symmetric
B. Asymmetric, symmetric
C. Asymmetric, asymmetric
D. Symmetric, asymmetric

A

B: Asymmetric, symmetric

TLS uses asymmetric encryption to create a symmetric session key.

213
Q

The Cloud Security Alliance (CSA) created the Trusted Cloud Initiative (TCI) to define principles of cloud computing that providers should strive for in order to foster a clear understanding of the cloud marketplace and to enhance that market. Which of the following is NOT one of the CSA’s TCI fundamental principles?

A. Delegate or federate access control when appropriate.
B. Ensure the [ trusted cloud ] architecture is resilient, elastic, and flexible.
C. Ensure the [ trusted cloud ] architecture addresses and supports multiple levels of protection.
D. Provides economical services to all customers, regardless of point of origin.

A

D: Provides economical services to all customers, regardless of point of origin.

The TCI does not, specifically, require cost-effectiveness of cloud services.

214
Q

Which of the following is probably MOST important to include in a data archiving policy?

A. Data format and type
B. Data classification
C. Encryption procedures and standards
D. Data audit and review processes

A

A: Data format and type

In order to use the archive for recovery (either on a large scale for contingency operations or for granular recovery as a means of data discovery), the data needs to be of a format and type that can be utilized by the organization’s systems and environment. Saving data in the wrong format can be equivalent to losing the data.

215
Q

The destruction of a cloud customer’s data can be required by all of the following EXCEPT __________.

A. Statute
B. Regulation
C. The cloud provider’s policy
D. Contract

A

C: The cloud provider’s policy

The cloud provider cannot typically require the destruction of the customer’s data simply because of its own (provider’s) policy. If this is an aspect of the contract between the provider and customer, that is another issue (and listed as another option in this question).

216
Q

Which of the following data storage types is most associated with SaaS?

A. Content delivery network (CDN)
B. Databases
C. Volume storage
D. Data warehousing

A

A: Content delivery network (CDN)

CDNs are often used in conjunction with SaaS services to deliver high-quality data of large sizes (often, multimedia).

217
Q

Your organization is developing software for wide use by the public. You have decided to test it in a cloud environment, in a PaaS model. Which of the following should be of particular concern to your organization for this situation?

A. Vendor lock-in
B. Backdoors
C. Regulatory compliance
D. High-speed network connectivity

A

B: Backdoors

Backdoors are a particularly prevalent risk in software development because programmers legitimately use backdoors for ease of use and speed of delivery but may mistakenly (or even purposefully) leave the backdoors in the software after development, creating a hidden and significant vulnerability.

218
Q

Which of the following management risks can make an organization’s cloud environment unviable?

A. Insider trading
B. VM sprawl
C. Hostile takeover
D. Improper personnel selection

A

B: VM sprawl

Because the cost of creating new instances in the cloud environment is transparent to many users / offices, there is a significant likelihood that users / offices will create many new virtual machine (VM) instances without the knowledge / oversight of management. This can result in a very expensive surprise at the end of the payment period, when the organization receives the bill from the cloud provider.

219
Q

Which cloud data storage technique involves encrypting a data set, then splitting the data into pieces, splitting the key into pieces, then signing the data pieces and key pieces and distributing them to various cloud storage locations?

A. RAID
B. Secret sharing made short (SSMS)
C. Homomorphic encryption
D. Asymmetric encryption

A

B: Secret sharing made short (SSMS)

220
Q

Which of the following BCDR testing methodologies is least intrusive?

A. Walk-through
B. Simulation
C. Tabletop
D. Full test

A

C: Tabletop

221
Q

Which of the following is a file server that provides data access to multiple, heterogeneous machines / users on a network?

A. Storage area network (SAN)
B. Network-attached storage (NAS)
C. Hardware security module (HSM)
D. Content delivery network (CDN)

A

B: Network-attached storage (NAS)

This is a description of a NAS device.

A SAN typically presents storage devices to users as attached / mounted drives.

An HSM is designed for encryption generation and management.

A CDN typically replicates multimedia content at multiple, geographically diverse locations to ensure high quality for recipients.

222
Q

You are the security manager for a retail company that is considering cloud migration to a public SaaS solution, both for your current internal production environment (an on-premises data center) and to host your e-commerce presence. Which of the following is a new concern you should bring up to senior management for them to consider before the migration?

A. Regulatory compliance for your credit card processing transactions
B. Inadvertent disclosure by internal (company) personnel
C. Data disclosure through insufficiently isolated resources
D. Malicious intrusion by external entities

A

C: Data disclosure through insufficiently isolated resources

Because of the multitenant nature of public cloud services, processes or resources that are not properly isolated may create a situation where data could be disclosed to other cloud customers (neighboring tenants).

223
Q

When a data center is configured such that the backs of the devices face each other and the ambient temperature in the work area is cool, it is called __________.

A. Hot aisle containment
B. Cold aisle containment
C. Thermo-optimized
D. HVAC modulated

A

A: Hot aisle containment

This is a description of hot aisle containment. Cold aisle containment is the opposite configuration (fronts of devices facing each other), and the other two options are distractors.

224
Q

Disciplined cable management is crucial for cloud data centers because it provides greater assurance of only authorized lines operating in the environment and __________.

A. Reduces unproductive HVAC activity
B. Reduces the risk of slip, trip, and fall hazard
C. Greatly reduces the environmental footprint
D. Ensures regulatory compliance

A

A: Reduces unproductive HVAC activity

Unused or poorly managed cabling can impede efficient air flow, increasing HVAC and energy costs and increasing the difficulty of optimizing temperature.

225
Q

Fire suppression systems are often linked to a detection system. Common detection systems include all of the following EXCEPT __________.

A. Heat
B. Pressure
C. Flame
D. Smoke

A

B: Pressure

Pressure detection is not a common detection technology.

226
Q

A cloud provider conducting scheduled maintenance of the environment should do all the following EXCEPT __________.

A. Notify any customers who may be affected
B. Require re-verification of all user accounts
C. Follow approved change-management procedures / processes
D. Confirm that remaining resources are sufficient to manage the minimum load as dictated by SLAs.

A

B: Require re-verification of all user accounts

This action is pointless and excessive; all other options are actions the cloud provider should undertake when conducting scheduled maintenance.

227
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Which of the following tools / technologies / techniques may be very useful for your purposes?

A. Data leak protection (DLP)
B. Digital rights management (DRM)
C. Sandboxing
D. Web application firewall (WAF)

A

C: Sandboxing

Sandboxing allows software to be run in an isolated environment, which can aid in error detection.

228
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. What tool / technique / technology might you suggest to aid in identifying programming errors?

A. Vulnerability scans
B. Open source review
C. SOC audits
D. Regulatory review

A

B: Open source review

Open source review can detect flaws that a structured testing method might not.

229
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. In order for this to happen, the company will have to increase the involvement of __________.

A. Security personnel
B. Budget and finance representatives
C. Members of the user group
D. Senior management

A

C: Members of the user group

Agile requires interaction between developers and those who will use the software.

230
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. The back end of the software will have the data structured in a way to optimize XML requests. Which API programming style should programmers most likely concentrate on for the front-end interface?

A. SOAP
B. REST
C. SAML
D. DLP

A

A: SOAP

SOAP is a web service programming format that requires the use of XML.

REST relies more often on uniform resource identifiers (URIs) than XML; option B is incorrect.

SAML is a protocol for passing identity assertions over the Internet; option C is incorrect.

DLP is a data egress monitoring tool; option D is incorrect.

231
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management has decided that the company will deploy encryption, DLP, and DRM in the cloud environment for additional protection. When consulting with management, you explain that these tools will most likely reduce __________.

A. External threats
B. Internal threats
C. Software vulnerabilities
D. Quality of service

A

D: Quality of service

Every additional security measure might reduce a potential threat but will definitely reduce productivity and quality of service. There is always an overhead cost of security.

232
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Many of your end users are located in the European Union, and will provide personal data as they utilize your software. Your company will not be allowed to use a cloud data center in which of the following countries?

A. Argentina
B. Israel
C. Korea
D. Switzerland

A

C: Korea

Korea does not currently have a federal privacy law that conforms to EU legislation.

233
Q

Which of the following is not a core principle included in the OECD privacy guidelines?

A. The individual must have the ability to refrain from sharing their data
B. The individual must have the ability to correct errors in their data
C. The individual must be able to request a purge of their data
D. The entity holding the data must secure it

A

C: The individual must be able to request a purge of their data

This is an aspect of the current EU legislation, known colloquially as “the right to be forgotten” – it is not an aspect of the OECD principles.

234
Q

Which of the following tools incorporates and references the requirements listed in all the others?

A. ISO 27001
B. CSA Cloud Controls Matrix
C. FedRAMP
D. ENISA

A

B: CSA Cloud Controls Matrix

The CCM is a tool for determining control coverage for compliance with a variety of standards and regulations.

235
Q

Which of the following is appropriate to include in an SLA?

A. That the provider deliver excellent uptime
B. That the provider only host the customer’s data within specific jurisdictions
C. That any conflicts arising from the contract be settled within a particular jurisdiction
D. The specific amount of data that can be uploaded to the cloud environment in any given month

A

D: The specific amount of data that can be uploaded to the cloud environment in any given month

SLA elements should be objective measures (i.e. ‘specific amount’) that can be confirmed or denied at regular intervals (e.g. end of each month) to determine whether or not the SLA is being met.

B and C are useful elements to be included in the contract, but not specifically the SLA. And A is too ambiguous – ‘excellent’ is not a discrete value.

236
Q

Who should be the only entity allowed to declare that an organization can return to normal following contingency or BCDR operations?

A. Regulators
B. Law enforcement
C. The incident manager
D. Senior management

A

D: Senior management

Because of the costs, hazards, and risks involved with returning to normal operations, only senior management may decide to perform that function.

237
Q

An attacker is trying to break into a software-as-a-service (SaaS) environment of a consumer by brute-forcing user credentials obtained on the dark web. Due to this behavior, the cloud service provider issues an alert to the consumer indicating possible breach attempts and temporarily blocks the attacker from logging in. What sort of control is this?

A. Detective
B. Corrective
C. Compensating
D. Preventive

A

B: Corrective

Corrective controls involve physical, administrative, and technical measures designed to react to the detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to occur.

238
Q

ISO/IEC 27018 is the first international code of practice that focuses on protection of personal data in the cloud. Cloud service providers adopting this standard must operate under the following five key principles: consent, control, transparency, communication, and yearly audits. Please select the answer that best describes the principle of control.

A. Customers have explicit control of how their information is used
B. Cloud service providers have no control over how the customer data is used
C. Customers have no control over how their information is protected
D. Cloud service providers enforce controls on customers’ data to protect it

A

A: Customers have explicit control of how their information is used

As per the shared responsibility model, the customer has explicit control of how their information is used.

239
Q

Which critical properties need to be understood after mapping the various data phases but before deploying controls in a cloud environment?

A. People, process, technology
B. Policies, procedures, guidelines
C. Functions, actors, locations
D. All the above

A

C: Functions, actors, locations

After mapping the various data phases, along with data locations and device access, it is necessary to identify what can be done with the data (i.e., data functions) and who can access the data (i.e., the actors).

240
Q

Software-defined networks (SDN) are defined by three separate planes or layers. Please select the correct planes from the options below.

A. Orchestration, control, and data planes
B. Management, control, and data plane
C. Management, forwarding, and data planes
D. Management, control, and database planes

A

B: Management, control, and data plane

At the management plane all the business applications that manage the underlying control plane are exposed with northbound interfaces. Control of network functionality and programmability is directly made to devices at the control plane. OpenFlow was the original framework/protocol specified to interface with devices through southbound interfaces. The network switches and routers located at the data plane are associated with the infrastructure. The process of forwarding data is accomplished at this plane, so it can also be referred to as a forwarding plane.

241
Q

What is the name of the transport mechanism in web services that is based on simple URLs and uses the HTTP methods GET, POST, PUT, and DELETE?

A. Simple Object Transport Protocol (SOAP)
B. Representational State Transfer (REST)
C. Extensible Markup Language (XML)
D. Distributed Component Object Model (DCOM)

A

B: Representational State Transfer (REST)

REST is broadly used as an alternative to SOAP because a URL can be used for making requests. Some specific scenarios may require additional information, but the majority of services found on the web today exclusively use REST and exchange all required information using a URL and four primary hypertext protocol calls: GET, POST, PUT, and DELETE.

242
Q

What is the correct order of the three phases of the initial handshake of TLS 1.3?

A. Key exchange, server parameters, authentication
B. Authentication, server parameters, key exchange
C. Server parameters, authentication, key exchange
D. Server parameters, key exchange, authentication

A

A: Key exchange, server parameters, authentication

In the key exchange phase, the client sends the ClientHello message, which contains: a random nonce (ClientHello.random), its offered protocol versions, a list of symmetric cipher/HKDF hash pairs, either a set of Diffie–Hellman key shares, a set of pre-shared key labels, or both, and potentially additional extensions.

The server processes the ClientHello and determines the appropriate cryptographic parameters for the connection.

The server then responds with its own ServerHello, which indicates the negotiated connection parameters. The combination of the ClientHello and the ServerHello determines the shared keys.