WGU C838 Managing Cloud Security Final Exam Revised 2023/2024
Question 1
This cloud model is composed of five essential characteristics, three service models, and four deployment models. Please match the characteristics below with their descriptions.

Characteristics:
1. Broad Network Access
2. Metered Access
3. On-demand self-service
4. Resource Pooling
5. Rapid elasticity

Descriptions:
a. The provider's computing resources are combined to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
b. Consumer can unilaterally provision computing capabilities as needed automatically.
c. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms.
d. Capabilities can be provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
e. Cloud systems automatically control and optimize resource use by leveraging capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Answers: 1c 2e 3b 4a 5d

Question 2
What type of cloud deployment model is best for highly sensitive or proprietary information?
a) Hybrid
b) Private
c) Public
d) Community
Answer: B

Question 3
Which of the following pose the greatest challenge to security?
a) Process
b) Technology
c) People
d) None of the other choices presented
The correct answer is: c) People
When looking to secure the key assets of any organization, three primary components are essential: people, processes, and technology. People tend to present the single largest challenge to security due to the possibility of a disgruntled, rogue, or simply careless employee or contractor exposing sensitive data either by accident or on purpose.

Question 4
The hypervisor allows multiple OSs to share a single hardware host. Which statement pertaining to the hypervisor is FALSE?
a) Type 1 hypervisor runs directly on the guest OSs and reduces the likelihood of malicious software.
b) Type 2 hypervisor runs on host OSs and is more attractive to attackers.
c) Type 2 hypervisor runs directly on the guest OSs and reduces the likelihood of malicious software.
d) Type 1 hypervisor is also called bare metal hypervisors.
Answer: C
Type 2 security: Because Type 2 hypervisors are OS based, they are more attractive to attackers, given that there are far more vulnerabilities associated with the OS as well as other applications that reside within the OS layer. A lack of standardization on the OS and other layers can open up additional opportunities and exposures that might make the hypervisor susceptible to attack and compromise.

Question 5
Cloud Computing Top Threats include:
• Denial of Service, Data Remanence and Data Loss
• Data Loss, Account or Service Traffic Hijacking and Malicious Insiders
• Abuse of Cloud Services, Sufficient Due Diligence and Data Breaches
• Secure Interfaces and Application Programming Interfaces (APIs)
The correct answer is: B (Data Loss, Account or Service Traffic Hijacking and Malicious Insiders)
Nine critical threats to cloud security (ranked in order of severity):
• Data Breaches: disclosure of sensitive information to a party
• Data Loss: loss of information, deletion, overwriting, corruption or integrity related to the information stored, processed, or transmitted within the cloud environment
• Account or Service Traffic Hijacking: attackers are able to monitor or eavesdrop on communications, capture relevant credentials, access and alter account and user profiles, etc.
• Insecure Interfaces and Application Programming Interfaces (APIs): third parties, organizations, customers, etc., adding on to the provider's cloud computing resources, causing it to become insecure
• Denial of Service: preventing legitimate users from accessing a resource or service; does not always require large volumes of traffic to be successful, such as asymmetric application-level payload attacks
• Malicious Insiders: people tend to present the single largest security challenge due to becoming rogue, disgruntled, or careless, exposing sensitive data by accident or on purpose
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology Vulnerability Issues

Question 6
Critical cloud business continuity success elements include all, except:
a) Understanding interdependencies and supply chain risks.
b) Regularly auditing continuity capabilities and identifying on/off premise backup sites.
c) Treating all assets and services as equal and prioritizing restoration.
d) Understanding CSP and customer responsibilities.
The correct answer is: C (Treating all assets and services as equal and prioritizing restoration)
From the perspective of the cloud customer, business continuity elements include the relevant security pillars of availability, integrity, and confidentiality. The availability of the relevant resources and services is often the key requirement, along with the uptime and ability to access these on demand. Failure to ensure this results in significant impacts, including loss of earnings, loss of opportunities, and loss of confidence for the customer and provider. Two critical success factors for business continuity when utilizing cloud-based services are as follows:
1. Understanding CSP and customer responsibilities:
   • Customer responsibilities
   • CSP responsibilities
   • Understanding any interdependencies or third parties (supply chain risks)
   • Order of restoration (priority)
   • Appropriate frameworks and certifications held by the facility, services, and processes
   • Right to audit and make regular assessments of continuity capabilities
   • Communications of any issues or limited services
2. Identification of need for backups to be held onsite or offsite or with another CSP; regularly auditing continuity capabilities and identifying on/off premise backup sites:
   • Penalties and compensation for loss of service
   • RTOs and RPOs
   • Loss of integrity or confidentiality
   • Points of contact and escalation processes
   • Failover to maintain compliance
   • Changes being communicated in a timely manner
   • Clearly defined responsibilities
   • Where usage of third parties is required per the agreed-upon SLA

Question 7
A system design that does not create a single point of failure is the best defense against which of the following common threats?
a) Denial of Service
b) Abuse of Cloud Service
c) Traffic Hijacking
d) Malicious Insider
The correct answer is: Denial of Service

Question 8
Which of the following is true of "bolt-on" components to cloud APIs?
a) Bolt-on components are good because they build extra security into an existing API.
b) Bolt-on components are good because they increase productivity.
c) Bolt-on components are bad because they increase complexity and decrease security.
d) Bolt-on components are bad because they decrease the complexity of cloud security.
The correct answer is: C (Bolt-on components are bad because they increase complexity and decrease security.)
Regardless of productivity, the increased complexity that is introduced through bolt-on components is always a security risk. Bolt-on components may attempt to build extra security into an API, but the added complexity usually decreases security.

Question 9
It is incumbent on the cloud professional to ensure that both Due Care and Due Diligence are exercised in the drive to the cloud. Due Diligence and Due Care are defined as:
a) Due Care is the methodology required for certifying a site as "cloud ready", and Due Diligence is the process of accreditation of a site.
b) Due Diligence is the act of investigating and understanding the risks a company faces, and Due Care is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.
c) Due Care is the act of investigating and understanding the risks a company faces, and Due Diligence is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.
d) Due Diligence is the development of remediation of risks to people, processes and technology, and Due Care is the act of citing risks in an implementation process in an organization.
The correct answer is: B (Due Diligence is the act of investigating and understanding the risk a company faces, and Due Care is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.)
Due Diligence = Do Detect. Due Care = Do Correct.
Due Diligence is following standards, best practices, and the consensus of experts in order to identify potential threats that could affect you. Due Care is what action you are going to take once the threats have been identified, and how you are going to bring the threat level down to an acceptable level and maintain it at that level.

Question 10
The Trusted Computer System Evaluation Criteria (TCSEC) guidelines are known as the Common Criteria and have 7 Evaluation Assurance Levels. Which level indicates the highest testing evaluation?
a) Level 7 is the highest level, indicating the most rigorous testing.
b) Each level is separate and is not graded on a scale of lowest to highest.
c) Level 1 is the highest level, indicating the most rigorous testing.
d) Level 4 is the highest, as it is in the exact middle of one and seven.
The correct answer is: A (Level 7 is the highest level, indicating the most rigorous testing.)
The goal of CC certification is to assure customers that the products they are buying have been evaluated and that a vendor-neutral third party has verified the vendor's claims. To submit a product for evaluation, follow these steps:
• The vendor must complete a Security Target (ST) description that provides an overview of the product's security features.
• A certified laboratory then tests the product to evaluate how well it meets the specifications defined in the protection profile.
• A successful evaluation leads to an official certification of the product.
The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL level does not measure the security of the system itself; it simply states at what level the system was tested. To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.
Which phase of the cloud data lifecycle allows both read and process functions to be performed? (A) Share (B) Store (C) Create (D) Archive
Answer: Create

Which phase of the cloud data security lifecycle typically occurs simultaneously with creation? (A) Use (B) Share (C) Store (D) Destroy
Answer: Store

Which phase of the cloud data life cycle uses content delivery networks? (A) Share (B) Create (C) Destroy (D) Archive
Answer: Share

Which phase of the cloud data life cycle is associated with crypto-shredding? (A) Use (B) Store (C) Share (D) Destroy
Answer: Destroy

Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security? (A) Obfuscation (B) Tokenization (C) Anonymization (D) Randomization
Answer: Tokenization

Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model? (A) Sandbox encryption (B) Client-side encryption (C) Polymorphic encryption (D) Whole-instance encryption
Answer: Whole-instance encryption

There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms. Which platform as a service (PaaS) data type should be used? (A) Structured (B) Unstructured (C) Long-term storage (D) Short-term storage
Answer: Structured

Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files? (A) Block (B) Object (C) Distributed (D) Relational database
Answer: Object

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data? (A) Tokenization (B) Dynamic masking (C) Proxy-based encryption (D) Format-preserving encryption
Answer: Format-preserving encryption

Which encryption technique connects the instance to the encryption instance that handles all crypto operations? (A) Proxy (B) Database (C) Server-side (D) Externally managed
Answer: Proxy

Which type of control should be used to implement custom controls that safeguard data? (A) Application level (B) Management plane (C) Options for access (D) Public and internal sharing
Answer: Application level

Which element is protected by an encryption system? (A) Data (B) Public key (C) Ciphertext (D) Management engine
Answer: Data

A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken? (A) The application collects a token. (B) The application stores the token. (C) The tokenization server generates the token. (D) The tokenization server returns the token to the application.
Answer: (B) The application stores the token

A company has recently defined classification levels for its data. During which phase of the cloud data life cycle should this definition occur? (A) Use (B) Share (C) Create (D) Archive
Answer: Create

Which jurisdictional data protection includes dealing with the international transfer of data? (A) Privacy regulation (B) Financial modernization (C) Sarbanes-Oxley act (SOX) (D) Secure choice authorization (SCA)
Answer: Privacy Regulation

Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals? (A) Sarbanes-Oxley act (SOX) (B) Gramm-Leach-Bliley act (GLBA) (C) Stored communications act (SCA) (D) Health insurance portability and accountability act (HIPAA)
Answer: Gramm-Leach-Bliley act (GLBA)

Which jurisdictional data protection safeguards protected health information (PHI)? (A) Directive 95/46/EC (B) Safe harbor regime (C) Personal Data Protection Act of 2000 (D) Health Insurance Portability and Accountability Act (HIPAA)
Answer: Health Insurance Portability and Accountability Act (HIPAA)

How is the compliance of the cloud service provider's legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud? (A) E-discovery process (B) Contractual agreements (C) Researching data retention laws (D) Third-party audits and attestations
Answer: Third-party audits and attestations

Which security strategy is associated with data rights management solutions? (A) Static policy control (B) Continuous auditing (C) Unrestricted replication (D) Limited documents type support
Answer: Continuous auditing
Which phase of the cloud data life cycle allows both read and process functions to be performed? A) Create B) Archive C) Store D) Share
Answer: A

Which phase of the cloud data security life cycle typically occurs simultaneously with creation? A) Share B) Store C) Use D) Destroy
Answer: B

Which phase of the cloud data life cycle uses content delivery networks? A) Destroy B) Archive C) Share D) Create
Answer: C

Which phase of the cloud data life cycle is associated with crypto-shredding? A) Share B) Use C) Destroy D) Store
Answer: C

Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security? A) Randomization B) Obfuscation C) Anonymization D) Tokenization
Answer: D

Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model? A) Sandbox encryption B) Polymorphic encryption C) Client-side encryption D) Whole-instance encryption
Answer: D

There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms. Which platform as a service (PaaS) data type should be used? A) Short-term storage B) Structured C) Unstructured D) Long-term storage
Answer: B

Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files? A) Relational database B) Block C) Distributed D) Object
Answer: D

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data? A) Dynamic masking B) Format-preserving encryption C) Proxy-based encryption D) Tokenization
Answer: B

Which encryption technique connects the instance to the encryption instance that handles all crypto operations? A) Database B) Proxy C) Externally managed D) Server-side
Answer: B

Which type of control should be used to implement custom controls that safeguard data? A) Public and internal sharing B) Options for access C) Management plane D) Application level
Answer: D

Which element is protected by an encryption system? A) Ciphertext B) Management engine C) Data D) Public key
Answer: C

A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken? A) The tokenization server returns the token to the application. B) The tokenization server generates the token. C) The application collects a token. D) The application stores the token.
Answer: D

A company has recently defined classification levels for its data. During which phase of the cloud data life cycle should this definition occur? A) Use B) Create C) Share D) Archive
Answer: B

Which jurisdictional data protection includes dealing with the international transfer of data? A) Financial modernization B) Secure choice authorization (SCA) C) Sarbanes-Oxley act (SOX) D) Privacy regulation
Answer: D

Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals? A) Stored communications act (SCA) B) Health insurance portability and accountability act (HIPAA) C) Gramm-Leach-Bliley act (GLBA) D) Sarbanes-Oxley act (SOX)
Answer: C

Which jurisdictional data protection safeguards protected health information (PHI)? A) Directive 95/46/EC B) Safe harbor regime C) Personal Data Protection Act of 2000 D) Health Insurance Portability and Accountability Act (HIPAA)
Answer: D

How is the compliance of the cloud service provider's legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud? A) Contractual agreements B) Third-party audits and attestations C) e-Discovery process D) Researching data retention laws
Answer: B

Which security strategy is associated with data rights management solutions? A) Unrestricted replication B) Limited documents type support C) Static policy control D) Continuous auditing
Answer: D

Who retains final ownership for granting data access and permissions in a shared responsibility model? A) Customer B) Developer C) Manager D) Analyst
Answer: A

Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data? A) Backup B) Caching C) Archiving D) Saving
Answer: C

Which data retention method is stored with a minimal amount of metadata storage with the content? A) File system B) Redundant array C) Object-based D) Block-based
Answer: D

What is a key capability of security information and event management? A) Intrusion prevention capabilities B) Automatic remediation of issues C) Centralized collection of log data D) Secure remote access
Answer: C

Which data source provides auditability and traceability for event investigation as well as documentation? A) Storage files B) Packet capture C) Network interference D) Database tables
Answer: B

Which data source provides auditability and traceability for event investigation as well as documentation? A) Network segmentation B) Ephemeral storage C) Database schema D) Virtualization platform logs
Answer: D

Which technology is used to manage identity access management by building trust relationships between organizations? A) Single sign-on B) Multifactor authentication C) Federation D) Biometric authentication
Answer: C

Which term describes the action of confirming identity access to an information system? A) Coordination B) Concept C) Access D) Authentication
Answer: D

Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring? A) Data loss prevention (DLP) B) Content delivery network (CDN) C) Cloud access security broker (CASB) D) Web application firewall (WAF)
Answer: C
WGU C838 Managing Cloud Security Final Exam Oa 100 Questions and Answers Latest Update 2023/2024
WGU C838 Certified Cloud Security Specialist You are the security subject matter expert (SME) for an organization considering a transition from the legacy... [Show More] environment into a hosted cloud provider 's data center. One of the challenges you 're facing is whether the cloud provider will be able to comply with the existing legislative and contractual frameworks your organization is required to follow. This is a _________ issue. a. Resiliency b. Privacy c. Performance d. Regulatory --------- CORRECT ANSWER ----- D 76. You are the security subject matter expert (SME) for an organization considering a transition from the legacy environ ment into a hosted cloud provider 's data center. One of the challenges you 're facing is whether the cloud provider will be able to allow your organization to substantiate and determine with some assurance that all of the contract terms are being met. This is a(n) ____________ issue. a. Regulatory b. Privacy c. Resiliency d. Auditability --------- CORRECT ANSWER ----- D 77. Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, piece of data, and transaction that takes place on the cloud, why might that not be the optimum choice for an organization? a. K ey length variances don 't provide any actual additional security. b. It would cause additional processing overhead and time delay. c. It might result in vendor lockout. d. The data subjects might be upset by this. --------- CORRECT ANSWER ----- B 78. Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, piece of data, and transaction that takes place on the cloud, why might that not be the optimum choice for an organization? a. It could increase the possibility of physical theft. b. Encryption won 't work throughout the environment. c. The protection might be disproportionate to the value of the asset(s). d. 
Users will be able to see everything within the organization. --------- CORRECT ANSWER ----- C 79. Which of the following is not an element of the identification component of identity and access management (IAM)? a. Provisioning b. Management c. Discretion d. Deprovisioning --------- CORRECT ANSWER ----- C 80. Which of the following entities is most likely to play a vital role in the identity provisioning aspect of a user 's experience in an organization? a. The accounting department b. The human resources (HR) office c. The maintenance team d. The purchasing office --------- CORRECT ANSWER ----- B 81. Why is the deprovisioning element of the identification component of identity and access management (IAM) so important? a. Extra accounts cost so much extra money. b. Open but unassigned accounts are vulnerabilities. c. User tracking is essential to performance. d. Encryption has to be maintained. --------- CORRECT ANSWER ----- B 82. All of the following are reasons to perform review and maintenance actions on user accounts except ____________. a. To determine whether the user still needs the same access b. To determine whether the user is still with the organization c. To determine whether the data set is still applicable to the user 's role d. To determine whether the user is still performing well --------- CORRECT ANSWER ----- D 83. Who should be involved in review and maintenance of user accounts/access? a. The user 's manager b. The security manager c. The accounting department d. The incident response team --------- CORRECT ANSWER ----- A 84. Which of the following protocols is most applicable to the identification process aspect of identity and access management (IAM)? a. Secure Sockets Layer (SSL) b. Internet Protocol security (IPsec) c. Lightweight Directory Access Protocol (LDAP) d. Amorphous ancillary data transmission (AADT) --------- CORRECT ANSWER ----- C 85. 
Privileged user (administrators, managers, and so forth) accounts need to be reviewed more closely than basic user accounts. Why is this? a. Privileged users have more encryption keys. b. Regular users are more trustworthy. c. There are extra controls on privileged user accounts. d. Privileged users can cause more damage to the organization. --------- CORRECT ANSWER ----- D 86. The additional review activities that might be performed for privileged user accounts could include all of the following except _____________. a. Deeper personnel background checks b. Review of personal financial accounts for privileged users c. More frequent reviews of the necessity for access d. Pat-down checks of privileged users to deter against physical theft --------- CORRECT ANSWER ----- D 87. If personal financial account reviews are performed as an additional review control for privileged users, which of the following characteristics is least likely to be a useful indicator for review purposes? a. Too much money in the account b. Too little money in the account c. The bank branch being used by the privileged user d. Specific senders/recipients --------- CORRECT ANSWER ----- C 88. How often should the accounts of privileged users be reviewed? a. Annually b. Twice a year c. Monthly d. More often than regular user account reviews --------- CORRECT ANSWER ----- D 89. Privileged user account access should be __________. a. Temporary b. Pervasive c. Thorough d. Granular --------- CORRECT ANSWER ----- A 90. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA 's Notorious Nine list, data breaches can be ____________. a. Overt or covert b. International or subterranean c. From internal or external sources d. Voluminous or specific --------- CORRECT ANSWER ----- C 91. 
The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that operates in the cloud environment and suffers a data breach may be required to __________. a. Notify affected users b. Reapply for cloud service c. Scrub all affected physical memory d. Change regulatory frameworks --------- CORRECT ANSWER ----- A 92. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that suffers a data breach might suffer all of the following negative effects except __________. a. Cost of compliance with notification laws b. Loss of public perception/goodwill c. Loss of market share d. Cost of detection --------- CORRECT ANSWER ----- D 93. The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all the following data breach notification requirements except ____________. a. Multiple state laws b. Contractual notification requirements c. All standards-based notification schemes d. Any applicable federal regulations --------- CORRECT ANSWER ----- C 94. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, data loss can be suffered as a result of ____________ activity. a. Malicious or inadvertent b. Casual or explicit c. Web-based or stand-alone d. Managed or independent --------- CORRECT ANSWER ----- A 95. The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, all of the following activity can result in data loss except ____________. a. 
Misplaced crypto keys b. Improper policy c. Ineffectual backup procedures d. Accidental overwrite --------- CORRECT ANSWER ----- B 96. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, service traffic high jacking can affect all of the following portions of the CIA triad except ___________. a. Confidentiality b. Integrity c. Availability d. None. Service traffic high jacking can 't affect any portion of the CIA triad. --------- CORRECT ANSWER ----- D 97. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. The CSA recommends the prohibition of __________ in order to diminish the likelihood of account/service traffic high jacking. a. All user activity b. Sharing account credentials between users and services c. Multifactor authentication d. Interstate commerce --------- CORRECT ANSWER ----- B 98. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which aspect of cloud computing makes it particularly susceptible to account/service traffic high jacking? a. Scalability b. Metered service c. Remote access d. Pooled resources --------- CORRECT ANSWER ----- C 99. The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? a. Most of the cloud customer 's interaction with resources will be performed through APIs. b. APIs are inherently insecure. c. Attackers have already published vulnerabilities for all known APIs. d. APIs are known carcinogens. --------- CORRECT ANSWER ----- A/B 100. 
The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? a. Cloud customers and third parties are continually enhancing and modifying APIs. b. APIs can have automated settings. c. It is impossible to uninstall APIs. d. APIs are a form of malware. --------- CORRECT ANSWER ----- A

75. Software developers should receive cloud-specific training that highlights the specific challenges involved with having a production environment that operates in the cloud. One of these challenges is ____________. a. Lack of management oversight b. Additional workload in creating governance for two environments (the cloud data center and client devices) c. Increased threat of malware d. The need for process isolation --------- CORRECT ANSWER ----- D

76. Which security technique is most preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele? a. Anonymization b. Masking c. Encryption d. Training --------- CORRECT ANSWER ----- B

77. At which phase of the software development life cycle (SDLC) is user involvement most crucial? a. Define b. Design c. Develop d. Test --------- CORRECT ANSWER ----- A

78. At which phase of the SDLC should security personnel first be involved? a. Define b. Design c. Develop d. Test --------- CORRECT ANSWER ----- B

79. At which phase of the SDLC is it probably most useful to involve third-party personnel? a. Define b. Design c. Develop d. Test --------- CORRECT ANSWER ----- D

80. In SDLC implementations that include a Secure Operations phase, which of the following security techniques/tools are implemented during that phase? a. Vulnerability assessments and penetration testing b. Performance testing and security control validation c. Requirements fulfillment testing d.
Threat modeling and secure design review --------- CORRECT ANSWER ----- A

81. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls ____________. a. Can lead to data breaches b. Causes electromagnetic interference c. Will affect quality of service d. Can cause regulatory noncompliance --------- CORRECT ANSWER ----- C

82. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls ____________. a. Can lead to DDoS b. Allows malware infections c. Increases the risk of adverse environmental effects d. Is an unnecessary expense --------- CORRECT ANSWER ----- D

83. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls ____________. a. Can lead to customer dissatisfaction b. Is a risk to health and human safety c. Brings down the organization's stock price d. Negates the need for insurance --------- CORRECT ANSWER ----- A

84. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a PaaS model with a major cloud provider. Your company policies have allowed for a bring your own device (BYOD) workforce that works equally from the company offices and their own homes or other locations. The policies also dictate which APIs can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider's permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel.
Of these, 30 had been approved by the company and were on the list. Of the following, what is the most reasonable immediate action? a. Delete accounts of all users who had utilized unapproved APIs to access company data. b. Suspend access for all users who had utilized unapproved APIs to access company data. c. Block all unapproved APIs from accessing company data. d. Notify whomever you report to in the company hierarchy, and suggest bringing the matter to the attention of senior management immediately. --------- CORRECT ANSWER ----- D
WGU C838 MANAGING CLOUD SECURITY

What NIST publication number defines cloud computing? - ANSWER- 800-145
What ISO/IEC standard provides information on cloud computing? - ANSWER- 17788
What is cloud bursting? - ANSWER- Ability to increase available cloud resources on demand
What are 3 characteristics of cloud computing? - ANSWER- Elasticity; Simplicity; Scalability
What is a cloud customer? - ANSWER- Anyone purchasing cloud services
What is a cloud user? - ANSWER- Anyone using cloud services
What are the three cloud computing service models? - ANSWER- SaaS (Software as a Service); PaaS (Platform as a Service); IaaS (Infrastructure as a Service)
What is IaaS (Infrastructure as a Service)? - ANSWER- Cloud provider provides all the physical capability and administration, while the customer is responsible for logical resources.
What is PaaS (Platform as a Service)? - ANSWER- A cloud computing service that provides the hardware and the operating system and is responsible for updating and maintaining both.
What is SaaS (Software as a Service)? - ANSWER- Cloud provider manages everything.
What are the four cloud deployment models? - ANSWER- Public; Private; Community; Hybrid
What cloud model is owned by a single organization? - ANSWER- Private
What cloud model is an arrangement of two or more cloud servers? - ANSWER- Hybrid
What cloud model is a shared setup between orgs? - ANSWER- Community
What cloud model is open for free usage? - ANSWER- Public
What is a cloud service provider? - ANSWER- Cloud service provider manages and provides entire hosting ability
What is a Cloud Access Security Broker? - ANSWER- Third party acting as an intermediary for identity and access management
What do regulators do? - ANSWER- Ensure organizations are in compliance with the regulatory framework.
What word in the CIA triad describes: What protects information from unauthorized access/dissemination?
- ANSWER- Confidentiality
What word in the CIA triad describes: Ensuring that information is not subject to unauthorized modification? - ANSWER- Integrity
What word in the CIA triad describes: Ensuring that authorized users can access the information when they are permitted to do so? - ANSWER- Availability
What is a cloud architect? - ANSWER- Expert in cloud computing
What is cloud OS also known as? - ANSWER- PaaS
NIST standard number that lists accredited and outmoded cryptosystems - ANSWER- FIPS 140-2
Customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints. - ANSWER- Vendor lock-in
What is cloud migration? - ANSWER- Process of transitioning part of a company's data or services from onsite premises to the cloud
What is cloud portability? - ANSWER- Move applications and data between cloud providers
What offers a degree of assurance that nobody w/o authorization will be able to access others' data? - ANSWER- Encryption
If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best? - ANSWER- PaaS
What technology has NOT made cloud service viable? - ANSWER- Smart hubs
What determines the critical paths, processes, and assets of an organization? - ANSWER- BIA
Fully operational environment with very little maintenance or administration necessary; which cloud service model would probably be best? - ANSWER- PaaS
Customer is unable to recover or access their own data due to the cloud provider going into bankruptcy or otherwise leaving the market. - ANSWER- Vendor lock-out
What are four examples of things to know to decide how to handle risks within an org? - ANSWER- Inventory of all assets; Valuation of each asset; Critical paths, processes, and assets; Clear understanding of risk appetite
T/F: Assets are only tangible items. - ANSWER- False. Assets are everything owned or controlled by an org.
The process of evaluating assets? - ANSWER- Business Impact Analysis (BIA)
What is criticality? - ANSWER- Something an org could not operate or exist without
In risk, what is the avoidance method? - ANSWER- Avoiding high risk
In risk, what is the acceptance method? - ANSWER- Acceptable level of risk
In risk, what is an example of the avoidance method? - ANSWER- Insurance
In risk, what is the mitigation method? - ANSWER- Controls or countermeasures
Assets can be what? - ANSWER- Tangible; Intangible; Personnel
What does Business Impact Analysis do? - ANSWER- Defines which of the assets provide the intrinsic value of an organization.
What is risk appetite? - ANSWER- Level, amount, or type of risk that an org finds acceptable
What is the IaaS boundary? - ANSWER- The provider is responsible for connectivity and power, and the customer is in charge of installation of software.
What is the PaaS boundary? - ANSWER- The provider is responsible for updates and administration of the OS, and the customer monitors and reviews software events.
What is the SaaS boundary? - ANSWER- The provider is responsible for system maintenance, and the customer supplies and processes data to and in the system.
What should encryption be used for in a cloud datacenter? - ANSWER- Long-term storage/archiving; Protecting near-term stored files, such as snapshots of virtualized instances; Preventing unauthorized access to specific datasets by authorized personnel
What should encryption be used for in communications between cloud providers and users? - ANSWER- Creating secure sessions; Ensuring the integrity and confidentiality of data in transit
What are 4 controls/mechanisms a cloud provider should play a role in in layered defense? - ANSWER- Strong personnel controls; Technological controls; Physical controls; Governance mechanisms
In cloud layered defense, what are examples of personnel controls?
- ANSWER- Background checks; continual monitoring
In cloud layered defense, what are examples of technological controls? - ANSWER- Encryption; event logging; access control enforcement
In cloud layered defense, what is an example of physical controls? - ANSWER- Access to overall campus
In cloud layered defense, what is an example of governance mechanisms? - ANSWER- Auditing
What are ways for securing devices in a datacenter? - ANSWER- Guest accounts removed; no default passwords; systems are patched, maintained, and updated; unused ports are closed; limited physical access
What is layered defense? - ANSWER- The practice of having multiple overlapping means of securing the environment with a variety of methods
Who determines risk appetite? - ANSWER- Senior management
Experimental technology of processing encrypted data w/o decrypting it first? - ANSWER- Homomorphic
T/F: Data owners remain legally responsible for all data they own - ANSWER- True
What are four ways an org might categorize data? - ANSWER- Regulatory compliance; business function; functional unit; by project
What are three examples of classification? - ANSWER- Sensitivity; jurisdiction; criticality
What is a data owner? - ANSWER- Collects or creates the data, and possesses the rights and responsibilities of the data
What is a data custodian? - ANSWER- Manipulates, stores, or moves the data, and serves as a cloud provider
What is data mining? - ANSWER- Data mining tries to automatically find interesting patterns in data using a plethora of technologies
In what method would an org create categories based on which rules apply to a specific dataset? - ANSWER- Regulatory compliance
In what method would an org have specific categories for different uses of data? - ANSWER- Business function
What would a department or office be called that has its own category and keeps all the data it controls? - ANSWER- Functional unit
What dataset is defined by projects?
- ANSWER- By project
What data discovery method is used when the discovery effort is considered in response to a mandate with a specific purpose? - ANSWER- Label-based
What data discovery method is used to collect all matching data elements for a certain purpose? - ANSWER- Metadata-based
What data discovery method is used to locate and identify specific kinds of data by delving into the datasets? - ANSWER- Content-based
What data discovery method is used to create new data feeds from sets of data already existing within the environment? - ANSWER- Data analytics
T/F: Being in the cloud means an organization may not be subject to many legal constructs simultaneously. - ANSWER- False
T/F: Awareness of and compliance with specific jurisdictions are challenges of cloud computing. - ANSWER- True
T/F: The cloud user is responsible for managing virtualized images, stored data, and operational data. - ANSWER- False
T/F: The cloud user is unaware of exactly where the data is present at the moment, in terms of both datacenters and geographic locations. - ANSWER- True
What are four examples of Fair Use under copyright laws? - ANSWER- Academic; Critique; News reporting; Scholarly research
What are five examples of exceptions under copyright laws? - ANSWER- Fair use; satire; library preservation; personal backup; versions for people with physical disabilities
What is copyright? - ANSWER- Protection of written material or ideas
What is a trademark? - ANSWER- A symbol, word, or words legally registered or established by use as representing a company or product.
What is a patent? - ANSWER- Legal mechanism for protecting intellectual property in the form of inventions, processes, materials, decorations, and plant life
What are trade secrets? - ANSWER- Any form of knowledge or info that has economic value from not being known to others, or readily ascertainable by proper means, and has been the subject of reasonable efforts by the owner to maintain secrecy
What are rudimentary reference checks?
- ANSWER- Content itself can automatically check for proper usage or ownership
What is the presence of licensed media? - ANSWER- DRM engine on the media identifies the unique disk
What are online reference checks? - ANSWER- Product key
What is support-based licensing? - ANSWER- The need for continual help for content
What are local agent checks? - ANSWER- Installed reference tool that checks the protected content against the user's license
What are four examples of conflicts that are posed while employing DRM in the cloud? - ANSWER- API; Replication; Jurisdiction; Enterprise
What are six retention policies that should be included in data retention? - ANSWER- Retention periods; applicable regulation; retention formats; data classification; archiving and retrieval procedures; monitoring, maintenance, and enforcement
What are four legacy examples of data destruction? - ANSWER- Physical destruction of media and hardware; degaussing; overwriting; cryptoshredding
Data retention policy: retention period - ANSWER- How long data should be kept
Data retention policy: data classification - ANSWER- How and when data should be categorized
Data retention policy: retention format - ANSWER- How data is archived and stored
Data retention policy: applicable regulation - ANSWER- Senior management's decision to resolve conflict in policy
What is jurisdiction? - ANSWER- Geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled
What is a data audit? - ANSWER- A powerful tool to regularly review, inventory, and inspect usage and condition of the information that an organization owns.
What does copyright not protect? - ANSWER- Ideas, facts, titles, names, short phrases, blank forms
Who is the data processor in the cloud motif? - ANSWER- Cloud provider
What isn't included in data labels? - ANSWER- Data value
What is the intellectual property protection for the tangible expression of a creative idea?
- ANSWER- Copyright
What federal agency accepts applications for new patents? - ANSWER- USPTO
What is the intellectual property protection for a very valuable set of sales leads? - ANSWER- Trade secret
What is the intellectual property protection for a useful manufacturing innovation? - ANSWER- Patent
Who is the data owner in a cloud motif? - ANSWER- Cloud customer
What are 3 data analytic modes? - ANSWER- Data mining; Agile business intelligence; Real-time analytics
Data created should be _________ upon creation/upload - ANSWER- Encrypted
New digital content is generated or existing content is modified - ANSWER- Create
Data is committed to a repository - ANSWER- Store
Data is viewed, processed, or otherwise in some sort of activity - ANSWER- Use
Information is made accessible to others - ANSWER- Share
Data leaves active use and enters long-term storage - ANSWER- Archive
Data is permanently removed using physical or digital means - ANSWER- Destroy
T/F: Archive phase is for short-term storage when planning security controls for the data - ANSWER- False
T/F: Archive phase activities in the cloud will largely be driven by whether a user is using the same cloud provider for backups and its production environment - ANSWER- True
T/F: In the archive phase, physical security of the data in short-term storage is also important - ANSWER- False
T/F: In the archive phase, cryptography will, as with most data-related controls, be an essential consideration - ANSWER- True
What is volume storage? - ANSWER- Allocates a storage space within the cloud; this storage space is represented as an attached drive to the user's virtual machine
What are two types of volume storage architecture? - ANSWER- File; Block
Volume storage is associated with what infrastructure model? - ANSWER- Infrastructure as a Service (IaaS)
What is object-based storage?
- ANSWER- Data is stored as objects
What is a database? - ANSWER- Provides some sort of structure for stored data; it is backend storage in the datacenter, accessed by users utilizing online apps
What is a content delivery network? - ANSWER- Acts as a form of data caching, usually near geophysical locations of high use demand; improves bandwidth and provides quality
What are three levels of encryption related to databases? - ANSWER- File-level; Transparent; Application-level
When the database is stored on a volume, what encryption type should be used? - ANSWER- File-level
When wanting to encrypt the entire database or specific portions of it, what type of encryption should be used? - ANSWER- Transparent
When should application-level encryption be used with a database? - ANSWER- Compromised administrative accounts; other database and application-level attacks
What is tokenization? - ANSWER- Practice of having two distinct databases: one with the live, actual sensitive data, and one with nonrepresentational tokens mapped to each piece of data
What are the four goals of Security Information and Event Management (SIEM)? - ANSWER- Centralize collection of log data; enhanced analysis capabilities; dashboarding; automated response
What does DLP in egress monitoring stand for? - ANSWER- Data loss, leak prevention, and protection
What are the four major goals of DLP? - ANSWER- Additional security; Policy enforcement; Enhanced monitoring; Regulatory compliance
What is randomization? - ANSWER- Replacement of data with random characters
What is hashing? - ANSWER- Using a one-way cryptographic function to create a digest of the original data
What is shuffling? - ANSWER- Using different entries from within the same data set to represent the data
What is masking? - ANSWER- Hiding the data with useless characters
What are nulls? - ANSWER- Deleting the raw data from the display before it is represented, or displaying null
What is key recovery?
- ANSWER- A procedure that involves multiple people, each with access to only a portion of the key
What is block storage? - ANSWER- A blank volume that the customer or user can put anything into; it might allow more flexibility and higher performance
What are the U.S. Commerce Department's controls on technology exports? - ANSWER- Export Administration Regulations (EAR)
What are the U.S. State Department's controls on technology exports? - ANSWER- International Traffic in Arms Regulations (ITAR)
T/F: Cryptographic keys for encrypted data stored in the cloud should be stored with the cloud provider. - ANSWER- False
What is the practice of obscuring raw data where only a portion is displayed for operational purposes? - ANSWER- Masking
What are third-party providers of IAM functions for the cloud environment? - ANSWER- Cloud Access Security Broker (CASB)
T/F: The goals of DLP include elasticity - ANSWER- False
T/F: Risk and responsibilities will be shared between the cloud provider and customer - ANSWER- True
T/F: The customer is concerned with data, whereas the provider is concerned with security and operation - ANSWER- True
T/F: The customer wants to refute control, deny insight, and refrain from disclosing any information used for malicious purpose - ANSWER- False
T/F: The customer is legally liable for their data even if the provider was negligent. - ANSWER- True
What is a private cloud? - ANSWER- A cloud that is owned and operated by an organization for its own benefit.
What are 5 risks private cloud owners face? - ANSWER- Personnel threats; Natural disasters; External attacks; Regulatory noncompliance; Malware
What are 3 risks associated with a community cloud? - ANSWER- Resiliency through shared ownership; Access and control; Lack of centralized standards
What are the 3 main issues with a public cloud? - ANSWER- Vendor lock-in; vendor lock-out; multitenant environments
What are 4 things to consider to avoid vendor lock-in?
- ANSWER- Ensure favorable contract terms for portability; Avoid proprietary formats; Ensure no physical limitations to moving; Check for regulatory constraints
What are 4 factors to consider to avoid vendor lock-out? - ANSWER- Provider longevity; Core competency; Jurisdictional suitability; Supply chain dependencies; Legislative environment
What are 4 risks in a multitenant environment? - ANSWER- Conflict of interest; Privilege escalation; Information bleed; Legal activity
What are 3 risks associated with Infrastructure as a Service (IaaS)? - ANSWER- Personnel threats; External threats; Lack of specific skillsets
What are 4 risks associated with Platform as a Service (PaaS)? - ANSWER- Interoperability issues; Persistent backdoors; Virtualization; Resource sharing
What are 3 risks associated with Software as a Service (SaaS)? - ANSWER- Proprietary formats; Virtualization; Web application security
What are 4 risks with virtualization? - ANSWER- Attacks on the hypervisor; Guest escape; Information bleed; Data seizure
What is a type 1 hypervisor? - ANSWER- Installed on top of a bare metal install; bootable software
What is a type 2 hypervisor? - ANSWER- Applications that run on a standard OS
What are 8 threats to a private cloud? - ANSWER- Malware; internal threats; external attackers; man in the middle; social engineering; theft or loss of devices; regulatory violations; natural disasters
What three additional concerns from a private cloud apply to a community cloud? - ANSWER- Loss of policy control; loss of physical control; lack of audit access
What are three additional threats to public clouds from community and private clouds? - ANSWER- Rogue administrator; privilege escalation; contractual failure
What are three methods of using cloud backups for business continuity / disaster recovery (BC/DR)?
- ANSWER- Private architecture, cloud service as a backup; Cloud operations, cloud provider as backup; Cloud operations, third-party cloud backup provider
What are some examples of cloud computing external threats? - ANSWER- Malware, hacking, man-in-the-middle
What is a personnel threat? - ANSWER- Malicious or negligent insider who can cause negative impact, as they have physical access to the resources
What is resource sharing? - ANSWER- Programs and instances run by the customer that will operate on the same devices used by other customers, sometimes simultaneously
What is an interoperability issue? - ANSWER- Customer's software may not function properly with each new adjustment in the environment if the OS is updated by the provider
What is a data seizure? - ANSWER- Legal activity that might result in a host machine being confiscated or inspected by law enforcement or plaintiffs' attorneys
What is guest escape? - ANSWER- Improperly designed or poorly configured hypervisor might allow a user to leave the confines of their own virtualized instance
What is information bleed? - ANSWER- Possibility that processing performed on one virtualized instance may be detected by other instances on the same host
What are three techniques to enhance the portability of data and avoid vendor lock-in? - ANSWER- Favorable contract terms; Avoid proprietary data formats; No physical limitations to moving
What are six countermeasures against internal threats? - ANSWER- Least privilege; mandatory vacation; separation of duties; skills and knowledge testing; extensive and comprehensive training programs; aggressive background checks
What are 3 countermeasures that can be applied to cloud operations against internal threats? - ANSWER- DLP solutions; Financial penalties against the cloud provider's personnel; Broad contractual protections
What are 3 dependencies that must be considered after cloud migration?
- ANSWER- The cloud provider's vendors, utilities, and suppliers
What 3 models are generally available for cloud BCDR? - ANSWER- Private architecture, cloud backup; Cloud provider, backup from same provider; Cloud provider, backup from another cloud provider
T/F: After cloud migration and taking into account new factors related to data breach impacts, legal liability can't be transferred to the cloud provider - ANSWER- True
What are three methods that can attenuate harm caused by privilege escalation? - ANSWER- Automated analysis tools; Extensive access control and authentication tools and techniques; Analysis and review of all log data by trained, skilled personnel on a frequent basis
What word describes the general ease and efficiency of moving data from one provider to another? - ANSWER- Portability
Whose responsibility involves infrastructure and physical security? - ANSWER- Cloud provider
Whose responsibility involves data security and governance? - ANSWER- Enterprise
Vulnerability assessment, firewall, honeypot, and IDS/IPS are methods used for what? - ANSWER- Securing a network
What are three methods to protect data in transit? - ANSWER- Encryption; Virtual private network; Strong authentication
What creates a secure tunnel across an untrusted network? - ANSWER- Virtual private network
What reduces the possibility that someone would be able to acquire raw data in plaintext? - ANSWER- Encryption
What uses robust tokens and requires multifactor verification, reducing unauthorized user access? - ANSWER- Strong authentication
What cloud service type: Cloud provider maintains physical security control of the facility and the cloud customer provides all other security - ANSWER- PaaS
What cloud service type: Cloud provider maintains infrastructure's physical security and the cloud customer is responsible for access and administration. - ANSWER- SaaS
What cloud service type: Cloud provider is responsible for physical security of the facility and systems.
- ANSWER- IaaS
Removing unnecessary services and libraries, closing unused ports, limiting administrator access, and ensuring event logging is enabled are examples of what? - ANSWER- Hardening
Who facilitates the data access method: The customer will provision, manage, and remove user accounts without input or cooperation from the cloud provider if the cloud customer retains control. - ANSWER- Customer directly administers access
Who facilitates the data access method: The user submits a request to the provider, either directly or through some point of contact; the provider verifies and then assigns - ANSWER- Provider administers access on behalf of the customer
Who facilitates the data access method: The user requests to a local administrator, and the administrator verifies the account and then assigns the appropriate access and permissions - ANSWER- Third party administers access on behalf of the customer
How many SOC report categories are there? - ANSWER- 3
What SOC report audits the financial reporting instruments of a corporation and consists of two subclasses? - ANSWER- SOC 1
What SOC intends to report audits of controls on an organization's security, availability, processing integrity, and privacy? - ANSWER- SOC 2
What SOC contains no actual data about the security controls of the audit target and is also known as a seal of approval? - ANSWER- SOC 3
What helps the customer to seek financial restitution for damages caused to them that occurred because of negligence or malfeasance on the part of the provider? - ANSWER- Shared policy
In all cloud models, security controls are driven by what? - ANSWER- Business requirements
What are 3 things the provider will offer to address shared monitoring and testing responsibilities in a cloud configuration? - ANSWER- SIM, SIEM, and SEM logs; DLP solution results; Access to audit logs and performance data
What would a cloud provider offer to customers to enhance customer trust in the provider?
- ANSWER- Audit and performance log data
What are 3 examples that a cloud provider would offer to enhance the customer's trust? - ANSWER- Shared administration; SLAs; Audits
Who is responsible for the liability and responsibility for any data loss or disclosure? - ANSWER- Customer
What ensures trust in the provider's performance and duties? - ANSWER- The contract
Why does a cloud provider not allow physical access to their datacenters? - ANSWER- To keep the physical layout and controls confidential
How many subtypes of SOC 2 are there? - ANSWER- 2
What is SOC 2 Type 1? - ANSWER- Reviews the design of controls
What is SOC 2 Type 2? - ANSWER- Detailed report that provides how controls are implemented and maintained, or their function
What term is used for moving an entire application to the cloud without any significant change? - ANSWER- Forklifting
What are 4 examples of issues that developers and administrators must deal with? - ANSWER- Multitenancy; third-party admins; deployment models (Public, Private, Community, Hybrid); service models (IaaS, PaaS, and SaaS)
What are 5 common cloud application deployment pitfalls? - ANSWER- On-premises apps do not always transfer; poor documentation; not all apps are cloud-ready; tenancy separation; use of secure, validated APIs; possible data bleed
What are the 4 core stages of the cloud-secure development life cycle, in order? - ANSWER- Defining; Designing; Development; Testing
What is the focus in the definition phase? - ANSWER- Business needs of the application are identified
What is the focus in the design phase? - ANSWER- Overall design of the application, including look and language used
What is the focus in the development phase? - ANSWER- Perform static and dynamic application security testing (DAST)
What is the focus in the testing phase? - ANSWER- Penetration testing and vulnerability scanning against an application are performed
What is the focus in the disposal phase?
- ANSWER- Once the software has completed its job or been replaced with a newer version, it must be securely discarded.
What are the 7 ISO/IEC 27034-1 standard categories? - ANSWER- Business Context; Regulatory Context; Technical Context; Specifications; Roles, Responsibilities, and Qualifications; Processes; Application Security Control (ASC) Library
What are the 3 key elements in ISO/IEC 27034-1? - ANSWER- Organizational normative framework (ONF); application normative framework (ANF); application security management process (APSM)
What does IAM stand for, and what two categories is IAM divided into? - ANSWER- Identity and Access Management
What is identity management? - ANSWER- Process where individuals are given access to system resources by associating user rights with a given identity
What is access management? - ANSWER- Part of the process that deals with controlling access to resources once they have been granted
What are 5 ways access management controls access? - ANSWER- Authentication; authorization; policy management; federation; identity repositories
Within access management, what does authentication do? - ANSWER- Establishes an identity of the user
What is an example of access management authentication? - ANSWER- Username and password
What is an example of access management authorization? - ANSWER- Comparing authentication with an ACL
What is an example of access management policy management? - ANSWER- Enforces authentication and authorization based on business needs and management decisions
What does access management federation do? - ANSWER- Allows an organization to exchange information with trusted organizations
What are identity repositories? - ANSWER- Directory services for the administration of user accounts and their associated attributes
What are all of the access management resources stored in? - ANSWER- Identity repository directory
What are 5 examples of directory services?
- ANSWER- X.500; LDAP; Active Directory; Novell eDirectory; metadata replication and synchronization
What are the two general types of federation? - ANSWER- Web-of-trust model; third-party identifier
What is a web-of-trust model? - ANSWER- Each member of the federation has to approve each other member for inclusion
What is a third-party identifier? - ANSWER- Identity responsibilities are outsourced to an external party
Identity provider and relying party are terms that apply to what concept? - ANSWER- Federation
What are 3 federation standards? - ANSWER- WS-Federation; OAuth; OpenID Connect
What encryption technique ensures privacy when communicating between applications? - ANSWER- Transport Layer Security (TLS)
What encrypts all of the system's data at rest in one instance? - ANSWER- Whole-instance encryption
What encrypts only a partition instead of the entire disk? - ANSWER- Volume encryption
What encrypts data transmission between servers? - ANSWER- Secure Sockets Layer (SSL). Caveat: every SSL version is deprecated and has been superseded by TLS; new deployments should allow only TLS.
What does STRIDE stand for in threat modeling? - ANSWER- Spoofing; Tampering; Repudiation; Information disclosure; Denial of service; Elevation of privilege
What does SDLC stand for? - ANSWER- Software Development Life Cycle
What are 10 examples in threat modeling of common application vulnerabilities (the 2013 OWASP Top 10)? - ANSWER- Injection; broken authentication; cross-site scripting (XSS); insecure direct object references; security misconfiguration; sensitive data exposure; missing function-level access control; cross-site request forgery (CSRF); using components with known vulnerabilities; unvalidated redirects and forwards
What is white box testing? - ANSWER- The tester uses knowledge of the program's internals.
What is black box testing? - ANSWER- The tester tests without knowledge of the internals.
What are 4 cloud application assurance and validation methods?
- ANSWER- Approved APIs; secure code reviews; runtime application self-protection; securing open source software
What allows applications to consume web services from the application, to expand its capabilities? - ANSWER- Approved APIs
What identifies and mitigates code in an application that exposes a potential vulnerability? - ANSWER- Secure code reviews
What protects itself without human intervention and assists in preventing a successful attack? - ANSWER- Runtime application self-protection (RASP)
What validation method addresses software that allows users to make whatever modifications they choose in order to add or enhance functionality? - ANSWER- Securing open source software
What cloud model removes and reduces the authority and execution of security controls in the environment? - ANSWER- Deployment model
What is SAML? - ANSWER- A standard for exchanging authentication and authorization data between security domains
What is the most widely used federation standard? - ANSWER- Security Assertion Markup Language (SAML)
What is an API? - ANSWER- A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool
What is SAST? - ANSWER- A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability
What is the ONF? - ANSWER- A framework of containers for all components of application security best practices, catalogued and leveraged by the organization
What is data masking? - ANSWER- A method for creating similar but inauthentic datasets used for software testing and user training
What are three descriptions of SOAP? - ANSWER- Reliant on XML; standards-based; works over numerous protocols
The Application Normative Framework (ANF) is a subset of what? - ANSWER- The Organizational Normative Framework (ONF)
What does DAM stand for? - ANSWER- Database activity monitoring
What are the two types of DAM? - ANSWER- Agent-based (host); network-based
What is the purpose of ISO/IEC 27034-1?
- ANSWER- Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security
What best describes DAST? - ANSWER- Testing performed on an application or software product while it is being executed in memory in an operating system
What does DAST stand for? - ANSWER- Dynamic application security testing
What is sandboxing best used for? - ANSWER- To isolate untrusted code changes for testing in a nonproduction environment
What best describes REST? - ANSWER- Lightweight and scalable
What are web application firewalls designed to protect against? - ANSWER- XSS and SQL injection
What best describes data masking? - ANSWER- Data masking is used to create a similar, inauthentic dataset used for training and software testing.
What is the industry standard for uptime in cloud service provision? - ANSWER- Five nines (99.999%)
What is power conditioning? - ANSWER- Adjusting the voltage coming in from the line
How many Uptime Institute tiers are there? - ANSWER- Four
What are the minimum requirements for a Tier 1 datacenter? - ANSWER- Dedicated space for IT systems; UPS system; cooling system; on-site power generation for at least 12 hours
What is the appeal of a Tier 1 datacenter? - ANSWER- Cost
What are the characteristics of a Tier 2 datacenter? - ANSWER- Tier 1 requirements; redundant capacity components, so routine component maintenance does not interrupt operations; personnel activity may cause downtime; unplanned failures of components or systems cause downtime
What are the characteristics of a Tier 3 datacenter? - ANSWER- Tier 2 requirements; dual power supplies for all IT systems; critical operations can continue without interruption during planned maintenance (the tier is defined as concurrently maintainable); unplanned failures may still cause downtime
What are the characteristics of a Tier 4 datacenter? - ANSWER- Tier 3 requirements; multiple redundant IT and electrical components with multiple independent distribution paths; personnel activity will not cause downtime; scheduled maintenance will not cause downtime; a single unplanned failure will not cause downtime (fault tolerant)
What is security redundancy?
- ANSWER- Multiple security controls protecting the same assets using different technologies
What is personnel redundancy? - ANSWER- Multiple personnel who can administer and support IT
What is power and communications line redundancy? - ANSWER- Power and communication lines are duplicated and enter on opposite sides of each building
What are the two types of clustering? - ANSWER- Tightly coupled; loosely coupled
What is a tightly coupled cluster? - ANSWER- Storage devices are directly connected to a shared physical backplane
What is a loosely coupled cluster? - ANSWER- Each node is independent of the others and only logically connected
What are the two options for storage? - ANSWER- Volume; object
What are four traits of a secure KVM? - ANSWER- Secure data ports; tamper label; soldered circuit board; air-gapped push-button switching
What is initial training? - ANSWER- Training for personnel who join the organization
What is recurring training? - ANSWER- Continual updating of security knowledge that builds on the fundamentals
What is refresher training? - ANSWER- Training for personnel who need additional lessons
What does SAST stand for? - ANSWER- Static application security testing
What is static application security testing? - ANSWER- Direct review of the source code comprising an application
What is dynamic application security testing? - ANSWER- Reviews the outcomes of the running application; no information about its internals is provided
What term describes data split into (typically encrypted) chunks that are spread across multiple storage locations? - ANSWER- Data dispersion
What are 5 things monitored in a data center? - ANSWER- OS logging; hardware; network; temperature; humidity
What tool is used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters? - ANSWER- OS logging
What is used to measure performance indicators such as CPU temperature, fan speed, and drive temperature? - ANSWER- Hardware monitoring
What helps to check not only the hardware and the software but also distribution facets such as SDN control planes? - ANSWER- Network monitoring
What are the 4 maintenance processes?
- ANSWER- Upgrade; update; patch management; implementation
What maintenance process describes the replacement or secure disposal of older elements in favor of new ones? - ANSWER- Upgrade
What maintenance process describes the vendor issuing ongoing maintenance instructions? - ANSWER- Update
What maintenance process combines the benefits of both manual and automated approaches? - ANSWER- Patch management
What maintenance process describes the operator deciding which patch needs to be issued and when? - ANSWER- Implementation
What is a baseline? - ANSWER- The minimum level of security and performance of a system in an organization
What are the four steps of change management in normal operations? - ANSWER- CMB meetings; CM testing; deployment; documentation
What change management step reviews and analyzes change and exception requests? - ANSWER- Change management board (CMB) meetings
What change management step takes place in an isolated sandbox network that mimics all the systems? - ANSWER- Change management (CM) testing
What change management step makes the modifications in accordance with appropriate guidance? - ANSWER- Deployment
What change management step reflects all the modifications to the environment in the asset inventory? - ANSWER- Documentation
Which BC/DR test has participants describe how they would perform their tasks in a given BC/DR scenario? - ANSWER- Tabletop testing
Which BC/DR test has the organization describe its responses during the test while performing some minimal actions? - ANSWER- Dry run
Which BC/DR test best detects the shortcomings in a plan but has the greatest impact on productivity? - ANSWER- Full test
What BC/DR concept calculates how long an interruption in service will take to kill an organization? - ANSWER- Maximum allowable downtime (MAD)
What BC/DR concept measures the time it takes to recover operational capability after a service interruption?
- ANSWER- Recovery time objective (RTO)
What BC/DR concept is the goal of limiting the loss of information from an unplanned event? - ANSWER- Recovery point objective (RPO)
What are 5 items included in a BC/DR plan? - ANSWER- Circumstances under which an event or disaster is declared; list of inventoried assets deemed critical; actions, tasks, and activities; who is authorized to make the declaration; essential points of contact
What are the three essential BC/DR concepts? - ANSWER- MAD (maximum allowable downtime); RTO (recovery time objective); RPO (recovery point objective)
T/F: During maintenance mode you must initiate enhanced security controls. - ANSWER- False
How can a localized incident or disaster be addressed in a cost-effective manner? - ANSWER- Joint operating agreements
What tool can reduce confusion and misunderstanding during a BC/DR response? - ANSWER- A checklist
What are the three general bodies of law in the United States? - ANSWER- Criminal law; civil law; administrative law
What is the specialized body of law unique to the United States military? - ANSWER- Uniform Code of Military Justice (UCMJ)
What involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes? - ANSWER- Criminal law
Who creates statutes? - ANSWER- Federal, state, and local legislatures
Where in the world can you be prosecuted for criminal violations, and held liable for whatever damages result, from a data breach? - ANSWER- The European Union (EU)
Which of the three general bodies of law in the United States deals with personal and community-based law? - ANSWER- Civil law
What is an agreement between parties to engage in some specified activity, usually for mutual benefit? - ANSWER- A contract
What are 4 contracts that you should be familiar with? - ANSWER- Service-level agreements; privacy-level agreements; operational-level agreements; Payment Card Industry Data Security Standard contracts
What does SLA mean?
- ANSWER- Service-level agreement
What does PLA mean? - ANSWER- Privacy-level agreement
What does OLA mean? - ANSWER- Operational-level agreement
What does PCI DSS stand for? - ANSWER- Payment Card Industry Data Security Standard
What refers to the body of rights, obligations, and remedies that set out relief for persons who have been harmed as a result of wrongful acts by others? - ANSWER- Tort law
What are laws created by executive decision and function? - ANSWER- Administrative law
What term describes intangible assets that are the property of the mind, also known as ideas? - ANSWER- Intellectual property
What term describes the protection of expressions of ideas? - ANSWER- Copyrights
What protection is for intellectual property used to immediately identify a brand? - ANSWER- Trademarks
What do patents protect? - ANSWER- Formulas; processes; patterns; inventions; plants
What term describes a court acknowledging the ownership of private business materials, such as client lists, processes, and recipes? - ANSWER- Trade secrets
What term describes the processes associated with determining which legal jurisdiction will hear a dispute when one occurs? - ANSWER- Doctrine of the proper law
What refers to a collation of developments in common law that helps the courts keep up with changes? - ANSWER- Restatement (Second) of Conflict of Laws
What law enhanced the laws restricting the government from putting wiretaps on phone calls, updating them to include electronic communication in the form of data? - ANSWER- The Electronic Communications Privacy Act (ECPA)
What law restricts the government from forcing ISPs to disclose customer data the ISP might possess? - ANSWER- The Stored Communications Act (SCA)
What law allows banks to merge with and own insurance companies? - ANSWER- Gramm-Leach-Bliley Act (GLBA)
What law increases transparency into publicly traded corporations' financial activities.
Includes provisions for securing data and expressly names the traits of confidentiality, integrity, and availability? - ANSWER- Sarbanes-Oxley Act (SOX)
What law protects patient records and data, known as electronic protected health information? - ANSWER- Health Insurance Portability and Accountability Act (HIPAA)
What law prevents academic institutions from sharing student data with anyone other than the parents of students? - ANSWER- Family Educational Rights and Privacy Act (FERPA)
What law updated copyright provisions to protect owned data in an internet-enabled world, makes cracking of access controls on copyrighted media a crime, and enables copyright holders to require any site on the internet to remove content that may belong to the copyright holder? - ANSWER- The Digital Millennium Copyright Act (DMCA)
Who administers GLBA? - ANSWER- FDIC; FFIEC
Who administers SOX? - ANSWER- SEC
Who administers FERPA? - ANSWER- Department of Education
Which developed country has no single comprehensive federal law ensuring individual personal privacy? - ANSWER- United States
What is the first major EU data privacy law? - ANSWER- EU Data Protection Directive 95/46/EC
What EU data directive principle says the individual must be informed that personal information about them is being gathered or created? - ANSWER- Notice
What EU data directive principle addresses every individual's ability to choose whether to disclose their personal information? - ANSWER- Choice
What EU data directive principle says an individual must be told the specific use the information will be put to? - ANSWER- Purpose
What EU data directive principle states the individual is allowed to get copies of any of their own information held by an entity? - ANSWER- Access
What EU data directive principle states the individual must be allowed to correct any of their own information if it is inaccurate?
- ANSWER- Integrity
What EU data directive principle states any entity holding an individual's personal information is responsible for protecting that information and is ultimately liable for any unauthorized disclosure of that data? - ANSWER- Security
What EU data directive principle states all entities that have any personal data of any EU citizen understand that they are subject to enforcement actions by the EU authorities? - ANSWER- Enforcement
What is a data subject? - ANSWER- The person whose data is being stored
What is a data controller? - ANSWER- The person or entity that has overall control over the information/data
What is a data processor? - ANSWER- Anyone performing manipulation, storage, or transmission of PII on behalf of the controller
What does PIPEDA stand for? - ANSWER- Personal Information Protection and Electronic Documents Act
What act conforms to the EU Data Directive and Privacy Regulation? - ANSWER- PIPEDA (Canada)
What personal privacy principle informs an individual that personal information about them is being gathered or created? - ANSWER- Notice
What personal privacy principle includes whether the information will be shared with any other entity? - ANSWER- Purpose
What personal privacy principle allows an individual to get copies of any of their own information held by any entity? - ANSWER- Access
What personal privacy principle allows an individual to correct any of their own information if it is inaccurate? - ANSWER- Integrity
What is the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes? - ANSWER- eDiscovery
What are the 5 ISO/IEC standards for international digital forensics? - ANSWER- 27037:2012; 27041:2015; 27042:2015; 27043:2015; 27050-1:2016
Which ISO/IEC standard is a guide for collecting, identifying, and preserving electronic evidence? - ANSWER- 27037:2012
Which ISO/IEC standard is a guide for incident investigations? - ANSWER- 27041:2015
Which ISO/IEC standard is a guide for digital evidence analysis?
- ANSWER- 27042:2015
Which ISO/IEC standard covers incident investigation principles and processes? - ANSWER- 27043:2015
Which ISO/IEC standard is an overview and principles for eDiscovery? - ANSWER- 27050-1:2016
What type of identifier consists of characteristics and traits of an individual that could, in combination, reveal the identity of that person? - ANSWER- Indirect
What type of identifier reveals a specific individual on its own through specific data elements? - ANSWER- Direct
What is the purpose of gap analysis? - ANSWER- To begin the benchmarking process
What is the best example of a key component of regulated PII? - ANSWER- Mandatory breach reporting
What is the least challenging part of eDiscovery in the cloud? - ANSWER- Forensic analysis
What statute addresses security and privacy matters in the financial industry? - ANSWER- GLBA
What does the doctrine of proper law refer to? - ANSWER- How jurisdictional disputes are settled
What is the best advantage of external audits? - ANSWER- Independence
What SOC report subtype represents a point in time? - ANSWER- Type I
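The access-management flashcards above list authentication, authorization, policy management and identity repositories as separate components but never show how they fit together. The following is an added example (not from the study guide or any textbook it draws on): an identity repository backs authentication, an ACL backs authorization, and a policy rule is applied on top. All accounts, groups, resources, the PBKDF2 work factor and the "payroll requires MFA" rule are constructed for the demonstration.

```python
"""Authentication -> authorization -> policy, against an identity repository.
Added example; accounts, groups, resources and the MFA rule are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # work factor; assumed value for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password: str, groups: set[str], mfa_enrolled: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "groups": groups, "mfa_enrolled": mfa_enrolled}


# Identity repository (the directory): constructed sample accounts and attributes.
REPOSITORY = {
    "alice": make_account("correct horse battery staple", {"devs"}, True),
    "bob": make_account("hunter2", {"devs", "admins"}, False),
    "carol": make_account("s3cret-phrase", {"admins"}, True),
}

# ACL: resource -> action -> groups permitted to perform it.
ACL = {
    "payroll-db": {"read": {"admins"}, "write": {"admins"}},
    "source-repo": {"read": {"devs", "admins"}, "write": {"devs"}},
}

_DUMMY_SALT = b"\x00" * 16  # used for unknown users so timing stays uniform


def authenticate(username: str, password: str) -> str | None:
    """Authentication: establish the identity. Returns it, or None on failure."""
    account = REPOSITORY.get(username)
    salt = account["salt"] if account else _DUMMY_SALT
    candidate = hash_password(password, salt)          # always do the work
    if account and hmac.compare_digest(candidate, account["hash"]):
        return username
    return None


def authorize(identity: str, resource: str, action: str) -> bool:
    """Authorization: compare the identity's group attributes against the ACL."""
    permitted = ACL.get(resource, {}).get(action, set())
    return bool(REPOSITORY[identity]["groups"] & permitted)


def policy_allows(identity: str, resource: str, mfa_passed: bool) -> bool:
    """Policy management: a business rule layered on top of the ACL.
    Assumed rule for the demo: any access to payroll-db requires MFA."""
    if resource == "payroll-db":
        return REPOSITORY[identity]["mfa_enrolled"] and mfa_passed
    return True


def access(username: str, password: str, resource: str, action: str,
           mfa_passed: bool = False) -> str:
    """Run the three checks in order and report which one stopped the request."""
    identity = authenticate(username, password)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, resource, action):
        return "denied: not authorized"
    if not policy_allows(identity, resource, mfa_passed):
        return "denied: policy requires MFA"
    return "allowed"
```

The order matters: an ACL hit means nothing until the identity is established, and the policy layer is where management decisions (MFA for sensitive data) are enforced without rewriting the ACL. The constant-time compare and the dummy-salt hash for unknown users keep a failed login from revealing which usernames exist.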
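Injection heads the vulnerability list in the threat-modeling flashcards above, and tenancy separation with possible data bleed appears among the deployment pitfalls. The following is an added example (not from the study guide) that ties the two together: a multi-tenant lookup against an in-memory SQLite table, written first with string concatenation and then with a bound parameter. The table, its rows and the payload are constructed for the demonstration.

```python
"""SQL injection: vulnerable vs hardened tenant lookup.
Added example; table, rows and payload are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (owner TEXT, tenant TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", [
        ("alice", "acme", "acme-key-1"),
        ("bob", "acme", "acme-key-2"),
        ("carol", "globex", "globex-key-1"),
    ])
    return conn


def keys_for_tenant_vulnerable(conn: sqlite3.Connection, tenant: str) -> list:
    # Vulnerable: the caller-supplied value becomes part of the SQL text, so a
    # quote character in it changes the statement's structure.
    sql = "SELECT owner, api_key FROM api_keys WHERE tenant = '" + tenant + "'"
    return conn.execute(sql).fetchall()


def keys_for_tenant_hardened(conn: sqlite3.Connection, tenant: str) -> list:
    # Hardened: a bound parameter reaches the engine as data, never as SQL, so
    # the same payload simply matches no tenant.
    sql = "SELECT owner, api_key FROM api_keys WHERE tenant = ?"
    return conn.execute(sql, (tenant,)).fetchall()


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "globex' OR '1'='1"


def compare() -> dict:
    """Row counts each query returns for the payload and for a legitimate tenant."""
    conn = make_db()
    return {
        "vulnerable_payload": len(keys_for_tenant_vulnerable(conn, PAYLOAD)),
        "hardened_payload": len(keys_for_tenant_hardened(conn, PAYLOAD)),
        "hardened_legit": len(keys_for_tenant_hardened(conn, "globex")),
    }
```

With the payload, the vulnerable query returns every tenant's keys (the data bleed the pitfall list warns about), while the parameterized query returns nothing; a web application firewall, also mentioned above, can catch the obvious payload but is a compensating control, not a substitute for binding parameters.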
WGU Course C838 - Managing Cloud Security
Which phase of the cloud data life cycle allows both read and process functions to be performed? A Create B Archive C Store D Share - Correct answer: A
Which phase of the cloud data security life cycle typically occurs simultaneously with creation? A Share B Store C Use D Destroy - Correct answer: B
Which phase of the cloud data life cycle uses content delivery networks? A Destroy B Archive C Share D Create - Correct answer: C
Which phase of the cloud data life cycle is associated with crypto-shredding? A Share B Use C Destroy D Store - Correct answer: C
Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security? A Randomization B Obfuscation C Anonymization D Tokenization - Correct answer: D
Which methodology could cloud data storage utilize to encrypt all data associated with an infrastructure as a service (IaaS) deployment model? A Sandbox encryption B Polymorphic encryption C Client-side encryption D Whole-instance encryption - Correct answer: D
There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms. Which platform as a service (PaaS) data type should be used? A Short-term storage B Structured C Unstructured D Long-term storage - Correct answer: B
Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files? A Relational database B Block C Distributed D Object - Correct answer: D
Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?
A Dynamic masking B Format-preserving encryption C Proxy-based encryption D Tokenization - Correct answer: B
Which encryption technique connects the instance to an encryption instance that handles all crypto operations? A Database B Proxy C Externally managed D Server-side - Correct answer: B
Which type of control should be used to implement custom controls that safeguard data? A Public and internal sharing B Options for access C Management plane D Application level - Correct answer: D
Which element is protected by an encryption system? A Ciphertext B Management engine C Data D Public key - Correct answer: C
A cloud administrator recommends using tokenization as an alternative for protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken? A The tokenization server returns the token to the application. B The tokenization server generates the token. C The application collects a token. D The application stores the token. - Correct answer: D
A company has recently defined classification levels for its data. During which phase of the cloud data life cycle should this definition occur? A Use B Create C Share D Archive - Correct answer: B
Which jurisdictional data protection includes dealing with the international transfer of data? A Financial modernization B Secure choice authorization (SCA) C Sarbanes-Oxley Act (SOX) D Privacy regulation - Correct answer: D
Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals? A Stored Communications Act (SCA) B Health Insurance Portability and Accountability Act (HIPAA) C Gramm-Leach-Bliley Act (GLBA) D Sarbanes-Oxley Act (SOX) - Correct answer: C
Which jurisdictional data protection safeguards protected health information (PHI)?
A Directive 95/46/EC B Safe harbor regime C Personal Data Protection Act of 2000 D Health Insurance Portability and Accountability Act (HIPAA) - Correct answer: D
How is the cloud service provider's compliance with legal and regulatory requirements verified when securing personally identifiable information (PII) in the cloud? A Contractual agreements B Third-party audits and attestations C e-Discovery process D Researching data retention laws - Correct answer: B
Which security strategy is associated with data rights management solutions? A Unrestricted replication B Limited document type support C Static policy control D Continuous auditing - Correct answer: D
Who retains final ownership for granting data access and permissions in a shared responsibility model? A Customer B Developer C Manager D Analyst - Correct answer: A
Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data? A Backup B Caching C Archiving D Saving - Correct answer: C
Which data retention method stores a minimal amount of metadata with the content? A File system B Redundant array C Object-based D Block-based - Correct answer: D
What is a key capability of security information and event management? A Intrusion prevention capabilities B Automatic remediation of issues C Centralized collection of log data D Secure remote access - Correct answer: C
Which data source provides auditability and traceability for event investigation as well as documentation? A Storage files B Packet capture C Network interference D Database tables - Correct answer: B
Which data source provides auditability and traceability for event investigation as well as documentation? A Network segmentation B Ephemeral storage C Database schema D Virtualization platform logs - Correct answer: D
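The tokenization question above asks for the order of steps between the application and the tokenization server. The following is an added example (not from the exam bank or any course material) that walks through that exchange end to end: the application collects a card number, sends it to the server, the server generates and stores a random token and returns it, the application stores only the token, and a later authorized request redeems it. The server, its vault, the application IDs, the card number and the authorization list are all constructed; the masking helper shows the data-masking idea from the same material for display and test data.

```python
"""Tokenization exchange between an application and a tokenization server.
Added example; server, vault, app IDs and card number are constructed."""
import secrets


class TokenizationServer:
    """Holds the only copy of the sensitive values; hands out random tokens."""

    def __init__(self, authorized_apps: set):
        self._vault = {}          # token -> original value
        self._token_for = {}      # original value -> token (same value, same token)
        self._authorized = authorized_apps

    def tokenize(self, app_id: str, value: str) -> str:
        if app_id not in self._authorized:
            raise PermissionError(f"{app_id} may not tokenize")
        if value in self._token_for:
            return self._token_for[value]
        token = secrets.token_hex(16)   # random; carries no information about value
        self._vault[token] = value      # step 2: server generates and records the token
        self._token_for[value] = token
        return token                    # step 3: server returns the token

    def detokenize(self, app_id: str, token: str) -> str:
        if app_id not in self._authorized:
            raise PermissionError(f"{app_id} may not detokenize")
        return self._vault[token]


class BillingApp:
    """The application: collects the PAN, swaps it for a token, stores the token only."""

    def __init__(self, app_id: str, server: TokenizationServer):
        self.app_id = app_id
        self.server = server
        self.records = {}         # customer -> token (no PAN is ever stored here)

    def collect_card(self, customer: str, pan: str) -> str:
        token = self.server.tokenize(self.app_id, pan)   # step 1: send value to server
        self.records[customer] = token                   # step 4: application stores token
        return token

    def charge(self, customer: str) -> str:
        token = self.records[customer]
        return self.server.detokenize(self.app_id, token)  # step 5: authorized request


def mask_pan(pan: str) -> str:
    """Data masking for display or test data: keep the structure, hide the digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def run_flow() -> dict:
    server = TokenizationServer(authorized_apps={"billing"})
    app = BillingApp("billing", server)
    pan = "4111111111111111"                             # constructed test number
    token = app.collect_card("cust-42", pan)
    rogue = BillingApp("analytics", server)              # not on the authorized list
    try:
        rogue.server.detokenize(rogue.app_id, token)
        rogue_blocked = False
    except PermissionError:
        rogue_blocked = True
    return {
        "token": token,
        "token_leaks_pan": pan in token,
        "stored_value": app.records["cust-42"],
        "charged_pan": app.charge("cust-42"),
        "rogue_blocked": rogue_blocked,
        "masked": mask_pan(pan),
    }
```

The point the question is testing: the application must already hold the token (step 4) before it can make the authorized request (step 5), and because the token is random rather than derived from the value, a breach of the application's own records yields nothing without access to the server's vault.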
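Data dispersion is defined in the flashcards above as data split into encrypted chunks, and the life-cycle questions above name crypto-shredding as the destroy-phase technique. The following is an added example (not from the study guide or exam bank) that shows why the two go together: once fragments are spread across providers you cannot reliably wipe them, so you encrypt under a per-object key and destroy the key instead. The three storage locations are in-memory dicts standing in for separate providers, and the cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen only so the demo has no dependencies; in production use a vetted AEAD such as AES-GCM. Object IDs and plaintext are constructed.

```python
"""Data dispersion with per-object keys, and crypto-shredding on destroy.
Added example; locations, cipher construction and data are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os

BLOCK = 32            # one SHA-256 output = one keystream block
NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode with HMAC as the PRF: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(8, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # refuse tampered or mis-keyed data
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class DispersedStore:
    """Ciphertext fragments go to n locations; the per-object key stays in one
    key store.  Destroying the key makes every fragment unreadable."""

    def __init__(self, n_locations: int = 3):
        self.locations = [dict() for _ in range(n_locations)]
        self.keys: dict[str, bytes] = {}      # object id -> data encryption key

    def put(self, obj_id: str, plaintext: bytes) -> None:
        key = os.urandom(32)
        self.keys[obj_id] = key
        blob = encrypt(key, plaintext)
        frag = -(-len(blob) // len(self.locations))       # ceiling division
        for i, loc in enumerate(self.locations):
            loc[obj_id] = blob[i * frag:(i + 1) * frag]

    def get(self, obj_id: str) -> bytes:
        key = self.keys[obj_id]                            # KeyError once shredded
        blob = b"".join(loc[obj_id] for loc in self.locations)
        return decrypt(key, blob)

    def crypto_shred(self, obj_id: str) -> None:
        """Destroy phase: discard the key; fragments may linger at the providers."""
        del self.keys[obj_id]

    def recoverable(self, obj_id: str) -> bool:
        try:
            self.get(obj_id)
            return True
        except KeyError:
            return False
```

After `crypto_shred` the fragments are still present at every location, which is exactly the situation in a cloud provider's storage after a delete request, and the object is nonetheless gone for practical purposes because no key exists to decrypt it. The key store is therefore the asset that needs the strongest controls and its own destruction procedure.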