WGU C838 MANAGING CLOUD SECURITY
What NIST publication number defines cloud computing? - ANSWER-
800-145
What ISO/IEC standard provides information on cloud computing? -
ANSWER- 17788
What is cloud bursting? - ANSWER- Ability to increase available cloud
resources on demand
What are 3 characteristics of cloud computing? - ANSWER- Elasticity
Simplicity
Scalability
What is a cloud customer? - ANSWER- Anyone purchasing cloud
services
What is a cloud user? - ANSWER- Anyone using cloud services
What are the three cloud computing service models? - ANSWER-
SaaS(Software as a service)
PaaS(Platform as a service)
IaaS(Infrastructure as a service)
What is IaaS (Infrastructure as a Service)? - ANSWER- Cloud provider
provides all the physical capability and administration, while the
customer is responsible for logical resources.
What is PaaS (Platform as a Service)? - ANSWER- A cloud computing
service that provides the hardware and the operating system and is
responsible for updating and maintaining both.
What is SaaS (Software As A Service)? - ANSWER- Cloud provider
manages everything.
What are the four cloud deployment models? - ANSWER- Public
Private
Community
Hybrid
What cloud model is owned by a single organization? - ANSWER-
Private
What cloud model is an arrangement of two or more cloud servers? -
ANSWER- Hybrid
What cloud model is a shared setup between orgs? - ANSWER-
Community
What cloud model is open for free usage? - ANSWER- Public
What is a cloud service provider? - ANSWER- Cloud service provider
manages and provides entire hosting ability
What is a Cloud Access Security Broker? - ANSWER- Third-party
acting as an intermediary for identity and access management
What do regulators do? - ANSWER- Ensure organizations are in
compliance with regulatory framework.
What word in the CIA triad describes: What protects information from
unauthorized access/dissemination? - ANSWER- Confidentiality
What word in the CIA triad describes: Ensuring that information is not
subject to unauthorized modification? - ANSWER- Integrity
What word in the CIA triad describes: Ensuring that authorized users
can access the information when they are permitted to do so? -
ANSWER- Availability
What is a cloud architect? - ANSWER- Expert in cloud computing
What is a cloud OS also known as? - ANSWER- PaaS
NIST standard number that lists accredited and outmoded cryptosystems
- ANSWER- FIPS 140-2
Customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints. - ANSWER- vendor lock-in
What is cloud migration? - ANSWER- Process of transitioning part of a
company's data or services from onsite premises to the cloud
What is cloud portability? - ANSWER- Move applications and data
between cloud providers
What offers a degree of assurance that nobody w/o authorization will be
able to access other's data? - ANSWER- Encryption
If a cloud customer wants a secure, isolated sandbox in order to conduct
software development and testing, which cloud service model would
probably be best? - ANSWER- PaaS
What technology has NOT made cloud service viable? - ANSWER-
Smart hubs
What determines the critical paths, processes, and assets of an
organization? - ANSWER- BIA
If a cloud customer wants a fully operational environment with very little maintenance or administration necessary, which cloud service model would probably be best? - ANSWER- PaaS
Customer is unable to recover or access their own data due to the cloud
provider going into bankruptcy or otherwise leaving the market. -
ANSWER- Vendor lock-out
What are four examples of things to know to decide how to handle risks
within an org? - ANSWER- Inventory of all assets
Valuation of each asset
Critical paths, processes, and assets
Clear understanding of risk appetite
T/F: Assets are only tangible items. - ANSWER- False. Assets are
everything owned or controlled by an org.
The process of evaluating assets? - ANSWER- Business Impact
Analysis(BIA)
What is criticality? - ANSWER- Something an org could not operate or
exist without
In risk, what is the avoidance method? - ANSWER- Avoiding high risk
In risk, what is the acceptance method? - ANSWER- Acceptable level of
risk
In risk, what is an example of the avoidance method? - ANSWER-
Insurance
In risk, what is the mitigation method? - ANSWER- Controls or
countermeasures
Assets can be what? - ANSWER- Tangible
Intangible
Personnel
What does Business Impact Analysis do? - ANSWER- Defines which of
the assets provide the intrinsic value of an organization.
What is risk appetite - ANSWER- Level, Amount, or Type of risk that
an org finds acceptable
What is the IaaS boundary? - ANSWER- The provider is responsible for connectivity and power and the customer is in charge for installation of software.
What is the PaaS boundary? - ANSWER- The provider is responsible for
updates and administration of the OS and the customer monitors and
reviews software events.
What is the SaaS boundary? - ANSWER- The provider is responsible for
system maintenance and the customer supplies and processes data to and
in the system.
What should encryption be used for in a cloud datacenter? - ANSWER-
Long-term storage/archiving
Protecting near-term stored files, such as snapshots of virtualized instances
Preventing unauthorized access to specific datasets by authorized personnel
What should encryption be used for in communications between cloud providers and users? - ANSWER- Creating secure sessions
Ensuring the integrity and confidentiality of data in transit
What are 4 controls/mechanisms a cloud provider should play a role in within layered defense? - ANSWER- Strong personnel controls
Technological controls
Physical controls
Governance mechanisms
In cloud layered defense what are examples of personnel controls? -
ANSWER- background checks
continual monitoring
In cloud layered defense what are examples of technological controls? -
ANSWER- encryption
event logging
access control enforcement
In cloud layered defense what is an example of physical controls? -
ANSWER- access to overall campus
In cloud layered defense what is an example of governance
mechanisms? - ANSWER- auditing
What are ways for securing devices in a datacenter? - ANSWER- Guest
accounts removed
no default passwords
systems are patched, maintained and updated
unused ports are closed
limited physical access
What is layered defense? - ANSWER- The practice of having multiple
overlapping means of securing the environment with a variety of
methods
Who determines risk appetite? - ANSWER- senior management
Experimental technology of processing encrypted data w/o decrypting it
first? - ANSWER- Homomorphic
T/F: Data owners remain legally responsible for all data they own -
ANSWER- True
What are four ways an org might categorize data? - ANSWER-
Regulatory compliance
business function
functional unit
by project
What are three examples of classification? - ANSWER- sensitivity
jurisdiction
criticality
What is a data owner? - ANSWER- Collects or creates the data, and
possesses the rights and responsibilities of the data
What is a data custodian? - ANSWER- Manipulates, stores, or moves
the data, and serves as a cloud provider
What is data mining? - ANSWER- Data mining tries to automatically
find interesting patterns in data using a plethora of technologies
What method would an org use to create categories based on which rules
apply to a specific dataset? - ANSWER- regulatory compliance
What method would an org have specific categories for different uses of
data? - ANSWER- business function
What would a department or office be called that has its own category
and keeps all the data it controls? - ANSWER- functional unit
what dataset is defined by projects? - ANSWER- by project
What data discovery method is used when the discovery effort is
considered in response to a mandate with a specific purpose? -
ANSWER- Label-based
What data discovery method is used to collect all matching data
elements for a certain purpose? - ANSWER- Metadata-based
What data discovery method is used to locate and identify specific kinds
of data by delving into the datasets? - ANSWER- Content-based
What data discovery method is used to create new data feeds from sets
of data already existing within the environment? - ANSWER- data
analytics
T/F: Being in the cloud means organization may not be subject to many
legal constructs simultaneously. - ANSWER- False
T/F: Awareness and compliance with specific jurisdictions are
challenges of cloud computing. - ANSWER- True
T/F: Cloud user is responsible for managing virtualized images, stored
data, and operational data. - ANSWER- False
T/F: Cloud user is unaware of exactly where the data is present at any moment, in terms of both datacenters and geographic locations. -
ANSWER- True
What are four examples of Fair Use under copyright laws? - ANSWER- Academic
Critique
News Reporting
Scholarly Research
What are five examples of exceptions under copyright laws? -
ANSWER- Fair use
satire
library preservation
personal backup
versions for people with physical disabilities
What is copyright? - ANSWER- protection of written material or ideas
What is a trademark? - ANSWER- a symbol, word, or words legally registered or established by use as representing a company or product.
What is a patent? - ANSWER- legal mechanism for protecting intellectual property in the form of inventions, processes, materials, decorations, and plant life
What are trade secrets? - ANSWER- Any form of knowledge or info that has economic value from not being known to others, or readily ascertainable by proper means and has been the subject of reasonable efforts by the owner to maintain secrecy
What are rudimentary reference checks? - ANSWER- Content itself can
automatically check for proper usage or ownership
What is the presence of licensed media? - ANSWER- DRM engine on
the media identifies the unique disk
What are online reference checks? - ANSWER- Product key
What is support-based licensing? - ANSWER- the need for continual
help for content
What are local agent checks? - ANSWER- Installed reference tool that
checks the protected content against the user's license
What are four examples of conflicts that are posed while employing
DRM to the cloud? - ANSWER- API
Replication
Jurisdiction
Enterprise
What are six retention policies that should be included in data retention?
- ANSWER- retention periods
applicable regulation
retention formats
data classification
archiving and retrieval procedures
monitoring, maintenance, and enforcement
What are four legacy examples of data destruction? - ANSWER-
Physical destruction of media and hardware
degaussing
overwriting
Cryptoshredding
data retention policy: Retention period - ANSWER- how long data
should be kept
data retention policy: data classification - ANSWER- how and when
data should be categorized
data retention policy: retention format - ANSWER- how data is archived
and stored
data retention policy: applicable regulation - ANSWER- senior
management's decision to resolve conflict in policy
What is jurisdiction? - ANSWER- geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled
What is a data audit? - ANSWER- A powerful tool to regularly review,
inventory, and inspect usage and condition of the information that an
organization owns.
What does copyright not protect? - ANSWER- ideas, facts, titles, names,
short phrases, blank forms
Who is the data processor in the cloud motif? - ANSWER- Cloud
provider
What isn't included in data labels? - ANSWER- Data value
What is the intellectual property protection for the tangible expression of
a creative idea? - ANSWER- Copyright
What federal agency accepts applications for new patents? - ANSWER-
USPTO
What is the intellectual property protection for a very valuable set of
sales leads? - ANSWER- Trade secret
What is the intellectual property protection for a useful manufacturing
innovation? - ANSWER- Patent
Who is the data owner in a cloud motif? - ANSWER- cloud customer
What are 3 data analytic modes? - ANSWER- Data Mining
Agile business intelligence
real-time analytics
Data created should be _________ upon creation/upload - ANSWER-
encrypted
new digital content is generated or existing content is modified -
ANSWER- create
data is committed to a repository - ANSWER- store
data is viewed, processed, or otherwise in some sort of activity -
ANSWER- use
information is made accessible to others - ANSWER- share
data leaves active use and enters long-term storage - ANSWER- archive
data is permanently removed using physical or digital means -
ANSWER- destroy
T/F: Archive phase is for short-term storage when planning security
controls for the data - ANSWER- False
T/F: Archive phase activities in the cloud will largely be driven by whether a user is using the same cloud provider for backups and its production environment - ANSWER- True
T/F: In the archive phase, physical security of the data in short-term
storage is also important - ANSWER- False
T/F: In the archive phase, cryptography will, as with most data-related
controls, be an essential consideration - ANSWER- True
What is volume storage? - ANSWER- allocates a storage space within the cloud; this storage space is represented as an attached drive to the user's virtual machine
What are two types of volume storage architecture? - ANSWER- File
Block
Volume storage is associated with what infrastructure model? -
ANSWER- Infrastructure as a Service(IaaS)
What is object-based storage? - ANSWER- Data is stored as objects
What is a database? - ANSWER- Provides some sort of structure for
stored data; it is backend storage in the datacenter, accessed by users
utilizing online apps
What is a content delivery network? - ANSWER- Acts as a form of data
caching, usually near geophysical locations of high use demand,
improves bandwidth and provides quality
What are three levels of encryption related to databases? - ANSWER-
File-level
Transparent
application-level
When the database is stored on a volume, what encryption type should
be used? - ANSWER- file-level
When wanting to encrypt the entire database or specific portions of it,
what type of encryption should be used? - ANSWER- transparent
When should application-level encryption be used with a database? -
ANSWER- compromised administrative accounts
other database and application-level attacks
What is tokenization? - ANSWER- Practice of having two distinct
databases: one with the live, actual sensitive data, and one with
nonrepresentational tokens mapped to each piece of data
What are the four goals of Security Information and Event Management(SIEM)? - ANSWER- Centralize collection of log data
enhanced analysis capabilities
dashboarding
automated response
What does DLP in egress monitoring stand for? - ANSWER- data loss,
leak prevention, and protection
What are the four major goals of DLP? - ANSWER- Additional security
Policy Enforcement
Enhanced Monitoring
Regulatory compliance
What is randomization - ANSWER- replacement of data with random
characters
What is hashing? - ANSWER- Using a one-way cryptographic function to
create a digest of the original data
What is shuffling - ANSWER- Using different entries from within the
same data set to represent the data
What is masking? - ANSWER- Hiding the data with useless characters
What are nulls? - ANSWER- deleting the raw data from the display
before it is represented or displaying null
What is key recovery? - ANSWER- A procedure that involves multiple
people, each with access to only a portion of the key
What is block storage? - ANSWER- A blank volume that the customer
or user can put anything into and it might allow more flexibility and
higher performance
What are the U.S. Commerce Department's controls on technology exports?
- ANSWER- Export Administration Regulations(EAR)
What are the U.S. State Department's controls on technology exports? -
ANSWER- International Traffic in Arms Regulations(ITAR)
T/F: Cryptographic keys for encrypted data stored in the cloud should be
stored with cloud provider. - ANSWER- False
What is the practice of obscuring raw data where only a portion is
displayed for operational purposes? - ANSWER- Masking
What are third-party providers of IAM functions for the cloud
environment? - ANSWER- Cloud Access Security Broker(CASB)
T/F: The goals of DLP include elasticity - ANSWER- False
T/F: Risk and responsibilities will be shared between the cloud provider
and customer - ANSWER- True
T/F: The customer is concerned with data, whereas the provider is
concerned with security and operation - ANSWER- True
T/F: The customer wants to refute control, deny insight, and refrain from
disclosing any information used for malicious purpose - ANSWER-
False
T/F: The customer is legally liable for their data even if the provider was
negligent. - ANSWER- True
What is a private cloud? - ANSWER- a cloud that is owned and operated
by an organization for its own benefit.
What are 5 risks private cloud owners face? - ANSWER- Personnel threats
Natural disasters
External attacks
regulatory noncompliance
malware
What are 3 risks associated with a community cloud? - ANSWER-
Resiliency through shared ownership
Access and control
lack of centralized standards
What are the 3 main issues with a public cloud? - ANSWER- vendor
lock-in
vendor lock-out
multitenant environments
What are 4 things to consider to avoid vendor lock-in? - ANSWER-
Ensure favorable contract terms for portability
Avoid proprietary formats
Ensure no physical limitations to moving
Check for regulatory constraints
What are 4 factors to consider to avoid vendor lock-out? - ANSWER- Provider longevity
Core competency
Jurisdictional suitability
Supply chain dependencies
Legislative environment
What are 4 risks in a multitenant environment? - ANSWER- Conflict of interest
Privilege escalation
Information bleed
Legal activity
What are 3 risks associated with Infrastructure as a Service(IaaS)? -
ANSWER- Personnel threats
External threats
Lack of specific skillsets
What are 4 risks associated with Platform as a Service(PaaS)? -
ANSWER- Interoperability issues
Persistent backdoors
Virtualization
Resource Sharing
What are 3 risks associated with Software as a Service(SaaS)? -
ANSWER- Proprietary formats
Virtualization
Web application security
What are 4 risks with virtualization? - ANSWER- Attacks on the hypervisor
Guest escape
Information bleed
Data seizure
What is a type 1 hypervisor? - ANSWER- Installed on top of a bare
metal install, bootable software
what is a type 2 hypervisor? - ANSWER- Applications that run on a
standard OS
What are 8 threats to a private cloud? - ANSWER- malware
internal threats
external attackers
man in the middle
social engineering
theft or loss of devices
regulatory violations
natural disasters
What three additional concerns from a private cloud apply to a
community cloud - ANSWER- Loss of policy control
loss of physical control
lack of audit access
What are three threats to public clouds in addition to those of community and private clouds? - ANSWER- rogue administrator
privilege escalation
contractual failure
What are three methods of using cloud backups for business continuity /
disaster recovery(BC/DR)? - ANSWER- Private architecture, cloud
service as a backup
Cloud operations, cloud provider as backup
Cloud operations, third-party cloud backup provider
What are some examples of cloud computing external threats? -
ANSWER- malware, hacking, man-in-the-middle
What is a personnel threat? - ANSWER- Malicious or negligent insider
who can cause negative impact, as they have physical access to the
resources
What is resource sharing? - ANSWER- Programs and instances run by
the customer that will operate on the same devices used by other
customers, sometimes simultaneously
What is an interoperability issue? - ANSWER- Customer's software may
not function properly with each new adjustment in the environment if
the OS is updated by the provider
What is a data seizure? - ANSWER- Legal activity that might result in
a host machine being confiscated or inspected by law enforcement or
plaintiffs' attorneys
What is guest escape? - ANSWER- improperly designed or poorly configured hypervisor might allow for a user to leave the confines of their own virtualized instance
What is information bleed? - ANSWER- Possibility that processing
performed on one virtualized instance may be detected by other
instances on the same host
What are three techniques to enhance the portability of data and avoid
vendor lock-in - ANSWER- Favorable contract terms
Avoid proprietary data formats
No physical limitations to moving
What are six countermeasures against internal threats? - ANSWER- Least privilege
mandatory vacation
separation of duties
skills and knowledge testing
extensive and comprehensive training programs
aggressive background checks
What are 3 countermeasures that can be applied to cloud operations
against internal threats? - ANSWER- DLP solutions
Financial penalties against the cloud provider's personnel
broad contractual protections
What are 3 dependencies that must be considered after cloud migration?
- ANSWER- The cloud provider's vendors, utilities, and suppliers
What 3 models are generally available for cloud BCDR? - ANSWER-
Private architecture, cloud backup
cloud provider, back from same provider
cloud provider, backup from another cloud provider
T/F: After cloud migration, taking into account new factors related to
data breach impacts, legal liability can't be transferred to the cloud provider - ANSWER- True
What are three methods that can attenuate harm caused by privilege escalation? - ANSWER- Automated analysis tools
Extensive access control and authentication tools and techniques
Analysis and review of all log data by trained, skilled personnel on a frequent basis
What word describes the general ease and efficiency of moving data
from one provider to another? - ANSWER- Portability
Whose responsibility involves infrastructure and physical security? -
ANSWER- cloud provider
Whose responsibility involves data security and governance? -
ANSWER- Enterprise
Vulnerability assessment, firewall, honeypot, and IDS/IPS are methods
used for what? - ANSWER- securing a network
What are three methods to protect data in transit? - ANSWER-
Encryption
Virtual private network
Strong authentication
What creates a secure tunnel across an untrusted network? - ANSWER-
Virtual private network
What reduces the possibility that someone would be able to acquire
raw data in plaintext? - ANSWER- Encryption
What uses robust tokens and requires multifactor verification, reducing
unauthorized user access? - ANSWER- Strong authentication
What cloud service type: Cloud provider maintains physical security control of the facility and the cloud customer provides all other security
- ANSWER- PaaS
What cloud service type: Cloud provider maintains infrastructure's physical security and the cloud customer is responsible for access and administration. - ANSWER- SaaS
What cloud service type: Cloud provider is responsible for physical
security of the facility and systems. - ANSWER- IaaS
Removing unnecessary services and libraries, closing unused ports,
limiting administrator access, ensuring event logging is enabled, are examples of what? - ANSWER- hardening
Who facilitates the data access method:
The customer will provision, manage, and remove user accounts without input or cooperation with the cloud provider if the cloud customer retains control. - ANSWER- Customer directly administers access
Who facilitates the data access method:
The user submits a request to the provider, either directly or through some point of contact, the provider verifies and then assigns -
ANSWER- Provider administers access on behalf of the customer
Who facilitates the data access method:
The user requests to a local administrator, and the administrator verifies the account and then assigns the appropriate access and permissions - ANSWER- Third-party administers access on behalf of the customer
How many SOC report categories are there? - ANSWER- 3
What SOC report audits the financial reporting instruments of a
corporation and consists of two subclasses - ANSWER- SOC 1
What SOC intends to report audits of controls on an organization's security, availability, processing integrity, and privacy - ANSWER- SOC 2
What SOC contains no actual data about the security controls of the
audit target and is also known as seal of approval - ANSWER- SOC 3
What helps the customer to seek financial restitution for damages caused to them, that occurred because of negligence or malfeasance on the part of the provider? - ANSWER- shared policy
In all cloud models, security controls are driven by what? - ANSWER-
business requirements
What are 3 things the provider will offer to address shared monitoring and testing responsibilities in a cloud configuration? - ANSWER- SIM,
SIEM, and SEM logs
DLP solution results
Access to audit logs and performance data
What would a cloud provider offer to customers to enhance customer
trust in provider? - ANSWER- Audit and performance log data
What are 3 examples that cloud provider would offer to enhance the customer's trust? - ANSWER- Shared administration
SLAs
Audits
Who is responsible for the liability and responsibility for any data loss or
disclosure? - ANSWER- Customer
What ensures trust in the provider's performance and duties? -
ANSWER- the contract
Why does a cloud provider not allow physical access to their datacenters? - ANSWER- To keep the physical layout and controls confidential
How many subtypes of SOC 2 are there? - ANSWER- 2
What is SOC 2 Type 1? - ANSWER- Reviews the design of controls
What is SOC 2 Type 2? - ANSWER- Detailed report that describes how
controls are implemented and maintained, or their function
What term is used for moving an entire application to the cloud without
any significant change? - ANSWER- forklifting
What are 4 examples of issues that developers and administrators must
deal with? - ANSWER- multitenancy
third-party admins
deployment models(Public, Private, Community, Hybrid)
service models(IaaS, PaaS, and SaaS)
What are 5 common cloud application deployment pitfalls? - ANSWER-
On-premises apps do not always transfer
poor documentation
not all apps are cloud ready
tenancy separation
use of secure, validated APIs
possible data bleed
What are the 4 core stages of cloud-secure development life cycle, in
order? - ANSWER- Defining
Designing
Development
Testing
What is the focus in the definition phase? - ANSWER- business needs of
the application are identified
What is the focus in the design phase? - ANSWER- overall design of the
application, including look and language used
What is the focus in the development phase? - ANSWER- perform static
and dynamic application security testing(DAST)
What is the focus in the testing phase? - ANSWER- penetration testing
and vulnerability scanning against an application are performed
What is the focus in the disposal phase? - ANSWER- once the software
has completed its job or replaced with a newer version, it must be
securely discarded.
What are the 7 ISO/IEC 27034-1 standard categories? - ANSWER- Business Context
Regulatory Context
Technical Context
Specifications
Roles, Responsibilities, and Qualifications
Processes
Application Security Control (ASC) Library
What are the 3 key elements in ISO/IEC 27034-1 - ANSWER-
organizational normative framework (ONF)
application normative framework (ANF)
application security management process (APSM).
What does IAM stand for and what two categories is IAM divided into?
- ANSWER- Identity and Access Management
What is identity management? - ANSWER- process where individuals are given access to system resources by associating user rights with a given identity
What is access management? - ANSWER- part of the process that deals
with controlling access to resources once they have been granted
What are 5 ways access management uses, to control access? -
ANSWER- authentication
authorization
policy management
federation
identity repositories
Within access management what does authentication do? - ANSWER-
establishes an identity of user
What is an example of access management authentication - ANSWER-
username and password
What is an example of access management authorization? - ANSWER-
comparing authentication with ACL
What is an example of access management policy management? - ANSWER- enforces authentication and authorization based on business needs and management decisions
What does access management federation do? - ANSWER- allows an
organization to exchange information with trusted organizations
What are identity repositories? - ANSWER- directory services for the
administrator of user accounts and their associated attributes
What are all of access management resources stored in? - ANSWER-
identity repository directory
What are 5 examples of directory services? - ANSWER- X.500
LDAP
Active Directory
Novell eDirectory
metadata and replication and synchronization
What are two general types of federation? - ANSWER- web-of-trust
model
third-party identifier
What is a web of trust model? - ANSWER- each member of the
federation has to approve each other member for inclusion
What is a third-party identifier? - ANSWER- outsource responsibilities to
an external party.
Identity provider and relying parties are terms that apply to what
concept? - ANSWER- federation
What are 3 federation standards? - ANSWER- WS-Federation
OAuth
OpenID Connect
What encryption technique ensures privacy when communicating
between applications? - ANSWER- transport layer security(TLS)
What encrypts all of the system's data at rest in one instance? -
ANSWER- Whole-instance encryption
What encrypts only a partition instead of the entire disk? - ANSWER-
volume encryption
What encrypts data transmission between servers? - ANSWER- secure
sockets layer(SSL)
What does STRIDE stand for in threat modeling? - ANSWER- Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege
What does SDLC stand for? - ANSWER- Software Development Life
Cycle
What are 10 examples in threat modeling of common application
vulnerabilities? - ANSWER- Injection
Broken Authentication
Cross-Site Scripting(XSS)
insecure direct object access
security misconfigurations
sensitive data exposure
missing function-level access control
cross-site request forgery(CSRF)
using components with known vulnerabilities
unvalidated redirects and forwards
What is white box testing? - ANSWER- The tester is using knowledge
of the program's internals.
What is black box testing? - ANSWER- The tester is testing without
knowledge of the internals.
What are 4 cloud application assurance and validation methods? -
ANSWER- Approved APIs
Secure code reviews
runtime application self-protection
securing open source software
What allows applications to consume web services from the application,
to expand its capabilities? - ANSWER- approved APIs
What identifies and mitigates code in an application that exposes a
potential vulnerability? - ANSWER- secure code reviews
What protects itself without human intervention and assists in the prevention of successful attack? - ANSWER- runtime application self-protection
What allows users to make modifications that they choose in order to add or enhance the functionality? - ANSWER- securing open source software
What cloud model removes and reduces the authority and execution of security controls in the environment - ANSWER- deployment model
What is SAML - ANSWER- A standard for exchanging authentication
and authorization data between security domains
What is the most widely used federation standard? - ANSWER- Security
Assertion Markup Language(SAML)
What is an API? - ANSWER- A set of routines, standards, protocols,
and tools for building software applications to access a web-based
software application or tool
What is SAST? - ANSWER- A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability
What is ONF? - ANSWER- A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization
What is data masking? - ANSWER- A method for creating similar but
inauthentic datasets used for software testing and user training.
What are three descriptions of SOAP? - ANSWER- Reliant on XML
Standards-based
Works over numerous protocols
Normative Framework is a subset of what? - ANSWER- organizational
normative framework
What does DAM stand for? - ANSWER- database activity monitoring
What are two types of DAMs? - ANSWER- Agent(Host)
Network(Network)
What is the purpose of ISO/IEC 27034-1? - ANSWER- Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security
What best describes DAST? - ANSWER- Test performed on an application or software product while it is being executed in memory in an operating system
What does DAST stand for? - ANSWER- Dynamic application security
testing
What is sandboxing best used for? - ANSWER- To isolate untrusted
code changes for testing in a nonproduction environment.
What best describes REST? - ANSWER- Lightweight and scalable
What are web application firewalls designed to protect against? -
ANSWER- XSS and SQL injection
What best describes data masking? - ANSWER- Data masking is used to
create a similar, inauthentic dataset used for training and software
testing.
What is the industry standard for uptime in cloud service provision? -
ANSWER- five nines (99.999%)
What is power conditioning? - ANSWER- involves adjusting the voltage
from the line
How many uptime institute tiers are there? - ANSWER- four
What are the minimum requirements for a tier 1 datacenter? -
ANSWER- dedicated space for IT systems
UPS system
cooling system
power generation for at least 12 hours
What is the appeal to a tier 1 datacenter? - ANSWER- cost
What are the characteristics of a tier 2 datacenter? - ANSWER- tier 1
requirements
no interrupted operations
personnel activity may cause downtime
unplanned failures of components or systems cause downtime
What are the characteristics of a tier 3 datacenter? - ANSWER- tier 2
requirements
dual power supplies for all IT systems
critical operations can continue without interruption
unplanned failures may cause downtime
planned maintenance may cause downtime
What are the characteristics of a tier 4 datacenter? - ANSWER- tier 3
requirements
multiple components of IT and electrical
multiple facilities
personnel activity will not cause downtime
scheduled maintenance will not cause downtime
What is security redundancy? - ANSWER- Multiple security controls
protecting the same assets with various technology
What is personnel redundancy? - ANSWER- Multiple personnel who
administer and support IT
What is power line redundancy? - ANSWER- communication lines are
replicated on opposite sides of each building
What are two types of clustering? - ANSWER- Tightly
loosely
What is a tightly coupled cluster? - ANSWER- storage devices are
directly connected to a shared physical backplane
What is a loosely coupled cluster? - ANSWER- cluster is independent of
the others, logically connected
What are two options for storage? - ANSWER- volume
object
What are four traits in a secure KVM? - ANSWER- secure data port
tamper label
soldered circuit board
air-gapped pushbutton
What is initial training? - ANSWER- personnel that join the
organization
What is recurring training? - ANSWER- continual updating of security
knowledge that builds on the fundamentals
What is refresher training? - ANSWER- personnel who need additional
lessons
What does SAST stand for? - ANSWER- static application security
testing
What is static application security testing? - ANSWER- direct review of
source code comprising an application
What is dynamic application security testing? - ANSWER- reviews the
outcomes of the application; no information about the environment is provided
What term describes encrypted chunks of data? - ANSWER- data
dispersion
What are 5 things monitored in a data center? - ANSWER- OS Logging
Hardware
Network
Temperature
Humidity
What tool is used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters? - ANSWER- OS logging
What is used to measure performance indicators such as CPU temperature, fan speed, and drive temperature? - ANSWER- hardware monitoring
What helps to check not only the hardware and the software but the distribution facets such as SDN control planes? - ANSWER- network monitoring
What are the 4 maintenance processes? - ANSWER- Upgrade
Update
Date
Implementation
What maintenance process describes the replacement or secure disposal
of older elements in favor of new ones? - ANSWER- upgrade
What maintenance process describes the vendors issuing the ongoing
maintenance instructions? - ANSWER- Update
What maintenance process describes combining the benefits of both
manual and automated approaches? - ANSWER- Date
What maintenance process describes the operator deciding which patch needs to be issued and when it is to be issued? - ANSWER- implementation
What is a baseline? - ANSWER- the minimum level of security and
performance of a system in an organization
What are the four steps of change management in normal operations? -
ANSWER- CMB meetings
CM Testing
deployment
documentation
What change management step reviews and analyzes change and exception requests? - ANSWER- change management board (CMB) meetings
What change management step takes place in an isolated sandbox
network that mimics all the systems? - ANSWER- change
management(CM) testing
What change management step makes modifications in accordance with
appropriate guidance? - ANSWER- deployment
What change management step reflects all the modifications to the environment in the asset inventory? - ANSWER- documentation
What BC/DR testing example describes how the participants would
perform their tasks in a given BC/DR scenario? - ANSWER- tabletop
testing
What BC/DR testing example walks through the organization's responses during the test while performing some minimal actions? - ANSWER- dry run
What BC/DR testing example detects the shortcomings in a plan and
has the greatest impact on productivity? - ANSWER- full test
What BC/DR concept calculates how long an interruption in service will take to kill an organization? - ANSWER- maximum allowable downtime
What BC/DR concept measures the time it takes to recover operational
capability after a service interruption? - ANSWER- recovery time
objective
What BC/DR concept is the goal of limiting the loss of information from
an unplanned event? - ANSWER- recovery point objective
What are 5 items included in a BC/DR plan? - ANSWER- circumstances under which an event or disaster is declared
list of assets inventoried and deemed critical
actions, tasks, and activities
who is authorized to make the declaration
essential points of contact
What are three essential BC/DR concepts? - ANSWER- MAD(maximum allowable downtime)
RTO(recovery time objective)
RPO(recovery point objective)
T/F: During maintenance mode you must initiate enhanced security
controls. - ANSWER- False
How can a localized incident or disaster be addressed in a cost-effective
manner? - ANSWER- joint operating agreements
What tool can reduce confusion and misunderstanding during a BC/DR
response? - ANSWER- checklist
What are the three general bodies of law in the United States? -
ANSWER- criminal law
civil law
administrative law
What is the specialized body of law unique to the United States military?
- ANSWER- Uniform code of military justice (UCMJ)
What involves all legal matters where government is in conflict with any
person, group, or organization that violates statutes? - ANSWER-
criminal law
Who creates statutes? - ANSWER- Federal, state, and local legislatures
Where in the world can you be prosecuted for criminal violations and held liable for whatever damages result from a data breach? - ANSWER- European Union (EU)
Which of the three general bodies of law in the United States deals with
personal and community-based law? - ANSWER- civil law
What is an agreement between parties to engage in some specified
activity, usually for mutual benefit? - ANSWER- Contracts
What are 4 contracts that you should be familiar with? - ANSWER-
service-level agreements
privacy-level agreements
operational-level agreement
payment card industry data security standards contracts
What does SLA mean? - ANSWER- service-level agreement
What does PLA mean? - ANSWER- privacy-level agreements
What does OLA mean? - ANSWER- operational-level agreement
What does PCI DSS stand for? - ANSWER- Payment Card Industry
Data Security Standard
What refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed as a result of wrongful acts by others? - ANSWER- Tort law
What are laws created by executive decision and function? - ANSWER-
administrative law
What term describes intangible assets that are the property of the mind,
also known as ideas? - ANSWER- intellectual property
What term describes the protection of expressions of ideas? - ANSWER-
copyrights
What protection is for intellectual property used to immediately identify
a brand? - ANSWER- trademarks
What do patents protect? - ANSWER- formulas
processes
patterns
inventions
plants
What term describes a court acknowledging the ownership of private business materials, such as client lists, processes, recipes? - ANSWER- trade secrets
What term is used to describe the processes associated with determining
what legal jurisdiction will hear a dispute when one occurs? -
ANSWER- doctrine of the proper law
What refers to a collation of developments in common law that help the
courts stay up with the changes? - ANSWER- restatement (second)
conflict of law
What law enhanced laws restricting the government from putting wiretaps on phone calls, updating them to include electronic communication in the form of data? - ANSWER- the Electronic Communications Privacy Act (ECPA)
What law restricts the government from forcing ISPs to disclose customer
data the ISP might possess? - ANSWER- The stored communications
act
What law allows banks to merge with and own insurance companies? -
ANSWER- Gramm-Leach-Bliley Act (GLBA)
What law increases transparency into publicly traded corporations' financial activities and includes provisions for securing data, expressly naming the traits of confidentiality, integrity, and availability? -
ANSWER- Sarbanes-Oxley Act (SOX)
What law protects patient records and data, known as electronic protected
health information? - ANSWER- Health Insurance Portability and
Accountability Act (HIPAA)
What law prevents academic institutions from sharing student data with
anyone other than parents of students? - ANSWER- Family Educational
Rights and Privacy Act (FERPA)
What law updates copyright provisions to protect owned data in an
internet-enabled world, makes cracking of access controls on
copyrighted media a crime, and enables copyright holders to require any site on the internet to remove content that may belong to the copyright holder? - ANSWER- The Digital Millennium Copyright Act (DMCA)
Who administers GLBA? - ANSWER- FDIC
FFIEC
Who administers SOX? - ANSWER- SEC
Who administers FERPA? - ANSWER- Department of Education
What is the only country that has no federal law ensuring individual
personal privacy? - ANSWER- United States
What is the first major EU data privacy law? - ANSWER- EU Data
Protection Directive 95/26 EC
What EU data directive principle says "the individual must be informed
that personal information about them is being gathered or created"? -
ANSWER- notice
What EU data directive principle states that every individual can choose
whether to disclose their personal information? - ANSWER- choice
What EU data directive principle says an individual must be told the
specific use the information will be put to? - ANSWER- purpose
What EU data directive principle states the individual is allowed to get
copies of any of their own information held by an entity? - ANSWER-
access
What EU data directive principle states the individual must be allowed
to correct any of their own information if it is inaccurate? - ANSWER-
integrity
What EU data directive principle states any entity holding an individual's personal information is responsible for protecting that information and is ultimately liable for any unauthorized disclosure of that data? - ANSWER- security
What EU data directive principle states all entities that have any
personal data of any EU citizen understand that they are subject to
enforcement actions by the EU authorities? - ANSWER- enforcement
What is a data subject? - ANSWER- This is the person whose data is
being stored.
What is a data controller? - ANSWER- This is the person who has
overall control over all the Information/Data.
What is a data processor? - ANSWER- Performing any manipulation,
storage or transmission of PII
What does PIPEDA stand for? - ANSWER- Personal Information
Protection and Electronic Documents Act
What act conforms to the EU Data Directive and Privacy Regulation? -
ANSWER- PIPEDA
What personal privacy principle informs an individual that personal
information about them is being gathered or created? - ANSWER- notice
What personal privacy principle includes whether the information will
be shared with any other entity? - ANSWER- purpose
What personal privacy principle allows an individual to get copies of
any of their own information held by any entity? - ANSWER- access
What personal privacy principle allows an individual to correct any of
their own information if it is inaccurate? - ANSWER- integrity
What is the process of identifying and obtaining electronic evidence for
either prosecutorial or litigation purposes? - ANSWER- eDiscovery
What are the 5 ISO/IEC standards for international digital forensics? - ANSWER- 27037:2012
27041:2015
27042:2015
27043:2015
27050-1:2016
What ISO/IEC standard is a guide for collecting, identifying, and
preserving electronic evidence? - ANSWER- 27037:2012
What ISO/IEC standard is a guide for incident investigations? -
ANSWER- 27041:2015
What ISO/IEC standard is a guide for digital evidence analysis? -
ANSWER- 27042:2015
What ISO/IEC standard provides incident investigation principles and
processes? - ANSWER- 27043:2015
What ISO/IEC standard is an overview and principles for eDiscovery? -
ANSWER- 27050-1:2016
What type of identifier consists of characteristics and traits of an individual that could
reveal the identity of that person? - ANSWER- indirect
What type of identifier reveals a specific individual through specific data
elements? - ANSWER- direct
What is the purpose of gap analysis? - ANSWER- To begin the
benchmarking process
What is the best example of a key component of regulated PII? -
ANSWER- Mandatory breach reporting
What is the least challenging part of eDiscovery in the cloud? -
ANSWER- Forensic analysis
What statute addresses security and privacy matters in the financial
industry? - ANSWER- GLBA
What does the doctrine of proper law refer to? - ANSWER- How
jurisdictional disputes are settled
What is the best advantage of external audits? - ANSWER-
Independence
What SOC report subtype represents a point in time? - ANSWER- Type
I