Learnzapp Flashcards

1
Q

Maintenance mode

A

Generation of new instances is prevented.

Alerting mechanisms are suspended.

Events are logged.

Admin access continues

2
Q

Remember EU member states

A
3
Q

Maintenance mode:

Live migration
Snapshots

A

Live migration is the movement of running virtual instances from one physical host to another; it is how VMs are moved off a physical device before maintenance is performed on it.

When a VM is taken out of production and moved to storage, it is moved as an image snapshot.

During live migration the VM's memory and state traverse the network, and the hypervisor's default migration channel is often unencrypted, so migration traffic belongs on an isolated management network or on an encrypted migration channel where the hypervisor offers one.

Live migration goes over the network; portable media is not necessary.

4
Q

Tunneling

A

Generic Routing Encapsulation (GRE) is a tunneling mechanism designed specifically for that purpose. GRE only encapsulates; it provides no confidentiality or authentication, so it is typically carried inside IPsec when the tunneled traffic needs protection.

5
Q

SSH tunnelling includes the services

A

Remote login
Port forwarding
Command Execution

6
Q

TLS

A

TLS is a session-encryption protocol: it uses asymmetric cryptography (a key exchange authenticated by the server's certificate) to establish a symmetric session key, which then encrypts the bulk of the traffic.
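The following is an added example, not part of the flashcards, showing the mechanism the card describes: two parties use asymmetric (Diffie-Hellman) math to agree on a shared secret, then derive a symmetric session key from it with an HKDF-style construction. The group parameters (p = 2**521 - 1, g = 5) are a toy assumption chosen so the block runs with only the standard library; real TLS 1.3 uses vetted groups such as X25519 or the RFC 7919 ffdhe groups and signs the server's share with its certificate, neither of which is modelled here.

```python
"""Toy TLS-style key agreement: asymmetric exchange -> symmetric session key.
Added example; not from the flashcards. NOT for production use."""
import hashlib
import hmac
import secrets

# Toy group (assumption for the demo): P = 2**521 - 1 is the Mersenne prime
# M521, G = 5. This is not a standardised TLS group and is not vetted.
P = 2**521 - 1
G = 5
P_BYTES = (P.bit_length() + 7) // 8  # 66


def generate_keypair():
    """Ephemeral private exponent x and the public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(my_priv, peer_pub):
    """Both sides compute g^(ab) mod p; an eavesdropper sees only g^a and g^b."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, my_priv, P)


def derive_session_key(secret_int, transcript: bytes, length=32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) over HMAC-SHA256. TLS likewise
    binds the derived keys to the handshake transcript."""
    ikm = secret_int.to_bytes(P_BYTES, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + transcript + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tls_like_handshake():
    """Simulate client and server independently deriving the same key."""
    c_priv, c_pub = generate_keypair()  # ClientHello key_share
    s_priv, s_pub = generate_keypair()  # ServerHello key_share
    transcript = c_pub.to_bytes(P_BYTES, "big") + s_pub.to_bytes(P_BYTES, "big")
    client_key = derive_session_key(shared_secret(c_priv, s_pub), transcript)
    server_key = derive_session_key(shared_secret(s_priv, c_pub), transcript)
    return client_key, server_key


if __name__ == "__main__":
    ck, sk = tls_like_handshake()
    print("keys match:", ck == sk, ck.hex())
```

The private exponents never leave their side; only the public values cross the wire, yet both ends end up with the same 32-byte symmetric key. Without server authentication (the certificate signature that real TLS adds) this exchange is vulnerable to an active man-in-the-middle, which is exactly why the card pairs TLS with the PKI cards later in the deck.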

7
Q

Which risk can make a cloud environment unviable?

A

VM sprawl: the uncontrolled proliferation of virtual machines, which consume resources and escape inventory, patching and access review.

8
Q

NAS ( Network attached Storage)

SAN (Storage Area Network)

A

NAS: a file server that provides file-level data access to multiple, heterogeneous machines and users on the network.

NAS is designed primarily for file sharing across the network.

SAN: presents storage devices to hosts as attached/mounted block devices (drives).

SAN is designed to meet high-performance needs.

9
Q

Dynamic Host Configuration Protocol (DHCP) servers

A

Provide the clients:
- A temporary (leased) IP address
- A default gateway
- Time (NTP) server addresses for synchronization

Does not provide: encryption protocols (DHCP itself is unauthenticated and unencrypted).

10
Q

Data in transit (secure):

TLS
DNSSEC
IPSec

A

- TLS and IPsec reduce the risk of eavesdropping on and interception of data in transit.

- DNSSEC: Domain Name System Security Extensions protect DNS data in transit by signing records so resolvers can verify their authenticity and integrity, reducing the risk of DNS cache poisoning. DNSSEC does not encrypt queries or responses.

11
Q

OS Hardening

A

Remove default accounts
remove unnecessary services
Disallow local save of credentials

12
Q

cloud storage cluster

A

A tightly coupled cloud storage cluster

13
Q

SSD

A

Solid-state disks (SSDs) are used in cloud computing today because they operate at high speeds as compared to traditional spinning drives.

14
Q

IETF

IANA

ISO/IEC

A

The IETF is an international organization of network designers and architects who work together to establish standards and protocols for the Internet.

IANA oversees global IP address allocation, among other Internet tasks.

ISO/IEC develops, maintains and promotes standards in information technology and information and communication technology.

15
Q

ONF : An Organization Normative Framework (ONF)

ANF - application normative frameworks (ANFs)

A

An Organization Normative Framework (ONF) is a framework of so-called containers of application security best practices, catalogued and leveraged by the organization; it contains one or more subcomponents known as Application Normative Frameworks (ANFs), each scoped to a single application.

16
Q

Brewer-Nash (Chinese Wall)

A

Brewer-Nash was specifically created for managed-services arrangements, where an administrator for a given customer might also have access to a competitor's data/environment; the model requires that administrators not be assigned to competing customers. In the modern cloud provider model, a cloud data center administrator will almost certainly have access to many customers from the same industry (i.e., competitors) but probably won't even know it.

17
Q

Ports : DNS

A

DNS: port 53 (UDP and TCP)
Google public DNS resolver: 8.8.8.8

DNSSEC: adds digital signatures to DNS records so that validating resolvers and clients can verify the authenticity and integrity of DNS records.

18
Q

Network Ports

0 - 1023 - Wellknown ports
1024 - 49151 : registered ports
49152-65535 - dynamic ports

A

Port numbers are 16-bit binary numbers: 2^16 values, 0 - 65,535.

0 - 1023: well-known ports
Web servers: 80; secure web servers: 443; mail servers

1024 - 49151: registered ports
Microsoft registered 1433 for SQL Server database connections.
Oracle registered 1521 for its database listener.

49152 - 65535: dynamic (ephemeral) ports

19
Q

Administrative services: ports

21: FTP
22: SSH
3389: RDP
137, 138, 139: Windows NetBIOS
53: DNS

A
20
Q

Mail services:

25: SMTP
110: POP3 (Post Office Protocol)
143: IMAP

A
21
Q

Webservices:

80: HTTP
443: HTTPS

A
22
Q

ICMP - Internet Control Message Protocol

  • Ping
    - traceroute

e.g.: traceroute -I linkedin.com (-I makes traceroute use ICMP echo requests rather than UDP probes)

A

Ping identifies live systems (ICMP echo request/reply).
traceroute identifies the network path, hop by hop, by sending probes with increasing TTL values and reading the ICMP Time Exceeded replies.

23
Q

ICANN

A

IPv4 addresses are scarce; ICANN, through IANA, coordinates their global allocation along with the DNS root.

24
Q

Private IP Address ranges

A

RFC 1918 private ranges:
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

25
NAT (Network Address Translation), NAT & security, PAT (Port Address Translation)
PAT allows multiple systems to share the same public IP address by assigning a unique source port to each communication.
26
Subnetting: network and host portions
Subdivides larger networks into smaller ones.
27
Subnet mask: marks which bits of an IP address are the network portion and which are the host portion.
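Added example (not from the flashcards) covering the private-range and subnetting cards: Python's standard ipaddress module is used to test an address against the three RFC 1918 blocks, to break a CIDR prefix into network address, broadcast, mask and usable host count, and to subdivide a larger network. The sample addresses are constructed for illustration.

```python
"""Subnetting arithmetic and RFC 1918 checks with the standard library.
Added example; not from the flashcards."""
import ipaddress

# The three RFC 1918 private blocks in CIDR form.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def describe_subnet(cidr: str) -> dict:
    """Everything the subnet mask defines for a host address in CIDR form:
    network address, broadcast address, dotted mask and usable host count."""
    net = ipaddress.ip_network(cidr, strict=False)  # allow a host address
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "usable_hosts": usable,
    }


def split_network(cidr: str, new_prefix: int) -> list:
    """Subdivide a larger network into equal smaller subnets."""
    net = ipaddress.ip_network(cidr)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def host_part(addr: str, cidr: str) -> int:
    """The host bits of addr within cidr, i.e. addr AND NOT netmask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(ipaddress.ip_address(addr)) & int(net.hostmask)


if __name__ == "__main__":
    print(describe_subnet("192.168.10.77/26"))
    print(split_network("10.0.0.0/8", 10))
    print(is_rfc1918("172.31.255.254"), is_rfc1918("172.32.0.1"))
```

Note that 172.32.0.1 is public even though it "looks" private; the /12 ends at 172.31.255.255, which is why checking against CIDR blocks beats eyeballing the second octet.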
28
VLAN - configuring VLANs
Enable VLAN trunking between switches; assign switch ports to VLANs.
29
Routers, switches, firewalls
30
DMZ, Bastion hosts
31
Stateless firewalls; stateful inspection firewalls; NGFW (incorporate contextual information, such as application and user identity, into their decision making)
Firewall rule contents: source and destination IP, ports, protocol, action (allow/deny); rules are evaluated in order and end in an implicit deny (default deny).
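Added example (not from the flashcards): a minimal stateless packet-filter evaluator that makes the rule-content card concrete. Each rule carries source, destination, protocol, destination port and action; the first matching rule wins, and a packet that matches nothing falls through to the implicit deny. The policy and packets are constructed sample data using documentation address ranges.

```python
"""Stateless firewall rule evaluation with first-match and implicit deny.
Added example; not from the flashcards."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _match_net(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        _match_net(rule.src, pkt.src)
        and _match_net(rule.dst, pkt.dst)
        and rule.proto in ("any", pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Walk the rule list in order; the first match decides. No match means
    the implicit (default) deny, reported with rule=None."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None


# Constructed sample policy: a DMZ web server reachable from anywhere on 443,
# SSH only from the management subnet, with an explicit deny for SSH from
# elsewhere so those hits can be logged separately from the implicit deny.
POLICY = [
    Rule("any", "203.0.113.10/32", "tcp", 443, "allow"),
    Rule("10.10.0.0/24", "203.0.113.10/32", "tcp", 22, "allow"),
    Rule("any", "203.0.113.10/32", "tcp", 22, "deny"),
]

if __name__ == "__main__":
    for p in [Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
              Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
              Packet("10.10.0.5", "203.0.113.10", "tcp", 22),
              Packet("198.51.100.7", "203.0.113.10", "udp", 53)]:
        print(p, "->", evaluate(POLICY, p)[0])
```

This is the stateless model: every packet is judged on its own header fields. A stateful firewall additionally tracks connections so that return traffic for an allowed session is admitted without a separate rule, and an NGFW layers application and user context on top of the same match-then-act logic.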
32
Firewall roles: NAT gateway; content/URL filtering; web application firewall
33
Network deployment options:
1. Network hardware vs host-based software firewalls
2. Open source or proprietary
3. Hardware appliance vs virtual appliance
34
Network security groups
Serve as IaaS firewalls; maintaining network security groups is the customer's responsibility.
35
VPN - Site to site , remote access VPN
36
VPN Endpoints
Firewalls Routers Servers VPN Concentrators
37
IPsec - works at the network layer (layer 3)
Works at the network layer (layer 3); secures the Layer 2 Tunneling Protocol (L2TP/IPsec); provides secure transport; relatively difficult to configure.
38
Full tunnel VPN, Split tunnel VPN
39
Always ON VPN (default)
40
IPS , IDS
41
IDS errors: false positives and false negatives
42
Signature-detection (rule-based) systems
Problem: fail to detect brand-new attacks. Advantage: low false-positive rate.
43
Anomaly detection / behaviour-based detection / heuristic detection systems (the same thing)
High false-positive rate; can detect previously unseen attacks.
44
IPS deployment models: in-band (inline), the device sits in the path of network communications and can block traffic; out-of-band (passive), the device connects to a SPAN (mirror) port on a switch and can alert but cannot block traffic inline.
45
Zero trust networking: IAM platforms are the foundation of zero trust approaches.
Zero trust shifts the focus away from perimeter protection onto strong identity and access management.
46
SIEM SOAR
47
CASB (Cloud Access Security Broker)
Enforces security policies between users and cloud services.
48
EDR (Endpoint Detection and Response) platforms
Detect and remediate endpoint security issues.
49
Security baseline
Baselines are generic; they are written to cover an uncertain future and must be tailored to the specific system.
50
Accreditation process
Phases: initiation, security certification, security accreditation, continuous monitoring.
51
SSH tunneling
Does not provide content filtering; it provides remote log-on, port forwarding and command execution.
52
Storage clusters: tightly coupled, loosely coupled
Storage devices are clustered in groups, providing increased performance, flexibility and reliability.
53
Tightly coupled cluster
The tightly coupled architecture also enhances performance, and a tightly coupled cluster has a maximum capacity, whereas a loosely coupled cluster does not.
54
Loosely coupled cluster
A loosely coupled cluster, on the other hand, allows for greater flexibility.
55
DHCP - Dynamic Host Configuration Protocol servers
Provide the clients a temporary IP address, default gateway and time server synchronization; do not provide encryption protocols.
56
57
Domain 1:
58
Magnetic swipe cards
Data on Magnetic swipe cards is not usually encrypted
59
SOC reports
SOC reports are the audit reporting mechanisms dictated by SSAE 18. SOX is a federal law targeting publicly traded corporations in the United States. SSL is a way to conduct secure online transactions. SABSA is an architecture framework.
60
SSAE reports: SOC 1 - financial reporting controls; SOC 2 - security controls (CIA); SOC 3 - attestation by the auditor
SOC 2 reports were not designed for dissemination outside the target organization (they are typically shared under NDA); SOC 3 is the public-facing summary.
61
Statutory compliance
Statutory compliance refers to state and federal laws. They cannot force a customer to stay with a cloud provider.
62
CASB
Provides services such as key escrow, single sign-on and IAM.
63
*****Federal Express - Private company
Federal Express is a private company; only federal entities are required to comply with FedRAMP.
64
Elliptical curve cryptography (ECC)
Elliptic curve cryptography (ECC) uses algebraic elliptic curves, which allow much smaller keys to provide the same security level as the much larger keys used in traditional public-key cryptography such as RSA.
65
******Virtual machine introspection (VMI)
Virtual machine introspection (VMI) is an agentless means of ensuring that a VM's security baseline does not change over time, by examining from the hypervisor things such as physical address, network settings and installed OS. This ensures the baseline has not been inadvertently or maliciously tampered with.
66
Virtualization technologies - cloud computing
Virtualization technologies have been the driving force behind enabling cloud computing to become a real and scalable service due to the savings, sharing, and allocation of resources across multiple tenants and environments.
67
A demilitarized zone (DMZ)
A demilitarized zone (DMZ) isolates network elements that are public facing and would otherwise be vulnerable to attack.
68
Type 1 , Type 2 hypervisor
A Type 1 hypervisor is a minimal piece of software that runs directly on the hardware (bare metal) and manages the underlying resources. A Type 2 hypervisor is software installed on top of, or as part of, a device's operating system.
69
A hybrid cloud
A hybrid cloud is a combination of two or more distinct cloud infrastructures that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.
70
********Cloud migration
Cloud migration is the process of transitioning all or part of a company's data, applications, and services from onsite premises behind the firewall to the cloud. This enables information to be provided over the Internet on an on-demand basis.
71
Corporate governance
Corporate governance is defined as the relationship between shareholders and other stakeholders in the organization versus the senior management.
72
Auditability
Something is said to be auditable when it is in a state of readiness for auditing. Cloud providers are often required to maintain a state of auditability as a way of maintaining compliance
73
Cloud server hosting
Cloud server hosting is a type of hosting in which hosting services are available to customers on demand via the Internet as opposed to being provided by a single server or virtual server. In a cloud services model, multiple connected servers that a cloud server comprises provide the hosting environment.
74
Public key infrastructure (PKI)
Public key infrastructure (PKI) is a framework of programs, procedures, communication protocols, and public key cryptography that enables a diverse group of individuals to communicate securely.
75
Turnstiles egress monitoring encryption digital watermarking
Turnstiles are a physical security barrier to prevent piggybacking/tailgating (an unauthorized person coming through an entrance behind someone who is authorized), but they don’t really present much protection for intellectual property in this case. Egress monitoring (often referred to as “DLP” solutions) is a great way to reduce the likelihood of intellectual property leaving the owner’s control in an unexpected/unapproved manner. Likewise, strong encryption is useful in the cloud to reduce the impact of theft either from leakage to other cloud tenants or from insider threats (such as malicious admins in the employ of the cloud provider). Finally, digital watermarks aid protection of intellectual property by proving original ownership, which is essential for enforcing intellectual property rights (in the case of software design, mainly copyright protections).
76
PCI DSS CVV
PCI DSS requires that the card verification code (CVV2/CVC2/CID, often just "CVV") be used only during the transaction and never stored after authorization. The other data elements in the question may be stored after the transaction is complete (the PAN only if it is rendered unreadable).
77
SSAE , AICPA
SSAE 18 is the current AICPA audit standard, as of 2018.
78
SABSA
SABSA is an IT architecture framework SABSA is a means of looking at security capabilities from a business perspective;
79
COBIT
COBIT is designed for all types of business, regardless of their purpose;
80
TOGAF
TOGAF is a means to incorporate security architecture with the overall business architecture;
81
ITIL
ITIL was specifically designed to address service delivery entities
82
NIST SP 800-53 - RMF
NIST SP 800-53 contains guidance for selecting security controls in accordance with the Risk Management Framework. NIST SP 800-53 is a standard, not a law.
83
SOX
SOX affects publicly traded corporations
84
SOC1
The SOC 1 report provides information only about the target's financial reporting controls, not its security controls, so it is of little interest to the IT security professional.
85
The SOC 2, Type 2
The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.
86
The SOC 3 reporT
The SOC 3 report is only an attestation that the target was audited and passed the audit, without detail; you could use SOC 3 reports to quickly narrow down a list of possible providers by eliminating the ones without one.
87
PCI DSS
Because PCI DSS compliance is contractual rather than statutory, and the PCI Council is not a government body but a consortium of private interests, it cannot detain or imprison anyone. It can, however, assess fees, suspend processing privileges and require more auditing.
88
PCI Merchant levels
The PCI merchant levels are based on how many card transactions an entity processes per year:
Level 1: more than 6 million transactions per year
Level 2: 1 million to 6 million transactions per year
Level 3: 20,000 to 1 million transactions per year
Level 4: fewer than 20,000 transactions per year
89
Merchant level 1
Merchant level 1 is for the merchants that engage in the most transactions per year (six million or more). It carries with it the requirement for the most comprehensive, detailed, and repeated security validation actions.
90
Federal Information Processing Standard (FIPS) 140-2 security levels for cryptographic module
FIPS Publication 140-2 defines four levels of security for cryptographic modules, each offering increasing physical protection:
Level 1: the lowest level, requiring production-grade equipment and externally tested (approved) algorithms
Level 2: adds physical security with tamper evidence (e.g., pick-resistant locks or seals) and role-based authentication
Level 3: high probability of detecting and responding to physical access attempts, with physical tamper resistance and identity-based authentication
Level 4: the highest level, with tamper-active hardware that zeroizes its contents if it detects a physical attack or abnormal operating conditions
Note: FIPS 140-3 has since superseded 140-2 for new module validations.
91
Evaluation Assurance Level (EAL)
The EAL is a measure of how thoroughly the security features the product vendor claims the product offers have been tested and reviewed, and by whom.
92
Common criteria certification of an IT Product - who pays - vendor
The vendor/manufacturer of a given product will pay to have it certified, with the premise that certification costs are offset by premium prices that certified products command and that customers won’t purchase uncertified products.
93
****NIST Publishes
NIST publishes the list of validated crypto modules. The other choices are government or non-government organizations that are not involved with publishing the list of cryptographic modules that meet FIPS 140-2 requirements.
94
HSM Certification
Vendors seeking HSM certification under FIPS 140-2 send their products to independent laboratories that have been validated as Cryptographic Module Testing Laboratories under the National Voluntary Laboratory Accreditation Program (the Accreditation Program is run by NIST, which approves the laboratories). As of this writing, 21 labs in the United States and Canada are accredited.
95
FIPS 140-2
FIPS 140-2 covers Sensitive But Unclassified (SBU) data. It is the federal standard for accrediting and distinguishing secure, well-architected cryptographic modules produced by private-sector vendors who are having their solutions certified for use by US government departments and regulated industries that collect, store, transfer or share data deemed sensitive but not classified.
96
broken authentication and session management - risk reduce
method for reducing the risk of broken authentication and session management Do not use custom authentication schemes.
97
OWASP Top 10: insecure direct object references
Check access each time a direct object reference is called by an untrusted source.
98
OWASP Top 10: Injection
attacker trying to do with an injection attack: Trick the application into running commands.
100
OWASP Top 10 : cross-site scripting (XSS) attacks
HTML-escape all untrusted data before placing it in HTML content or attributes (and use context-appropriate encoding for JavaScript, URL and CSS contexts).
101
OWASP Top 10 : cross-site request forgery” (CSRF)
Remediation: ensure that all state-changing HTTP requests include a unique, unpredictable anti-CSRF token.
102
OWASP Top 10 : Security misconfiguration
Example: having unpatched software in the production environment.
Techniques to reduce: perform periodic scans and audits of the environment; follow a published, known industry standard for baseline configurations; use a repeatable patching process that includes updating libraries as well as software.
103
OWASP Top 10 : missing function level access control
reduce by: Set the default to deny all access to functions, and require authentication/authorization for each access request.
104
OWASP Top 10 : using components with known vulnerabilities.
Remediation: Update to current versions of component libraries as soon as possible. Review all updates/lists/notifications for components your organization uses.
105
OWASP Top 10 : sensitive data exposure.
Techniques to reduce: destroying sensitive data as soon as possible; using proper key management when encrypting sensitive data; disabling autocomplete on forms that collect sensitive data; extensive user training on proper data handling techniques.
106
Why org uses : using components with known vulnerabilities.
Often because the particular vulnerabilities exist only in a context (feature or code path) that the developers are not using.
107
OWASP Top 10 : unvalidated redirects and forwards
Train users to recognize unvalidated links. Avoid redirects/forwards in your applications, or validate the destination against an allow list.
108
Redirects and Forwards
A forward is a situation when instead of an external URL, your website or web application causes the browser to go to different parts of the site. Redirects and forwards are technically identical, the only difference is the type of destination: external URLs vs. internal pages.
109
Lightweight Directory Access Protocol (LDAP)
LDAP is used in constructing and maintaining centralized directory services, which are vital in all aspects of IAM
110
Privileged user account access
Privileged users should have privileged access to specific systems/data only for the duration necessary to perform their administrative function; any longer incurs more risk than value
111
The Cloud Security Alliance (CSA) - Data Breach
The CSA points out that data breaches come from a variety of sources, including both internal personnel and external actors
112
Service traffic hijacking
Service traffic hijacking can affect all portions of the CIA triad.
113
Distributed denial of service (DDoS)
Denial-of-service attacks staged from multiple machines against a specific target is the definition of a DDoS.
114
Incidents versus Events
Events are anything that can occur in the IT environment, whereas incidents are unscheduled events.
115
PIPEDA - Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing protection of personal information.
116
FIPS 140-2
The Federal Information Processing Standard (FIPS) 140-2 standard certifies cryptologic components for use by American federal government entities
117
HIPAA
The Health Information Portability and Accountability Act (HIPAA) is an American law regulating patient information for medical providers
118
The cross-certification model
The cross-certification model of federated identity requires all participants to review and confirm all the others
119
Community Cloud
The community cloud is defined by its joint ownership of assets among a member group.
120
A private cloud - Very sensitive assets.
A private cloud is the best option for work in highly regulated industries or industries that involve very sensitive assets.
121
A private cloud - European personal data privacy laws
(Scenario: a European appliance rental company.) Because of European personal data privacy laws, it is extremely important for the company to be sure that personal data does not leave the borders of a country approved to handle such data. A private cloud model is the best means to be sure the data is processed in a data center residing in a particular geographic location.
122
Big data
Big data refers to extremely large data sets used to determine patterns and trends such as purchasing or travel trends of large groups of people.
123
Portability
Portability is the term used to describe the ease with which a customer can move from one cloud provider to another; the higher the portability, the less chance for vendor lock-in.
124
A cloud reseller
A cloud reseller is a firm that contracts with both cloud providers and customers in order to arrange custom services. The cloud computing reseller purchases hosting services and then resells them.
125
Cloud carrier
Cloud carrier is a term describing the intermediary between cloud customer and provider that delivers connectivity; this is typically an ISP.
126
Cash flow at Risk (CFaR)
The risk that the cash an organization receives from its operations falls short of the expenditures and bills that generating those sales incurs.
127
X.509
X.509 is the certificate standard for communicating public key information.
128
Encryption in cloud computing
Used for storage, remote access and secure sessions. (The data on magnetic swipe cards isn't usually encrypted.)
129
Erasure Coding
Erasure coding is the practice of having sufficient data to replace a lost chunk in data dispersion, protecting against the possibility of a device failing while it holds a given chunk; parity bits serve the same purpose in a traditional RAID configuration
130
Egress Monitoring Solutions
Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss prevention or data leak protection, or some combination of these terms) often include an agent that resides on client devices to inspect data being shared or sent by end users.
Capabilities: discovering data assets according to classification/categorization; e-discovery/forensics; detecting data exfiltration; data categorization/classification.
131
DRM Solutions
DRM is mainly designed to protect intellectual property. It can also sometimes be used for securing PII, but intellectual property is a better answer here. DRM is often deployed to ensure that copyrighted material (frequently software) is only delivered to and used by licensed recipients.
132
Homomorphic encryption
experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first
133
International traffic in arms regulations (ITAR)
International traffic in arms regulations (ITAR) is a Department of State program The International Traffic in Arms Regulations (ITAR) are a set of U.S. government regulations that control the export of defense articles and services. The ITAR are administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC).
134
Export administration regulations (EAR)
The Export Administration Regulations (EAR) govern the export and re-export of some commodities, software and technology.
135
ITAR versus EAR
EAR focuses on dual-use items, while ITAR targets defense-related items. Export administration regulations (EAR) is a Commerce Department program International traffic in arms regulations (ITAR) is a Department of State program.
136
A content delivery network (CDN)
A content delivery network (CDN) is a service that distributes data.
137
Data dispersion versus RAID Scalable cloud hosting
Data dispersion uses chunks of data, erasure coding and encryption. Parity bits and disk striping are characteristic of RAID implementations. Cloud bursting is a feature of scalable cloud hosting.
138
Copyright
Copyrights are designed to protect tangible expressions of creative works, like books, articles, music, and so on Copyrights are protected tangible expressions of creative works.
139
Trademark
Logos and symbols and phrases and color schemes that describe brands are trademarks.
140
Tradesecrets
Confidential recipes unique to the organization are trade secrets. Confidential sales and marketing materials unique to the organization are trade secrets.
141
Patents
Patents protect processes (as well as inventions, new plantlife, and decorative patterns).
142
Personal cloud storage
Personal cloud storage is the storage of a single user's data in the cloud, allowing them access from anywhere on the Internet.
143
Volume Storage
Volume storage consists of volumes attached to virtual machines that act or behave just like a physical drive or array (block storage).
144
Secret sharing made short (SSMS) -- Bit splitting
SSMS is a bit-splitting method with three phases: encrypting the data, dispersing the ciphertext with an information dispersal algorithm, and splitting the encryption key using a secret-sharing algorithm. The fragments are signed and distributed to different cloud storage services, making decryption infeasible without both enough data fragments and enough key fragments.
145
Information rights management (IRM)
Information rights management (IRM) is a means to prevent unauthorized copying and limitation of distribution to only those who pay for content.
146
crypto-shredding
In crypto-shredding, the purpose is to make the data unrecoverable; saving a backup of the keys would attenuate that outcome because the keys would still exist for the purpose of recovering data. All other steps outline the crypto-shredding process.
147
Data dispersion - chunking/sharding RAID - Striping
Data dispersion is basically RAID in the cloud, with data elements parsed and stored over several areas/devices instead of stored as a unit in a single place. RAID (and data dispersion) does aid BC/DR activities by increasing the robustness and resiliency of stored data, but BC/DR is a much more general discipline, so it is not the best answer. SDN abstracts network control away from the data plane, and a CDN is usually used to ensure quality of streaming media. Where RAID uses data striping across multiple drives, with data dispersion this technique is referred to as "chunking", or sometimes "sharding" when encryption is also used.
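Added example (not from the flashcards) serving the erasure-coding and data-dispersion cards above: the simplest erasure code, a single XOR parity chunk, which is the same mechanism as RAID 5 parity. Data is chunked, a parity chunk is computed, any one chunk can be lost and rebuilt from the survivors. Real dispersion schemes use Reed-Solomon-style codes that tolerate several losses; the sample record is constructed.

```python
"""XOR single-parity erasure coding: chunk, add parity, lose one, rebuild.
Added example; not from the flashcards."""


def split_into_chunks(data: bytes, k: int) -> list:
    """Prefix the length, pad, and split into k equal chunks."""
    payload = len(data).to_bytes(4, "big") + data
    chunk_len = -(-len(payload) // k)  # ceiling division
    payload = payload.ljust(chunk_len * k, b"\x00")
    return [payload[i * chunk_len:(i + 1) * chunk_len] for i in range(k)]


def xor_chunks(chunks: list) -> bytes:
    """Byte-wise XOR of equal-length chunks."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def encode(data: bytes, k: int) -> list:
    """k data chunks plus one parity chunk; store each on a different device."""
    chunks = split_into_chunks(data, k)
    return chunks + [xor_chunks(chunks)]


def decode(stored: list) -> bytes:
    """stored has k+1 slots, at most one of them None (lost). Rebuild the lost
    chunk by XORing the survivors, then strip the parity, prefix and padding."""
    missing = [i for i, c in enumerate(stored) if c is None]
    if len(missing) > 1:
        raise ValueError("single-parity code cannot survive %d losses" % len(missing))
    chunks = list(stored)
    if missing:
        chunks[missing[0]] = xor_chunks([c for c in chunks if c is not None])
    payload = b"".join(chunks[:-1])  # drop the parity chunk
    size = int.from_bytes(payload[:4], "big")
    return payload[4:4 + size]


if __name__ == "__main__":
    record = b"customer record 42: PII goes here"
    chunks = encode(record, 4)
    chunks[1] = None  # simulate one storage device failing
    print(decode(chunks) == record)
```

The storage overhead is one extra chunk (25% for k = 4) and the price is that a second simultaneous loss is fatal, which is why production dispersion uses codes with more parity chunks and why the card pairs dispersion with encryption: a single provider holding one chunk learns nothing useful from it.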
148
DRM Solution characteristics
Mapping to existing access control lists (ACLs): the trait that allows DRM tools to provide additional access control protections for the organization's assets.
Continuous audit trail: the trait that allows DRM tools to log and exhibit all access to a given object.
Automatic expiration: the trait that allows DRM tools to prevent access to objects when a license expires, or to remove protections when intellectual property moves into the public domain.
Persistence: the trait that allows DRM protection to follow protected files wherever they might be stored or copied.
149
Transparent encryption
Encrypting specific tables within the database is one of the options of transparent encryption;
150
Application-level encryption - database encryption techniques makes it difficult to perform database functions (searches, indexing, etc.
Application-level encryption involves encrypting the data before it enters the fields of the database; it is much more difficult to search and review data that has been encrypted, so this reduces the functionality of the database.
151
Event monitoring tools - SIEM SIM, SEM detect external hacking predict system outages Optimizing performance Detecting ambient heating, ventilation, and air-conditioning (HVAC) problems
Detect external hacking: event monitoring tools track and report on common attack-related activity, such as repeated failed login attempts and scanning.
Predict system outages: decreases in performance and repeated performance issues can indicate a device is failing.
Optimize performance: repeated performance issues give administrators and architects the data to enhance performance/productivity.
Detect HVAC problems: repeated performance issues can indicate improper temperature settings in the data center, and some metrics, such as CPU temperature, directly indicate inadequate HVAC performance.
Incident evidence: the collected events serve as evidence during incident investigation.
152
Digital Millennium Copyright Act (DMCA)
The DMCA deals with intellectual property and not specifically with personal privacy. It is not included in the CSA CCM.
153
DRM requires that every data resource be provisioned with ... an access policy
For DRM to work properly, each resource needs to be outfitted with an access policy so that only authorized entities may make use of that resource.
154
Crypto-shredding
The proper procedure for crypto-shredding requires two cryptosystems: one to encrypt the target data, the other to encrypt the resulting data encryption keys. All the other answers are incorrect.
155
Code Signing
Digitally signing software code is an excellent method for determining original ownership and has proven effective in major intellectual property rights disputes.
156
Copyright Civil Court
Enforcement of copyright is usually a tortious civil action, as a conflict between private parties.
157
Homomorphic encryption
A theoretical technique that would allow encrypted data to be manipulated without decrypting it first.
158
Quantum computing
A theoretical technology that would use superposition of physical states to increase both computing capacity and encryption keyspace.
159
DLP / DRM
Every additional security measure might reduce a potential threat but definitely will reduce productivity and quality of service; there is always an overhead cost of security. DLP tools can function better if appropriate and accurate classification and labeling are applied throughout the environment on a consistent basis.
160
161
Risk
A vulnerability combined with a specific threat is defined as a risk.
162
Business impact analysis (BIA)
Business impact analysis (BIA) is designed to identify and ascertain the value of assets in addition to the critical paths and processes.
163
Mean time to repair (MTTR)
Mean time to repair (MTTR) is the time required to repair a device that has failed or is in need of repair. The term mean indicates the average time as opposed to the actual or past experiences.
164
annual loss expectancy (ALE)
The term that best describes the amount an organization should expect to lose on an annual basis due to one type of incident is annual loss expectancy (ALE) and is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE).
165
Heating, ventilation, and air-conditioning (HVAC)
Heating, ventilation, and air-conditioning (HVAC) systems separate the cool air from the heat caused by servers. They provide air management including racks with built-in ventilation or alternate cold/hot aisles.
166
Hot aisle containment
The configuration in which the backs of the devices face each other, so the ambient temperature in the work area is cool.
167
Cold aisle containment
Cold aisle containment is a configuration where the fronts of devices face each other.
168
Recovery point objective (RPO)
Recovery point objective (RPO) is a term used in BC and DR describing the tolerable amount of data that might be lost due to an outage before severe consequences are experienced.
169
The maximum tolerable downtime/maximum allowable downtime (MTD/MAD)
The maximum tolerable downtime/maximum allowable downtime (MTD/MAD) is a point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible.
170
SDN
SDN is the idea of separating the network control plane from the actual network forwarding plane. This allows for greater control over networking capabilities and for integration of such things as APIs. SDN is a means to centralize logical control of all networked nodes in the environment, abstracted from the physical connections to each.
171
In software-defined networking (SDN), the northbound interface (NBI)
The NBI usually handles traffic between the SDN controllers and SDN applications.
172
Single sign-on (SSO) federation
Single sign-on (SSO) is similar to federation, but it is limited to a single organization; federation is basically SSO across multiple organizations.
173
Cross-certification
The cross-certification federation model is also known as a web of trust.
174
liquid propane
Liquid propane does not spoil, which obviates the necessity for continually refreshing and restocking it and might make it more cost-effective.
175
UPS
The UPS is intended to last only long enough to save production data currently being processed. The exact quantity of time will depend on many variables and will differ from one datacenter to the next.
176
Line conditioning
A UPS can provide line conditioning, adjusting power so that it is optimized for the devices it serves and smoothing any power fluctuations; it does not offer any of the other listed functions.
177
Mobile cloud storage
Mobile cloud storage is defined as a form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.
178
The purpose of the transfer switch
The purpose of the transfer switch is to redirect power consumption from utility power to generator power; this should be done fast enough to ensure power is available when the batteries fail.
179
controls
Controls are mechanisms designed to restrict a list of possible actions down to allowed or permitted actions.
180
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is based on XML. HTTP is used for port 80 web traffic; HTML is used to present web pages.
181
Ping, Power, Pipe
Remote access for customers to racked devices in the data center; electrical utilities; connectivity to an Internet service provider (ISP)/the Internet.
182
Cloud Carrier
The ISP between the cloud customer and provider
183
Challenge of operating in the cloud is that additional controls must be placed on file storage systems
VMs are snapshotted and simply stored as files when they are not being used; an attacker who gains access to those file stores could ostensibly steal entire machines in highly portable, easily copied formats. Therefore, these cloud storage spaces must include a significant amount of controls.
184
Object storage
Snapshotted VM images are usually kept in object storage, as files.
185
Host escape
The situation in which a malicious user or attacker can exit the restrictions of a single host and access other nodes on the network.
186
Guest Escape
The situation in which a malicious user or attacker can exit the restrictions of a virtual machine (VM) and access another VM residing on the same host.
187
automation of configuration helps
A secure baseline configuration, applied and maintained automatically, ensures the optimum security footprint with the least attack surface.
188
Cross-certification federation model (web of trust)
The cross-certification federation model is also known as a web of trust. In a web of trust federation model, all of the participating organizations are identity providers; each organization will assign identity credentials to its own authorized users, and all the other organizations in the federation will accept those credentials. Service providers: each organization. Identity provider: each organization.
189
Proxy federation model
In the proxy federation model, the third party acts on behalf of the member organizations, reviewing each to ensure that they are all acceptable to the others.
190
cloud data center audit - Challenges
Cloud providers may be reluctant to grant physical access, even to their customers, on the assumption that allowing access would disclose information about security controls. In some cases, cloud customers won’t even know the location(s) of the data center(s) where their data is stored. A cloud audit will depend on which information a cloud provider discloses, which makes auditing difficult and less trustworthy. They frequently rely on third parties: because cloud audits are often the result of third-party assertions, recipients of cloud audit reports may be more skeptical of the results than they would have been of traditional audits, which the recipients may have performed firsthand.
191
Controls that would be useful to build into a virtual machine baseline image for a cloud environment
Automated vulnerability scan on system startup; automatic registration with the configuration management system.
192
Having your BC/DR backup stored with the same cloud provider as your production environment can help in
Having the backup within the same environment can allow easy rollback to a last known good state or to reinstantiate clean VM images after minor incidents (e.g., a malware infection in certain VMs).
193
The BC/DR plan/policy ( need not include)
You don’t need to include full copies of these governance documents. The plan should include: tasking for the office responsible for maintaining/enforcing the plan; contact information for essential entities, including BC/DR personnel and emergency services agencies; checklists for BC/DR personnel to follow.
194
Opportunity ...Risk
Risk should always be considered from a business perspective. Risk is often balanced by corresponding opportunity.
195
New risks in the cloud that do not affect the traditional, on-premises environment
Legal seizure of another firm’s assets; resource exhaustion; multitenancy.
196
Inference Attacks
While it is possible that one guest VM seeing the resource calls of another VM could possibly allow one guest to see the other’s data, it’s much more likely that a user seeing another user’s use of resources, rather than raw data, would allow the viewer to infer something about the victim’s behavior/usage/assets.
197
ENISA --IAM
According to ENISA, custom IAM builds can become weak if not properly implemented.
198
Credential revocation
Revoking credentials that might be lost when a device goes missing is a way to mitigate the possibility of those credentials being used by an unauthorized person.
199
RTO , MAD
The RTO must always be less than the MAD. The RTO is the measure of time after an interruption at which the company needs to resume critical functions; any service migration must take place within that time. RTOs vary for every organization; there is no set answer for all organizations. Specific RTO values might be correct for a given organization but incorrect in the general case, because it’s impossible to know an organization’s RTO without knowing more about the organization.
200
Social engineering - Pen testing
Cloud providers will probably not allow social engineering as part of a customer’s penetration test.
201
pen test, prosecution
A cloud customer performing a penetration test without the provider’s permission is risking prosecution. A penetration test requires the tester to analyze the security of an environment from the perspective of an attacker; this also includes actually taking action that would result in breaching that environment.
202
security controls, VM
Security controls operating on a guest VM OS are only active while the VM is active; when the VM is stored, it is snapshotted and saved as a file, so those controls won’t be active either.
203
Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment
Legal liability in multiple jurisdictions; loss of availability due to DDoS.
204
A virtual network interface card (NIC)
The virtualized NIC is part of the Data-Link layer.
205
CDN, SaaS
CDNs are often used in conjunction with SaaS services to deliver high-quality data of large sizes (often multimedia).
206
FM-200
FM-200 is used as a replacement for older Halon systems specifically because it (unlike Halon) does not deplete the ozone layer.
207
Converged networking model
Optimized for cloud deployments, the converged networking model combines the underlying storage and IP networks to maximize the benefits of a cloud workload.
208
DR Sites - Hot, cold, warm
Hot site: a fully functional data center that's usually kept ready around the clock. It's a near duplicate of an organization's primary site, with complete backups of user data and full computer systems. Hot sites are the most expensive option and are best for businesses with zero tolerance for downtime and data loss. Warm site: a data center that's equipped with some or all of the hardware, software, and network services found in a working data center, but doesn't have live data. Warm sites are a good option for businesses with a lower budget and a need for flexible and fast recovery. Cold site: an empty operational space with basic facilities like air conditioning, power, and communication lines. Cold sites have little or no equipment or hardware, and no network connectivity or data synchronization. Before a cold site can be used, backup data and additional hardware must be sent to the site and installed.
209
CDN - handles DDoS attacks
A content delivery network (CDN) run by a major provider can handle large-scale DDoS attacks more easily than any of the other solutions. Using DDoS mitigation techniques via an ISP is the next most useful capability, followed by both increases in bandwidth and increases in the number of servers in the web application cluster.
210
packet capture , most accurate reconstruction of user activity
Full packet capture provides the most accurate reconstruction of user activity, but it is costly to implement due to data storage requirements.
211
Two different cloud providers: what is the most significant risk of using one cloud provider for your operational environment and another for BC/DR backup/archive?
When using two different cloud providers, a cloud customer runs the risk that data/software formats used in the operational environment can't be readily adapted to the other provider's service, thus causing delays during an actual failover.
212
Organizational Normative Framework (ONF)
A framework of containers for all components of application security best practices, catalogued and leveraged by the organization.
213
APIs
A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool.
214
ONF - ANF
There is a one-to-many ratio of Organizational Normative Framework (ONF) to Application Normative Framework (ANF); each organization has one Organizational Normative Framework (ONF) and many ANFs (one for each application in the organization). Therefore, the Application Normative Framework (ANF) is a subset of the Organizational Normative Framework (ONF).
215
SAML
A standard for exchanging authentication and authorization data between security domains
216
The purpose and scope of International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27034-1
Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security
217
Database activity monitoring (DAM) can be
Host-based or network-based. A DAM can recognize and block malicious SQL traffic.
218
WAF - Layer 7
WAFs operate at Layer 7 of the OSI model.
219
DAST Fuzz testing
Test performed on an application or software product while it is being executed in memory in an operating system. Also called fuzz testing, dynamic testing methods should include known bad inputs in order to determine how the program will handle the “wrong” data (will it fail into a state that is less secure than normal operations, etc.).
220
Sandbox
A test environment that isolates untrusted code changes for testing in a nonproduction environment. Sandboxing is often used for testing applications in development or carving out resources that cannot then touch other parts of the same system. A sandbox can be used to run malware for analysis purposes as it won’t affect (or infect) the production environment; it’s worth noting, though, that some malware is sandbox-aware, so additional antimalware measures are advisable.
221
three types of training
Initial, Recurring, Refresher
222
Federation
Federation is an arrangement that can be made among multiple enterprises allowing them to use the same identification data to obtain access to all enterprises' resources within the group.
223
REST
Representational State Transfer (REST) relies on stateless, client-server, cacheable communications. It is a software architecture consisting of guidelines and best practices for creating scalable web services.
224
OpenID
OpenID is one form of authentication used to enable SSO and enables the user to log into more than one application or website using the same credentials.
225
Return on investment (ROI)
Return on investment (ROI) is a term used to describe a profitability ratio. It is generally calculated by dividing net profit by net assets.
226
A cross-site scripting (XSS)
A cross-site scripting (XSS) attack occurs when an application receives untrusted data and then sends it to a web browser without proper validation, allowing an attacker to execute scripts in the user's browser, hijack sessions, or engage in other malicious behavior. Mitigation techniques: put untrusted data in only allowed slots of HTML documents; HTML-escape when including untrusted data in any HTML elements; use attribute escaping when including untrusted data in attribute elements; use an auto-escaping template system; HTML-escape JSON values in an HTML context and read the data with JSON.parse; sanitize HTML markup with a library designed for the purpose.
227
Layer 7
API gateway; database; WAF.
228
Process isolation
Process isolation can reduce the possibility of side-channel attacks in an environment with shared resources.
229
ISO 27034 mandates a framework for application security within an organization
Organizational Normative Framework (ONF), Application Normative Framework (ANF)
230
RESTful responses can come from the server
Extensible Markup Language (XML), JavaScript Object Notation (JSON)
231
Data owners
The data owner is responsible for the disposition of the data under their control; this includes access decisions.
232
Forklifting
An informal industry term for moving applications from a traditional environment into the cloud.
233
Cloud migration
Cloud migration is the process of transitioning all or part of a company's data, applications, and services from onsite premises behind the firewall to the cloud. This enables information to be provided over the Internet on an on-demand basis.
234
OpenID Connect
OpenID Connect is a federation protocol that uses representational state transfer (REST) and JavaScript Object Notation (JSON); it was specifically designed with mobile apps in mind, instead of only web-based federation. WS-Federation is a federation protocol that is part of the WS-Security family of standards and reliant on Simple Object Access Protocol (SOAP).
235
Federated protocols: OAuth2, OpenID, SAML
Open federated protocols like SAML, OAuth 2.0, and OpenID Connect.
236
multifactor authentication
For high-risk operations and data that is particularly sensitive
237
The XML gateway
Which security tool can perform content inspection of Secure File Transfer Protocol (SFTP) communications? The XML gateway can provide this functionality; it acts as a reverse proxy and can perform content inspection on many traffic protocols.
238
Application virtualization can typically be used for
Running an application on an endpoint without installing it; running an application in a non-native environment.
239
TLS
TLS maintains the confidentiality and integrity of communications, often between a web browser and a server. TLS uses symmetric key crypto for each communications session in order to secure the connection; the session key is uniquely generated each time a new connection is made.
240
Vulnerability scans: vulnerability signatures
Vulnerability scans use signatures of known vulnerabilities to detect and report those vulnerabilities.
241
DAST : SAST:
DAST: path coverage. SAST: code coverage.
242
Tokenization
Compliance with the Payment Card Industry Data Security Standard (PCI DSS). By offloading privacy data to a tokenizing third party, merchants can free themselves of the contractual burdens for protecting cardholder data at rest.
243
A cloud-based sandbox should not be used for ...
Installing malware on systems owned by someone else may be illegal in many jurisdictions. While on-premises sandboxes are fine for this purpose, it may be a felony if performed in the cloud.
244
ISO 27034
ISO 27034 addresses the sets of controls used in software throughout the environment.
245
Open source; open source review
Open source software includes programs where customers (or even the public) can view the software’s source code. Open source review can detect flaws/programming defects that a structured testing method might not.
246
247
REST
REST calls web resources by using uniform resource identifiers (URIs).
248
The Agile method
The Agile method reduces the dependence and importance of documentation in favor of functioning software versions.
249
Threat modelling: STRIDE, DREAD, ATASM, PASTA
Threat modeling methodologies include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege), DREAD (Damage, Reproducibility, Exploitability, Affected Users, and Discoverability), ATASM (Architecture, Threats, Attack Surfaces, and Mitigations), and PASTA (Process for Attack Simulation and Threat Analysis).
250
Overview of the CSA STAR framework
The STAR program's open certification framework contains three levels: self-assessment (Level 1), third-party audit (Level 2), and continuous auditing (Level 3).
251
252
Which SOC report subtype represents a point in time (Type 1), and which spans a period of time (Type 2)?
An SOC Type I report is designed around a specific point in time as opposed to a report of effectiveness over a period of time. An SOC Type II report is designed around a period of time as opposed to a specific point in time.
253
The doctrine of the proper law
The doctrine of the proper law refers to how jurisdictional disputes are settled.
254
The silver platter doctrine
The silver platter doctrine allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without a warrant or a court order.
255
The doctrine of plain view
The doctrine of plain view allows law enforcement to act on probable cause when evidence of a crime is within their presence.
256
The Restatement (Second) Conflict of Law
The Restatement (Second) Conflict of Law is the basis used for determining which laws are most appropriate in a situation where conflicting laws exist.
257
The Stored Communication Act (SCA)
The Stored Communication Act, passed in 1995, is old, in bad need of updating, and unclear with regard to newer technologies.
258
KRI stands for key risk indicator.
KRI stands for key risk indicator. KRIs are, if you will, the red flags in the world of risk management. When these change, they indicate something is amiss and should be looked at quickly to determine if the change is minor or indicative of something important.
259
International Organization for Standardization (ISO) 31000:2009: design, implementation, and management
International Organization for Standardization (ISO) 31000:2009 specifically focuses on design, implementation, and management.
260
International Organization for Standardization (ISO) 27017 cloud specific security controls
International Organization for Standardization (ISO) 27017 is about cloud-specific security controls.
261
ISO 27050 - eDiscovery
ISO 27050 is an industry standard that provides guidance for eDiscovery programs.
262
263
National Institute of Standards and Technology (NIST) 800-92 Log management
National Institute of Standards and Technology (NIST) 800-92 is about log management.
264
ENISA - the top 8 security risks based on likelihood and impact.
European Union Agency for Network and Information Security (ENISA) identifies 35 types of risks organizations should consider and goes further by specifically identifying the top eight security risks based on likelihood and impact.
265
International Organization for Standardization (ISO)/International electrotechnical commission (IEC) 28000:2007
Addresses security risks in a supply chain.
266
International Organization for Standardization (ISO) 31000:2009
International Organization for Standardization (ISO) 31000:2009 is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices.
267
National Institute of Standards and Technology (NIST) SP 800-37
National Institute of Standards and Technology (NIST) SP 800-37 is the Guide for Implementing the Risk Management Framework (RMF), a methodology for handling all organizational risk in a holistic, comprehensive, and continual manner.
268
KPIs, KRIs
Key risk indicators (KRIs) try to predict future risk, while key performance indicators (KPIs) examine events that have already happened.
269
Cloud Security Alliance Cloud Controls Matrix (CCM)
An inventory of cloud service security controls that are arranged into separate security domains
270
The acceptable use policy (AUP)
The acceptable use policy (AUP) is designed to make clear to employees what is acceptable as well as unacceptable use of company-owned computing equipment and data such as email.
271
ISO 20000-1
ISO 20000-1 describes service management. ISO 27001 describes an information security management system. ITIL is not an ISO standard, nor is COBIT—in fact, they're their own standards.
272
ISO 27001
ISO 27001 describes an information security management system (ISMS) as a set of interrelated elements that organizations use to manage and control information security risks to protect and preserve the confidentiality, integrity, and availability of information.
273
ISO/IEC 27037:2012
An ISO standard for collecting, preserving, and identifying electronic evidence.
274
The Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
275
ISO - Common criteria
ISO publishes and maintains the Common Criteria program.
276
Diffie-Hellman, RADIUS, RSA, TACACS
The Diffie-Hellman key exchange process is designed to allow two parties to create a shared secret (symmetric key) over an untrusted medium. RADIUS is an outmoded access control service for remote users. RSA is an encryption scheme. TACACS is a network access protocol set used through a centralized server.
277
The Organisation for Economic Cooperation and Development (OECD) privacy principles: the collection limitation principle; the data quality principle; the purpose specification principle; the use limitation principle; the security safeguards principle; the openness principle
The collection limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict data collection to only information that is necessary for the transaction, and only with the knowledge and permission of the individual. The data quality principle requires any entity that gathers PII about a person to ensure that the data remains valid and accurate and allows for corrections by the data subject. The purpose specification principle requires any entity that gathers PII about a person to clearly state the explicit purpose for which the PII will be used. The use limitation principle requires any entity that gathers PII about a person to restrict the use of that PII to that which was permitted by the data subject and the reason given when it was collected. The security safeguards principle requires any entity that gathers PII about a person to protect that data against unauthorized access and modification. The openness principle requires any entity that gathers PII about a person to allow that person to access the information.
278
The Privacy Shield program is
Voluntary for non–European Union (EU) entities
279
Department of Commerce
The Department of Commerce manages the Privacy Shield program in the United States; the Departments of State and Interior do not. There is no Department of Trade.
280
ISO 27001, 27002; NIST SP 800-53, NIST SP 800-37
The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001. NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37.
281
The EuroCloud Star Audit (ECSA) program
282
The silver platter doctrine
The silver platter doctrine allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without a warrant or a court order.
283
File hashes
File hashes can serve as integrity checks for both configuration management (to determine which systems are not configured to the baseline) and audit purposes (as artifacts/common builds of systems for audit review).
284
The Reporting phase of forensic investigation -- The court
The Reporting phase of forensic investigation usually involves presenting findings to the court.
285
Federal Trade Commission (FTC)
The FTC is in charge of the Privacy Shield program.
286
The Capability Maturity Model (CMM)
The CMM is a way of determining a target’s maturity in terms of process documentation and repeatability.
287
How many controls are listed in the PCI DSS - over 200
The PCI DSS is extremely thorough and wide reaching. Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier. All PCI DSS–compliant merchants must meet all the control and audit requirements of the standard.
288
Patent, copyright, trademark, trade secret: validity period
Patent: 20 years. Copyright: life of the author + 70 years; copyrights expire after a certain duration and then fall into the public domain, where they can be used by anyone for any purpose. Trademark: 10 years from the date of registration, with a potentially unlimited number of 10-year renewal terms; renew it with the U.S. Patent and Trademark Office (USPTO). Trade secrets: unlike patents, which typically have a shelf life of twenty years, trade secrets last indefinitely, as long as the secret can be kept.
289
ISO 31000, NIST 800-37 - RMF (Risk management frameworks)
Both ISO 31000 and National Institute of Standards and Technology (NIST) 800-37 are risk management frameworks.
290
The Cloud Security Alliance - CSA
The Cloud Security Alliance is a volunteer organization that includes members from various industries and sectors and is focused on cloud computing. It relies largely on member participation for developing standards.
291
Cloud Security Alliance Cloud Controls Matrix (CSA CCM) - TOOL
The Cloud Controls Matrix is an excellent tool for determining completeness and possible replication of security controls.
292
Civil Suit
Intellectual property disputes are usually settled in civil court, as a conflict among private parties.
293
Trademark protection
Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body. In the case of conflicting usage (or infringement), courts will take many criteria into account, including which party has first claim on the trademark (that is, who used it the longest), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth. But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question.
294
which elements are appropriate to include in a service-level agreement (SLA)
SLA elements should be objective, numeric values, for repeated activity. Eg: The specific amount of data that can be uploaded to the cloud environment in any given month
295
Criminal law
Criminal law is set out in rules and statutes created by a government, prohibiting certain activities as a means of protecting the safety and well-being of its citizens. Violations generally consist of both monetary and/or loss of liberty punishments.
296
Tort law
Tort law refers to the body of laws that provide remedies to individuals who have been caused harm by the unreasonable acts of others. Negligence is the most common type of tort lawsuit.
297
Spoliation
Spoliation is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the grounds for another lawsuit.
298
The Digital Millennium Copyright Act (DMCA)
The DMCA criminalizes the production or dissemination of technology, devices, or services intended to circumvent copyright techniques used to protect digital media such as video and audio recordings; this includes some decryption tools.
299
Discovery tool
Typically, a discovery tool is a primary component of a DLP solution. It might be employed for the purpose of identifying and collecting pertinent data.
300
Contracts
Contracts are agreements between parties to exchange goods and services.
301
Extradition
The legal practice of removing a suspect from one jurisdiction to another in order for the suspect to face prosecution for violating laws in the latter.
302
International Organization for Standardization (ISO) 31000:2009
Focuses on design, implementation, and management.
303
The Privacy Shield program is
Voluntary for non–European Union (EU) entities
304
The AICPA, the OECD, and the EU GDPR have all outlined certain basic expectations
The AICPA, the OECD, and the EU have all outlined certain basic expectations for entities that are privacy data controllers; these expectations are extremely similar in the documentation produced by all three.
305
One of the characteristics the OECD suggests that privacy laws include is the
Purpose specification principle; use limitation principle
306
Cryptography for the two main types of APIs
Cryptography for the two main types of APIs is required; this is TLS for representational state transfer (REST) and message-level encryption for Simple Object Access Protocol (SOAP).
307
SLA Elements
SLA elements should be objective, numeric values, for repeated activity.
308
Private cloud
Your company operates under a high degree of regulatory scrutiny
309
Acquiring and managing software licenses: SaaS, PaaS
The customer is still responsible for some software licensing and maintenance activities (and therefore costs) in infrastructure as a service (IaaS) and platform as a service (PaaS) models; In a software as a service (SaaS) model, the cloud provider is tasked with acquiring and managing the software licenses; the scale of a cloud provider’s operations can allow them to reduce the per-seat cost of software considerably.
310
DC Tier 1
For contingency backup and archiving purposes, a Tier 1 data center should suffice; it is the cheapest, and you need it only for occasional backup purposes (as opposed to constant access). The details of location and market are irrelevant. Tier 1: to support an organization that wants to conduct IT operations. Tier 1 data centers are expected to help protect against human error, not outages or disasters. They're also expected to have redundancy for chillers, pumps, UPS devices, and generators but are likely to have to shut down for maintenance activities.
311
DC Tier 2:
Tier 2 facilities provide more redundancy than Tier 1 facilities. Tier 2 facilities are intended to ensure that critical operations are not interrupted due to planned maintenance.
312
DC Tier 3:
The Tier 3 design is known as a “concurrently maintainable site infrastructure.” As the name indicates, the facility features both the redundant capacity components of a Tier 2 build and the added benefit of multiple distribution paths, where only a sole path is needed to serve critical operations at any given time.
313
DC Tier 4:
Tier 4 data centers are the highest level described by the Uptime Institute. They have independent and physically isolated systems providing redundancy and resiliency at both the component and distribution path levels, ensuring that events that compromised one system would not take out the redundant system.
314
Data Center Tier
Uptime percentage: Tier 1: 99.671%; Tier 2: 99.741%; Tier 3: 99.982%; Tier 4: 99.995%
315
Your company will not be allowed to use a cloud data center in which of the following countries? (if EU data is there)
South Korea; the United States
316
Community cloud
company’s collaboration needs.
317
Private cloud
highly sensitive industries, including aerospace and pharmaceuticals.
318
TCI
The TCI does not, specifically, require cost-effectiveness of cloud services.
319
Risk in managed cloud env
Management plane breach allows an attacker to gain full control of the environment and can affect all aspects of the CIA triad.
320
Private cloud storage
One type of cloud storage wherein cloud and enterprise storage both reside inside the enterprise behind the firewall.
321
Public cloud storage
This form of cloud storage involves the enterprise and storage service being separate, with data stored outside the confines of the enterprise environment.
322
Mobile cloud storage
This form of cloud storage applies to storing mobile device data in the cloud while providing access to the stored data from anywhere.
323
Enterprise risk management
A set of processes and structures used to effectively manage all risks to an enterprise.
324
Which of the following circumstances would not commonly result from humidity issues?
Situations where humidity is too high may result in the buildup of moisture and corrosion of equipment. If humidity falls too low, it may result in static electricity issues. Humidity issues generally do not contribute to fires or physical access control failures.
325
Inert gas systems
Inert gas systems use no water and are unlikely to damage sensitive electronic equipment, even if discharged. Wet pipe, dry pipe, and preaction systems all use water and may damage or destroy electronic equipment if activated or damaged.
326
Which one of the following hash algorithms would not trigger this vulnerability? MD4, MD5, SHA-1, SHA-256
To be used in a secure manner, certificates must take advantage of a hash function that is not prone to collisions. The MD2, MD4, MD5, and SHA-1 algorithms all have demonstrated weaknesses and would trigger a vulnerability. The SHA-256 algorithm is still considered secure.
327
Asymmetric encryption: public/private key; the receiver uses their own private key to decrypt
The recipient of a message encrypted using an asymmetric encryption algorithm decrypts that message using their own private key. Therefore, Alice should use her own private key to decrypt the message that Bob encrypted using Alice's public key.
328
Minimum amount of time to expect a UPS to provide power to the systems in the datacenter: 10 minutes
The purpose of an uninterruptible power supply (UPS) is to provide power to systems for a short period of time. It provides immediate backup power from a battery that should be quickly replaced by long-term backup power from a generator or similar source. For this reason, you should only expect the UPS to last for about 10 minutes.
329
For IRM: digital certificate revocation, 2 ways: Online Certificate Status Protocol (OCSP), which is faster; adding the certificate to a Certificate Revocation List (CRL)
There are two possible techniques for revoking a digital certificate: updating the certificate's status using the Online Certificate Status Protocol (OCSP) and adding the certificate to a Certificate Revocation List (CRL). Of these, OCSP provides faster updates and is the preferred method. It is not possible to change the public or private keys associated with an existing digital certificate.
330
Ephemeral storage: Terminating a server completely deletes it and the ephemeral storage.
Ephemeral storage is temporary storage associated with a server instance. It will be deleted if the server is terminated, but it will not be deleted if the server is simply stopped or rebooted. Stopping a server allows it to be restarted at a later time, which requires access to the ephemeral storage. Terminating a server completely deletes it and the ephemeral storage.
331
Tokenization
Tokenization is an approved alternative to encryption for complying with Payment Card Industry (PCI) requirements.
332
RAID: business continuity action. Disaster recovery actions: restoring from backup tapes, relocating to a cold site, and restarting business operations
RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.
333
SOAP - Interoperability
SOAP uses an XML-based approach to interoperability, allowing systems to interact more easily.
334
VLAN Characteristics
Broadcast packets sent by a machine inside the VLAN will reach all other machines in that VLAN. Broadcast packets sent from a machine outside the VLAN will not reach machines inside the VLAN. Broadcast packets sent by a machine inside the VLAN will not reach machines outside the VLAN.
335
Goal of a site survey
Threat definition; target identification; facility characteristics
336
Access control to virtualization management tools should be
Role-based
337
Synthetic performance monitoring may be preferable to real-user monitoring (RUM) because
Synthetic agents can simulate user activity in a much faster, broader manner and perform these actions 24/7 without rest.
338
Inference
Inference is an attack strategy, not a reason for implementing tokenization. All the other answers are good reasons to implement tokenization, and they are therefore not correct.
339
Negative aspects of bit-splitting
It may require trust in additional third parties beyond the primary cloud service provider. Significantly greater processing overhead. Some risk to availability, depending on the implementation.
340
Agile analytics/business intelligence
A data discovery approach that offers insight into trends of trends, using both historical and predictive approaches.
341
Real-time analytics
A data discovery approach used by e-commerce retailers to discern and predict shoppers’ needs.
342
Tools that might be useful in data discovery efforts based on content analysis
Egress monitoring solutions
343
Hashing
A cryptographic one-way function applied to data in a database to allow it to be referenced without using the actual data.
344
Service Provider Engineers
management plane of a cloud datacenter
345
XML Firewall
SAML is an XML-based protocol, and Kristen knows that an XML firewall that is SAML-aware with appropriate rules for identity-based protection would be her best option. IDS systems cannot rate-limit even if they are SAML-aware. WAFs are designed for web applications rather than specifically for XML and SAML-based filtering, and a DAM is a database-specific tool.
346
ASVS application security verification standard
ASVS uses a three-level code validation assurance level model, with level 3 requiring critical applications to meet in-depth validation and testing requirements.
347
Virtual TPM boot security
A virtual trusted platform module (vTPM) is the only solution that will meet Jack's needs. HSMs (hardware security modules) are used to create, store, and manage secrets, including cryptographic keys and certificates, but aren't used for boot security.
348
ISO ISAE SSAE
ISO 20000-1: describes service management.
ISO 27001: information security management system (ISMS), the organisation’s entire security program, cyber security control objectives.
ISO 27002: covers cybersecurity control implementation.
ISO 27017: designed for cloud service providers.
ISO 27018: describes privacy requirements for cloud providers.
ISO 27034: mandates a framework for application security within an organization (ONF, ANF).
ISO 27037: collecting, preserving, and identifying electronic evidence.
ISO 27050: guidance for eDiscovery programs.
ISO 27701: industry standard guidance for information privacy programs.
ISO 28000: specifies security management systems.
ISO 31000: focuses on design, implementation, and management.
ISAE 3402: International Standard on Assurance Engagements.
ISAE 3410: Assurance Engagements on Greenhouse Gas Statements.
SSAE 16, SSAE 18: Statement on Standards for Attestation Engagements 18 is a set of auditing standards that help businesses evaluate the controls of their service providers.