LearnZapp Practice 4 Flashcards

1
Q

Access should be granted based on all of the following except _______

A. Policy
B. Business needs
C. Performance
D. Acceptable risk

A

C. Performance

Explanation:
Performance should not determine who gets access to which data

2
Q

Which of the following methods of addressing risk is most associated with insurance?

A. Transference
B. Avoidance
C. Acceptance
D. Mitigation

A

A. Transference

Explanation:
Avoidance halts the business process, mitigation entails using controls to reduce risk, acceptance involves taking on the risk, and transference usually involves insurance

3
Q

Which security technique is most preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele?

A. Anonymization
B. Masking
C. Encryption
D. Training

A

B. Masking

Explanation:
Masking allows customer service representatives to review clients' sales and account information without revealing the entirety of those records

4
Q

In order for American companies to process personal data belonging to EU citizens, they must comply with the Privacy Shield program. The program is administered by the US Department of Transportation and the ____________

A. US State Department
B. Fish and Wildlife
C. Federal Trade Commission
D. Federal Communications Commission (FCC)

A

C. Federal Trade Commission

Explanation:
The FTC is the local US enforcement arm for most Privacy Shield activity

5
Q

Which type of web application monitoring most closely measures actual activity?

A. Synthetic performance monitoring
B. Real user monitoring
C. SIEM
D. DAM

A

B. Real user monitoring

Explanation:
RUM harvests information from actual user activity, making it the most realistic depiction of user behavior

6
Q

Which of the following is a risk posed by the use of virtualization?

A. Internal threats interrupting service through physical accidents
B. The ease of transporting stolen virtual images
C. Increased susceptibility of virtual systems to malware
D. Electromagnetic pulse

A

B. The ease of transporting stolen virtual images

Explanation:
Because virtual machines are stored as image files, an attacker able to access the stored files would have a

7
Q

Your company operates in a highly cooperative market, with a high degree of information sharing between participants. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company's collaboration needs. Which deployment model would best suit the company's needs?

A. Public
B. Private
C. Community
D. Hybrid

A

C. Community

Explanation:
A community cloud entails all participants having some degree of ownership and responsibility for the cloud environment; this is the preferred model for cooperative ownership and collaboration among a group with a shared

8
Q

An event is something that can be measured within the environment. An incident is a ___________ event

A. Deleterious
B. Negative
C. Unscheduled
D. Major

A

C. Unscheduled

Explanation:
All the activity in the environment can be considered events. Any event that was not planned or known is an incident. In the security industry, we often ascribe negative effects to the term incident, but incidents are not always malicious

9
Q

Why is the deprovisioning element of the identification component of identity and access management so important?

A. Extra accounts cost so much extra money
B. Open but assigned accounts are vulnerabilities
C. User tracking is essential to performance
D. Encryption has to be maintained

A

B. Open but assigned accounts are vulnerabilities

Explanation:
Unused accounts that remain open can serve as attack vectors

10
Q

According to the CSA, which of the following is not an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider?

A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment
B. Reviewing all contract elements to appropriately define each party's roles, responsibilities and requirements
C. Assessing the provider's financial standing and soundness
D. Vetting the cloud provider's administrators and personnel to ensure the same level of trust as the legacy environment

A

D. Vetting the cloud provider's administrators and personnel to ensure the same level of trust as the legacy environment

Explanation:
The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control

11
Q

A host-based firewall in a virtualized cloud environment might have aspects of all the following types of controls except ________

A. Administrative
B. Deterrent
C. Corrective
D. Preventive

A

B. Deterrent

Explanation:
A firewall uses aspects of administrative controls. The firewall policy is a set of rules that dictate the type of traffic and source/destination of that traffic

12
Q

What is an important term in the field of data forensics that refers to maintaining control of evidence?

A. eDiscovery
B. Probable cause
C. Chain of custody
D. The Doctrine of Property

A

C. Chain of custody

Explanation:
Chain of custody refers to documenting control of evidence from the time it is collected until it is presented to the court

13
Q

Which of the following factors would probably most affect the design of a cloud data center?

A. Geographic location
B. Functional purpose
C. Cost
D. Aesthetic intent

A

A. Geographic location

Explanation:

14
Q

APIs are defined as which of the following?

A. A set of protocols and tools for building software applications to access a web based software application or tool
B. A set of standards for building software applications to access a web based software application or tool
C. A set of routines, standards, protocols and tools for building software applications to access a web based software application or tool
D. A set of routines and tools for building software applications to access web based software applications

A

C. A set of routines, standards, protocols and tools for building software applications to access a web based software application or tool

Explanation:

15
Q

Dynamic software security testing should include _________

A. Source code review
B. User training
C. Pentest
D. Known bad data

A

D. Known bad data

Explanation:
Also known as fuzz testing, dynamic methods should include known bad inputs in order to determine how the program will handle the wrong data

16
Q

Which of the following best describes data masking?

A. A method where the last few numbers in a dataset are not obscured. These are often used for authentication
B. A method for creating similar but inauthentic datasets used for software testing and user training
C. A method used to protect prying eyes from data such as social security numbers and credit card data
D. Data masking involves stripping out all similar digits in a string of numbers so as to obscure the original number

A

B. A method for creating similar but inauthentic datasets used for software testing and user training

Explanation:

17
Q

Where should multiple egress points be included?

A. At the power distribution substation
B. Within the data center
C. In every building on the campus
D. In the security operations center

A

C. In every building on the campus

Explanation:
Health and human safety is a paramount goal of security

18
Q

Which of the following best represents the REST approach to APIs?

A. Built on protocol standards
B. Lightweight and scalable
C. Relies heavily on XML
D. Only supports XML output

A

B. Lightweight and scalable

Explanation:

19
Q

The EU, with its implementation of privacy directives and regulations, treats individual privacy as _______

A. A passing fad
B. A human right
C. A legal obligation
D. A business expense

A

B. A human right

Explanation:

20
Q

What artifact, which should already exist within the organization, can be used to determine the critical assets necessary to protect in the BCDR activity?

A. Quantitative risk analysis
B. Qualitative risk analysis
C. Business impact analysis
D. Risk appetite

A

C. Business impact analysis

Explanation:
The BIA is designed for this purpose: to determine the critical path of assets/resources/data within the organization

21
Q

Which of the following is not a risk management framework?

A. NIST SP 800-37
B. ENISA
C. KRI
D. ISO 31000-2009

A

C. KRI

Explanation:
Key risk indicators are useful but they are not a framework

22
Q

Which of the following is not a factor an organization might use in the cost benefit analysis when deciding whether to migrate to a cloud environment?

A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected

A

D. Branding associated with which cloud provider might be selected

Explanation:
The brand associated with the cloud provider should not influence the cost-benefit analysis

23
Q

Which of the following best describes the Organizational Normative Framework?

A. A container for components of an application's security, best practices, catalogued and leveraged by the organization
B. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization
C. A set of application security and best practices catalogued and leveraged by the organization
D. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization

A

B. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization

Explanation:

24
Q

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?

A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3

A

D. SOC 3

Explanation:
The SOC 3 is the least detailed, so the provider is not concerned about revealing it

25
Q

REST is best described by which of the following?

A. Relies on stateful communications
B. Does not require caching
C. Does not rely on best practices for web services
D. Relies on stateless, client server, cacheable communications

A

D. Relies on stateless, client server, cacheable communications

Explanation:
REST relies on stateless, client-server, cacheable communications. It is a software architecture consisting of guidelines and best practices for creating scalable web services

26
Q

What should be the primary focus of datacenter redundancy and contingency planning?

A. Critical path/operations
B. Health and human safety
C. Infrastructure supporting the production environment
D. Power and HVAC

A

B. Health and human safety

Explanation:
Regardless of the tier level or purpose of any datacenter, design focus for security should always consider health and human safety paramount

27
Q

Which of the following is not typically included as a basic phase of the SDLC?

A. Define
B. Design
C. Describe
D. Develop

A

C. Describe

Explanation:
Describe is not a common phase in the SDLC

28
Q

Which of the following is a good business case for the use of data masking?

A. The shipping department should get only a masked version of the customer's address
B. The customer service department should get only a masked version of the customer's social security number
C. The billing department should get only a masked version of the customer's credit card number
D. The HR department should get only a masked version of the employee's driver's license number

A

B. The customer service department should get only a masked version of the customer's social security number

Explanation:
The customer service reps may need to see a partial version of the customer's SS number to verify that the customer is who they claim to be, but that representative does not need to see the full number, which would create an unnecessary risk

29
Q

Anonymization is the process of removing _____ from data sets

A. Access
B. Cryptographic keys
C. Numeric values
D. Identifying information

A

D. Identifying information

Explanation:
Anonymization is the process of removing identifiers from data sets so that data analysis tools and techniques cannot be used by malicious entities to divine personal or sensitive data from non-sensitive aggregated data sets. All the other answers are incorrect because they are not part of the anonymization process

30
Q

What does the doctrine of the proper law refer to?

A. How jurisdictional disputes are settled
B. The law that is applied after the first law is applied
C. The determination of what law will apply to a case
D. The proper handling of eDiscovery materials

A

A. How jurisdictional disputes are settled

Explanation:
The doctrine of the proper law refers to how jurisdictional disputes are settled

31
Q

Which of the following best describes SAST?

A. A set of technologies that analyze application source code and byte code for coding and design problems that would indicate a security problem or vulnerability
B. A set of technologies that analyze byte code and binaries for coding and design problems that would indicate a security problem or vulnerability
C. A set of technologies that analyze application source code, byte code and binaries for coding and design problems that would indicate a security problem or vulnerability
D. A set of technologies that analyze application source code for coding and design problems that would indicate a security problem or vulnerability

A

C. A set of technologies that analyze application source code, byte code and binaries for coding and design problems that would indicate a security problem or vulnerability

Explanation:
All of the possible answers are good and, in fact, correct; however, C is the most complete and therefore the best answer

32
Q

Lack of industry-wide standards for cloud computing creates a potential for ______

A. Privacy data breach
B. Privacy data disclosure
C. Vendor lock-in
D. Vendor lock-out

A

C. Vendor lock-in

Explanation:
Without uniformity of data formats and service mechanisms, there is no assurance that a customer would be able to easily move their cloud operation from one provider to another; this can result in lock-in

33
Q

If personal financial account reviews are performed as an additional review control for privileged users, which of the following characteristics is least likely to be a useful indicator for review purposes?

A. Too much money in the account
B. Too little money in the account
C. The bank branch being used by the privileged user
D. Specific senders/recipients

A

C. The bank branch being used by the privileged user

Explanation:
Which bank branch a privileged user frequents is unlikely to be of consequence. Too much money can indicate that the privileged user is accepting payment from someone other than the employer

34
Q

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except:

A. Access to audit logs and performance data
B. SIM, SIEM and SEM logs
C. DLP solution results
D. Security control administration

A

D. Security control administration

Explanation:
While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer

35
Q

To deploy a set of microservices to clients instead of building one monolithic application, it is best to use an ______ to coordinate client requests

A. XML Gateway
B. API Gateway
C. WAF
D. DAM

A

B. API Gateway

Explanation:
An API Gateway translates requests from clients into multiple requests to many microservices and delivers the content as a whole via an API it assigns to that client/session

36
Q

What is the intellectual property protection for the tangible expression of a creative idea?

A. Copyright
B. Patent
C. Trademark
D. Trade secret

A

A. Copyright

Explanation:
Copyrights are protected tangible expressions of creative works

37
Q

Privileged user (administrators, managers and so forth) accounts need to be reviewed more closely than basic user accounts. Why is this?

A. Privileged users have more encryption keys
B. Regular users are more trustworthy
C. There are extra controls on privileged user accounts
D. Privileged users can cause more damage to the organization

A

D. Privileged users can cause more damage to the organization

Explanation:
The additional capabilities of privileged users make their activities riskier to the organization, so these accounts bear extra review

38
Q

Tokenization is a method of obscuring data that, other than encryption, can be used to comply with ______ standards

A. GLBA
B. PCI
C. COPA
D. SOX

A

B. PCI

Explanation:
PCI requires that credit card numbers and other cardholder data be obscured when stored for any length of time

39
Q

Patching can be viewed as a configuration modification and therefore subject to the organization's configuration management program and methods. What may also be an aspect of patching in terms of configuration management?

A. Patching doesn't need to be performed as a distinct effort; patching can go through the normal change request process like all other modifications
B. Any patches suggested or required by vendors to maintain compliance with service contracts must be made immediately regardless of internal process restrictions
C. Any patches suggested by third parties should not be considered as they may invalidate service contracts or warranties
D. The configuration or change management committee or board may grant blanket approval for patches (at a certain impact level) without the need to go through the formal change process

A

D. The configuration or change management committee or board may grant blanket approval for patches (at a certain impact level) without the need to go through the formal change process

Explanation:
In order to ensure timely application of patches, patching may receive blanket approval and only be reviewed by the committee or board after the fact for final approval

40
Q

All of the following techniques are used in OS hardening except _______

A. Removing default accounts
B. Disallowing local save of credentials
C. Removing unnecessary services
D. Preventing all administrative access

A

D. Preventing all administrative access

Explanation:
Administrative access may be limited but not prevented

41
Q

Access control to virtualization management tools should be ______

A. Rule based
B. Role based
C. User based
D. Discretionary

A

B. Role based

Explanation:
It is important to limit access to the virtualization toolset to those admins, engineers and architects who are vital for supporting the virtualized environment and nobody else

42
Q

Which of the following best describes the purpose and scope of ISO 27034-1?

A. Describes international privacy standards for cloud computing
B. Provides an overview of application security that introduces definitive concepts, principles and processes involved in application security
C. Serves as a newer replacement for NIST 800-53 r4
D. Provides an overview of network and infrastructure security designed to secure cloud applications

A

B. Provides an overview of application security that introduces definitive concepts, principles and processes involved in application security

Explanation:
Option B is a description of the standard; the others are not

43
Q

All of the following can be used to properly apportion cloud resources except _______

A. Reservations
B. Shares
C. Cancellations
D. Limits

A

C. Cancellations

Explanation:
Cancellations is not a term used to describe a resource allotment method

44
Q

According to the (ISC)² Cloud Secure Data Life Cycle, which phase comes immediately before the Share phase?

A. Create
B. Destroy
C. Use
D. Encrypt

A

C. Use

Explanation:
Create, Store, Use, Share, Archive, Destroy

45
Q

Which of the following cloud environment accounts should only be granted on a temporary basis?

A. Remote users
B. Senior management
C. Internal users
D. External vendors

A

D. External vendors

Explanation:
If external vendors need access to the cloud environment, that access should only be granted on an extremely limited and temporary basis

46
Q

Which are the two most widely used API formats?

A. SOAP and REST
B. DAST and SAST
C. GLBA and PCI
D. ONF and ANF

A

A. SOAP and REST

Explanation:
APIs are a set of routines, standards, protocols and tools for building software applications to access a web based software app or tool

47
Q

Which of the following is not a way to apportion resources in a pooled environment?

A. Reservations
B. Limits
C. Tokens
D. Shares

A

C. Tokens

Explanation:
Tokenization is a method for obscuring or protecting data using two distinct databases, not a resource allocation method

48
Q

Which of the following is not a method for reducing the risk of XSS attacks?

A. Put untrusted data in only allowed slots of HTML documents
B. HTML escape when including untrusted data in any HTML elements
C. Use the attribute escape when including untrusted data in attribute elements
D. Encrypt all HTML documents

A

D. Encrypt all HTML documents

Explanation:
In many cases, HTML documents are meant to be seen by the public or new users who do not yet have the trust associations (accounts) with the organization, so encrypting every HTML document would be counter to the purpose. Moreover, total encryption of everything, even material that is not particularly sensitive or valuable, incurs an additional cost with no appreciable benefit

49
Q

A generator transfer switch should bring backup power online within what time frame?

A. 10 seconds
B. Before the recovery point objective is reached
C. Before the UPS duration is exceeded
D. Three days

A

C. Before the UPS duration is exceeded

Explanation:
Generator power should be online before battery backup fails. The specific amount of time will vary between datacenters

50
Q

A group of clinics decides to create an identification federation for their users (medical providers and clinicians). In this federation, all of the participating organizations would need to be in compliance with which US federal regulation?

A. GLBA
B. FMLA
C. PCI DSS
D. HIPAA

A

D. HIPAA

Explanation:
While it's likely the participating organizations will be subject to other federal regulations, HIPAA covers electronic patient info.

51
Q

Which of the following frameworks identifies the top 8 security risks based on likelihood and impact?

A. NIST 800 53
B. ISO 27000
C. ENISA
D. COBIT

A

C. ENISA

Explanation:
ENISA specifically identifies the top 8 security risks based on likelihood and impact

52
Q

The field of digital forensics does not include the practice of securely ________ data

A. Collecting
B. Creating
C. Analyzing
D. Presenting

A

B. Creating

Explanation:
With rare exceptions, digital forensics does not include creation of data (other than forensic reports regarding the analysis of data). While this could arguably be considered an aspect of digital forensics as well, the other options are more suited to describing digital forensics.

53
Q

Which of the following is not a risk management framework?

A. Hex GBL
B. COBIT
C. NIST SP 800-37
D. ISO 31000-2009

A

A. Hex GBL

Explanation:
Hex GBL is a reference to a computer part

54
Q

Which of the following is an attack vector that should be specifically addressed in PaaS environments?

A. Fire
B. Insider threat
C. SQL Injection
D. Physical intrusion

A

C. SQL Injection

Explanation:
PaaS environments often include databases; SQL injection is a common form of attacking databases.

55
Q

Data dispersion provides protection for all the following security aspects except ___________

A. Protecting confidentiality against external attack on the storage area
B. Loss of availability due to single storage device failure
C. Loss due to seizure by law enforcement in a multitenant environment
D. Protecting against loss due to user error

A

D. Protecting against loss due to user error

Explanation:
Data dispersion can't aid in inadvertent loss caused by an errant user; if the user accidentally deletes/corrupts a file, that file will be deleted/corrupted across all the storage spaces where it is dispersed

56
Q

At which phase of the SDLC is it probably most useful to involve third party personnel?

A. Define
B. Design
C. Develop
D. Test

A

D. Test

Explanation:
During testing, getting an outside perspective is invaluable, for both performance and security purposes; internal development and review capabilities are enhanced by augmentation from external parties

57
Q

You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and publish stories about it under the title "computer related attack"

A. A criminal trial
B. A civil case
C. Both criminal and civil proceedings
D. Federal racketeering charges

A

C. Both criminal and civil proceedings

Explanation:
The battery is a crime and may be prosecuted as such, and the act may also result in the victim suing the attacker

58
Q

Which type of cloud storage combines public and private cloud storage where some critical information stays inside the enterprise and other information resides outside?

A. Hybrid
B. Community
C. Distributed
D. Encrypted

A

A. Hybrid

Explanation:
Hybrid cloud storage is a combination of public cloud storage and private cloud storage, where some critical data resides in the enterprise's private cloud and other data is stored and accessible from a public cloud storage provider

59
Q

_____________ storage is used when files are stored with additional metadata and are accessible through APIs and web interfaces

A. Object
B. RAID
C. Consent
D. Redundant

A

A. Object

Explanation:
Object files are stored with additional metadata such as content type, redundancy requirements, creation dates and so on, and are then accessible via APIs and/or through a web interface

60
Q

Which of the following standards addresses a company's entire security program, involving all aspects of various security disciplines?

A. ISO 27001
B. ISO 27002
C. NIST 800-37
D. SSAE 18

A

A. ISO 27001

Explanation:
The ISO 27001 standard reviews an organization's security in terms of an information security management system, which involves a holistic view of the entire security program

61
Q

In which court must the defendant be determined to have acted in a certain fashion according to the preponderance of the evidence?

A. Civil court
B. Criminal court
C. Religious court
D. Tribal court

A

A. Civil court

Explanation:
Civil courts are held to the preponderance of evidence standard

62
Q

Which of the following best describes risk?

A. Preventable
B. Everlasting
C. The likelihood that a threat will exploit a vulnerability
D. Transient

A

C. The likelihood that a threat will exploit a vulnerability

Explanation:
Option C is the definition of risk and risk is never preventable; it can be obviated, reduced, attenuated and minimized, but never completely prevented. A risk may be everlasting or transient, indicating that risk itself is not limited to being either

63
Q

Which of the following is true about two person integrity?

A. It forces all employees to distrust one another
B. It requires two different IAM matrices
C. It forces collusion for unauthorized access
D. It enables more thieves to gain access to the facility

A

C. It forces collusion for unauthorized access

Explanation:
By creating a need for two identity assertions or authentication elements to access assets, two person integrity prevents a single person from gaining unauthorized access and forces a would be criminal to join up with at least one other person to conduct a crime

64
Q

Who publishes the list of cryptographic modules validated according to the FIPS 140-2?

A. The US Office of Management and Budget
B. ISO
C. ISC^2
D. NIST

A

D. NIST

Explanation:
NIST publishes the list of validated crypto modules

65
Q

Which standard contains guidance for selecting, implementing and managing information security controls mapped to an information security management system (ISMS) framework?

A. ISO 27002
B. PCI DSS
C. NIST SP 800-37
D. HIPAA

A

A. ISO 27002

Explanation:
ISO 27002 is used for choosing security controls in order to comply with ISMS, which is contained in ISO 27001

66
Q

_______ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users' and clients' privacy data

A. Due care
B. Due diligence
C. Liability
D. Reciprocity

A

A. Due care

Explanation:
Due diligence is the process and activities used to ensure that due care is maintained

67
Q

Which of the following best defines risk?

A. Threat coupled with a breach
B. Vulnerability coupled with an attack
C. Threat coupled with a threat actor
D. Threat coupled with a vulnerability

A

D. Threat coupled with a vulnerability

Explanation:
The best definition of risk is that of a threat coupled with a vulnerability

68
Q

When a company is first starting and has no defined processes and little documentation, it can be said to be at level _____ of the CMM

A. 1
B. 2
C. 3
D. 4

A

A. 1

Explanation:
Level 1 is the initial level of maturity for a company and its processes; activity may be performed in an ad hoc manner

69
Q

You are the security manager of a small firm that has just purchased an egress monitoring solution to implement in your cloud based production environment. You understand that all of the following aspects of cloud computing may make proper deployment of the tool difficult or costly except _____

A. Data will not remain in one place or form in the cloud
B. The cloud environment will include redundant and resilient architecture
C. There will be a deleterious impact on production upon installing the tool
D. You might not have sufficient administrative rights in the cloud infrastructure

A

B. The cloud environment will include redundant and resilient architecture

Explanation:
The fact that cloud data centers are designed with multiple redundancies of all systems and components has no real bearing on your decision to deploy, or your implementation of, an egress monitoring solution. The other three options do: data moves and changes form in the cloud, installing an inline tool can disrupt production, and the customer often lacks the infrastructure-level rights needed to place the tool where it must sit

70
Q

If a hospital is considering using a cloud data center, which Uptime Institute Tier should it require?

A. 2
B. 4
C. 8
D. X

A

B. 4

Explanation:
Tier 4 is the highest tier in the Uptime Institute standard (fault tolerant, with fully redundant components and distribution paths); it is the only tier suitable for life critical systems

71
Q

You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the CSA STAR program, the Uptime Institute and _______

A. NIST SP 800-37
B. FedRAMP
C. ISO 27034
D. EuroCloud Star Audit (ECSA)

A

D. EuroCloud Star Audit (ECSA)

Explanation:
ECSA is a cloud service certification scheme aimed at providers operating in Europe

72
Q

What is the term that describes the situation when a malicious user or attacker can exit the restrictions of a single host and access other nodes on the network?

A. Host escape
B. Guest escape
C. Provider exit
D. Escalation of privileges

A

A. Host escape

Explanation:
In this terminology a guest escape is breaking out of a virtual machine onto the hypervisor or underlying host, while a host escape is going further: leaving the compromised host and reaching other nodes on the network. Escalation of privileges is gaining higher rights on the same system, not movement between systems
73
Q

You are the IT security manager for a video game software development company. Which of the following is most likely to be your primary concern on a daily basis?

A. Health and human safety
B. Security flaws in your products
C. Security flaws in your org
D. Regulatory compliance

A

C. Security flaws in your org

Explanation:
The security manager's day-to-day job is protecting the organization itself: its networks, systems, personnel and data. Security flaws in the products are primarily the development teams' responsibility through the secure development lifecycle; health and human safety takes precedence whenever it arises but is not a routine concern for a game studio; regulatory compliance is a periodic rather than a daily activity
74
Q

Which comes first?

A. Accreditation
B. Operation
C. Maintenance
D. Certification

A

D. Certification

Explanation:
In the certification/accreditation model of system approval, certification (the technical evaluation of the system against its security requirements) comes first; accreditation is management's formal acceptance of the evaluated system and its residual risk, after which the system enters operation and maintenance

75
Q

For which use cases would it probably be best to use dynamic masking?

A. Creating a test environment for a new application
B. Allowing a customer service rep limited access to account data
C. Sending IR notifications
D. Implementing BCDR

A

B. Allowing a customer service rep limited access to account data

Explanation:
Dynamically masking a user's account information each time a customer service rep accesses that data is an efficient, secure means of masking data as necessary: the stored record stays intact and the masked view is produced at read time. A test environment is better served by static masking, which produces a permanently sanitized copy of the data set
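The following is an added example of dynamic masking, not code from the flashcard deck or any referenced product. The roles, field names and the sample account record are constructed for illustration; the masked view is computed at read time from the caller's role, and the underlying record is never modified.

```python
"""Dynamic (on-read) data masking for a customer-service view of account data.

Added example. The stored record is left intact; each caller receives a view
derived from a role-to-field policy at access time. Roles, field names and the
sample record below are constructed for the example (hypothetical).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    holder: str
    pan: str            # primary account number (card number)
    email: str
    date_of_birth: str
    balance_cents: int


# Constructed sample record (test card number, not real data).
SAMPLE = Account(
    account_id="acct-1001",
    holder="Jane Example",
    pan="4111111111111111",
    email="jane@example.com",
    date_of_birth="1980-01-01",
    balance_cents=12345,
)


def mask_pan(pan: str) -> str:
    """Show only the last four digits; everything else becomes '*'.

    Design choice for this example: display at most the last four, which is
    the most conservative reading of the PCI DSS display-masking rule.
    """
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return (local[:1] or "*") + "***@" + domain


# Role -> fields that role may see unmasked (hypothetical policy).
POLICY = {
    "customer_service": {"account_id", "holder", "balance_cents"},
    "fraud_analyst": {"account_id", "holder", "pan", "email",
                      "date_of_birth", "balance_cents"},
}

# Field -> masking function. Fields with no masker and no permission are
# redacted outright rather than leaked.
MASKERS = {"pan": mask_pan, "email": mask_email}


def view(record: Account, role: str) -> dict:
    """Return the role-appropriate view of `record`, computed on read."""
    if role not in POLICY:
        raise PermissionError(f"unknown role {role!r}")
    allowed = POLICY[role]
    out = {}
    for field_name, value in vars(record).items():
        if field_name in allowed:
            out[field_name] = value
        elif field_name in MASKERS:
            out[field_name] = MASKERS[field_name](value)
        else:
            out[field_name] = "<redacted>"
    return out


if __name__ == "__main__":
    print(view(SAMPLE, "customer_service"))
    print(view(SAMPLE, "fraud_analyst"))
```

Because the transformation happens in the read path, changing a rep's role or the policy table changes what they see on their next query without touching stored data; that is the property that makes the dynamic approach fit the customer-service use case.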

76
Q

You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. This will be typified by which of the following traits?

A. Daily meetings
B. A specific shared toolset
C. Defined plans that dictate all efforts
D. Addressing customer needs with an exhaustive initial contract

A

A. Daily meetings

Explanation:
Agile development often involves short daily stand-up meetings (the daily Scrum in the Scrum framework); rigid up-front plans and exhaustive initial contracts are traits of traditional waterfall approaches, not Agile

77
Q

From a customer perspective, all of the following are benefits of IaaS cloud services except ____

A. Reduced cost of ownership
B. Reduced energy costs
C. Metered usage
D. Reduced costs of administering the OS in the cloud environment

A

D. Reduced costs of administering the OS in the cloud environment

Explanation:
In an IaaS configuration, the customer still has to maintain the OS, so option D is the only answer that is not a direct benefit for the cloud customer

78
Q

Which of the following is a risk associated with automated patching, especially in the cloud?

A. Snapshot/saved virtual machine images won't take a patch
B. Remote access disallows patching
C. Cloud service providers aren't responsible for patching
D. Patches aren't applied among all cloud data centers

A

A. Snapshot/saved virtual machine images won't take a patch

Explanation:
When a VM instance is powered off it exists only as a saved image (snapshot) file; the automated tool cannot apply a patch to it until it is running again, so the instance comes back online unpatched and remains vulnerable until the next patch cycle reaches it

79
Q

You process credit cards and have determined that the costs of maintaining an encrypted storage capability in order to meet compliance requirements are prohibitive. What other technology can you use instead to meet those regulatory needs?

A. Obfuscation
B. Masking
C. Tokenization
D. Hashing

A

C. Tokenization

Explanation:
Tokenization is an approved alternative to encryption for complying with PCI requirements: the PAN is replaced by a surrogate value with no intrinsic meaning, and only the token vault (which itself stays in scope and must be strongly protected) can map the token back to the PAN. Systems that hold only tokens can be taken out of PCI DSS scope
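The following is an added example of a tokenization service, not code from the flashcard deck or from any PCI-approved product. The in-memory dictionary stands in for a hardened, access-controlled vault, and the design choices (format-preserving tokens, one token per PAN, tokens that deliberately fail the Luhn check) are assumptions made for the example. Note that a plain hash of the PAN is not a token: the PAN space is small enough to enumerate, so a hash can be reversed by brute force.

```python
"""Tokenization of primary account numbers (PANs).

Added example. A random surrogate replaces the PAN; only the vault can map it
back. The vault here is an in-memory dict standing in for a hardened store.
Design choices for this example (assumptions, not PCI requirements): tokens
keep the PAN's length and last four digits, the same PAN always maps to the
same token, and tokens are generated so they fail the Luhn check, so a token
can never be mistaken for a real card number.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Maps tokens <-> PANs. Only this class ever sees a real PAN."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not plausible_pan(pan):
            raise ValueError("not a plausible PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing          # multi-use token: same PAN, same token
        while True:
            # Random digits from the OS CSPRNG; nothing derived from the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for display/matching
            if not luhn_valid(token) and token not in self._token_to_pan:
                break                # reject Luhn-valid or colliding tokens
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation; callers outside the vault boundary get tokens only."""
        return self._token_to_pan[token]

    def __len__(self) -> int:
        return len(self._token_to_pan)


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"    # well-known test card number
    tok = vault.tokenize(test_pan)
    print("token:", tok, "luhn_valid:", luhn_valid(tok))
    print("detokenized:", vault.detokenize(tok))
```

Downstream systems (order history, analytics, customer service) store and pass around the token; only the vault, behind its own authentication and audit logging, ever performs `detokenize`, which is what shrinks the footprint that has to meet the encryption requirements.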

80
Q

Which phase of the BCDR process can result in a second disaster?

A. Event anticipation
B. Creating BCDR plans and policy
C. Return to normal operations
D. Incident initiation

A

C. Return to normal operations

Explanation:
Returning to normal operations can result in a second disaster if the conditions created by the initial disaster have not been fully addressed and resolved before operations are moved back

81
Q

You are in charge of building a cloud data center. Which raised floor level is sufficient to meet standard requirements?

A. 10 inches
B. 8 inches
C. 18 inches
D. 2 feet

A

D. 2 feet

Explanation:
The minimum recommended height of a raised floor in a data center is 24 inches

82
Q

Which of the following is a cloud provider likely to provide to its customers in order to enhance the customers trust in the provider?

A. Site visit access
B. Financial reports to shareholders
C. Audit and performance log data
D. Backend administrative access

A

C. Audit and performance log data

Explanation:
The provider may share audit and performance log data with the customer. The provider will most likely not share any of the other options

83
Q

According to the CSA, all of the following activity can result in data loss except:

A. Misplaced crypto keys
B. Improper policy
C. Ineffectual backup procedures
D. Accidental overwrite

A

B. Improper policy

Explanation:
Bad policy won't directly cause data loss, although it may hinder efforts to counter it. The other three options destroy access to data outright; in particular, misplaced cryptographic keys render encrypted data permanently unreadable, a self-imposed denial of service

84
Q

Your company's assets have a high degree of sensitivity and value, and your company has decided to retain control and ownership of the encryption key management system. In order to do so, your company will have to have which of the following cloud service/deployment models?

A. Public
B. IaaS
C. Hybrid
D. SaaS

A

C. Hybrid

Explanation:
Managing the encryption keys on premises necessitates some elements of a hybrid cloud model; the key management is done on premises and the production takes place in the cloud

85
Q

A hypervisor that runs inside another OS is a Type ______ hypervisor

A. 1
B. 2
C. 3
D. 4

A

B. 2

Explanation:
The question describes a Type 2 (hosted) hypervisor, which runs as an application on top of a conventional host OS; a Type 1 (bare-metal) hypervisor runs directly on the hardware

86
Q

During maintenance mode for a given node in a virtualized environment, which of the following conditions is not accurate?

A. Generation of new instances is prevented
B. Admin access is prevented
C. Alerting mechanisms are suspended
D. Events are logged

A

B. Admin access is prevented

Explanation:
Administrators will access devices during maintenance mode; blocking admin access would be contrary to the entire point of the activity

87
Q

Risk appetite for an organization is determined by which of the following?

A. Reclusion evaluation
B. Senior management
C. Legislative mandates
D. Contractual agreement

A

B. Senior management

Explanation:
Senior management decides the risk appetite of the organization

88
Q

Which of the following is a popular API construction model?

A. SSO
B. GUI
C. REST
D. HTML

A

C. REST

Explanation:
REST (Representational State Transfer) is currently the most common architectural style for designing web APIs.

89
Q

All security controls necessarily _______

A. Are expensive
B. Degrade performance
C. Require senior management approval
D. Will work in the cloud environment as well as they worked in the traditional environment

A

B. Degrade performance

Explanation:
Security and productivity/operations are always trade offs

90
Q

In all cloud models, the _______ will retain ultimate liability and responsibility for any data loss or disclosure

A. Vendor
B. Customer
C. State
D. Administrator

A

B. Customer

Explanation:
The customer currently always retains legal liability for data loss, even if the provider was negligent

91
Q

The Reporting phase of forensic investigation usually involves presenting findings to ________

A. Senior management
B. Regulators
C. The court
D. Stakeholders

A

C. The court

Explanation:
The ultimate recipient of all forensic evidence collection and analysis, the entity receiving the reports, will be the court, which makes the final determination of the evidence's merits

92
Q

Under ISO 27034, every application within a given organization will have an attendant set of controls assigned to it; the controls for a given application are listed in the _______

A. ONF
B. ANF
C. TTF
D. FTP

A

B. ANF

Explanation:
Each application in an organization compliant with ISO/IEC 27034 will be assigned an Application Normative Framework (ANF), which lists all the controls assigned to that application; the ANF is drawn from the organization-wide control catalog, the Organizational Normative Framework (ONF)

93
Q

The Privacy Shield program allows US companies to collect and process privacy information about EU citizens. The program is included in which law?

A. FISMA
B. GDPR
C. HIPAA
D. Sarbanes Oxley Act

A

B. GDPR

Explanation:
The deck's key is GDPR. Note, however, that Privacy Shield was actually established by a European Commission adequacy decision and a US Department of Commerce framework, not by the text of the GDPR itself, and it was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment).

94
Q

Internal data center conditions that exceed the ASHRAE (American Society of Heating, Refrigerating and Air-Conditioning Engineers) guidelines for humidity could lead to an increase of the potential for all of the following except _________

A. Biological intrusion
B. Electrical shorting
C. Corrosion/oxidation
D. Social engineering

A

D. Social engineering

Explanation:
Being damp does not make people susceptible to trickery

95
Q

A special piece of numeric code that allows encryption hardware or software to encrypt and then decrypt a message is called a(n) _________

A. HSM
B. Encryption key
C. Elliptical curve
D. Hash

A

B. Encryption key

Explanation:
An encryption key is the secret value that, together with the algorithm, allows encryption and decryption to occur; an HSM is the hardware that protects such keys, an elliptic curve is a type of algorithm, and a hash is a one-way function that cannot be reversed at all

96
Q

Which of the following entities would not be covered by the PCI DSS?

A. A bank issuing credit cards
B. A retailer accepting credit cards as payment
C. A business that processes credit card payments on behalf of a retailer
D. A company that offers credit card repayment counseling

A

D. A company that offers credit card repayment counseling

Explanation:
PCI DSS applies only to those entities that store, process or transmit payment card data, which includes options A, B and C. A counseling company that never handles card data is outside its scope.

97
Q

Cloud administration almost necessarily violates the principles of the ___________ security model

A. Brewer Nash (Chinese Wall)
B. Graham Denning
C. Bell LaPadula
D. Biba

A

A. Brewer Nash (Chinese Wall)

Explanation:
Brewer-Nash (the Chinese Wall model) enforces conflict-of-interest separation: once a subject has accessed data belonging to one company, it may not access data belonging to a competitor in the same conflict-of-interest class. Cloud providers routinely have administrators who can reach the environments of many customers, competitors included, so routine cloud administration runs against the model's constraint

98
Q

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A. Broad contractual protections to ensure the provider maintains an extreme level of trust in its own personnel
B. Financial penalties for the cloud provider in the event of negligence or malice on the part of its own personnel
C. DLP Solutions
D. Scalability

A

D. Scalability

Explanation:
Scalability is a feature of cloud computing, allowing users to dictate an increase or decrease in services as needed, not a means to counter internal threats

99
Q

According to OWASP recommendations, active software security testing should include all of the following except __________

A. Session initiation testing
B. Input validation testing
C. Testing for error handling
D. Testing for weak cryptography

A

A. Session initiation testing

Explanation:
While session management testing is included in the OWASP guide to active software security testing, session initiation is not. All of the other options are included in the OWASP guide to active security testing

100
Q

Volume storage encryption in an IaaS arrangement will protect against data loss due to all of the following activities except _______

A. Physical loss or theft of a device
B. Disgruntled users
C. Malicious cloud admins accessing the data
D. Virtual machine snapshots stolen from storage

A

B. Disgruntled users

Explanation:
An authorized user will still be able to access and decrypt the data for which they have been granted permissions so encryption will not offer any protections for that threat

101
Q

Which form of BCDR testing has the least impact on operations?

A. Tabletop
B. Dry run
C. Full test
D. Structured test

A

A. Tabletop

Explanation:
Tabletop testing involves only essential personnel walking through the plan on paper and touches none of the production assets

102
Q
A