Pluralsight CCSP Domain 2

Question 1

Data Protection Laws

Answer 1

• GDPR - privacy
• SOx - financial
• GLBA - financial
• HIPAA - health information

Question 2

Data Roles and Responsibilities
* Data Owner / Processor
* Custodian
* Subject
* User

Answer 2

• **Data Owner **- ensure data has appropiate level of protection; known as data controller or processor in the cloud
• Custodian - has custody or posession of data at certain point of time (i.e. personnel who perform backups or user requesting data)

Question 3

IPS, On Prem Responsibility Zones (CSP or Consumer)

Answer 3

Question 4

Data Lifecycle: Use

Answer 4

• User Training
• Data hiding
• -Encryption
• -Masking
• -Obfuscation
• -Anonymization
• DLP
• DRM/IRM

Question 5

Qualities of Symmetric Encryption Algorithms

Answer 5

Question 6

Who holds the keys in SaaS? How can keys be transmitted? How are keys stored?

Answer 6

Question 7

Who holds the keys in PaaS? How can keys be transmitted? How are keys stored?

What is transparent encryption?

Answer 7

Question 8

Homomorphic Encryption

Answer 8

processing encrypted material without first decrypting it

Question 9

Who holds the keys in IaaS? How can keys be transmitted? How are keys stored?

Answer 9

Question 10

Key Management
* Escrow
* Split Knowledge / Multi-Party
-Dual Control
* Hardware Security Module (HSM)
* Outsourced Key Management
-PKI
-CASB

Answer 10

Question 11

Asymmetric Encryption
* What is it used for?
* Is it fast or slow?

Answer 11

Question 12

What part of CIA triad does hashing protect?
Define Hashing

Answer 12

Question 13

Hashing Benefits

Answer 13

Question 14

Masking and Obfuscation

Answer 14

Question 15

Anonymization

Answer 15

Question 16

Who is responsible for masking and anonymization in the cloud for IaaS, PaaS, and SaaS?

Answer 16

Question 17

Tokenization

Answer 17

Question 18

All control typically resides with CSP in SaaS except for what?

Answer 18

Question 19

Chain of Custody

Answer 19

Unbroken record of all activities associated with evidence from the time it is recognized as evidence until it is submitted to court; clear documentation must record which people had access to the evidence, where it was stored, what access controls were placed, and what modifications were perforemd;

this is difficult in the cloud; chain of custody provides non repudiation which means no one can deny taking part of a transaction

Important to have defined procedures and NDAs

Question 20

Capabilities of Virtualization

Answer 20

Question 21

• Type 1 Hypervisor
• Traditional OS vs Type 1 Hypervisor (image)

Answer 21

• Modern Hardware Hypervisor
• Bare-metal, embedded, or native
• Work directly on hardware/host
• Small form factor, a few hundred megabytes
• Type 1 attacks are restricted to the hypervisor and the machine

Question 22

Type 2 Hypervisor

Answer 22

• OS or Hosted Application Hypervisor
• Software Hypervisor
• Attackers prefer Type 2 because of the larger surface area for attack; They can attack the hypervisor itself and the OS under it, and the machine directly;

Question 23

Virtualization Attacks

Answer 23

• Guest Escape - poorly configured or designed VM or hypervisor that allows user to leave their virtualized instance; this allows user to access other VMs on the same host or they can attack the host itself;
• Host Escape - user can leave their own virtualized instance and leave the host machine, accessing other devices on the network
• Information Bleed or side-channel/covert channel attack - processing perfoemd on one VM may be detected by other instances on the same host; this does not have to involve the raw data itself, but may be indicative of the processing occuring (i.e. detecting a certain operation is being performed and lasts a certain duration); attackers can narrow down a list of attacks to use
• Data Seizure - legal activity might result in a host machine being confiscated or inspected by cops, the host machine might include virtualized instances belonging to your organization even though your organization was not the target;

Question 24

Responsiblity Zones - On prem, IaaS, PaaS, SaaS

Answer 24

Question 25

Data Lifecycle * Protecting data when in use

Answer 25

Question 26

Protecting data when stored

Answer 26

Question 27

Data Classification Procedure

Answer 27

Question 28

Examples of Structured Data and Unstructured Data

Answer 28

Question 29

Example of semi-structured data

Answer 29

Question 30

Bit splitting

Answer 30

Question 31

Erasure Coding aka FEC (Forward Error Correction)

Answer 31

Question 32

Types of Data Storage

Answer 32

Question 33

* Volume aka * Object aka

Answer 33

* Volume aka Block/Raw disk storage * Object aka File storage

Question 34

Clustered Storage and Coupling

Answer 34

* Storage devices clustered in groups, provide increased performance, flexibility, and reliability; 1. Tightly coupled - storage devices are directly connected to a shraed phsyical backplance; cluster is aware of others and has same policies and urle sets; more restrictive; scales well for greater and *greater power *as it increases 2. Loosely coupled - *greater flexibility*; logically connected, don't share proximate physical framework, distantly physically connected through communication media; performance does not scale

Question 35

Volume / Block / Raw Disk Storage

Answer 35

Question 36

File Storage

Answer 36

Question 37

Object Storage

Answer 37

Question 38

Object Storage Benefits

Answer 38

Question 39

Threats to Data (in storage, and transmission)

Answer 39

* Storage - alteration, disclosure, and loss * Transmission - MiTM

Question 40

Data protection

Answer 40

VPN * TLS * IPsec * WPA3 * Replication * Encryption * Hashing * Access controls

Question 41

DLP identifies sensitive data based on:

Answer 41

* Labels * Keywords * Strings

Question 42

DRM/IRM

Answer 42

Question 43

Encryption Benefits

Answer 43

Question 44

Bastion Host

Answer 44

method for remote access to secure environment; it is an extremely hardened device that provides access to one application; publicly available on the internet

Question 45

Federated identity management

Answer 45

manage identities across multiple organizations; i.e. SSO

Question 46

Federated identity management

Answer 46

manage identities across multiple organizations; i.e. SSO

Question 47

Shares in the cloud

Answer 47

if there are not enough resources, CSPP must prioritze which systems will receive limited resoureces available

Question 48

examples of internal and external redundancy

Answer 48

Internal - PDUs, power feeds to rack, cooling units, networking, storage units, physical access points External - power feeds, power substations, generators, network cicuites, building access points, and cooling infrastructures

Question 49

due care vs due diligence

Answer 49

* Due care - ensure policies and procedures are in place * due diligence - follow up to make sure that those policies and procedures are being implemented

Question 50

GLBA vs SOX

Answer 50

SOX protects financial information of public companies, and GLBA protects the financial data of customers

Question 51

Cryptography vs Encryption

Answer 51

Cryptography is the science of concealing messages with a secret code. Encryption is the way to encrypt and decrypt data. The first is about studying methods to keep a message secret between two parties (like symmetric and asymmetric keys), and the second is about the process itself

Question 52

Optical disks vs SSD

Answer 52

optical disks are better for long term storage bc they withstand environmental factors better even though they are slower and and have less storage

Question 53

Data mapping

Answer 53

determing how data moves and the kind of protection needed at each stage