Pocket Prep 3 Flashcards

1
Q

Jonathan is working for a bank and is in need of advice. They have performed a quantitative and qualitative risk assessment and have uncovered that there is a concern that a bad actor could gain access to their system through a web portal with very little social engineering. They are concerned because there are laws that they must follow to protect the information that a bad actor could access in this manner. They have decided that the best option is to reprogram the web portal to reduce the chance of access.

What have they decided to do?

A. Transferring risk
B. Avoiding risk
C. Mitigate the risk
D. Accepting risk

A

C. Mitigate the risk

Explanation:
After risk has been identified and evaluated, either through qualitative or quantitative assessments, the decision must be made on how to respond to risk. There are four main categories for responding to risk: accepting risk, avoiding risk, transferring risk, and mitigating risk.

By reprogramming, they have fixed and hopefully prevented that path of access for the bad actor. This is a mitigation.

Transferring the risk means that someone else will be responsible or partially responsible when something happens. The most common example here is insurance.

Avoiding the risk would see them close that web portal.

Accepting the risk means they effectively do nothing. They accept that something could happen and will deal with it if it does.

2
Q

Vendor management is more intense with the cloud as opposed to traditional equipment vendor management for an on-premises data center. When managing a vendor, a corporation must first negotiate a contract that will match their needs. If a company is planning on moving their data storage into a cloud provider’s Platform as a Service (PaaS), they need to assess many variables to ensure that they choose the right vendor.

What is most critical for them to evaluate before signing contracts?

A. Explore escrow options
B. Assess the vendor
C. Assess vendor lock-in risks
D. Assess vendor viability

A

C. Assess vendor lock-in risks

Explanation:
When moving data into the cloud, it is critical to assess the format or changes that will happen to the data. One of the most important things to plan when moving into the cloud is how to move out. If the vendor makes any changes to the data files that would make it very difficult to pull the data out and move it someplace else in the future, it is probably not a good choice for a business. When moving to the cloud, it would be good to believe that you are in the right place with the right vendor, but things do change for businesses and it may be necessary to change vendors in the future for a currently unknown reason.

This is all part of assessing the vendor. However, the question is specific to the data, and lock-in risks are specific to the data. So assessing for a lock-in risk is very important.

Assessing the vendor would include viability. If the cloud provider is new, it may not be able to survive into the future. If the vendor goes bankrupt, that would be a big problem for a corporation.

Escrow is critical to discuss regarding storage of keys and software source code. If a company is moving to Platform or Software as a Service (PaaS or SaaS), a good thing to investigate is where the source code is. If that vendor goes bankrupt, would it be possible for the customer to get the source code to load and run that software somewhere else to protect the functionality of the business?

3
Q

Volume storage is a storage type where a virtual machine has storage allocated to it and configured as a hard drive or file system. When storage is carved or sliced into manageable units across storage devices, likely in a Storage Area Network (SAN), they are identified and locatable using which of the following?

A. Logical Unit Numbers (LUNs)
B. World Wide Node Name (WWNN)
C. Internet Protocol (IP) address
D. World Wide Port Name (WWPN)

A

A. Logical Unit Numbers (LUNs)

Explanation:
In storage systems, the main storage is sliced into smaller segments, called Logical Unit Numbers (LUNs). These logical units are a chunk of the virtualized storage and appear as drives to virtual machines. A LUN can be part of a physical drive, or it can span several drives in arrays, probably RAID arrays.

In Fibre Channel, the servers are located using WWNN and the physical ports are identified by WWPN. (It might help to know these for the test.)

IP addresses are what we have been using for decades now, and they are used in iSCSI to identify the storage servers on the network.

4
Q

High availability and single points of failure are MOST related to which of the following best practices?

A. Configuration Management and Change Management
B. Redundancy
C. Scheduled Downtime and Maintenance
D. Logging and Monitoring

A

B. Redundancy

Explanation:
Some best practices for designing, configuring, and securing cloud environments include:

Redundancy: A cloud environment should not include single points of failure (SPOFs) where the outage of a single component brings down a service. High availability and duplicate systems are important to redundancy and resiliency.
Scheduled Downtime and Maintenance: Cloud systems should have scheduled maintenance windows to allow patching and other maintenance to be performed. This may require a rotating maintenance window to avoid downtime.
Isolated Network and Robust Access Controls: Access to the management plane should be isolated using access controls and other solutions. Ideally, this will involve the use of VPNs, encryption, and least privilege access controls.
Configuration Management and Change Management: Systems should have defined, hardened default configurations, ideally using infrastructure as code (IaC). Changes should only be made via a formal change management process.
Logging and Monitoring: Cloud environments should have continuous logging and monitoring, and vulnerability scans should be performed regularly.
5
Q

Damien is working for a real estate company that is working on their plans to move to an online document service that would allow their customers to sign contracts no matter what computer platform they have in their possession. So, interoperability is a critical aspect that they are concerned with. What best describes interoperability?

A. The ability for two or more systems to exchange information and mutually use that information
B. The ease with which resources can be rapidly expanded as needed by a cloud customer
C. The ability for two customers to share the same pool of resources while being isolated from each other
D. The ability of customers to make changes to their cloud infrastructure with minimal input from the cloud provider

A

A. The ability for two or more systems to exchange information and mutually use that information

Explanation:
Correct answer: The ability for two or more systems to exchange information and mutually use that information

Interoperability is defined in ISO/IEC 17788 as the ability for two or more systems to exchange information and mutually use that information. As a simple example, a Windows machine and a Mac can exchange a Word document, and both can use it.

The ability for two customers to share the same pool of resources while being isolated from each other is known as multitenancy.

The ability of customers to make changes to their cloud infrastructure with minimal input from the cloud provider is known as on-demand self-service.

The ease with which resources can be rapidly expanded as needed by a cloud customer is called rapid elasticity.

6
Q

FISMA is a piece of legislation that pertains specifically to which of the following?

A. The collection and storing of protected health information
B. Any organization which deals with credit card information
C. The storing of personally identifiable data (PII)
D. Any systems that will interact with federal agencies

A

D. Any systems that will interact with federal agencies

Explanation:
Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in the Federal Information Security Management Act (FISMA). The requirements are used to ensure compliance with security controls required by the federal government.

Health information would be protected under the Health Insurance Portability and Accountability Act (HIPAA).

Credit cards are managed according to the Payment Card Industry Data Security Standard (PCI DSS).

PII is managed according to the European GDPR, Canadian PIPEDA, Australian Privacy Act of 1988, and so on.

7
Q

During which phase of the SDLC should unit tests be developed and executed regularly?

A. Deployment
B. Testing
C. Development
D. Design

A

C. Development

Explanation:
The Software Development Lifecycle (SDLC) describes the main phases of software development from initial planning to end-of-life. While definitions of the phases differ, one commonly used description includes these phases:

Requirements: During the requirements phase, the team identifies the software's role and the applicable requirements. This includes business, functional, and security requirements.
Design: During this phase, the team creates a plan for the software that fulfills the previously identified requirements. Often, this is an iterative process as the design moves from high-level plans to specific ones. Also, the team may develop test cases during this phase to verify the software against requirements.
Development: This phase is when the software is written. It includes everything up to the actual build of the software, and unit testing should be performed regularly through the development phase to verify that individual components meet requirements.
Testing: After the software has been built, it undergoes more extensive testing. This should verify the software against all test cases and ensure that they map back to and fulfill all of the software’s requirements.
Deployment: During the deployment phase, the software moves from development to release. During this phase, the default configurations of the software are defined and reviewed to ensure that they are secure and hardened against potential attacks.
Operations and Maintenance (O&M): The O&M phase covers the software from release to end-of-life. During O&M, the software should undergo regular monitoring, testing, etc., to ensure that it remains secure and fit for purpose.
8
Q

A DLP solution sends a message to security personnel. This is likely part of which of the following stages of the DLP process?

A. Mapping
B. Enforcement
C. Discovery
D. Monitoring

A

B. Enforcement

Explanation:
Data loss prevention (DLP) solutions are designed to prevent sensitive data from being leaked or accessed by unauthorized users. In general, DLP solutions consist of three components:

Discovery: During the Discovery phase, the DLP solution identifies data that needs to be protected. Often, this is accomplished by looking for data stored in formats associated with sensitive data. For example, credit card numbers are usually 16 digits long, and US Social Security Numbers (SSNs) have the format XXX-XX-XXXX. The DLP will identify storage locations containing these types of data that require monitoring and protection.
Monitoring: After completing discovery, the DLP solution will perform ongoing monitoring of these identified locations. This includes inspecting access requests and data flows to identify potential violations. For example, a DLP solution may be integrated into email software to look for data leaks or monitor for sensitive data stored outside of approved locations.
Enforcement: If a DLP solution identifies a violation, it can take action. This may include generating an alert for security personnel to investigate and/or blocking the unapproved action.

Mapping is not a stage of the DLP process.

9
Q

Jose works for a small regional bank that is building their Business Continuity Plan (BCP) for the first time. As he builds the business case that he will present to the Board of Directors and C-suite, he is identifying risks that will be addressed by this plan.

If he is working to ensure that the customers will have enough access to the online portal for their needs, even through disruptions within the data center, what parameter must he ensure that the alternate plan meets?

A. Maximum Tolerable Downtime
B. Recovery Service Level
C. Maximum Tolerable Outage
D. Recovery Time Objective

A

B. Recovery Service Level

Explanation:
The Recovery Service Level (RSL) is the level of service (percentage of normal) that the alternate site must be able to support. For example, if the server normally handles 400 calls an hour from customers but needs to be able to at least handle 300 calls an hour so that the customers’ basic needs are met, then that is the RSL. RSL would be 75% of normal functionality.

The Maximum Tolerable Outage (MTO) is the amount of time that a corporation can survive being in this alternate state. Using the above example, since they are only at 75% functionality, they may only be able to handle that state for three days.

The Recovery Time Objective (RTO) is the amount of time that it takes to do the recovery work. This would take the server from not functioning to functioning at some level. The level needed is the RSL.

The Maximum Tolerable Downtime (MTD) is the amount of time that the system can be offline, not working, or non-functional.

10
Q

An engineer has recently started working for an organization and is concerned about which regulations might affect how long they need to retain or store financial and accounting data. Which of the following regulations does this engineer need to be aware of to address the organization’s concerns?

A. Health Insurance Portability and Accountability Act (HIPAA)
B. Gramm-Leach-Bliley Act (GLBA)
C. Sarbanes-Oxley Act (SOX)
D. Asia Pacific Economic Cooperation (APEC)

A

C. Sarbanes-Oxley Act (SOX)

Explanation:
The Sarbanes-Oxley Act (SOX) regulates accounting and financial practices within an organization. IT engineers need to be aware of SOX, as it can affect which type of data needs to be stored/retained and for how long.

HIPAA is concerned with the storage of Protected Health Information (PHI), not financial data.

GLBA is related to SOX, but it regulates the storage of personal data, not financial data.

APEC is an international agreement among 21 countries around the Pacific Rim that promotes free trade and discusses the handling of personal data.

11
Q

A large information security vendor that sells hardware and software tools has its own DevOps team. Management recently decided that they must follow the guidance from OWASP regarding application logging. There are many things that they are concerned with regarding their customers’ personal data protection. They have been analyzing what they are creating through the lens of threat modeling. What they have determined is that the clocks need to be pulled from the atomic clock sources on the planet.

Which of the following recommendations applies to this scenario?

A. Integrity of log files
B. Time synchronization
C. Identity attribution
D. Differing classification schemes

A

B. Time synchronization

Explanation:
Correct answer: Time synchronization

The OWASP data event logging cheat sheet does not recommend network traffic logs. However, other logging recommendations by OWASP include:

Synchronize time across all servers and devices
Differing classification schemes
Identity attribution
Application-specific logs
Integrity of log files

The full logging cheat sheet is available on OWASP’s website.

12
Q

In which of the following ways does a business address regulatory compliance challenges in the cloud?

A. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts
B. Security policies, golden images, Cloud Service Customer (CSC) defined service level agreements, contracts
C. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, containers
D. Security policies, annual audits, Cloud Service Provider (CSP) defined service level agreements, contracts

A

A. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts

Explanation:
Correct answer: Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts

There are many things that a business should do to address regulatory compliance challenges in the cloud or simply secure the corporation’s information and information systems. It begins with having security policies. The process is first governance and board of directors oversight. Then risk management must be done to understand the threat environment more completely. Then we can create security policies.

One of the things the policies should specify is that audits should be performed. The customer might need to be audited by a third party if there is a legal compliance requirement. Otherwise, it would be beneficial to know that the CSP has been audited by a third party and what the results of that audit are (SOC reports and such). Depending on the customer and the provider, it is possible that the customer could be involved in the actual audit of the cloud service provider.

Side note: A third party audit is an audit done by an external company such as Deloitte or PwC. It is now third because first, there is the CSC. Second, there is the CSP. So, adding an external auditor brings the count to three. It is possible to go to a fourth party if the audit company hires contractors to do some of the work.

The CSC should define the Service Level Agreements (SLA) that they require. The CSP may need to help them work this out, but the customer should specify what they need.

The SLAs are part of the contracts that need to be established with the CSP.

What is not part of this is golden images or containers. The golden image is our stable virtual machine image that should be used to deploy a specific virtual machine. Containers are a contained environment that is portable to run specific code. Having golden images certainly can help with compliance, but it would not be in the same category as the rest of these options.

13
Q

An attacker deleting log files maps to which letter of the STRIDE acronym for cybersecurity threat modeling?

A. I
B. D
C. R
D. E

A

C. R

Explanation:
Microsoft’s STRIDE threat model defines threats based on their effects, including:

Spoofing: The attacker pretends to be someone else
Tampering: The attacker damages data integrity
Repudiation: The attacker can deny that they took some action that they did take
Information Disclosure: The attacker gains unauthorized access to sensitive data
Denial of Service: The attacker can harm the availability of a service
Elevation of Privilege: The attacker can access resources that they shouldn’t be able to access

Deleting log files is likely an effort to cover the attacker’s tracks and is related to repudiation (R).

14
Q

Dakota is the information security manager for a social media corporation. They have been concerned about a particular Denial of Service attack coming in from a particular part of the world. She needs to configure a device that has the ability to block specific Internet Protocol (IP) addresses.

Which network device can she have configured to block this type of traffic?

A. Switch
B. Router
C. Intrusion Detection System (IDS)
D. Firewall

A

D. Firewall

Explanation:
The firewall is the main device that is used to manage the flow of traffic in and out of the network based on rules configured on the firewall. Firewalls can be virtual devices or physical devices, and they can be configured to block specific IP addresses or ranges.

Routers route traffic based on IP addresses. It is possible that they can be configured with Access Control Lists (ACL), but firewalls are designed to block traffic specifically. So “firewall” is a better answer.

Switches are designed to forward traffic. The typical switch forwards based on Media Access Control (MAC) addresses. It could be a layer 3 switch that uses IP addresses, but they are not designed to block traffic.

IDS devices can detect intruders. However, they do not block traffic. They are passive in nature.

15
Q

Which of the following is PRIMARILY a concern in multi-cloud environments?

A. Availability
B. Performance
C. Interoperability
D. Resiliency

A

C. Interoperability

Explanation:
Some important cloud considerations have to do with its effects on operations. These include:

Availability: The data and applications that an organization hosts in the cloud must be available to provide value to the company. Contracts with cloud providers commonly include service level agreements (SLAs) mandating that the service is available a certain percentage of the time.
Resiliency: Resiliency refers to the ability of a system to weather disruptions. Resiliency in the cloud may include the use of redundancy and load balancing to avoid single points of failure.
Performance: Cloud contracts also often include SLAs regarding performance. This ensures that the cloud-based services can maintain an acceptable level of operations even under heavy load.
Maintenance and Versioning: Maintenance and versioning help to manage the process of changing software and other systems. Updates should only be made via clear, well-defined processes.
Reversibility: Reversibility refers to the ability to recover from a change that went wrong. An example is how difficult it is to restore on-site operations after a transition to an outsourced service (like a cloud provider).
Portability: Different cloud providers have different infrastructures and may do things in different ways. If an organization’s cloud environment relies too much on a provider’s unique implementation or the provider doesn’t offer easy export, the company may be stuck with that provider due to vendor lock-in.
Interoperability: With multi-cloud environments, an organization may have data and services hosted in different providers’ environments. In this case, it is important to ensure that these platforms and the applications hosted on them are capable of interoperating.
Outsourcing: Using cloud environments requires handing over control of a portion of an organization’s infrastructure to a third party, which introduces operational and security concerns.
16
Q

An engineer has been tasked with ensuring that only authorized systems and users have access to sensitive information. This is done using a set of controls to protect the data. Which tool can be used to control the transmission of data to ensure only approved content is sent?

A. Software Defined Networking (SDN)
B. Data Loss Prevention (DLP)
C. Transport Layer Security (TLS)
D. Intrusion Prevention System (IPS)

A

B. Data Loss Prevention (DLP)

Explanation:
Data Loss Prevention (DLP) can be used to discover and protect content both at rest and in transit. If DLP is used to protect data in transit, the DLP tool analyzes content to determine if there is anything in the transmission that is not allowed. A simple example is a user sending a clear text email that contains a credit card number.

Intrusion Prevention System (IPS) analyzes traffic looking for content from a bad actor that is intruding on the network or end device (depending on placement). It is looking for malicious traffic. The DLP tool is looking for content that is not allowed.

Transport Layer Security (TLS) is used to encrypt traffic to protect it from prying eyes. If DLP is in use for data in transit, then it is necessary to take further action for a DLP tool to analyze that traffic. But the question is looking for controlling approved content. TLS does not care if it is approved, unapproved, malicious, etc. It is simply a protocol that is used to encrypt traffic.

Software Defined Networking (SDN) is not a security feature per se. It is an improvement to the way our switched and routed networks have worked up until today.

17
Q

Jarrell is working within the Security Operations Center (SOC) at a financial organization. He is using the logs from a tool that has the ability to indicate that traffic has been seen passing a switch that should not have made it past the firewall. What tool are these logs likely from?

A. Network Intrusion Prevention System (NIPS)
B. Host-based anti-malware
C. File Integrity Monitor (FIM)
D. Network Intrusion Detection System (NIDS)

A

D. Network Intrusion Detection System (NIDS)

Explanation:
An IDS is an intrusion detection system. It will capture traffic and detect possible attacks or intrusions. An NIDS is a network intrusion detection system that captures all network traffic seen passing through a switch because it is usually on a SPAN port of a switch.

A NIPS would see the traffic that is on a wire. It is possible that it is behind a switch. However, the wording of the question hints at the SPAN port, so an NIDS is the better answer.

A FIM sits in front of a file server to watch user activity. All that traffic should, probably, be getting to the server.

Host-based anti-malware software is looking at the traffic as it arrives at the end station.

18
Q

Jax is a cloud security analyst working for a large manufacturing company. An Indication of Compromise (IoC) has been discovered by their Security Information and Event Manager. In analysing the IoC, Jax discovered that there is an issue that needs to be addressed. One of the things that Jax needs to identify is the severity of the flaw or weakness that is behind the IoC.

What could she use to do that?

A. Common Vulnerability Scoring System
B. National Vulnerability Database
C. Common Vulnerabilities and Exposures
D. Common Weakness Enumeration

A

A. Common Vulnerability Scoring System

Explanation:
The Common Vulnerability Scoring System (CVSS) is a standardized framework used to assess and communicate the severity of security vulnerabilities in computer systems and software. The purpose of CVSS is to provide a consistent and objective way to evaluate the potential impact and exploitability of vulnerabilities, enabling organizations to prioritize their response and allocate resources effectively.

The National Vulnerability Database (NVD) is a comprehensive repository of information about known vulnerabilities and security issues in software and hardware products. It is maintained by the National Institute of Standards and Technology (NIST) in the United States and serves as a central resource for vulnerability management, risk assessment, and cybersecurity research.

Common Weakness Enumeration (CWE) is a community-developed list of common software weaknesses and vulnerabilities. It provides a standardized language and taxonomy for describing and categorizing software security weaknesses that can be found in various stages of the software development lifecycle. CWE is maintained by the MITRE Corporation (cwe.mitre.org).

Common Vulnerabilities and Exposures (CVE) is a community-driven dictionary of publicly known information security vulnerabilities and exposures. It provides a standardized naming scheme and unique identifiers for known vulnerabilities, making it easier for organizations and security professionals to track and manage security risks.

19
Q

Which of the following common contractual terms is LEAST related to SLAs?

A. Right to Audit
B. Access to Cloud/Data
C. Metrics
D. Assurance

A

B. Access to Cloud/Data

Explanation:
A contract between a customer and a vendor can have various terms. Some of the most common include:

Right to Audit: CSPs rarely allow customers to perform their own audits, but contracts commonly include acceptance of a third-party audit in the form of a SOC 2 or ISO 27001 certification.
Metrics: The contract may define metrics used to measure the service provided and assess compliance with service level agreements (SLAs).
Definitions: Contracts will define various relevant terms (security, privacy, breach notification requirements, etc.) to ensure a common understanding between the two parties.
Termination: The contract will define the terms by which it may be ended, including failure to provide service, failure to pay, a set duration, or with a certain amount of notice.
Litigation: Contracts may include litigation terms such as requiring arbitration rather than a trial in court.
Assurance: Assurance requirements set expectations for both parties. For example, the provider may be required to provide an annual SOC 2 audit report to demonstrate the effectiveness of its controls.
Compliance: Cloud providers will need to have controls in place and undergo audits to ensure that their systems meet the compliance requirements of regulations and standards that apply to their customers.
Access to Cloud/Data: Contracts may ensure access to services and data to protect a customer against vendor lock-in.
20
Q

A large organization is beginning to move their data center operations into the cloud. Their cloud information security manager, Willow, is working with the cloud network architects to ensure that their transition is seamless for the users. They will maintain their Identity and Access Management (IAM) technology in their data center for a while. Data will be stored and processed in the cloud.

What technology can they use for IAM that will allow the data center and the cloud to work together?

A. Security Assertion Markup Language (SAML)
B. Domain Name Service (DNS)
C. Dynamic Host Configuration Protocol (DHCP)
D. Lightweight Directory Access Protocol (LDAP)

A

D. Lightweight Directory Access Protocol (LDAP)

Explanation:
Lightweight Directory Access Protocol (LDAP) is a widely adopted protocol for accessing and managing directory services, which store and organize information about users, groups, devices, and other resources in a hierarchical structure. LDAP can be used as the underlying protocol for cloud-based directory services, where organizations can store and manage user accounts, groups, and other directory-related information. Cloud-based directory services allow for scalability, availability, and centralized management of directory data across multiple cloud instances or regions.

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization information between different entities involved in a web-based Single Sign-On (SSO) process. It enables seamless and secure authentication and authorization across multiple systems and domains without the need for users to provide credentials repeatedly. This is for IAM, but it is not a technology that is typically used in data centers, making LDAP a better answer here.

Domain Name Service (DNS) is a fundamental protocol used on the internet to translate domain names into IP addresses. It serves as a distributed directory service that enables the translation of human-readable domain names, such as www.example.com, into the corresponding IP addresses, such as 192.0.2.1. It is not used for IAM.

Dynamic Host Configuration Protocol (DHCP) is a network protocol commonly used in Local Area Networks (LANs) to dynamically assign IP addresses and network configuration parameters to devices. It allows for automated and centralized management of IP address allocation, simplifying the configuration process for network administrators and reducing the chances of IP address conflicts. It, too, is not used for IAM.