Pocket Prep CCSP Flashcards

Question

Which of the following types of security tests would be considered a "white-box" test? A. Penetration testing B. SAST C. Vulnerability Scanning D. DAST

Answer 1

B. SAST Explanation: Static application security testing (SAST) is a "white-box" type of test, meaning that the tester has knowledge of and access to the source code. Both penetration testing and dynamic application security testing (DAST) are considered "black-box" tests because the individual performing these tests are not given any special knowledge of the environment. Vulnerability scanning is neither a "white-box" or "black-box" test. Vulnerability scans are run against systems using known attacks and methodologies to verify that systems are properly hardened against them.

Answer 2

C. Security by design Explanation: Security by design refers to the inclusion of security at every stage of the development process, rather than after an application has been released or in reaction to a security exploit or vulnerability. From application feasibility to retirement, security is an integral element of the process.

Answer 3

B. Evidence and Custody Explanation: The major components of a data loss prevention (DLP) implementation include discovery and classification, monitoring, and enforcement. Evidence and custody is not a common component of DLP implementations.

Answer 4

D. Unstructured Data Explanation: Unstructured data refers to any data that cannot be qualified as structured data. Unstructured data doesn't conform to any defined data structures or formats. Examples of unstructured data include emails, pictures, videos, and text files. Unmorphed and morphed data are not actual types of data.

Answer 5

A. Any time data is considered new Explanation: The create phase is the initial phase of the cloud data lifecycle. While it may sound like data must be newly created from scratch in this phase, that is not the case. Rather, any time data can be considered new, it is in the create phase. This encompasses data which is newly created, data that is being imported from elsewhere, and also data that already exists but has been modified into a new form.

Answer 6

D. WSUS ``` Explanation: The WSUS (Windows Server Update Service) is a free toolset offered by Microsoft to help with patch management. WSUS downloads patches and allows the administrators of the servers to control the installation of the patches in a centralized and automated manner. ```

Answer 7

D. Analytical Explanation: Analytical artificial intelligence (AI) is solely cognitive-based, focusing on a system's ability to analyze past data and make future decisions.

Answer 8

A. WSUS Explanation: An IDS is an intrusion detection system. It will capture traffic and detect possible attacks or intrusions. A NIDS is a network intrusion detection system that captures all network traffic, while HIDS is a host intrusion detection system that only captures traffic for one specific host. WSUS is a tool available to help with patch management and not a tool to help detect intrusions.

Answer 9

A. The estimated number of times a threat will successfully exploit a vulnerability in a given year Explanation: ARO stands for annualized rate of occurrence, which is defined by the estimated number of times a threat will successfully exploit a vulnerability in a given year. By multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO), you are able to determine the annual loss expectancy (ALE).

Answer 10

D. PCI DSS Explanation: The PCI DSS (payment card industry data security standard) is a series of 12 compliance requirements, one of which being that physical access to cardholder data must be restricted.

Answer 11

C. National Identification Number Explanation: PII (personally identifiable information) is broken up into direct identifiers and indirect identifiers. Birth date, gender, and zip code would all be indirect identifiers because they would require more information along with them to identify a specific person. National identification numbers and social security numbers are direct identifiers because they can identify a specific person without the need for additional information.

Answer 12

A. Privileged Access Explanation: Privileged access must be strictly limited and should enforce least privilege and separation of duty. Therefore, it is not a virtualization system protection mechanism. Standard configurations are agreed-upon baselines and aid in managing change, which provides protection for virtualization systems.

Answer 13

B. Redundant ISP Explanation: The best strategy for ensuring that a means of communication with a cloud vendor is always available when an interruption occurs would be to implement a redundant ISP. All the other options are aspects that should be used in cloud access.

Answer 14

C. Generator Explanation: Cloud providers will need to have multiple independent power feeds in case a power feed goes down. In addition, they will also typically have a generator or battery backup to serve in the meantime when a power feed goes out. Cloud providers will likely have a backup internet provider for redundancy, but it will not help in the case of a power outage, nor will additional firewalls or routers.

Answer 15

C. Cost-Benefit Analysis Explanation: When considering implementing a new BCDR strategy, organizations should first perform a cost-benefit analysis. This will provide insight to the stakeholders if the BCDR strategy is worth implementing. The cost-benefit analysis will compare the costs of a disaster and the impact of downtime against the cost of implementing the BCDR solution.

Answer 16

D. Legal Hold Explanation: Organizations or individuals may need to archive and retain data that meets specific requirements to be used in legal court proceedings. This type of data retention is known as legal hold.

Answer 17

C. Software Configuration Management Explanation: Software configuration management (SCM) technologies are used to manage software assets and to ensure that changes are made in a timely and accurate manner. SCM enables changes to be rolled back. At the time of deployment, as well as during updates and patches, SCM tools are employed. Configuration management software enables auditing and reviewing configurations to ensure processes are being followed.

Answer 18

B. Intrusion Prevention System Explanation: An intrusion prevention system helps protect a network from malicious activity and intrusions, and therefore, is NOT considered a physical or environmental control.

Answer 19

C. Power distribution units Explanation: Internal redundancy includes power distribution units, power feeds to racks, cooling units, networking, storage units, and physical access points. External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure.

Answer 20

C. Homomorphic Encryption Explanation: Encryption technologies are rapidly evolving. One new technology, which is still in the early phases of development and testing, is homomorphic encryption. Homomorphic encryption would allow for the manipulation of encrypted files without needing to unencrypt them. Tokenization is the practice of utilizing a random or opaque value to replace what would otherwise be sensitive data. Data de-identification is the method of using masking, obfuscation, or anonymization to protect sensitive data. Labeling is a technology which can be used to group data elements together.

Answer 21

A. Orchestration Explanation: Orchestration is a technique for synchronizing and orchestrating the operations of multiple apps that work together to complete a business activity. These are managed groups of applications, and their actions are choreographed based on the rules you establish.

Answer 22

C. Authorization Explanation: Authorization is the process of granting access to resources. Identification is the process of pinpointing either a system or individual in a way where they are distinct from any other identity. Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together. Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

Answer 23

D. Data De-Identification Explanation: Methods of data de-identification include obfuscation, anonymization, and masking.

Answer 24

B. Cloud Service Customer (CSC) Explanation: An organization or individual who purchases a cloud service is known as a cloud service customer (CSC).

Answer 25

C. Cabling Explanation: The four key physical components of a cloud environment include CPU, disk, memory, and network. These components are the aspects that a cloud provider must ensure they have adequate resources for. There should be resources in these categories for both the current needs of cloud customers and future needs for the foreseeable future. Cabling is not considered one of the key physical aspects of the cloud environment.

Answer 26

D. Tabletop Explanation: In a tabletop exercise, participants are provided with scenarios and asked to describe how they will carry out their assigned activities in a certain business continuity/disaster recovery scenario. This enables members to comprehend their roles amid disaster. All other options are types of business continuity and disaster recovery plan tests.

Answer 27

A. VUM Explanation: VUM (vSphere Update Manager) is a utility which is built into VMware. VUM is able to automate patches of both the vSphere hosts as well as the virtual machines running under them. VUM also provides a dashboard which gives administrators a glimpse into their patching status across the environment.

Answer 28

A. Ensure that there are no single point of failure Explanation: Many cloud customers expect their systems to be available at all times. In order to maintain high-availability, it's critical to ensure that there are not any single points of failure. While its good practice to perform updates and upgrades outside a business' normal operating hours, many organizations today have locations across the globe and operate 24 hours a day. This means, that downtown at any time is going to be unacceptable. Cloud providers must find a way to perform updates and upgrades without causing any downtime. Backing up systems is very important, but all systems must be backed up, not just a select few. Maintenance can't be scheduled only a few times a year. It must be done whenever necessary so it's important to be able to do the maintenance without causing any downtime to the customer.

Answer 29

C. HIPAA Explanation: HIPAA, also known as the Health Information Portability and Accountability Act of 1996, is a major piece of legislation which focused on protecting PHI (protected health information). HIPAA focuses on the security controls and confidentiality of medical records, rather than on specific technologies being used.

Answer 30

B. Firmware Explanation: The BIOS is a form of firmware. It is typically stored in read-only memory. The BIOS is crucial for secure booting processes, as it verifies the hardware and firmware configurations of a system before allowing the operating system or applications to execute. All other selections are components of the system.

Answer 31

C. Structured Data Explanation: Structured data is data that has a known format and content type. One example of structured data is the data that is housed in relational databases. This data is housed in specific fields that have a known structure and potential values of data. Having the data organized in these fields makes it easy to search and analyze.

Answer 32

C. Cloud Service Broker Explanation: Businesses will work with a cloud service broker to identify solutions that meet their cloud computing requirements. The broker will package services in the customer's best interest. This may entail the use of multiple CSP services.

Answer 33

E. IaaS and PaaS Explanation: The CSP is fully responsible for patch management of the underlying physical infrastructure, but IaaS and PaaS customers commonly have patch management responsibilities. In a SaaS environment, the customer has no responsibility for patching.

Answer 34

C. Broken Authentication Explanation: Broken authentication is one of the OWASP Top 10 vulnerabilities. Broken authentication occurs when an issue with a session token or cookie makes it possible for an attacker to gain unauthorized access to a web application. This can occur when session tokens are not properly validated, making it possible for an attacker to hijack the token and gain access. Another example of this can occur when cookies are not properly destroyed after a user logs out, making it possible for the next user to gain access with their cookies.

Answer 35

D. Full-Interruption Explanation: In a full-interruption BCDR test, a real life scenario is carried out as realistically as possible. During a full-interruption test, all of the production systems are shut down at the primary site, and operations are shifted to the backup site according to the disaster recovery plan.

Answer 36

B. Semi-Open Explanation: There are four types of blockchain: private, public, consortium, and hybrid. Semi-open is not a type of blockchain.

Answer 37

C. ITIL Explanation: Your organization is most likely using IT Infrastructure Library (ITIL) because it is an IT best practices framework. Its five core subjects are: Service strategy, Service design, Service transition, Service operation, and Continual improvement. NIST CSF provides cybersecurity guidance, not IT best practices. ISO 27001 provides requirements for an information security management system (ISMS). COBIT 5 is a business framework for governance of IT.

Answer 38

D. SaaS Explanation: Software as a Service (SaaS) is a cloud service in which the cloud provider manages and maintains everything from the application/software itself, to the servers they run on and the platform they were built on. The cloud client is not responsible for anything to do with managing the program; they can simply access it over the Internet.

Answer 39

C. Metadata Explanation: Metadata is information about data, including the type of data, when the data was created, where the data is stored, and more.

Answer 40

D. DAM Explanation: Those who provide database activity monitor (DAM) services, as well as CSPs who provide services that are customized for their database offers, can do much more than monitor database consumption and usage patterns. Data discovery, data classification, and privileged use are all features that can be monitored in databases. Database compliance, contractual requirements, and regulatory requirements such as PCI-DSS, HIPAA, and GDPR needs can be addressed by database activity monitors.

Answer 41

A. To prevent log manipulation Explanation: Log manipulation occurs when a malicious actor is able to delete or modify the logs on a system. Sending or copying the logs to a centralized location such as a SIEM prevents this since the attacker may be able to delete them on the system itself, but will likely not have gotten access to the SIEM to change them there as well.

Answer 42

C. High costs for the environment Explanation: The organization should be cautious due to the fact that standalone hosting will cost more than pooled resources and multi-tenancy. The organization will need to gather and analyze their requirements to identify if the costs of standalone hosting are justifiable. All the other options are characteristics of standalone hosting.

Answer 43

C. Sensitive Data Exposure Explanation: When creating and managing a web application it's vital to keep sensitive user information private. Many web applications use data such as credit card information, authentication data, and other personally identifiable information. The OWASP Top 10 addresses these items under the sensitive data exposure vulnerability and states that applications should implement various security controls to protect sensitive user data.

Answer 44

B. Technology Provided Explanation: The cloud service provider (CSP) is responsible for providing the technology, but the customer is accountable for its use. Additionally, the client is accountable for setting up the environment and enforcing organizational policies.

Answer 45

B. CDN Explanation: A content delivery network (CDN) is a form of load balancing specifically designed for web servers. Its major purpose is to accelerate users' access to web resources that are geographically dispersed. CDNs enable users in remote places to access web data via servers located closer to their location than the original web server. Software defined storage (SDS), software defined networking (SDN) and raw device mapping (RDM) are incorrect options.

Answer 46

B. Network Security Group Explanation: A network security group (NSG) protects a group of cloud resources. It provides a set of security rules or virtual firewall for those resources. This gives the customer additional control over security. A cloud gateway adds an additional layer of security by transferring data between the customer and the CSP away from the public internet. Contextual-based security leverages contextual information such as identification to assist in securing cloud resources. External access attempts from the public internet can be blocked by ingress controls. Egress controls are a technique for preventing internal resources from connecting to unauthorized and potentially harmful websites.

Answer 47

D. Web Application Firewall Explanation: By filtering HTTP/HTTPS traffic, a web application firewall (WAF) specifically addresses attacks on applications and external services. A WAF can assist in defending against SQL injection, cross-site scripting, and cross-site request forgery attacks.

Answer 48

C. Tenant Explanation: Any cloud customer who is sharing access to a pool of resources is known as a tenant.

Answer 49

B.Erasure Coding Explanation: Erasure encoding is a technique employed by data dispersion to encrypt data with parity bits added. This is quite similar to the concept of RAID storage parity bit calculation. On the segments, a mathematical calculation is performed and the results are stored with the data. If segments are lost, the parity bit enables the data to be recovered. All other options are toolsets and technologies commonly used as data security strategies.

Answer 50

A. Availability Explanation: The organization is currently experiencing service availability issues. Due to the fact that this failure is not covered by the SLA's requirements, the organization may file a claim against the service provider.

Answer 51

D. Level 4 ``` Explanation: The FIPS (Federal Information Processing Standard) 140-2 standard defines four levels of security. Level 1 is the lowest level of security and level 4 provides the highest level of security and tamper protection. Levels 2 and 3 are in between. ```

Answer 52

C. Cloud Auditor Explanation: A cloud auditor is uniquely tasked with the responsibility of auditing cloud systems and cloud-based applications. The cloud auditor is responsible for evaluating the cloud service's efficiency and finding control gaps between the cloud customer and the cloud service provider, as well as the cloud broker, if one is utilized. All the other options are types of auditors.

Answer 53

D. Abuse or nefarious use of cloud services Explanation: Abuse or nefarious use of cloud services is listed as one of the top twelve threats to cloud environments by the Cloud Security Alliance. Abuse or nefarious use of cloud services occurs when an attacker is able to launch attacks from a cloud environment either by gaining access to a poorly secured cloud or using a free trial of cloud service. Often times, when using a free trial, the attacker will configure everything using a fake identity so attacks can't be traced back to him.

Answer 54

A. Federation Explanation: Federation is a set of base policies and technologies which allow systems to accept credentials without requiring an established user base to be present. This works by establishing policies and guidelines that each member of the federation must adhere to.

Answer 55

D. Continuity Management Explanation: Continuity management, sometimes known as business continuity management, is concerned with restoring systems and devices after a disaster or unexpected outage has occurred. Business continuity and disaster recovery (BCDR) plans are a part of continuity management.

Answer 56

B. All Applications Explanation: A denial of service attack occurs when a system is flooded with useless data from an attacker in an attempt to overload the system resources, making the system unavailable to valid users. All applications are possible targets for denial of service attacks. In order to help prevent denial of service attacks, developers should limit how many operations can be performed by non-authenticated users.

Answer 57

C. Cloud Service Integrator Explanation: A cloud service integrator is someone who connects (or integrates) existing systems and services to the cloud for a cloud customer.

Answer 58

D. SQL Injection Explanation: A SQL injection attack occurs when an attacker is able to send a properly formatted SQL SELECT statement through one of the input fields in the web applications. This malicious query can return information about the database that should not be publicly available. In order to prevent injection attacks, it's important to ensure that any data sent through an input field is properly sanitized and validated.

Answer 59

A. It has been structurally tested Explanation: The possible EAL (evaluation assurance level) scores are as follows: EAL1 - Functionally tested EAL2 - Structurally tested EAL3 - Methodically tested and checked EAL4- Methodically designed, tested, and reviewed EAL5 - Semi-formally designed and tested EAL6 - Semi-formally verified design and tested EAL7 - Formally verified design and tested

Answer 60

C. Patching Explanation: Patching is used to fix bugs found in software, apply security vulnerability fixes, introduce new software features, and much more. Regardless of the types of applications and systems involved, all software will require regular patching. Before patches are applied, they should be properly tested and validated. There should be a process in place for patch management in each organization.

Answer 61

D. Maintenance Explanation: The management plan for operations in a cloud environment includes scheduling, orchestration, and maintenance. In a cloud environment it's vital to ensure that careful planning and management are put in place to operate systems.

Answer 62

C. Cloud Service Partner Explanation: A cloud service partner is a third-party provider of cloud-based services (infrastructure, storage and application, and platform services) through the CSP with which it is associated. The third-party cloud service partner makes use of the cloud service provider's service in this scenario.

Answer 63

D. NIST RMF Explanation: The NIST Risk Management Framework acts as a guide for risk management practices used by United States federal agencies. NIST developed the NIST CSF to assist commercial enterprises in developing and executing security strategies. FedRAMP is a cloud-specific version of NIST 800-53 that contains policies and procedures to assist cloud service providers in adopting security controls and risk assessment. ISO 31000 are “Risk Management - Guidelines,” to be used during the risk management process.

Answer 64

C. Information Security Management System Explanation: ISO/IEC 27001 provides guidelines for creating and managing an ISMS. All other options would not use ISO/IEC 27001 as a guideline.

Answer 65

A. SaaS Explanation: Data sanitization in cloud environments already differs from that of on-prem environments since physical destruction methods are not possible. However, of the three types of cloud service models (which include IaaS, PaaS, and Saas), SaaS requires special consideration because the data is often far more interconnected than in the other two service models. DaaS is not an accepted cloud service model.

Answer 66

D. Structured Data Explanation:

Answer 67

C. Generators Explanation: External redundancy includes power feeds/lines, power substations, generators, generator fuel tanks, network circuits, building access points, and cooling infrastructure. Internal redundancy includes power distribution units, power feeds to rack, cooling units, networking, storage units, and physical access points.

Answer 68

A. A healthcare organization that needs to keep all of its patients data secure, no matter the cost Explanation: Private clouds are the most expensive of the cloud deployments, but they are also the most secure. This is because the owner of the private cloud controls and retains ownership of all the data in that cloud. Healthcare organizations have to meet HIPAA requirements and, therefore, patient data must be kept extremely safe.

Answer 69

B. Implement the plan Explanation: The steps of developing a BCDR plan are as follows: Define scope, gather requirements, analyze, assess risk, design, implement, test, report, and finally, revise. Once an organization has completed all of the design phase, they are ready to implement their BCDR plan. Even though the plan has already gone through design, it will likely require some changes (both technical and policy-wise) during implementation.

Answer 70

B. Continuous Auditing Explanation: Continuous auditing ensures that you can provide an in-depth report on usage and access history for all files that are protected by data rights management.

Answer 71

D. An organizations that only requires certain items are kept very secure, but cant afford a full private cloud Explanation: Hybrid clouds are the best solution for any organization that requires the security of a private cloud for some, but not all, of their data. By only needing some of the data to be kept in a private cloud, the expense of building a full private cloud can be greatly reduced.

Answer 72

B. Anonymization Explanation: Anonymization is a method used in data de-identification. Unlike masking or obfuscation, in which the data is replaced, hidden, or removed entirely, anonymization is the process of removing any identifiable characteristics from data. It is often used in conjunction with another method such as masking.

Answer 73

D. Advanced Persistent Threat Explanation: Many types of malware and malicious programs are loud and aim to disrupt a system or network. Advanced persistent threats are the opposite. Advanced persistent threats (APTs) are attacks which attempt to steal data and stay hidden on the system or network for as long as possible. The longer the APT can stay in the system, the more data it is able to collect.

Answer 74

A. IaaS Explanation: Infrastructure as a Service (IaaS) providers will provide cloud customers with everything they need from a hardware standpoint, including routers, switches, firewalls, and servers. The customer will still be responsible for managing all of the software and operating systems, but will not need to manage any hardware.

Answer 75

C. Parallel Explanation: In a parallel test, team members replicate the procedures necessary in the event of a disaster. Their objective is to ensure that critical business operations can continue to function in parallel if existing systems are affected by a disaster. All other options are types of business continuity and disaster recovery plan tests.

Answer 76

A. Portability Explanation: Portability is the feature that allows data to move between multiple cloud providers without any issues. Interoperability is a term used to describe the ease with which components of an application can be moved or reused. Resiliency is the ability to recover quickly after an issue has occurred. Auditability is the ease with which a cloud environment can be audited.

Answer 77

D. Multi-tenancy Explanation: Resource pooling is one of the many benefits of cloud computing. Multiple clients share a set of resources, such as servers, storage, and application services, and each customer pays only for the resources they consume. This can create a problem when resources are pooled, since multi-tenancy may result, and a competitor or rival may share physical hardware with you. If the system is compromised, particularly the hypervisor, sensitive data may be exposed.

Answer 78

D. Data Breach Explanation: A data breach occurs when data is leaked or stolen, either intentionally or unintentionally.

Answer 79

D. There is never an appropriate scenario in which to accept a risk Explanation: There are times when a company may choose to simply accept a risk rather than do anything to deal with it. This is often done when the cost of mitigating the risk outweighs the cost of simply dealing with the consequences if the risk was to occur.

Answer 80

A. Reversibility Explanation: Reversibility is the ability of a cloud customer to quickly remove all data, applications, and anything else that may reside in the cloud provider's environment, and move to a different cloud provider with minimal impact on operations.

Answer 81

B. Ensuring the confidentiality and integrity of their data Explanation: While things like uptime, cost, and preventing vendor lock-in are all important concerns, the primary concern when reviewing cloud providers should always be ensuring the confidentiality and integrity of data. Because of this, it's vital that cloud customers know where and how their data is going to be stored at all times.

Answer 82

D. PHI Explanation: You are safeguarding protected health information that may be contained within the medical records you are accountable for. These can be in the form of lap reports, visit summaries or other types of medical records. Personally identifiable information (PII) is unique to an individual, such as a Social Security number or phone number. Payment card industry (PCI) is not a data type. Personal data (PD) is not a known acronym.

Answer 83

C. Ownership Retention Explanation: Private clouds are a must for organizations that need to retain complete ownership of their entire cloud environment. Public, hybrid, and community clouds can't offer this.

Answer 84

C. Public Cloud Explanation: A public cloud would be the best option for this student because it is the least expensive and will allow her to pay only for the resources that she uses. Since she is planning to use the server as a lab environment, it's unlikely that security will be a large concern for this student.

Answer 85

C. Quanitative Assessment Explanation: The two main types of assessments used in the risk management process are quantitative assessments and qualitative assessments. Qualitative assessments are nonnumerical assessments. Quantitative assessments use values such as single loss expectancy (SLE), annual loss expectancy (ALE), and annual rate of occurrence (ARO) for a numeric approach.

Answer 86

C. Object Explanation: Object storage is a storage type used in IaaS cloud environments which operates as an API or a web service call. In object file storage, files are stored in an independent system and given a value for retrieval and reference.

Answer 87

D. TLS Handshake Protocol Explanation: TLS (transport layer security) is broken up into two main phases: TLS Handshake Protocol and TLS Record Protocol. During the TLS Handshake Protocol, the TLS connection between the two parties is negotiated and established. During the TLS Record Protocol, the actual secure communications method for transmitting data occurs.

Answer 88

B. Requirement Gathering and Feasibility Explanation: The initial step of the software development lifecycle (SDLC) is to gather all of the requirements and determine their feasibility. This is determined through setting goals, reviewing the timeline for the project, performing cost analysis, and reviewing possible risks of the project.

Answer 89

B. Cluster Explanation: A cluster is a group of hosts that are combined together to achieve the same purpose, such as redundancy, configuration synchronization, fail over, or to minimize downtime. Clusters can be groups of hosts that are physically or logically grouped together. Clusters are handled as one unit, meaning that resources are pooled and shared between the hosts within the group.

Answer 90

D. Content and File Storage Explanation: Each cloud service model uses a different method of storage as shown below: Software as a Service (SaaS) - content and file storage, information storage and management Platform as a Service (PaaS) - structured, unstructured Infrastructure as a Service (IaaS) - volume, object

Answer 91

B. Excess electrostatic discharge Explanation: The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge which may cause damage to systems.

Answer 92

C. Regression Testing Explanation: Regression testing is carried out during the maintenance phase of the software development lifecycle to ensure that changes to the software program do not break existing functionality, introduce new vulnerabilities, or resurface previously addressed problems.

Answer 93

B. GLBA Explanation: The Gramm-Leach-Bliley Act, officially named the Financial Modernization Act of 1999, focuses on PII as it pertains to financial institutions, such as banks. HIPAA is concerned with the privacy of protected healthcare information and healthcare facilities. GDPR is an EU specific regulation that encompasses all organizations in all different industries. FRCP is a set of federal rules for handling civil legal proceedings in federal courts.

Answer 94

B. When the cost to mitigate the risk outweights the cost to simply deal with the risk if it were to occur Explanation: There are some instances where organizations will choose to accept risk rather than to do anything to deal with it. This is typically done whenever the cost to mitigate the risk outweighs the cost to simply deal with the risk when or if it were to occur. Accepting the risk would never be a good option if the risk being realized could financially overwhelm an organization.

Answer 95

C. Clipping Level Explanation: Many systems and apps allow you to customize what data is written to log files based on the importance of the data. The clipping level determines which events, such as user authentication events, informational system messages, and system restarts, are written in the logs and which are ignored. Clipping levels are used to ensure that the correct logs are being accounted for.

Answer 96

B. Cost-benefit analysis Explanation: Any organization that is considering a move from an on-premises solution to the cloud should first perform a cost-benefit analysis to ensure that the decision makes sense for its company.

Answer 97

B. Threat Modeling Explanation: Threat modeling is the processing of finding threats and risks that face an application or system once it has gone live. This is an ongoing process that will change as the risk landscape changes and is, therefore, an activity that is never fully completed. DREAD and STRIDE, which were both conceptualized by Microsoft, are two prominent models recommend by OWASP.

Answer 98

B. TLS Record Protocol Explanation: TLS (transport layer security) is broken up into two main phases: TLS Handshake Protocol and TLS Record Protocol. During the TLS Handshake Protocol, the TLS connection between the two parties is negotiated and established. During the TLS Record Protocol, the actual secure communications method for transmitting data occurs.

Answer 99

D. GDPR Explanation: The European Union implemented GDPR (general data protection regulation), which covers the entire European Union and the European Economic Area. GDPR focuses on the protection of private and personal user data for all EU citizens, regardless of where the data was created, collected, processed, or stored. Any organization that has a data breach where protected or private user information is viewed or stolen by an attacker must report it to the applicable government agencies within 72 hours.

Answer 100

C. It has been methodically designed, tested and reviewed Explanation: The possible EAL (evaluation assurance level) scores are as follows: EAL1 - Functionally tested EAL2 - Structurally tested EAL3 - Methodically tested and checked EAL4- Methodically designed, tested, and reviewed EAL5 - Semi-formally designed and tested EAL6 - Semi-formally verified design and tested EAL7 - Formally verified design and tested

Answer 101

C. Policy and Procedures Explanation: Policies and procedures are a primary control in protecting systems and communications. Defining the objective, scope, roles, and responsibilities of all security actions, policies and procedures establishes a codified framework for all security actions.

Answer 102

C. RPO Explanation: The recovery point objective (RPO) is defined as the amount of data and information which must be restored and recovered after a disaster to meet business continuity and disaster recovery objectives.

Answer 103

B. Multitenancy Explanation: In an IaaS environment, resources are hosted on a cloud system which is often shared by other cloud customers. Therefore, the cloud provider must take precautions to ensure that the data between the multiple clients is not accessible by the others. This can pose a risk if the cloud provider doesn't take great care in keeping that separation.

Answer 104

D. TPMs Explanation: TPMs (Trusted Platform Modules) and virtualization hosts have BIOS settings in place that control hardware configurations and security technologies to prevent unauthorized access to the BIOS. It's important to ensure that access to the BIOS is locked down for all systems to prevent unauthorized changes to the systems at the BIOS-level.

Answer 105

A. RAID and SANs Explanation: Storage in the cloud is very similar to storage used in a traditional datacenter. The storage consists of RAID (redundant array of inexpensive disks) an SANs (storage area networks). These are connected to the virtualized server structure.

Answer 106

B. Secure API calls and web services Explanation: Data in use is protected through secure API calls and web services, which make use of technologies such as digital signatures. Data in transit is best protected through encrypted transport methods like TLS. To protect data at rest, encryption methods such as AES should be used.

Answer 107

D. Denial of Service Explanation: A denial of service attack occurs when an attacker (or attackers) flood systems with so much useless traffic that the resources are unable to respond to legitimate traffic. Denial of service is listed as one of the Cloud Security Alliance's Treacherous Twelve, but is not on the OWASP Top 10 list. XML external entities, injection, and broken access control are all listed on the OWASP Top 10 list and not the Cloud Security Alliance's Treacherous Twelve list.

Answer 108

B. Network traffic logs Explanation: The OWASP data event logging cheat sheet does not recommend network traffic logs. However, other logging recommendations by OWASP include: ``` Synchronize time across all servers and devices Differing classification schemes Identity attribution Application-specific logs Integrity of log files ``` The full logging cheat sheet is available here: cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

Answer 109

B. LUN Explanation: In a volume storage system, the main storage is sliced into smaller segments, called LUNs (logical units) that are then assigned to a virtual machine by a hypervisor and mounted to that machine. A SAN is a storage area network, and not a small segment of storage. The terms LAN and VLAN refer to types of networks and are not applicable to this question.

Answer 110

C. Legal Hold Explanation: When an organization is told that a regulatory body is commencing an inquiry against it, a legal hold should be immediately imposed. The organization must pause all data deletion actions relevant to the investigation until the matter is resolved. A legal hold has significant ramifications for data retention.

Answer 111

D. Management Plane Explanation: The management plane in a cloud environment can be used to create, stop and start virtual machines, as well as provision the virtual machines with the needed resources. Because the management plane has access to all the virtual machines from a high level it's very important that security measures are taken to prevent unauthorized access to the management plane.

Answer 112

A. MFA Explanation: Multi-factor authentication (MFA) is an authentication method in which a user is required to provide two or more types of factors proving they are who they claim to be. For example, a user would need both a password and a randomly generated code sent to their smartphone to access an application. MFA factors are broken up into categories such as something you know (passwords, pin), something you are (biometrics), something you have (key card, smartphone), and something you do (behavioral).

Answer 113

D. Physical, logical or virtual boundaries around network resources Explanation: A trust zone is a physical, logical, or virtual boundary around network resources. Before a cloud provider can implement trust zones, they must undergo threat and vulnerability assessments to determine where their weaknesses are within the environment. This will help to determine where trust zones would be most useful.

Answer 114

D. Encryption Explanation: The main method for protecting data at rest is to use encryption methods such as AES. Data in transport is protected by encrypted transport methods such as TLS. To protect data in use, secure API calls and web services must be used.

Answer 115

B. Governance Explanation: Governance is the system by which the provisioning and usage of cloud services are directed and controlled. Governance will put a framework in place to ensure compliance with regulatory obligations. All other options are shared cloud considerations.

Answer 116

C. Machine Learning Explanation: Artificial intelligence relies heavily on machine learning. Machine learning enables a solution to learn and develop on its own without the need for extra programming. Intrusion detection, email filtering, and virus scanning are all examples of current machine learning usage. Blockchain, quantum computing and artificial intelligence are other related technologies.

Answer 117

A. Testing must use limited information about the application Explanation: Testing that must use limited information about the application is called grey-box testing and occurs after functional testing and deployment. Functional testing is performed on an entire system and the following are important considerations: Testing must be realistic, must exercise all requirements, and be bug free.

Answer 118

B. Gather requirements Explanation: After defining the scope, the next step of developing a BCDR plan is to gather requirements. This stages determines what should be included in the plan and looks at items such as the recovery time objective (RTO) and recovery point objective (RPO). It will be necessary during this stage to identify critical systems within the environment.

Answer 119

A. Monitoring the risk Explanation: After a risk has been responded to, whether by accepting, transferring, avoiding, or mitigating the risk, it must still be monitored. Monitoring the risk is an ongoing process to determine if the same threats and risk still exist in the same form. Monitoring risk serves as a way to ensure that current risk evaluations and mitigation meet current regulatory requirements.

Answer 120

D. Broken Authentication Explanation: The OWASP Top 10 is an up to date list of the most critical web application vulnerabilities and risks. Broken authentication refers to the ability for an attacker to hijack a session token and use it to gain unauthorized access to an application. This risk can be mitigated by adding proper validation processes to ensure that session tokens are being submitted by the valid and original obtainer of the token.

Answer 121

B. Inventory of critical parties Explanation: The first step in communicating with vendors is to compile a list of all key third parties on which the business relies. This inventory will serve as the basis for risk management operations with third parties or vendors. Additionally, contact with vendors will be nearly entirely driven by contract and service level agreement obligations. All other options are not steps in establishing communications with vendors.

Answer 122

A. Unit Testing Explanation: The coding phase of the SSDLC covers the generation of software components as well as integrations and the build of the overall solution. Unit testing is part of the coding process. This is a developer's test of the modules that are being developed as part of a larger architecture. All of the module's pathways must be tested.

Answer 123

A. HIPAA Explanation: In the United States, any protected health information (PHI) must be kept secure and confidential. The Health Insurance Portability and Accountability Act (HIPAA) places controls on how PHI must be handled and protected.

Answer 124

D. Broken Access Control Explanation: Broken access control vulnerabilities may enable authenticated users to view unlawful and sensitive data, perform unauthorized functions, and modify access privileges. It is imperative that applications perform checks when each function is accessed to ensure the user is properly authorized to access it.

Answer 125

A. Resiliency Explanation: Resilience is the ability to continue operating under adverse or unexpected conditions. Many organizations plan a resiliency strategy that includes internal resources and the capabilities of the cloud. A cloud strategy allows the company to continue to operate during and after an event such as a natural disaster or severe weather event. Performance, governance and privacy are other shared cloud considerations.

Answer 126

A. Regulators Explanation: CSPs are likely to have contracts or some form of agreement with vendors, partners, and customers, but rarely (if ever) with a regulator. The CCSP is responsible for ensuring their cloud environment is in compliance with all regulatory obligations applicable to their organization.

Answer 127

A. REST Explanation Representational State Transfer (REST) is a software architectural scheme which support multiple data types, including both JSON and XML. Simple Object Access Protocol (SOAP) supports only the use of XML-formatted data types, so it would not work for the organization. DAST and SAST are testing methodologies and are not API types.

Answer 128

B. Management Plane Explanation: The management plane allows for cloud providers to manage all the hosts from a centralized location instead of needing to log into each individual server when needing to perform tasks. The management plane is typically hosted on its own dedicated server.

Answer 129

A. Hashing Explanation: If multiple files contain the exact same data, they will produce the same hash value as long as the same hashing algorithm is used. In this way, hashing can verify integrity. In order to do this, a hash value must be created for the original data. Next time the data is accessed, the same hashing algorithm can be used to verify integrity. If the hash value is different from the first hash value, then the data has changed in some way.

Answer 130

B. Non-repudiation Explanation: Nonrepudiation is the ability to confirm the origin or authenticity of data to a high degree of certainly. Nonrepudiation is typically done through methods such as hashing and digital signatures.

Answer 131

D. RISK_DREAD = (Damage + Reproductibility + Exploitability + Affected Users + DIscoverability) /5 Explanation: DREAD looks at the categories of damage potential, reproducibility, exploitability, affected users, and discoverability. Risk is given a value of 0 to 10 in each category, with 10 being the highest risk value. The algorithm used in DREAD is RISK_DREAD = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

Answer 132

B. 64.4 - 80.6 degrees F Explanation: Due to the amount of systems running, data centers produce a lot of heat. If the systems in the data center overheat, it could fry the systems and make them unusable. In order to protect the systems, adequate and redundant cooling systems are needed. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommend that the ideal temperature for a data center is 64.4 - 80.6 degrees F.

Answer 133

C. VLANs can be used across multiple datacenters without concerns for geographical location Explanation: VLANs are not dependent on the physical infrastructure at all, so this makes them ideal for network segmentation across multiple datacenters without the need to worry about the geographical location.

Answer 134

A. Defining SLA terms Explanation: Receiving communications from CSPs doesn't imply much responsibility. However, cloud customers have a critical accountability to define SLA terms. This will ensure that the CSC receives the proper level of communication, and through the correct channels from the CSP. All other options support communications with relevant parties.

Answer 135

C. Containers Explanation: A wrapper that contains all of the configuration, code, and libraries needed for an application, which can be rapidly deployed across a cloud environment, is known as a container.

Answer 136

D. A smart refrigerator that can send a grocery list to the owner via a push notification to their mobile phone Explanation: The Internet of Things (IoT) refers to non-traditional devices (such as lamps, refrigerators, and other home devices) having access to the Internet to perform various processes.

Answer 137

D. DNS Explanation: The Domain Name Service (DNS) is how computers translate IP addresses to domain names. When a user wants to communicate with another machine, the user's machine queries a device within the DNS table to get the correct address. All other options are other basic networking practices or protocols.

Answer 138

D. Cloud Application Portability Explanation: The ability to move an application between multiple cloud providers is known as cloud application portability, while cloud data portability refers, instead, to the ability to move data between cloud providers. Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within an environment.

Answer 139

C. Aggregation Explanation: Security information and event management (SIEM) systems are able to take data and logs from a large number of sources and house it in one single indexed system. This process is known as aggregation.

Answer 140

A. Chain of Custody Explanation: During an investigation, it's important that there is a paper trail which can document where evidence was and who was handling it at any given time. This process is known as chain of custody. Chain of custody is crucial in investigations so that evidence is usable in court.

Answer 141

B. NIST Explanation: The National Institute of Standards and Technology (NIST) is a part of the United States government which is responsible for publishing security standards applicable to any systems used by the federal government and its contractors.

Answer 142

D. Broken Authentication Explanation: Broken authentication occurs when applications do not have the proper controls or processes in place to secure their authentication and session tokens. This type of vulnerability allows for attackers to hijack session tokens and use them for their own nefarious purposes.

Answer 143

C. Vendor Lock-In Explanation: Vendor lock-in is the term used to describe the scenario in which a cloud customer is stuck using one cloud provider for one reason or another. Vendor lock-in can occur when the cloud provider has implemented technologies that make it difficult for the customer to move their data without hassle to another provider.

Answer 144

D. Change Management Explanation: The change management process is concerned with the impact of change on the organization. This change can include the implementation of new systems or simply configuration changes to already existing systems. Change management allows for changes in the organization to only be made by following a strict and structured procedure.

Answer 145

D. Asset Inventory and Risk Assessment Explanation: Identification and mapping of data locations within an organization is crucial for asset inventory and risk assessment tasks. According to a common adage, you cannot secure your assets if you are unaware they exist. Mapping enables a business to keep track of its assets, which is crucial for risk assessment and asset protection. All other options are important activities within an organization. However, they are not reliant on mapping the location of data within the organization.

Answer 146

B. Indirect Identifier Explanation: PII (personally identifiable information) is broken up into direct and indirect identifiers. Because a birth date is not enough information to identify just one single person, it is an indirect identifier. An example of a direct identifier would be a social security number. Nondescript and descript identifiers are not real types of PII.

Answer 147

C. Cloud Application Explanation: When an application resides in the cloud and is accessed via the network, instead of being locally installed on a user's computer, it is known as a cloud application. A measured service is a method for billing for cloud services. A tenant is the term used to describe one or more cloud customers sharing the same pool of resources. IaaS stands for infrastructure as a service and is a cloud service category in which the provider supplies infrastructure devices such as servers, network devices, etc.

Answer 148

D. Identity Providers Explanation: Identity providers create and manage security principals (users, devices, and software). On-premises and cloud-based identity providers can be synchronized so that users can access on-premises and cloud-based applications using their existing on-premises credentials. Identity providers support identity federation. Identity federation allows multiple parties to trust the use of a central identity provider. This eliminates the requirement for each application to create its own user credentials.

Answer 149

A. Application Virtualization Explanation: Sandboxing can be done with application virtualization by employing containers, which allow applications to be bundled with all dependencies and rigorous configuration management. While testing code or apps, sandboxing isolates components while protecting the operating system and other applications. Encryption, Tokenization and Orchestration are other ways to protect components such as operating systems and applications.

Answer 150

D. Data classification and control Explanation: Information rights management (IRM) can be used as a means for data classification and control. It isn't used as a means for data modification or data deletion.

Answer 151

B. Permissions can be modified after a document has been shared Explanation: Dynamic policy controls allow data owners to modify the permissions for their protected data even after it has been shared with others. All other options are descriptions of functionalities provided by other features of data rights management solutions.

Answer 152

B. DHCP Explanation: The Dynamic Host Configuration Protocol (DHCP) assigns an IP address and other networking information to devices in the network automatically. This facilitates the creation of a centralized management system. New hosts can be activated with DHCP, as well as hosts that need to be auto-scaled, dynamically optimized, or relocated between physical hardware programmatically. DHCP allows network information to be readily updated and changed as needed. IPSEC, DNS and SSL are other networking protocols that work together with DHCP.

Answer 153

C. All options are correct Explanation: Privacy concerns are present during and after a contract, as well as during data erasure or destruction.

Answer 154

C. Crypto-shredding Explanation: The optimal solution would be cryptographic shredding. Crypto-shredding encrypts the data and then destroys the encryption key, rendering the data unrecoverable. All other options are data security methods. However, there is a possibility that data can be recovered after it has been destroyed.

Answer 155

D. Problem management Explanation: Problem management is focused on preventing potential issues from occurring within a system or process. All other options are types of management strategies.

Answer 156

D. Internet Service Capability Explanation: The three main cloud service categories are infrastructure service capability, platform service capability, and software service capability.

Answer 157

A. Data warehouse Explanation: A data warehouse is structured storage in which data has been normalized to fit a defined data model. All other selections are data storage mechnisims

Answer 158

D. Artificial Intelligence Explanation: Artificial intelligence is the ability of devices to perform human-like analysis. Artificial intelligence operates by consuming a large amount of data and recognizing patterns and trends in the data.

Answer 159

B. Data at rest Explanation: In order to protect data at rest (DAR), data loss prevention (DLP) solutions must be deployed on each of the systems that house data, including any servers, workstations, and mobile devices. This is the simplest of DLP solutions but, in order to be most effective, it may also require network integration.

Answer 160

A. SIEM Explanation: An organization's logs are valuable only if the organization makes use of them to identify activity that is unauthorized or compromising. Due to the volume of log data generated by systems, the organization can implement a System Information and Event Monitoring (SIEM) system to overcome these challenges. The SIEM system provides the following: ``` Log centralization and aggregation Data integrity Normalization Automated or continuous monitoring Alerting Investigative monitoring ``` All other options are security solutions implemented within an organization.

Answer 161

A. Management plane Explanation: The management plane is used by cloud providers to manage all of the hosts from one centralized location. If the management plane were to be compromised, the attacker would have complete control over the entire cloud environment.

Answer 162

A. LUNs Explanation: Volume storage is where storage is allocated to a virtual machine and configured as a typical hard drive and file system on that server. In a volume storage system, the main storage system is sliced into pieces called LUNs (logical units) and then allocated to a particular virtual machine by the hypervisor.

Answer 163

D. Store Explanation: While security controls are implemented in the create phase in the form of SSL/TLS, this only protects data in transit and not data at rest. The store phase is the first phase in which security controls are implemented to protect data at rest.

Answer 164

D. Data classification Explanation: In any cloud deployment model, IaaS, PaaS, or SaaS, the cloud consumer will be responsible for any control over the data they store in the cloud. This includes its classification. All other options are functions in the cloud. However, the cloud deployment model being used will determine who is responsible.

Answer 165

B. Data can be distributed across many data centers in different geographical locations Explanation: Data dispersion is the concept that data can be distributed across many data centers in different geographical locations. This is a key benefit in cloud environments because it provides disaster recovery. Having data in numerous geographical locations reduces the risk of traditional problems posed by disaster scenarios.

Answer 166

C. Due to being software-based, they are more vulnerable to flaws and exploits than type 1 hypervisors. Explanation: Since type 1 hypervisors are tied into the physical hardware of the machine, it can be more difficult to inject malicious code. However, type 2 hypervisors are software-based and operate independent of the hardware. This can make type 2 hypervisors more susceptible and vulnerable to flaws and software exploits than type 1 hypervisors.

Answer 167

C. Create, Store, Use, Share, Archive, Destroy Explanation: Create, Store, Use, Share, Archive, Destroy are the phases in the cloud data lifecycle, in order. All other options are in the incorrect order.

Answer 168

C. SOAP does not allow for caching, making it less scalable and having lower performance than REST. Explanation: SOAP does not allow for caching, making it less scalable and having lower performance than REST. Because of this, SOAP is typically used only when there are restrictions which prevent the use of REST in the environment. REST is more flexible and supports a variety of data formats, including both JSON and XML, while SOAP only allows the use of XML-formatted data.

Answer 169

B. HIDS Explanation: A host intrusion detection system (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions. A network intrusion detection system (NIDS) is similar to a HIDS, but rather than running on a single host, it analyzes all of the traffic on the network. An intrusion prevention system (IPS) works in the same manner as a NIDS, but it also has the capability to prevent attacks rather than just detect them. A honeypot is an isolated system used to trick an attacker into believing that it is a production system.

Answer 170

C. PHI Explanation: PHI, which stands for protected health information, includes a wide spectrum of data about an individual and their health. Medical history, treatment, lab results, demographic information, and health insurance information is all considered to be PHI.

Answer 171

B. TLS 1.3 Explanation: TLS (transport layer security) has replaced SSL (secure sockets layer) as the best encryption of network traffic. Currently TLS 1.3 is the latest form of TLS and should be used, as it provides maximum security and high performance.

Answer 172

A. eDiscovery Explanation: eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.

Answer 173

C. A centralized group in an organization that handles security issues ``` Explanation: A SOC (security operations center) is a centralized group within an organization that handles security issues. ``` A NOC (network operations center) is a centralized group within an organization that handles network configurations. SOC engineers are not likely to handle general help desk tickets or collect evidence for a forensics investigation.

Answer 174

D. ISO/IEC 27001 Explanation: The ISO/IEC 27001, with its newest update of 27001:2013 is widely considered to be the gold standard in regard to the security of information systems and their data.

Answer 175

A, Availability and bandwidth Explanation: In the cloud, the primary performance issues are network availability and bandwidth. A network is a critical component of cloud services. If the network is down, the service will be unavailable. If the service is unavailable, performance will be impacted. All other options are minor cloud performance concerns.

Answer 176

A. Cloud service provider Explanation: In a shared security model, the cloud service provider controls the hypervisor. If the hypervisor is compromised, all virtual machines running on it may be vulnerable as well. As a result, the CSP's role in securing the hypervisor is important. All other options are roles related to the cloud.

Answer 177

A. Tokenization Explanation: Tokenization is a method used to protect data without needing to go through the process of encryption. In tokenization, an application is used to replace confidential data with an arbitrary value (known as a token). The application has the ability to map the token back to the original data when needed.

Answer 178

A. Spoofing identity Explanation: The STRIDE threat model has six threat categories, including spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privileges. When a user is able to gain access to something they shouldn't by using another user's account, this is known as spoofing identity. It's important to have controls in place to prevent users from leveraging another user's account to gain additional permissions.

Answer 179

B. User education Explanation: Due diligence on vendors, a trusted cloud service provider, security built into system design, encryption, and CSP security configuration management tools are all risk mitigation strategies in the cloud environment. User education is critical, but it is not as successful as the countermeasures outlined above

Answer 180

D. Create Explanation: Any time data can be considered new, it is in the create phase. Data can be considered new whenever it is newly created, moved from one system to another, or modified into a new form.

Answer 181

B. SOX Explanation: SOX (Sarbanes-Oxley Act) regulates accounting and financial practices within an organization. IT engineers need to be aware of SOX, as it can affect which type of data needs to be stored/retained, and for how long.

Answer 182

C. Clustered storage Explanation: A cluster is taking two or more systems and treating them as one entity. Clustered storage is the process of taking two or more storage servers and combining them to increase performance, capacity, and reliability. Storage clusters are used in cloud environments because high availability is extremely important.

Answer 183

D. REST ``` Explanation: The REST (representational state transfer) API relies on the HTTP protocol and supports a variety of data formats including both XML and JSON. It allows for caching, which increases performance and scalability. ```

Answer 184

D. Discovery and classification Explanation: DLP is made up of three common stages which include discovery and classification, monitoring and, finally, enforcement. Discovery and classification is the first phase, as the security requirements of the data must be addressed.

Answer 185

B. Incident classification Explanation: Incident management exists to help organizations plan for incidents, identify when they occur, and restore normal operations as quickly as possible with minimum adverse impact. This is referred to as a capability, or the combination of procedures and resources needed to respond to incidents. It generally comprises of three key elements: incident response plan (IRP), incident response team (IRT), and root-cause analysis. Incident classification ensures an incident is dealt with correctly. It is important to determine how critical an incident is and prioritize the response appropriately.

Answer 186

C. Ignoring risk Explanation: After risk has been identified and evaluated, either through qualitative or quantitative assessments, the decision must be made on how to respond to risk. There are four main categories for responding to risk, which include accepting risk, avoiding risk, transferring risk, and mitigating risk. Ignoring the risk is not one of the four categories.

Answer 187

D. Destroy Explanation: As the name suggests, the destroy phase is where data is removed completely from a system (or "destroyed") and should be unable to be recovered. In cloud environments, methods such as degassing and shredding can't be used because they require physical access to the hardware. Instead, in cloud environments, techniques like overwriting and cryptographic erasure are used to destroy the data.

Answer 188

B. Management Explanation: The management principle of the Generally Accepted Privacy Principles (GAPP) focuses on ensuring that organizations have well documented privacy policies and procedures. In addition, this information is communicated to necessary parties, and official measures are taken to ensure accountability.

Answer 189

D. Private cloud, cloud service backup Explanation: The organization is using their own private data center with backups being replicated to the cloud.

Answer 190

A. Users Explanation: The individuals using the public internet are responsible for security. Security is a shared responsibility. The CSP, CSC or ISP would not be responsible.

Answer 191

A. ISO/IEC 27050 Explanation: ISO/IEC 27050 provides internationally accepted standards related to eDiscovery processes and best practices. All other options are technology standards set forth by the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)

Answer 192

B. Design Explanation: Security is extremely important to consider when implementing a cloud data center. Due to its importance, security should be taken into consideration in the design phase so that it doesn't have to be added as an afterthought later on.

Answer 193

D. Vulnerability Scan Explanation: By running a vulnerability scan, the organization can easily identify a server responding to FTP requests. This vulnerability indicates a system that does not conform to the baseline configuration and that requires immediate remediation action.

Answer 194

A. IT-related Risk Explanation: Supply chain management entails a plethora of dangers, one of which is cloud computing. By protecting supply-chain management software in the cloud and securely linking providers globally via cloud services, risk associated with information technology is reduced.

Answer 195

B. BCDR Explanation: A business continuity and disaster recovery (BCDR) plan lays out the steps for what an organization must do immediately following a disaster or critical failure. BCDR plans should be regularly tested to ensure that they will work in the event of a real situation. BCDR plans cover what to do in the event of scenarios such as natural disasters, acts of war, equipment failures, and utility failures.

Answer 196

B. eDiscovery Explanation: eDiscovery is the process of searching for and collecting electronic data of any kind (emails, digital images, documents, etc.) so that the data can be used in either civil legal proceedings or criminal legal proceedings.

Answer 197

D. PaaS Explanation: Each cloud service model uses a different method of storage as shown below: Platform as a Service (PaaS) - structured, unstructured Infrastructure as a Service (IaaS) - volume, object Software as a Service (SaaS) - content and file storage, information storage and management DaaS is not a real type of cloud service model.

Answer 198

B. The location where the data is stored and the local laws and jurisdictions that apply to it Explanation: When using a cloud environment as a BCDR solution, it's likely that data will be housed in numerous cloud datacenters in various geographical locations. It's important to take into consideration what types of regulations and jurisdictions are applicable to the locations where your data is being stored.

Answer 199

C. Hosted eDiscovery Explanation: With Hosted eDiscovery, your cloud service provider incorporates eDiscovery into contractual responsibilities that can be executed as needed. However, a list of pre-selected forensic solutions may have limitations. SaaS-based eDiscovery is hosted on the cloud and is used to collect, store, and evaluate evidence by investigators and law firms. Third-party eDiscovery is not bound by contract and can be engaged to undertake eDiscovery operations on an as-needed basis. On-premises eDiscovery is a distractor.

Answer 200

B. DHCP Explanation: DHCP (dynamic host configuration protocol) runs on a centralized server and is able to dynamically assign network configurations such as IP address, DNS server address, and other settings to systems on the network. This removes the need for administrators to go around to each computer and statically assign network information.

Answer 201

C. PCI DSS ``` Explanation: PCI DSS (Payment Card Industry Data Security Standard) is a regulatory requirement that applies to financial and retail environments, specifically those that accept payment cards. ```

Answer 202

C. Sensitive data exposure Explanation: Even with proper encryption methods put in place, sensitive data is still at risk if the client's browser is insecure. In order to help mitigate this vulnerability, web applications can perform checks against client browsers to ensure they meet security standards. If the browser doesn't meet the security standards, it will not be granted access to the web application.

Answer 203

A. Lower RPOs and RTOs Explanation: The capacity to operate in geographically remote locations and to provide increased hardware and data redundancy results in lower recovery time objectives (RTOs) and recovery point objectives (RPOs) for disaster recovery and business continuity. The recovery service level (RSL) measures the percentage of the total production service level that needs to be restored to meet BCDR objectives.

Answer 204

A. Hashing Explanation: Hashing is a process that can be used to verify the integrity of data. This is because if you use the same hashing algorithm on the same data time and time again, the hash value that is generated will be the same. If the data is changed, the hash value will be different, confirming that the integrity of the data is not intact. While encryption, key management, and tokenization can help you to protect data, they can't guarantee the integrity of the data.

Answer 205

D. SSDLC Explanation: Including security in the Software Development Lifecycle (SDLC) aids in the creation of secure software. The Secure Software Development Lifecycle (SSDLC) is expected to yield software solutions that are more secure against attack, minimizing the risk of important business and consumer data being exposed.

Answer 206

A. IPS Explanation: An intrusion prevention system (IPS) is placed at the network level. It analyzes all traffic on the network in the same way as an IDS. However, rather than simply alerting administrators when an intrusion is detected, it can actually stop and block the malicious traffic and prevent an attack from occurring automatically.

Answer 207

C. RTOs are an IT decision. Explanation: Recovery time objectives are a business decision and not an IT decision. IT's responsibility is to assist the organization with RTO options and costs. To make the best decision, the organization requires complete information on RTO solutions and associated expenses. Once a decision is reached, it is up to IT to implement it and make all attempts to adhere to the business RTO.

Answer 208

B. CASB Explanation: One of the services provided by a Cloud Access Security Broker (CASB) is the monitoring of Identity and Access Management (IAM) in your cloud. A CASB does not provide any other services. A cloud access security broker (CASB) sits between the cloud application and the customer. This service keeps track of all activities and ensures that corporate security requirements are followed.

Answer 209

B. Overwriting Explanation: Michael will not be able to perform incineration, shredding, or degaussing because these require physical access, which is not available in a public cloud. Overwriting is the process of writing a pattern of ones and zeros over the data. For especially sensitive data, it may be best to overwrite the data more than once.

Answer 210

D. APIs Explanation: Cloud environments rely heavily on APIs (application programming interfaces) for both access and function. SOAP (simple object access protocol) and REST (representation state transfer) are two examples of commonly used APIs.

Answer 211

D. The percentage of the performance level which must be restored to meet BCDR objectives Explanation: Recovery service level (RSL or RSL%) is a newer term used to describe the percentage of the performance level which needs to be restored to meet BCDR objectives. For example, an RSL of 50% would specify that the DR system would need to operate at a minimum of 50% of the performance level of the normal production system.

Answer 212

C. RPO Explanation: RPO stands for recovery point objective, and it is the minimum amount of data that would be needed to be retained and recovered for an organization to function at a level which is acceptable to stakeholders. The RPO does not mean that the organization has to be operating at full capacity, just at an acceptable level where crucial systems are online.

Answer 213

D. European Union Explanation: The General Data Protection Regulation, or GDPR, is a regulation and law which affects all countries in the European Union (EU) and the European Economic Area. The purpose of the GDPR is to protect data on all citizens of the EU, regardless of where the data is created, stored, or processed. While similar legislation has and will be implemented in other parts of the world, GDPR specifically covers the EU.

Answer 214

B. An earthquake Explanation: Business continuity and disaster recovery (BCDR) plans are likely to be initiated as a result of the following: natural diaster (earthquakes, floods, tornadoes, etc.), terrorist attacks or acts of war, equipment failures, utility failures or disruptions, and service provider failures. The other items listed should not result in the initiation of a BCDR plan.

Answer 215

A. Configuration management Explanation: Configuration management is required. Configuration management technologies aid in cloud deployment management by centrally storing and archiving cloud configurations. It enables the tracking of configuration changes and the identification of the individuals who made the changes. These provisions enable you to guarantee that your cloud conforms with applicable regulations. All other selections are operational controls and standards within an organization.

Answer 216

A. Reproducibility Explanation: The DREAD threat model looks at five categories, including damage potential, reproducibility, exploitability, affected users, and discoverability. Reproducibility is the measure of how easy an exploit is to reproduce.

Answer 217

A. MTR Explanation: When performing a quantitative assessment, the values needed are the single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE). MTR stands for mean time to recovery, which is not used when performing a quantitative assessment.

Answer 218

C. APIs Explanation: In a cloud environment, the key functionality of applications and the management of the cloud are based on APIs (application programming interfaces). It's very important that APIs are implemented in a secure and appropriate manner. When possible, TLS (transport layer security) should be used for API communication.

Answer 219

A. Redirecting legitimate users to compromised or spoofed systems ``` Explanation: A DHCP (dynamic host configuration protocol) is used to automatically configure network settings on systems without the need for admins to do this manually on each computer. DHCP servers must be kept secure. If a DHCP server were to be compromised, the attacker would have access to change network settings that are given out by the DHCP server. This would allow them to redirect legitimate users to compromised or spoofed systems. ```

Answer 220

A. Security Explanation: The private cloud deployment model is the most secure cloud deployment model. However, private clouds do not offer an easier setup, less expense, or more scalability than the other cloud deployment methods.

Answer 221

C. Open-source software has less risk because it's inexpensive. Explanation: The widespread idea that open-source software carries fewer risks due to its low cost is false. Risk is defined by the asset being protected, not by the cost of the software being employed. Losing your data to low-priced software does not mitigate the expense of a data breach and exfiltration

Answer 222

B. Cross-site scripting Explanation: A cross-site scripting attack is a type of injection attack. It occurs when an attacker is able to inject malicious code into a web application. While this type of attack is mainly used to execute scripts and hijack a user's session, it can also be used to deface or edit a web page without going through any authentication processes. The web application runs the scripts injected without validating them.

Answer 223

A. Systems aren't able to be simply physically isolated and preserved in a cloud environment Explanation: When eDiscovery must be done within a traditional data center, it's possible to physically isolate the system and preserve the data. In a cloud environment, however, many cloud customers are using the same hardware, so it's not possible to physically isolate a system and preserve it. Instead, special measures must be taken to achieve eDiscovery in a cloud environment.

Answer 224

C. Virtual images are susceptible to attacks whether they are running or not Explanation: Virtual images are susceptible to attacks, even when they are not running. Due to this, it's extremely important to ensure the security of where the images are housed. Ensuring that the management plane and the hypervisor are secured is the first step to ensuring the virtual images are secure. The management plane is the most important component to secure first because a compromise of the management plane would lead to a compromise of the entire environment.

Answer 225

A. Data retention Explanation: OS baselines establish and enforce known good states of system configuration, and focus on ensuring least privilege and other security OS and application best practices. Each configuration option should match a risk mitigation (security control objective). Data retention and other data-specific requirements are not commonly part of an OS baseline

Answer 226

B. 72 hours Explanation: Under GDPR, data controllers must notify the applicable government agencies within 72 hours of a data breach or leak of personal or private information; however, there are some exemptions for law enforcement and national security agencies. GDPR is mostly focused on scenarios where the data is viewable by a malicious party, rather than instances where the data is erased or encrypted.

Answer 227

D. To avoid one row of racks pushing hot air directly into another row Explanation: Heating and cooling within a data center is a very important component. Servers and network equipment use a lot of energy which, in turn, produces a lot of hot air. In order to avoid one row of racks pushing hot air directly into another row, many data centers will use the concept of hot/cold aisles. This practice includes alternating rows of physical racks in order to have hot and cold rows for optimal air flow.

Answer 228

A. Obfuscation Explanation: Obfuscation is the process of replacing, concealing, or erasing sensitive data from a data set. By substituting random or replaced data for sensitive data fields, it can be swiftly employed without exposing sensitive information to systems. Substitution, shuffling, value variance, nullification, and encryption are all methods for concealing data.

Answer 229

D. GAPP Explanation: GAPP (Generally Accepted Privacy Principles) is a privacy standard developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. GAPP contains ten main privacy principles and is focused on managing and preventing threats to privacy.

Answer 230

A. Bastion host Explanation: A bastion host is a method for remote access to a secure environment. The bastion host is an extremely hardened device that is typically focused on providing access to one application or for one particular usage. Having the device set up in this focused manner makes hardening it more effective. Bastion hosts are made publicly available on the Internet

Answer 231

C. The Gramm-Leach-Bliley Act Explanation: Although it is officially named the Financial Modernization Act of 1999, it is most commonly known as and referred to as the Gramm-Leach-Bliley Act, or GLBA. This name pays tribute to the lead sponsors and authors of the act. GLBA is focused on protecting personally identifiable information (PII) as it related to financial institutions.

Answer 232

A. Hashing algorithm Explanation: The three basic components of an encryption system include the data itself, the encryption engine, and the encryption keys. Hashing is a separate technology from encryption used to verify the integrity of data. Hashing algorithms are used in hashing and are not a part of encryption.

Answer 233

A. Create phase Explanation: The create phase is an ideal time to implement technologies such as SSL/TLS technologies with the data that is inputted or imported. It should be done in the create phase so that the data is protected initially before any further phases.

Answer 234

A. Database Explanation: Databases store data in fields, following a related pattern. All other options are cloud storage architectures.

Answer 235

B. SDN Explanation: Within a software defined network (SDN), decisions regarding where traffic is filtered or sent to and the actual forwarding of traffic are completely separate from each other. A VLAN (virtual local private network) is used to expand a local area network beyond physical/geographical limitations. A VPN (virtual private network) securely provides access to a private network over a public network. A SAN (storage area network) is used for mass storage.

Answer 236

D. Jump servers Explanation: A jump server, sometimes called a jump box, is a hardened and monitored system on the network that has one purpose, which is to be used as a means to access and manage devices in a separate security zone. The jump server will span two different security zones, which makes this possible

Answer 237

D. Virtualization Explanation: Sometimes, the terms virtualization and cloud computing are used interchangeably. However, they are two very separate concepts. Cloud computing is defined by NIST as "enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources." Virtualization is the underlying technology that makes cloud computing possible.

Answer 238

D. Encrypt and authenticate packets during transmission between two servers Explanation: IPsec can be used to encrypt and authenticate packets during transmission between two systems. Examples of this include between two servers, between two network devices, and between network devices and servers. DNSSEC is used to add an additional layer of security to the DNS protocol. A VPN is used as a way to extend a private network over public network. A VLAN is used to create a logical isolation and separation within a network.

Answer 239

B. Identification Explanation: Identification is the process of pinpointing either a system or individual in a way where they are distinctive from any other identify. Authorization is the process of granting access to resources. Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together. Auditing is the process of ensuring compliance with policy, guidelines and regulations.

Answer 240

D. Full ownership of hardware Explanation: Using a cloud provider for a business continuity and disaster recovery (BCDR) solution comes with many benefits, including cost benefits, scalability, and access from anywhere. Full ownership of hardware is not an advantage of a cloud BCDR solution as the cloud customer doesn't typically have ownership of the hardware. The hardware will belong to the cloud provider.

Answer 241

C. Each level of the virtualization infrastructure, as well as wherever the client accesses the management plane Explanation: Logging is imperative for a cloud environment. Role-based access should be implemented, and logging should be done at each and every level of the virtualization infrastructure, as well as wherever the client accesses the management plane (such as web portal).

Answer 242

D. Budget Explanation: The risks associated with a business continuity and disaster recovery (BCDR) plan include changes in location, maintaining redundancy, having proper failover mechanisms, having the ability to bring services online quickly, and having functionality with external services. Budget is something that should already be factored in and accounted for and, therefore, should not pose any risks to your BCDR plan.

Answer 243

A. DNSSEC ``` Explanation: DNS security (DNSSEC) extensions is a set of specifications primarily aimed at reinforcing the integrity of DNS. It provides cryptographic authentication of DNS data using digital signatures. ``` Software defined permitter (SDP), Public Key Infrastructure (PKI), and Fully Qualified Domain Name (FQDN) are distractors.

Answer 244

B. Centralized logs Explanation: Logging is the process of documenting events or activities that occur against an asset. Logging is crucial for any business since it serves as the primary repository of information about previous events. Security information and event management (SIEM) technology is used to centralize these logs. A SIEM technology enables the collection, analysis, aggregation, correlation and reporting of suspected security incidents in a centralized manner. SIEM solutions can ingest a variety of different forms of log data from hardware, software, and data sources. Logging and a SIEM solution operate in tandem to centralize data and make it visible where it is needed.

Answer 245

C. Identity Provider Explanation: The organization would act as the identity provider, while the relying party would act as the service provider. The identity provider is the organization that generates tokens for users.

Answer 246

B. Agentless Explanation: Agentless backups generally interact directly with your hypervisor to snapshot and backup your VMs. All other options do not apply.

Answer 247

C. The ease with which components of an application or service can be moved or reused Explanation: Interoperability is the ease with which components of an application or service can be moved or reused. The ability for two customers to share the same pool of resources while being isolated from each other is known as multitenancy. The ability of customers to make changes to their cloud infrastructure with minimal input from the cloud provider is known as on-demand self-service. The ease with which resources can be rapidly expanded as needed by a cloud customer is called rapid elasticity.

Answer 248

B. External auditor Explanation: An external auditor is not employed by the company being audited. An external auditor may be necessary to ensure compliance with information security regulations. Because the external auditor's primary objective is to ensure compliance, they do not act as a trusted counsel, but rather as a regulator with enforcement authority. All other options are types of auditors.

Answer 249

D. iSCSI Explanation: iSCSI allows for the transmission of SCSI commands over a TCP-based network. SCSI allows systems to use block-level storage that behaves like a SAN would on physical servers, but leverages the TCP network within a virtualized environment. iSCSI is the most commonly used communications protocol for network-based storage.

Answer 250

D. Secure means of remotely accessing machines Explanation: RDP is considered an insecure protocol and should be used only with a private network. If used over the internet, a VPN should be considered a strict requirement. Additionally, filtering should be applied on the firewall to allow only those with permitted access to connect. RDP is GUI accessible, available for Linux, Mac and Windows devices and uses a client-server operation.

Answer 251

C. Multitenancy Explanation: Multitenancy is the main factor, from a legal perspective, which differentiates a cloud environment from a traditional data center. Multitenancy is a concept in cloud computing in which multiple cloud customers may be housed in the same cloud environment and share the same resources. Because of this, the cloud provider has legal obligations to all cloud customers housed on its hardware.

Answer 252

C. The pricing for cloud computing may be less predictable than that of a traditional data center. Explanation: In a traditional data center, it is fairly easy to map out costs for the year, including necessary equipment upgrades and licensing. In a cloud environment with metered pricing, resources are added right as they are needed and, therefore, the cost can change over time, making it unpredictable.

Answer 253

A. Privacy Explanation: Confidentiality, integrity, and availability are the three core aspects of security. This is often known as the CIA triad. In recent years, as mobile and cloud computing have increased, privacy has become the fourth major aspect of security. While privacy could technically be consolidated within confidentiality, it's often thought of as its own aspect due to its importance.

Answer 254

A. Framing risk Explanation: In regard to risk treatment and the risk management process, the first stage is framing risk. Framing risk refers to determining what risk and levels are to be evaluated.

Answer 255

A. Every piece of software in the environment Explanation: Any piece of software, from major software suites to small utility scripts, can have possible vulnerabilities. This means that every program and every piece of software in the environment carries an inherent amount of risk with it. Any software that is installed in a cloud environment should be properly vetted and regularly audited.

Answer 256

C. SOAP is unable to use the FTP protocol for transmission. Explanation: While the simple object access protocol (SOAP) most commonly uses the HTTP protocol for transmission, it is possible for it to use the FTP protocol and other communication protocols as well.

Answer 257

A .OpenID Explanation: OpenID is an authentication protocol based on OAuth 2.0 specifications. OpenID provides an easy and flexible way for developers to support authentication across an organization. It provides web-based applications with a method for authentication that is not dependent on particular devices or clients to access it.

Answer 258

B. Cluster Explanation: Clusters are a collection of resources linked together by a software agent that enables communication, resource sharing, and task routing inside the cluster. Clusters are an important aspect of resource pooling, which is fundamental to cloud computing. They are used to provide most of the resources required in modern computing systems, such as processing, storage, network traffic handling, and application hosting. All other options are logical infrastructure found in the cloud.

Answer 259

C. Privileged access Explanation: Privileged access must be strictly limited and should enforce least privilege and separation of duty. Therefore, it is not a virtualization system protection mechanism. Standard configurations, commonly referred to as baselines, can be used to safeguard virtualization systems. All other options are protection techniques for virtualized systems.

Answer 260

B. RTO Explanation: The recovery time objective (RTO) is a time measurement of the speed in which each system must be brought back up and running after a disaster occurs in order to meet business continuity and disaster recovery (BCDR) objectives.

Answer 261

C. Masking Explanation: The organization is trying to deploy masking. Masking obscures data by displaying only the last four digits of a Social Security or credit card number. As a result, the data is incomplete in the absence of the blocked/removed content. All other options are data security strategies.

Answer 262

B. Correlation Explanation: Security information and event management (SIEM) systems are very useful because they are able to correlate data. This means that not only can the data be stored in one place through aggregation, but it can also be searched using specific items such as an IP address or timestamp.

Answer 263

A. SAN Explanation: iSCSI, Fibre Channel, and Fiber channel over Ethernet (FCoE) are storage area network technologies that create dedicated networks for data storage and retrieval.

Answer 264

B. Redundant Explanation: Cloud customers have high expectations for availability and resiliency. In order to meet these expectations, all systems must be redundant to ensure there is no downtime for the customer.

Answer 265

A. Honeypot Explanation: A honeypot consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored and that seems to contain information or a resource of value to attackers. All other options are incorrect.

Answer 266

C. Analysis Explanation: The analysis phase of the SDLC is when requirements of the project are put into a project plan. This plan will outline the specifications for the features and functionality of the software or application to be created. At the end of the analysis phase of the SDLC, there will be formal requirements and specifications ready for the development team to turn into actual software.

Answer 267

C. SSAE Explanation: The statement on standards for attestation engagements (SSAE) is a set of standards defined by the AICPA to be used when creating SOC reports. SOC 1 reports assist with compliance with regulations. Statement on Auditing Standards (SAS) reports have been replaced by SSAE reports. The International Standard on Assurance Engagements (ISAE) is similar to SOC Type 2 reports. Generally Accepted Privacy Principles (GAPP) is not a reporting standard.

Answer 268

D. Any capability which is offered by a cloud provider Explanation: A cloud service is any capability which is offered by a cloud provider and it's not limited to just software or applications, but also full platforms and infrastructure.

Answer 269

B. Virtualization Explanation: Without virtualization, cloud environments as we know them would not be possible. This is because cloud environments are built on virtualization technology. It is virtualization which allows for cloud providers to leverage a pool of resources for various customers and the ability to offer such scalability and on-demand self-service.

Answer 270

B. OWASP Explanation: Popular SIEM products include Splunk, LogRhythm, and ArcSight. OWASP stands for the Open Web Application Security Project, and it is not a SIEM product.

Answer 271

D. Fault tolerance does not provide any support against software failures. Explanation: The majority of system availability issues are software related rather than hardware related. Unfortunately, fault tolerance is solely used to help with hardware failures and doesn't do anything to mitigate software failures. This is a major disadvantage to using fault tolerance.

Answer 272

B. Cost Explanation: Modern applications rely on sophisticated systems comprised of a variety of components and technologies, and may be located throughout the world. Cloud computing has exacerbated these complexities, as users increasingly rely on consumable services rather than owned and maintained equipment. The distributed IT model has made creating and scaling considerably more affordable and simple than ever before. However, that being said, common challenges caused by the distributed IT model include communications, coordination of activities, and governance.

Answer 273

B. Relocation of data Explanation: Segment dispersion can create complications in cloud environments. If data is distributed to regions with varying legal and regulatory requirements, the organization may become subject to unforeseen laws and regulations. All other options are cloud data concepts.

Answer 274

B. Location Explanation: Location is the major and primary concern when building a data center. It's important to understand the jurisdiction where the data center will be located. This means understanding the local laws and regulations under that jurisdiction. Additionally, the physical location of the data center will also drive requirements for protecting data during threats such as natural disasters.

Answer 275

C. Network segmentation Explanation: Network segmentation is the process of separating different parts of the network and/or restricting access to certain areas of the network. Network segmentation can be done using physical separation methods or software/virtual separation methods.

Answer 276

B. Budgetary restraints Explanation: As with any new system or plan being implemented, it's important to assess the risks of the changes. Budgetary restraints are not a main risk when developing a BCDR plan. The main risks associated with developing a BCDR plan include the load capacity at the BCDR site, migration of services, and legal or contractual issues.

Answer 277

B. DLP Explanation: Data is at a greater risk during the share phase of the lifecycle because it is leaving the system in which it is created on or for. To help mitigate some of that risk, DLP (Data Loss Prevention) technologies can be implemented to prevent modification.

Answer 278

C. An IDS can only detect intrusions, while an IPS can prevent intrusions ``` Explanation: An IDS (intrusion detection system) detects malicious traffic and potential intrusions. It can alert about the possible intrusion, but it isn't able to prevent the intrusion. An IPS (intrusion prevention system) is able to both detect and prevent the intrusion by blocking the malicious traffic in real time. ```

Answer 279

A.Recover Explanation: During the recovery and eradication phases of an incident response, new countermeasures are implemented. You must restore regular operation to your organization's impacted systems. All other options are phases of incident response.

Answer 280

A. To collect logs and store them in a centralized location Explanation: SIEM (security information and event management) systems are used to collect logs and store them in a centralized location. Having logs in one centralized location can make it easier to troubleshoot events as they occur. In addition, having the logs in a centralized location and not just on the device they originate from can prevent the risk of log manipulation.

Answer 281

D. Design Explanation: While the requirements for risk mitigation and minimization may be determined during the requirement gathering and feasibility stage of the software development lifecycle (SDLC), they are not integrated with the programming designs until the design phase of the SDLC.

Answer 282

B. Injection Explanation: An injection attack occurs when an attacker sends (injects) malicious code or commands to an application's input or data fields. The goal of the attacker is to get the application to execute the code as part of its normal processing. The best way to prevent injection attacks is by ensuring that all data and input fields include proper input validation.

Answer 283

B. Social engineering Explanation: The Open Web Application Security Project (OWASP) Top 10 is a regularly updated report of the current top 10 vulnerabilities that affect web applications. The current top 10 include: ``` Injection Broken authentication Sensitive data exposure XML external entities Broken access control Security misconfigurations Cross-site scripting Insecure deserialization Using components with known vulnerabilities Insufficient logging and monitoring ```

Answer 284

C. TLS Explanation: Transport layer security (TLS) has replaced Secure Socket Layer (SSL) as the preferred encryption method for traffic across a network. TLS has two layers: TLS handshake protocol and TLS record protocol. TLS is used to secure everything from web traffic to email.

Answer 285

D. SLE x ARO = ALE Explanation: In order to find the annual loss expectancy, you must first know the single loss expectancy and the annual rate of occurrence. In order to determine the annual loss of expectancy, multiply the single loss expectancy value by the annual rate of occurrence.

Answer 286

B. Role-based access controls Explanation: Both the management plane and virtualized infrastructure are high priority targets for attackers. It's very important to implement role-based access controls so that only those individuals who truly need access to these will have it. If too many people have access to the management plane without needing it, there is more of a chance it will become compromised.

Answer 287

B. Archive Explanation: The data retention policy will have an effect on the data lifecycle's archive phase. The remaining options correspond to stages of the cloud data lifecycle that are unaffected by the data retention policy.

Answer 288

D. SOC-2 Type-2 Explanation: A SOC-2 Type-2 attestation report is the most desirable attestation report to receive from vendors providing cloud services. A SOC for Service Organizations: Trust Services Criteria (SOC-2) provides information about the control objectives relating to security, availability, processing, integrity, confidentiality, and/or privacy. The scope of the Type-2 report is limited to a specified time period and includes information about the controls' presentation, system and design suitability, and operational efficacy in achieving the related control objective. The scope of a Type 1 report is determined by a single precise date, rather than an extended time period, as with a Type 2 report. The other options are acceptable attestation reports. However, the SOC-2 Type-2 is the most preferred and may require an NDA.

Answer 289

B. Input and involvement from the cloud provider Explanation: Because the border routers in a cloud environment are used by more than just one cloud customer, any packet capture done on the border routers will require the involvement of the cloud provider. This is true for all cloud types such as IaaS, PaaS, and SaaS.

Answer 290

A. Government agency Explanation: Your organization is a government agency. Government agencies are affected by the Federal Information Security Management Act (FISMA). The law defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. It requires that government agencies conduct vulnerability scans. None of the other organizations are affected by FISMA.

Answer 291

A. Regulatory requirements Explanation: While there are many factors that come into play when setting encryption levels and retention timelines, the most important will be whether there are regulatory requirements that must be adhered to. The regulatory requirements will likely set the minimum encryption levels and retention timelines.

Answer 292

D. Account sharing Explanation: Account sharing is never permitted. Each user on a network should have their own account. Having shared accounts reduces accountability for those using the account and makes it harder to audit who access which devices and when.

Answer 293

B. Archive Explanation: Step 5 of the cloud secure data life cycle is archive. At this step, the data is taken from a location of active access and moved to a static repository. Here, the data can be preserved for a long period of time in case it is needed in the future.

Answer 294

A. Virtualization Explanation: Virtualization is the key driver and base technology used in cloud computing. Without virtualization, cloud computing is not possible. Multitenancy, resource pooling, and rapid elasticity are all features of cloud computing; they are not the key aspects that make cloud computing possible.

Answer 295

A. IDCA ``` Explanation: The IDCA (International Data Center Authority) is responsible for developing the Infinity Paradigm, which is a framework intended to be used for operations and data center design. The Infinity Paradigm covers aspects of data center design, which include location, security, connectivity, and much more. ```

Answer 296

C. HTTP Explanation: The simple object access protocol (SOAP) is used to exchange information between web services. SOAP works by encapsulating its data in a SOAP envelope, then uses common communication protocols to transmit the data. SOAP most commonly leverages HTTP as its communication protocol, but other protocols may also be used.

Answer 297

D. Requirements Explanation: Threat modeling should be performed early in the requirements phase of the SSDLC. The steps are as follows: ``` Define security requirements. Create an application overview. Identify threats. Mitigate threats. Validate threat mitigation. ```

Answer 298

B. Gap analysis Explanation: The current and future IT resource requirements of a business are diverse. To move forward, you must close the gap between where you are now and where you want to be. You can identify all areas in which gaps exist by means of a gap analysis. A feasibility study's output will include data that can be used to conduct a gap analysis. You can supplement that report with additional information to generate your own data for identifying and tracking progress toward closing the gap. Risk and vulnerability assessments are incorrect.

Answer 299

A. VLAN Explanation: VLANs (virtual local area networks) can be used to segment the network without needing to use physical segmentation methods. Because VLANs are not dependent on physical network devices, they can be used across multiple datacenters without concern for geographical location.

Answer 300

D. Insecure deserialization Explanation: Insecure deserialization is listed as on the OWASP Top 10, but it is not one of the CSA's Treacherous Twelve. The twelve included are: ``` Data breaches Insufficient identity, credentials, and access management Insecure interfaces and APIs System vulnerabilities Account hijacking Malicious insiders Advanced persistent threats Data loss Insufficient due diligence Abuse and nefarious use of cloud services Denial of service Shared technology issues ```

Answer 301

A. Reversibility Explanation: Reversibility refers to the process by which customers can retrieve their data and applications and providers can remove data after an agreed-upon period. Reversibility would be critical if a customer switched cloud providers. Auditiability, resiliency and interoperability are other shared cloud considerations.

Answer 302

B. Honeypot Explanation: A honeypot is a system used to trick attackers into thinking it is an actual production system. The honeypot is kept separated and isolated from all other systems on the network. When an attack gains access to a honeypot, it allows administrators to monitor the behavior of the attack and see what they are trying to accomplish on the network.

Answer 303

A. Cloud deployment model Explanation: A cloud deployment model is the way in which a cloud environment is delivered. The four cloud deployment models are public, private, hybrid, and community.

Answer 304

D. IaaS does not provide much scalability Explanation: One pro of IaaS is that, since the cloud customer doesn't have to manage the physical hardware, it offers excellent scalability.

Answer 305

A. Containers Explanation: Containers are a type of virtualized storage that does not present significant compliance concerns on its own. For regulated customers, data location and multitenancy are frequently the primary compliance concerns. GDPR and other privacy requirements place a premium on data custodianship.

Answer 306

B. DNSSEC Explanation: DNSSEC (domain name system security) is a protocol that works as a security addition to the standard DNS (domain name system) protocol. DNSSEC works by ensuring all FQDN (fully qualified domain name) responses are validated.

Answer 307

D. Snapshot Explanation: CSPs and virtualization technologies offer snapshots as a form of backup. A snapshot will capture all the data on a drive at a point in time and freeze it. The snapshot can be used for a number of reasons including: rolling back or restoring a virtual machine to its snapshot state, creating a new virtual machine from the snapshot which serves as an exact replica of the original server and, lastly, copying the snapshot to object storage for eventual recovery. The other options are incorrect.

Answer 308

B. Perform a clean install of the OS Explanation: The first step in creating a baseline image is to perform a clean install of the operating system. This ensures that changes from other images won't be applied to the new image. Once the image is installed, then the other tasks can be performed.

Answer 309

C. Deletion Explanation:The typical attributes of information rights management (IRM) implementations include auditing, expiration, policy control, protection, and support for applications and formats. Deletion is not a typical attribute of an IRM implementation.

Answer 310

C. Security professionals Explanation: It is the security professionals' responsibility to protect their organizations from the threats to cloud computing and mitigate the risks where feasible.

Answer 311

B. Cloud Service Provider (CSP) Explanation: A company or other entity offering cloud services is known as a cloud service provider (CSP).

Answer 312

C. Unauthorized access to data Explanation: Individuals who gain unauthorized access to data are the most common and well understood threat to storage. The unauthorized access can be from an outside attacker, a malicious insider, or a user who may not be malicious but still has access to something they shouldn't.

Answer 313

C. Create Explanation: Data should be classified during the create phase of the data lifecycle. This is the best time to classify data because its value and sensitivity are known by the creator.

Answer 314

C. Cloud Service Customer (CSC) Explanation: In a shared responsibility continuum, the customer takes the larger security role in an IaaS model and the smaller security role in a SaaS model. The cloud service customer would take a balanced role in the PaaS model.

Answer 315

D. ISO/IEC 27018 Explanation: ISO/IEC 27018 is a standard privacy requirement for cloud service providers to adhere to. It is focused on five key principals: communication, consent, control, transparency, and independent and yearly audits. All other options are other standard privacy requirements.

Answer 316

B. Jurisdiction Explanation: When determining a location for a cloud data center, jurisdiction is a major concern. There will most likely be jurisdictional requirements, which could affect the design of the data center. It's vital to note the laws and regulations for the jurisdiction, as well. Encryption, storage, and the management plane are not physical aspects of a cloud data center.

Answer 317

B. RTO Explanation: RTO refers to the recovery time objective. This is not used in a quantitative assessment. ALE (annual loss expectancy), SLE (single loss expectancy), and ARO (annual rate of occurrence) make up the basis for a quantitative assessment.

Answer 318

D. Requirement gathering and feasibility, analysis, design, development/coding, testing, maintenance Explanation: The software development lifecycle (SDLC) is a process/framework for development and coding. The SDLC is made up of six phases to be carried out in the following order: ``` Requirement gathering and feasibility Analysis Design Development/coding Testing Maintenance ```

Answer 319

D. SLA Explanation: Levels of communication service from the CSP should be defined and agreed upon by both parties. This is why it is vital for customers to be accountable for setting SLA terms. SLAs may be adjusted to provide further flexibility, albeit at a significant expense. All other options are various documents that are not applicable to communications.

Answer 320

A. Framework for how to develop, alter, and maintain software Explanation: SDLC stands for the software development lifecycle. It is a framework for how to develop, alter, and maintain software. The framework outlines the software development process from beginning (requirement gathering and feasibility) to end (maintenance).

Answer 321

C. The cloud service customer retains ultimate responsibility for the data's security, regardless of whether cloud or non-cloud services are employed. Explanation: Regardless of whether cloud or non-cloud services are utilized, the data owner (the cloud service customer (CSC)) is ultimately responsible for the data's security. Cloud security encompasses more than data protection; it also encompasses applications and infrastructure.

Answer 322

A.Electric utilities Explanation: The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) is a not-for-profit organization that collaborates with industry stakeholders to set standards for the operations and monitoring of the power system and its enforcement. All other options are types of organizations.

Answer 323

A. HIPAA Explanation: HIPAA (The Health Insurance Portability and Accountability Act) is an industry specific regulatory requirement for U.S. health care organizations.

Answer 324

B. Cloud Controls Matrix Explanation: The Cloud Controls Matrix (CCM) outlines a detailed approach for handling controls in a cloud environment. The Cloud Controls Matrix was developed and published by the Cloud Security Alliance.

Answer 325

C. Shares Explanation: In the event that there are not enough resources to serve all hosts, cloud providers must prioritize and weigh which systems will receive the limited resources available. This concept is known as shares. Reservations refer to the minimum amount of resources that each cloud customer will receive, and limits refer to the maximum that they will receive.

Answer 326

D. Cryptographic erasing Explanation: Cryptographic erasing is a method of data sanitation. Cryptographic erasing is performed using encryption and the destruction of the encryption keys as a method of data destruction.

Answer 327

D. DREAD Explanation: DREAD is a model that was conceptualized by Microsoft and recommended by OWASP. DREAD focuses on coming up with a quantitative value for assessing risk. SDLC, REST, and TOGAF are not threat models.

Answer 328

D. Quality Assurance ``` Explanation: Quality assurance (QA) is centered on service delivery of the application service built in the modern DevOps / DevSecOps process, and it occurs at all phases to assure continuous improvement and quality tracking. When more functional and requirements testing is done, QA is most effective. Testing may be automated to make it even more efficient. ```

Answer 329

C. ITIL Explanation: Uptime Institute, National Fire Protection Association (NFPA), and International Data Center Authority (IDCA) are all institutions which create standards used to govern the design and building of data centers. ITIL (formerly an acronym for Information Technology Infrastructure Library), provides detailed practices for IT service management. These practices focus on aligning IT services with the needs of business instead of creating data center design and building standards.

Answer 330

D. Orchestration Explanation: Orchestration is the term used to describe the large use of automation a cloud environment. The automation is used for tasks such as provisions, scaling, allocating resources, and much more. Orchestration must be used in a way that it doesn't violate a cloud customer's SLA requirements.

Answer 331

B.Data sanitation Explanation: There are many types of data sanitation but not all of them are applicable to cloud environments. For example, physical methods of data destruction, such as incineration, are not available in cloud environments. Cryptographic erasure and overwriting are two examples of data sanitation for cloud environments.

Answer 332

B. Private cloud Explanation: A private cloud is owned, managed, and controlled by a single organization. Unlike a public cloud, hybrid cloud, or community cloud, there is no chance that resources will be shared with another organization on a private cloud.

Answer 333

A. 10 Explanation: The Generally Accepted Privacy Principles (GAPP) is a standard that consists of the 10 key principles listed below. In addition, GAPP is also made up of over 70 privacy objectives and associated methods for measuring and evaluating criteria. ``` Management Notice Choice and consent Collection Use, retention, and disposal Access Disclosure to third parties Security for privacy Quality Monitoring and enforcement ```

Answer 334

A. Security Explanation: The Trust Service Criteria is made up of 5 key principles: Availability, Confidentiality, Process integrity, Privacy, and Security. Security is always required as part of a SOC 2 audit. The other four principles are optional. The security principle is made up of seven categories: Change management, Communications, Logical and physical access controls, Monitoring of controls, Organization and management, Risk management, and Design and implementation controls.

Answer 335

B. Transparency Explanation: GAPP was developed by the American Institute of Certified Public Accountants and the Canadian Institute for Chartered Accountants. It includes ten key privacy principles as listed below: ``` Management Notice Choice and consent Collection Use, retention, and disposal Access Disclosure to third parties Security for privacy Quality Monitoring and enforcement ```

Answer 336

C. Data de-identification Explanation: The three types of data discovery include metadata, labels, and content analysis. Data de-identification refers to processes such as masking, obfuscation, and anonymization of data and not to a method of data discovery.

Answer 337

B. Immutable architecture Explanation: Due to the immutability of cloud infrastructure, it is feasible to easily decommission all virtual infrastructure components utilized by an older version of software and deploy a new virtual infrastructure in cloud settings. Immutable infrastructure is a solution to the problem of systems deviating from baseline settings over time.

Answer 338

A. Cloud service customer Explanation: The consumer will always be responsible for configuring resiliency functions such as automated data replication, failover between CSP availability zones, and network load balancing. The CSP's response is to preserve the capabilities that provide these solutions, but the consumer must construct their cloud system to suit their own resiliency requirements. All other options are roles that support cloud services.

Answer 339

D. RAM and CPU Explanation: Computing and processing capabilities are defined as memory (RAM) and the CPU of the system and environment. This is the same in both cloud environments and traditional datacenters, however, the management of these items are different depending on whether it's a cloud environment or a traditional datacenter.

Answer 340

B. IoT Explanation: The Internet of Things (IoT) refers to the ability of non-traditional computing devices (such as lamps, thermostats, and other smart devices) to access the Internet.

Answer 341

B. Building Explanation: Organizations that are able to build their own data centers will have the most input into everything from physical security to all other aspects of the setup. However, buying or leasing space in an already built data center is a much quicker and easier option for many organizations.

Answer 342

B. Create, store, use, share, archive, destroy Explanation: The phases of the cloud data lifecycle are as follows: Create: Any time data is considered new (this can be brand new data, data migrated from another system, or existing data which is modified), it is in the create phase. Store: Data is stored immediately after it is created. Storing methods include files residing on a file server, remote object storage, and data written to a database. Use: When data is consumed or processed by an application or user, it is in the use phase. Share: When data is made available for use outside of the system it was created in, this is known as the share phase. Archive: The final stage is archive, in which data is moved to long-term storage and no longer considered active. Destroy: As the name suggests, the destroy phase is where data is removed completely. In cloud environments, this is done using methods such as overwriting and cryptographic erasure.

Answer 343

D. VMware Explanation: VUM (virtual update manager) was developed by VMware. It is used to update both the vSphere hosts and the virtual machines which are running under them.

Answer 344

C. Vulnerability scanning Explanation: Vulnerability scanning is often run by organizations against their own systems. It uses known attacks and methodologies to ensure that systems are hardened against known vulnerabilities and threats. Runtime application self-protection (RASP) is a security mechanism that is allows an application to protect itself by responding and reacting to ongoing events and threats. Penetration tests are typically done by a third-party. During a penetration test, the tester will try to break into systems using the same techniques that an actual attacker would use. Static application security testing (SAST) is a test in which the tester has special knowledge of and access to the source code to manually review it for vulnerabilities and weaknesses.

Answer 345

A. Unstructured data Explanation: Unstructured data is all data that doesn't fall into the structured data category. This means that the data doesn't conform to a defined data structure or format. Unstructured data can be binary data or text, and it can be entered via human input or machine generated.

Answer 346

C. Labeling Explanation: Labeling is the process of adding “labels” to data elements. These labels are more informal than metadata and, in order for them to work, they must be configured with consistency throughout the entire organization. Labels are used to group data elements together and provide information about them.

Answer 347

D. Reinforced walls Explanation: Reinforced walls may help to mitigate the risk of certain types of natural disasters. Encryption, multitenancy, and rapid elasticity will not help in the event of a natural disaster.

Answer 348

A. Cross-site scripting Explanation: Cross-site scripting is a type of injection attack in which a malicious actor can send data to a user's browser without going through proper validation. This is listed on the OWASP Top 10, which is an up to date report of the most critical risks and vulnerabilities that affect web applications. Insecure interfaces and APIs, malicious insiders, and advanced persistent threats are not listed on the OWASP Top 10; however, they are listed on the Cloud Security Alliance's Treacherous Twelve, a list similar to the OWASP Top 10 that covers risks and vulnerabilities specifically associated with cloud-based applications and systems.

Answer 349

D. Change management Explanation: The change management process, one of the most well-known components of IT operations, includes all of the processes and procedures needed to make configuration changes to IT systems or to implement any new IT systems into the environment.

Answer 350

D. Thousands Explanation: A traditional data center will likely house thousands of computers for a large enterprise corporation. This means that they will have incredible cooling and utility requirements. On the other hand, a major cloud environment may house hundreds of thousands of servers across many physical locations with their own cooling and utility requirements. In the cloud environment, however, the concern for these requirements is moved away from the cloud customer to the cloud provider.

Answer 351

A. A reservation Explanation: A minimum resource that is granted to a cloud customer within a cloud environment is known as a reservation. With a reservation, the cloud customer should always have, at the minimum, the amount of resources needed to power and operate any of their services. On the flip side, limits are the opposite of reservations. A limit is the maximum utilization of memory or processing allowed for a cloud customer.

Answer 352

D. Testing Explanation: During the testing phase of the SLDC, the completed code is reviewed for problems. It's checked to ensure that it is functioning and operating as expected. This includes having quality assurance check the software for defects and bugs. During testing, the code is also checked using security scans to ensure that it is secure.

Answer 353

D. SaaS Explanation: Software as a Service (SaaS) is a type of cloud service in which the cloud provider maintains and manages everything on the back-end (including the infrastructure, platform, and server OS), and the cloud customer can simply access the software without needing to do any maintenance on it.

Answer 354

D. Canadian Institute for Chartered Accountants Explanation: The Generally Accepted Privacy Principles (GAPP) standard was developed by the American Institute of Certified Public Accountants and the Canadian Institute for Chartered Accountants. The standard includes ten key privacy principles to manage and prevent threats to privacy.

Answer 355

A. DAM Explanation: It is possible to detect malicious commands being executed on your organization's database and to prevent them from being executed with the help of a database activity monitor (DAM). In addition, suspicious activity is monitored, and alerts are sent out when anomalies are discovered.

Answer 356

D. Parallel test Explanation: A parallel test is a type of test for business continuity and disaster recovery (BCDR) plans in which the recovery site is brought online to a state of operational readiness, but operations at the primary site are also maintained and active.

Answer 357

D. Archive Explanation: The data archiving policy will have an effect on the cloud data lifecycle's archive phase. The remaining options correspond to phases of the data lifecycle that are unaffected by the data archive policy.

Answer 358

A. Malicious insider Explanation: A malicious insider is an individual who has been granted appropriate access to complete their job, but then uses that access for unauthorized uses.

Answer 359

B. 4 Explanation: The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. The standard is based on four tiers, which include: Tier I: Basic Capacity Tier II: Redundant Capacity Components Tier III: Concurrently Maintainable Tier IV: Fault Tolerance

Answer 360

A. Operational impact Explanation: Typically, collecting forensic evidence in the cloud has no operational impact. When it comes to collecting forensic evidence, data ownership, multitenancy, and jurisdiction are key considerations for both cloud providers and cloud clients

Answer 361

A. SQL injection Explanation: An SQL injection attack occurs when an attacker sends malicious SQL statements to the application via data input fields. In order to prevent these types of attacks, developers can use techniques such as whitelist input validation, using prepared statements, and escaping all user supplied input.

Answer 362

A. XML external entities Explanation: During development, it's not uncommon for developers to leave comments or notes in their code. While this is not inherently an issue, it can become an issue when the comments and notes are not removed before the code is published. An XML external entity occurs when a developer leaves references to items such as the directory structure of the application, configuration about the hosting system, or any other information about the inner workings of the application itself, in the code. This information can be used by an attacker, if found, to gain unauthorized access to the application.

Answer 363

A. Responsibility is shared between the cloud customer and the cloud provider Explanation: In a Platform as a Service (PaaS) model, platform security is a responsibility that is shared between both the cloud provider and the cloud customer. In an SaaS model, platform security is solely the responsibility of the cloud provider and in an IaaS model, platform security is solely the responsibility of the cloud customer.

Answer 364

C. Cloud service operations manager Explanation: A cloud service operations manager is a role within a cloud service provider. The cloud service operations manager will provide audit data when requested or required, manage inventory and assets, prepare systems for the cloud, and also manage and maintain services.

Answer 365

D. Data at rest Explanation: Data at rest (DAR) refers to data that is in an idle state. This means that the data isn't currently being moved between systems and it's not currently being used by an application. The best way to protect data at rest is by using file level and storage level encryption methods. The encryption methods will vary depending on how the data is stored.

Answer 366

A. NIDS Explanation: A network intrusion detection system (NIDS) analyzes all of the traffic on the network and detects possible intrusions. It can send an alert out to administrators to investigate. A host intrusion detection system (HIDS) runs on a single host and analyzes all inbound and outbound traffic for that host to detect possible intrusions. An intrusion prevention system (IPS) works in the same manner as a NIDS, but it also has the capability to prevent attacks rather than just detect them. A honeypot is an isolated system used to trick an attacker into believing that it is a production system.

Answer 367

D. XML external entities Explanation: XML external entities refer to references, such as the application directory structure or the configuration of the hosting system, that should be removed from the code, but are left in by accident. These items can provide information to an attacker that may allow them to circumvent authentication measures to gain access.

Answer 368

C. It is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment. Explanation: Many believe that moving from a traditional data center model to a cloud environment is a completely simple, easy, and seamless process. This is not the case in most situations. In fact, it is unlikely that an application from a traditional data center model can simply be picked up and dropped into a cloud environment without requiring any code changes. Many data centers use legacy systems that are not programmed to work in a rapidly changing cloud environment. In most cases, controls and configurations that have been in place at a traditional data center will need to be reworked and reengineered to function in a cloud environment.

Answer 369

B. After replacing a hard drive, a user smashed the old hard drive with a hammer so that data couldn't be recovered from it Explanation: Data sanitation means that data is removed (or sanitized) from old equipment or an old environment. In this scenario, destroying a hard drive prevents the data from being recovered; therefore, this data has been sanitized. In a cloud environment, sanitizing data becomes more difficult, since methods such as destruction, shredding, and incineration are not options in the cloud.

Answer 370

D. Documentation Explanation: Monitoring your security controls should begin with documentation that details the purpose and implementation of each control. Additionally, you should have process documentation on how to monitor each security control. A vulnerability assessment is an effective method of determining the efficiency of your controls indirectly, while SIEM tools and a Security Operations Center are critical components of security monitoring.

Answer 371

D. Reporting Explanation: Security and information event management (SIEM) systems provide a great number of functions, including reporting, compliance, dashboards, alerting, aggregation, and correlation. Despite all of these functions, SIEMs are not able to block malware, encrypt data, or backup data.

Answer 372

A. Availability Explanation: Resource pooling allows a cloud customer to quickly scale resources up or down as needed. The CSP ensures that resources are available when the cloud customer needs them. Resource pooling occurs when a cloud service provider groups its resources for shared use between multiple cloud customers. This also allows the CSP to scale resources up and down on a per-customer basis. All other options are security principles.

Answer 373

B. Password and fingerprint scan Explanation: In multi-factor authentication (MFA), users must have two separate and unique factor types. MFA factors include something you know (password, pin, passphrase), something you have (key card, smart card), and something you are (biometrics). Of the options given, the password and fingerprint scan combination is the only option which includes two unique types of factors.

Answer 374

D. Approved Application Programming Interface Explanation: An approved API is critical for ensuring the security of system components we are interacting with. Enforcing the usage of APIs to reduce the number of ways for accessing application services simplifies their monitoring and protection.

Answer 375

C. Qualitative assessment Explanation: There are two main assessment types that can be done for assessing risk: qualitative assessments and quantitative assessments. While quantitative assessments are data driven, focusing on items such as single loss expectancy, annual rate of occurrences, and annual loss expectancy, qualitative assessments are descriptive in nature and not data driven.

Answer 376

D. Something the user is Explanation: In multi-factor authentication (MFA), users are required to use two or more types of authentication components. Authentication types include something the user knows (pin, passwords), something the user has (RSA token, key card), or something the user is (retina scan, fingerprint scan). Other less common authentication types include somewhere the user is (location-based) and something the user does (behavioral).

Answer 377

C. Single sign-on Explanation: Through the usage of single sign-on (SSO), an organization's users can authenticate once and share their identity attributes across numerous cloud services. This enables users to submit their credentials only once, rather than each time an application is accessed. Configuration of single sign-on occurs at two levels: the identity provider and the application. Applications are configured to have a high level of trust in identity providers. A successful authentication results in the issuance of a digital security token signed with the identity provider's private key. This means that the application does not receive the user's actual credentials. Instead, apps will use the public key of the identity provider to authenticate the digitally signed token.

Answer 378

A. Political borders Explanation: When it comes to evaluating cloud providers' services, customers are not constrained by political borders. The opportunity to expand into new locations introduces a new set of risks for organizations. Having data stored in many foreign jurisdictions creates legal and regulatory challenges. Customers of cloud computing are impacted by a variety of legal requirements, varying legal systems and frameworks between countries, and the complexities of conflicting law.

Answer 379

A. Hypervisor Explanation: In an IaaS environment, the cloud customer will likely have access to logs from the operating system, the virtual devices, and the applications that they are using. However, it's unlikely that the cloud customer will have access to any logs from the hypervisor itself. If the cloud customer wanted logs from the hypervisor, they would need to work with the cloud provider and have something written into their contract. Even though the cloud customer has access to the logs from the operating systems, virtual servers and devices, and the applications, they will still likely need some method to aggregate all of these logs.

Answer 380

B. Two layers Explanation: Database storage systems are generally encrypted with two layers of encryption. First, the files on the database can be protected through a file system level encryption. Second, encryption can be used within the application itself.

Answer 381

A. Infrastructure as Code (IaC) Explanation: The use of Infrastructure as Code, in which the system architecture is defined in a definition file that the CSP uses to spin up a virtual infrastructure. The definition files are frequently used to establish virtual infrastructure in PaaS setups. All other options are incorrect.

Answer 382

B. SOC 1 Type 1 Explanation: A SOC 1 Type 1 report is focused on the effectiveness of controls during a set point in time. A SOC 1 Type 2 report is focused on the effectiveness of controls over a period of at least six months rather than a finite period in time. SOC 1 Type 3 and 4 do not exist.

Answer 383

C. Insufficient due diligence Explanation: When a security team or organization doesn't perform proper due diligence (such as performing risk assessments and ensuring that the new cloud provider has the proper security procedures in place) it creates threats and problems that could have been addressed before moving to the new environment. Through active due diligence, such as training and maintaining proper procedures, many common threats and risks can be avoided.

Answer 384

D. SOC 3 Explanation: SOC 3 reports are meant to be consumed and reviewed by the general public. SOC 3 allows for a much wider audience than the other reports listed. SOC 3 reports are meant to be consumed by a large audience to instill confidence that the organization's systems are secure.

Answer 385

D. Unstructured data Explanation: Unstructured data is a data type that can't be easily used (or used at all) in a structured, rigid, or formatted database.

Answer 386

C. Define objectives Explanation: Audit planning is made up of four main steps which occur in the following order: Define objectives Define scope Conduct the audit Lessons learned and analysis Defining the objectives must be the first step of the audit plan because it will lay the groundwork for the rest of the plan.

Answer 387

B. Data is secure no matter where it is stored. Explanation: Persistent protection ensures that data is preserved or protected regardless of the location of the data, including reproduction of the data. All other options are descriptions of functionalities provided by other features of data rights management solutions.

Answer 388

A. Confidentiality Explanation: Customers often select standalone hosts because they ensure that their data will not be commingled with other tenants. This is helpful for compliance purposes and also supports data confidentiality. Standalone hosts are not well-known for ensuring data integrity and availability. However they do help support other technologies.

Answer 389

B. PHI Explanation: PHI (protected health information) is a subset of PII (personally identifiable information). PHI applies to any entity defined under the U.S. HIPAA (health information portability and accountability act) laws. Any information that can be tied to a unique individual as it related to their past, current, or future health status is considered PHI.

Answer 390

A. Undergo a SOC 2 audit Explanation: A SOC 2 (Service Organization Control 2) audit reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy. A cloud provider may choose to have a SOC 2 audit done and make the report available to the public. This allows for potential customers to have a sense of confidence that the environment is secure without needing to do an audit of their own.

Answer 391

A. GDPR Explanation: The General Data Protection Regulation (GDPR) was officially implemented by the European Union (EU) on May 25, 2018. GDPR is a massive undertaking to give users full control over their personal data and how it is used.

Answer 392

C. Restriction Explanation: The Generally Accepted Privacy Principles (GAPP) includes 10 key privacy principles and over 70 privacy objectives and methods for measuring and evaluating criteria. The 10 key privacy principles are listed below: ``` Management Notice Choice and consent Collection Use, retention, and disposal Access Disclosure to third parties Security for privacy Quality Monitoring and enforcement ```

Answer 393

A. Availability Explanation: A host cluster is a pool of hosts connected together to operate as a single host. The cluster helps protect against failures of a single machine, through redundancy. This provides availability assurance. A clustered host is not well known for ensuring data integrity and confidentiality. However, they do help support other technologies.

Answer 394

B. Community cloud Explanation: A community cloud is a type of cloud that exists between public and private clouds. The community cloud was designed to meet the requirements of multiple organizations operating in the same industry. Universities frequently form research consortiums, which can be supported by a community cloud.

Answer 395

D. Virtualization Explanation: The cloud service provider (CSP) is always responsible for managing the virtualized environment. Virtualization enables server sharing, and the CSP allocates resources to a diverse set of services and clients. While the consumer is always responsible for their data, the operating system, networking, and storage responsibilities change according to the cloud service model. Storage, networking, databases and orchestration are other cloud building block technologies.

Answer 396

D. Elasticity Explanation: Elasticity increases and decreases resources as needed, but unlike scalability, elasticity is done automatically. Elastic resources are based on the current needs and resources are added and removed dynamically to meet those needs from a variety of geographical locations.

Answer 397

D. BICSI Explanation: BICSI (Building Industry Consulting Service International) has been around since 1977. Of the all the standards that BICSI has developed, the ANSI/BICSI 002-2014 is the most prominent. This standard is "Data Center Design and Implementation Best Practices." In this standard, items such as hot/cold aisle setups, power specifications, and energy efficiency are all covered.

Answer 398

A. BIA ``` Explanation: A BIA (business impact analysis) can be done to identify the most important systems to an organization. The BIA can help to identify which services and systems need to be prioritized and which can endure a longer outage. ```

Answer 399

B. RDP Explanation: RDP (remote desktop protocol) is a proprietary technology, developed by Microsoft, that allows a user to connect to another remote computer over the network and utilize a GUI to control the remote computer. Microsoft has also created clients so that Linux and UNIX systems can utilize RDP to connect Microsoft systems.

Answer 400

C. Vendor lock-in Explanation: Cloud customers should avoid vendor-lock in. Vendor lock-in occurs when an organization is unable to easily move from one cloud provider to another without incurring extremely high costs. Vendor lock-in can occur when a specific cloud provider requires the cloud customers to purchase expensive proprietary systems.

Answer 401

A. United States Explanation: Of this list, the United States is the only locale that does not have a unified privacy law at the federal level. However, some states do have privacy laws, such as the California Consumer Privacy Act (CCPA). All other options have national or regional data privacy regulations.

Answer 402

D. Dynamic Explanation: Obfuscation of data can be done statically or dynamically. The static technique creates a new data set as a copy of the original data and uses only the concealed copy. When the customer support agent accesses the data via the dynamic method, the data is masked as it is used. All other options are incorrect.

Answer 403

C. Multiple cloud customers sharing the same computing resources of a cloud provider Explanation: Multitenancy refers to when multiple cloud customers share the same computing resources of the cloud provider. With multitenancy, it's very important that the cloud provider has security measures put in place so that confidential data is not visible to the other organizations that share the same resources.

Answer 404

A. RASP Explanation: Runtime Application Self-Protection (RASP) is a security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats in real-time. Dynamic application security testing (DAST) is a "black-box" type of security test, meaning that the tester is not given any special information about the systems they are testing. Static application security testing (SAST) is a "white-box" type of test, meaning that the tester has knowledge of and access to the source code. Vulnerability scanning is a test that is run on systems to ensure that the systems are properly hardened and there are not any known vulnerabilities in the system.

Answer 405

C. ARO and SLE Explanation: In order to find annual loss expectancy, you must first know the values for annual rate of occurrence (ARO) and single loss expectancy (SLE). The equation used to find annual loss expectancy (ALE) is SLE X ARO = ALE.

Answer 406

A. Repudiation Explanation: The STRIDE threat model has six threat categories, which include spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privileges. Logs being erased or wiped is a type of repudiation threat. Keeping accurate and comprehensive logs is vital to an organization, as it can prevent a user from denying that they made a change when they actually did.

Answer 407

B. Single sign-on Explanation: Single sign-on (SSO) allows an individual to authenticate once using a single set of authentication credentials and be given access to other independent systems. SSO is beneficial for many reasons, one being that it allows users to create one strong set of credentials that they will remember, rather than having them create many weaker passwords that they are likely to forget.

Answer 408

B. take the level of concern away from the cloud customer and place it onto the cloud provider. Explanation: While it may seem that a cloud infrastructure is completely different from that of a traditional data center, all the components that exist in a traditional data center are still needed in the cloud. The main difference is that within a cloud environment, the responsibility and level of concern is moved away from the cloud customer to the cloud provider.

Answer 409

D. Governance, risk, and compliance Explanation: Whichever deployment approach is adopted, the organization is ultimately responsible for governance, risk, and compliance. All other options may be under the organization's control depending on the cloud model used.

Answer 410

A. Testing Explanation: During the testing phase, security scans are run against the actual code and the completed application as it runs. This is also the phase in which the code is checked for syntax errors and problems. The output of the testing phase is a report which outlines the deficiencies and successes found during the testing phase.

Answer 411

B. Consent Explanation: The ISO/IEC 27018 is a standard which is focused on the security of cloud computing. The five key principles of ISO/IEC 27018 include communication, consent, control, transparency, and independent and yearly audits. Consent refers to cloud providers getting explicit permission from a cloud customer before they can use their data or information in any way.

Answer 412

A. TLS handshake protocol and TLS record protocol Explanation: TLS (transport layer security) replaced SSL (secure socket layer) as the standard method for encryption of traffic across a network. TLS is made up of two main layers. The first layer is the TLS handshake protocol. This protocol is what negotiates and establishes the actual TLS connection. The second layer is the TLS record protocol. The TLS record protocol is the actual secure communication method for transferring the data.

Answer 413

B. Compute parameters Explanation: The compute parameters and processing power of a cloud environment is made up by the number of CPUs and the amount of RAM in the system or environment. In a cloud environment, compute parameters can be more difficult to manage and plan due to resource pooling and multitenancy.

Answer 414

D. Backup methods Explanation: As soon as the data enters the store phase, it's important to immediately employ the use of backup methods on top of security controls to prevent data loss.

Answer 415

C. Ephermeral Explanation: Temporary storage and data are stored in ephemeral storage solely for processing purposes. Ephemeral storage is not intended to provide long-term data storage. Ephemeral storage is similar to random access memory (RAM) and other non-permanent storage technologies. All other options are different forms of storage that are utilized for different purposes.

Answer 416

A. Federation Explanation: Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity systems while keeping their autonomy. Identification is the process of pinpointing either a system or individual in a way where they are distinctive from any other identify. Authorization is the process of granting access to resources. Auditing is the process of ensuring compliance with policy, guidelines, and regulations.

Answer 417

A. Data steward Explanation: While the data owner maintains sole responsibility for the data and the controls surrounding that data, there is sometimes the additional role of data steward, who will oversee data access requests and the utilization of the data.

Answer 418

B. A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors. Explanation: A compromised hypervisor can have serious consequences. If an attacker can compromise a hypervisor, they will then have access to all the virtual machines that are hosted on that hypervisor. In addition, the attacker could use the hypervisor as a launching pad for additional attacks on other hypervisors, since each hypervisor plays a central role in the cloud environment.

Answer 419

A. Accept the risk Explanation: For some risks, the cost to mitigate the risk would outweigh the cost of accepting the risk and dealing with any potential fall out that would come if the risk was realized. In these scenarios, the organization will often simply accept the risk and deal with the exploit when or if it were to occur.

Answer 420

C. Problem management Explanation: The focus of problem management is to identify and analyze potential issues in an organization to determine the root cause of that issue. Problem management is responsible for implementing processes to prevent the issues from occurring in the future.

Answer 421

A. Dynamic optimization Explanation: Dynamic optimization is the process in which cloud environments are constantly monitored and maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn't become overloaded. Distributed resource scheduling is a method for providing high availability, workload distribution, and balancing of jobs in a cluster. When a host is in maintenance mode, no virtual machines can run under that physical host. High availability is the concept that systems experience little to no downtime.

Answer 422

C. SOX Explanation: The Sarbanes-Oxley Act (SOX) regulates how long financial records must be kept. SOX is enforced by the Securities and Exchange Commission (SEC). SOX was passed as a way to protect stakeholders and shareholders from improper practices and errors.

Answer 423

B. MDM Explanation: MDM (mobile device management) is the term used to describe the management and maintenance of mobile devices (such as tablets and mobile phones) that have access to corporate resources. Usually, MDM software will be installed on the devices so that the IT staff can manage the devices remotely in the case of a lost or stolen device.

Answer 424

C. Data lake Explanation: A data lake is an unstructured data storage mechanism with data often stored in files or blobs. All other options are data storage mechanisms.

Answer 425

C. Define objectives, define scope, conduct the audit, lessons learned Explanation: There are four main steps in audit planning as listed below in the correct order: Define objectives Define scope Conduct the audit Lessons learned (and analysis)

Answer 426

A. Object storage Explanation: Object storage utilizes a flat system and assigns files and objects a key value (ID) that can be used to retrieve the files later. This differs from traditional storage, which uses a directory and tree structure.

Answer 427

C. Management plane Explanation: The management plane provides access to manage all the hosts within a cloud environment. If the management plane were to be compromised, the attacker would then have full control over the cloud environment. The severity of a compromised management plane outweighs that of a compromised hypervisor, virtual machine, or router. For this reason, only a limited and highly vetted group of administrators should have access to the management plane, and access should be audited regularly.

Answer 428

B. NIST Explanation: The National Institute of Standards and Technology (NIST) defines cloud computing in the Special Publication (SP) 800-145 as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Answer 429

C. Backups Explanation: The management plane can be used to allow administrators to quickly make changes across all of the hypervisors and hosted systems in an environment. If the management plane were to be compromised, it would give the attacker full control of all hypervisors and hosted systems in the environment. This means that protecting the management plane from attackers is of the utmost importance. In order to protect the management plane from attackers, special considerations should be made to ensure the use of secure communications, network separation, and access control.

Answer 430

B. Type 1 hypervisor Explanation: A type 1 hypervisor, also known as a bare-metal hypervisor, runs directly on the machine's physical hardware, unlike type 2 hypervisors that are software-based. VMware ESXI is an example of a type 1 hypervisor.

Answer 431

B. Auditability Explanation: Auditability is the process of gathering and making available the evidence necessary to demonstrate the operation and use of the cloud. It is good to keep in mind that a CSP will rarely allow a customer to perform an audit on their controls. However, a CSP usually does supply third-party attestations under NDA. All other options are shared cloud considerations.

Answer 432

B. VLAN ``` Explanation: A VLAN (virtual local area network) is a network concept which allows for logical network segregation and isolation of systems. This is done by establishing virtual network segments with their own IP ranges and firewall settings that are separate from other segments of the network. ```

Answer 433

B. Authentication Explanation: Data masking does not provide any form of authentication. All the others are good examples of data masking in action.

Answer 434

C. ISO/IEC 27050 Explanation: The ISO/IEC 27050 standard provides guidelines for eDiscovery processes and best practices. ISO/IEC 27050 covers all steps of eDiscovery processes including identification, preservation, collection, processing, review, analysis, and the final production of the requested data archive.

Answer 435

C. IPsec can provide end-to-end encryption of all communications and traffic because it operates at the Internet level ``` Explanation: The IPsec (IP Security) and TLS (Transport Layer Security) protocols are both protocols to encrypt traffic as it moves through a network. The main difference between the two (which causes IPsec to stand out), is that IPsec operates at the Internet network layer rather than the application layer (like TLS). Because IPsec operates at the network layer, it is able to provide complete end-to-end encryption of all communications and traffic. ```

Answer 436

B. A set of controls and practices put in place to ensure that data is only accessible to those authorized to access it Explanation: Data loss prevention refers to a set of controls and practices put in place to ensure that data is only accessible to those authorized to access it. Tokenization is the practice of utilizing a random or opaque value to replace what would otherwise be sensitive data. Key management is the practice of safeguarding encryption keys. Data de-identification is the method of using masking, obfuscation, or anonymization to protect sensitive data.

Answer 437

C. Maintenance Explanation: The maintenance phase of the software development lifecycle is the final stage, and it will go on through the entire lifetime of the software or application. The maintenance phase includes pushing out continual updates, bug fixes, security patches, and anything else needed to keep the software running securely and operating as it should.

Answer 438

D. Impact and urgency Explanation: To ensure an incident is dealt with correctly, it is important to determine how critical it is and prioritize the response appropriately. Urgency and impact are assigned values from Low, Medium, or High, and incidents that are high priority are handled first.

Answer 439

A. Multitenancy Explanation: Cloud providers will often have numerous customers sharing the same environment. However, it falls to the cloud provider to ensure that all the data between these customers is not visible to the others and is isolated from one another.

Answer 440

D. The illicit or unauthorized copying of data is prohibited. Explanation: Replication restrictions ensure that no unauthorized or unlawful copying of protected data occurs. All other options are descriptions of functionalities provided by other features of data rights management solutions.

Answer 441

D. Non-repudiation Explanation: The capacity to affirm the origin or authenticity of data with a high degree of assurance is referred to as non-repudiation. This is accomplished through the use of digital signatures and hashing to ensure that data has not been altered in any way. This idea is complementary to chain of custody in terms of maintaining the legitimacy and integrity of data.

Answer 442

D. Volume Explanation: Used in IaaS cloud environments, volume storage involves a virtual hard drive which is attached to the virtual host. The host is able to access the virtual hard drive in the same way a computer accesses a traditional hard drive.

Answer 443

A. IaaS Explanation: IaaS (infrastructure as a service) is often also referred to as "data center as a service." This is because the cloud provider is the one to provide and maintain all of the infrastructure devices. However, the cloud customer is responsible for the management of everything on the devices, from the storage to the operating systems to the applications installed.

Answer 444

A. Auditing Explanation: Auditing is the process of ensuring compliance with policy, guidelines, and regulations. Identification is the process of pinpointing either a system or individual in a way where they are distinctive from any other identify. Authorization is the process of granting access to resources. Federation is the process of implementing standard processes and technologies across various organizations so that they can join identity systems while maintaining their autonomy.

Answer 445

D. Firewall Explanation: The firewall is the main device that is used to manage the flow of traffic in and out of the network based on rules configured on the firewall. Firewalls can be virtual devices or physical devices.

Answer 446

D. Discretionary Access Control Explanation: The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database. All other options are access control models.

Answer 447

D. All phases of the cloud data lifecycle. Explanation: Data destruction policies encompass all phases of the data lifecycle. This is because data destruction may occur at all phases of the cloud data lifecycle.

Answer 448

D. Restrict Explanation: ISO/IEC 27018 is an international standard for security and privacy in cloud computing. The five key principles of ISO/IEC 27018 are communication, consent, control, transparency, and independent and yearly audits. Restrict is not one of the key principles.

Answer 449

A. PCI DSS Explanation: Due to the merchant's involvement with debit or credit cards, they must conform to the Payment Card Industry Data Security Standard (PCI DSS) framework. PCI DSS compliance is a contractual requirement. This is true regardless of local rules and regulations regarding cardholder data. Much of the PCI DSS is comprised of generic suggestions regarding the most effective security controls to implement in order to limit risk. All other options are compliance standards.

Answer 450

A. Reservations Explanation: Reservations refer to the minimum guaranteed amount of resources that a cloud customer will receive, regardless of the resources being used by other cloud customers. This guarantees that the cloud customer will always have, at the very least, the minimum amount of resources needed to power and operate their services. Because of ideas such as multitenancy, in which many cloud customers are utilizing the same pool of resources, reservations protect cloud customers in the event that a neighboring cloud customer experiences an attack which causes them to overuse resources, making them limited.

Answer 451

D. The Cloud Service Customer (CSC) is responsible for the maintenance and versioning of the apps they acquire and develop in a PaaS solution. The Cloud Service Provider (CSP) is responsible for the platform, tools, and underlying infrastructure. Explanation: In the PaaS cloud service model, the CSC is in charge of maintaining and versioning the apps they acquire and develop. The CSP is responsible for the platform and tools supplied by the PaaS solution, as well as the underlying infrastructure. SaaS and IaaS are other cloud service models.

Answer 452

C. DLP Explanation: DLP stands for data loss prevention or data leakage prevention. As the name suggests, DLP is a set of controls that is used to ensure that data is only accessible to those who should have access to it. DLP control sets, practices, and measures will vary from organization to organization.

Answer 453

C. Encryption Explanation: In order to secure data in a multitenancy and resource pooling cloud environment, encryption is required. There are different types of encryption for data at rest, data in use, and data in transit.

Answer 454

A. Discretionary Access Control Explanation: The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database. All other options are access control models.

Answer 455

B. 64.4 - 80.6 degrees F Explanation: According to ASHRAE (American Society of Heating, Refrigeration, and Air Conditioning Engineers), the recommended temperature for a data center is a minimum of 64.4 degrees F, and a maximum of 80.6 degrees F. This is 18 - 27 degrees C.

Answer 456

C. Development Explanation: The development phase entails the coding of software components as well as the integration and construction of the overall solution.

Answer 457

B. Information storage and management Explanation: Information storage and management is the classic form of storing data within databases that the application uses and maintains. This storage method is used in software as a service (SaaS) offerings. The other type of SaaS storage is content and file storage in which the SaaS application allows for data to be uploaded that is not part of the underlying database. Volume and object storage are used in IaaS environments rather than SaaS.

Answer 458

A. Any systems that will interact with federal agencies Explanation: Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government.

Answer 459

A. SOC ``` Explanation: A SOC (security operations center) is a group of individuals who focus solely on the monitoring, reporting, and handling of any security issues for an organization. SOC engineers will typically be responsible for monitoring the logs within a SIEM if there is one in place. SOCs are usually staffed 24/7 to ensure that someone is available in the event of a security incident. ```

Answer 460

B. CDN Explanation: A content delivery network (CDN) provides globally-distributed object storage, allowing an organization to keep data as close to users as possible. As a result, end users benefit from reduced bandwidth consumption and decreased latency because they can pull from a server closer to their geographic location. Software defined storage (SDS), Software defined networking (SDN) and storage area network (SAN) are incorrect options.

Answer 461

C. Hash values Explanation: It's very important to ensure that security patches that are downloaded are actually from the vendor and have not been modified by an attacker. In many cases, vendors will provide a hash value that can be used to check and validate the download of the patch file. When these hash values are available, they should be used to validate and ensure that the patch file matches what the vendor has provided.

Answer 462

A. Capacity management Explanation: Capacity management is a critical component of any IT system's overall operation. If a system is under-provisioned, services and performance will suffer, perhaps resulting in business or reputation damage. Capacity management focuses on the system resources required to offer acceptable performance in order to meet SLA criteria while remaining cost-effective. All other options do not support capacity management.

Answer 463

D. Management plane Explanation: In virtual environments, the management plane has access to all of the hypervisors and hosted systems. While this creates ease of use for administrators, it can also lead to security risks. If an attacker were able to compromise the management plane, they would be able to compromise all of the hypervisors and hosted systems in the environment.

Answer 464

A. GLBA Explanation: The Gramm-Leach-Bliley Act (GLBA) would be most applicable. GLBA is a U.S. federal law that requires financial institutions to disclose how they share and protect their customers' private information. GLBA is widely regarded as the most comprehensive federal data privacy and security legislation. Health care businesses are subject to the Health Insurance Portability and Accountability Act (HIPAA). Sarbanes-Oxley (SOX) protects individuals in publicly-traded firms against accounting errors and fraudulent practices. The Stored Communications Act (SCA) guards against illegal access to and interception of electronic communications and computer services.

Answer 465

A. Monitoring Explanation: Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and monitoring. The monitoring stage is the core purpose of a DLP strategy as it involves watching the data move through its various states.

Answer 466

E. Measure of RTO disaster recovery activities should systems need restoration after a successful exploitation Explanation: The measure of RTO disaster recovery activities should systems need restoration after a successful exploit is not checked when using the DREAD threat model. The DREAD threat model focuses on the quantification of risk and threat evaluation. DREAD is based on the equation below, which calculates the value based on risk quantification in specific categories, with a value ranging from 0 to 10: Risk DREAD = (Damage + Reproducibility + Exploitability + Affected users + Discoverability) / 5

Answer 467

D. Separation of system and user functionality Explanation: Separating system and user functions is critical for system and communication security. Separation of duties is a key security concept that protects users from modifying or incorrectly configuring systems and communication processes.

Answer 468

A. XML Explanation: Software components process and send data in a variety of ways between themselves and storage media. Extensible Markup Language (XML) is a standard information exchange format that employs tags to define data and is transmitted using the HTTP/S or SMTP protocols. All other options are incorrect.

Answer 469

B. Software-defined networking Explanation: In software defined networking, decisions regarding where traffic is filtered and sent are separate from the actual forwarding of the traffic. This separation allows network administrators to quickly and dynamically adjust network flows based on the needs of customers. Software defined networking is often shortened as SDN.

Answer 470

A. ISO/IEC 11889 Explanation: ISO/IEC 11889 specifies how various cryptographic techniques and architectural elements are to be implemented. It consists of four parts including an overview of architectures of the TPN, design principles, commands, and supporting code. All other options are ISO/IEC standards that apply to other types of technologies.

Answer 471

D. Data owner Explanation: A data owner is the party that maintains full responsibility and ownership of data. Data owners determine the appropriate controls that are necessary to protect that data. The data owner also determines appropriate use of the data.

Answer 472

C. 60 percent relative humidity Explanation: The recommended maximum moisture level in a data center is 60 percent relative humidity. The recommended minimum is 40 percent relative humidity. When there is too much moisture in the air, it can cause condensation to form, which may damage the systems. In addition, having the humidity levels too low may cause an excess of electrostatic discharge.

Answer 473

D. CSA Explanation: The cloud security alliance (CSA) is an organization that offers guidance to organizations deploying a cloud environment. OWASP, IANA and IEEE are other guidance organizations.

Answer 474

D. Cross-site scripting Explanation: Cross-site scripting (XSS) is a type of injection attack. XSS attacks occur when an attacker is able to send data to a user's browser without having to go through any validation process. Essentially, the victim visits a website or web application which delivers and executes the malicious code to the user's browser. Web forums and message boards are common locations to find XSS attacks.

Answer 475

C. Development Explanation: As each portion of code is created and completed, functional testing is done on it by the development team. This testing is done to ensure that it compiles correctly and operates as intended.

Answer 476

D. Formal patch management Explanation: When using a vendor or proprietary API, it is unlikely that you will have access to review or make changes to the source code. It's also unlikely that a vendor or proprietary API will be free to use. These are all generally features of using an open source API. One benefit of using a proprietary or vendor API is that it will likely include formal patch management.

Answer 477

C. Direct identifier Explanation: PII (personally identifiable information) is broken up into direct and indirect identifiers. A social security number is enough to identify a person without requiring more information, making it a direct identifier. An example of an indirect identifier would be a zip code. Nondescript and descript identifiers are not real types of PII.

Answer 478

A. Metered usage that changes based upon resource utilization Explanation: In an IaaS environment, the customer can expect to only pay for the resources that they are using. This is far more cost effective and allows for greater scalability. However, this type of billing does mean that the price is not locked-in and it could change as the need for resources either increases or decreases from month to month.

Answer 479

A. eDiscovery in a traditional data center is typically easier and less complex than eDiscovery in a cloud environment. Explanation: Within a traditional data center environment, any systems needed for an investigation can easily be physically isolated and preserved. In a cloud environment, most cloud customers do not own their own hardware, but instead share physical hardware in a multi-tenant cloud. Due to this, eDiscovery is typically easier and less complex in a traditional data center than in a cloud environment.

Answer 480

C. GDPR has no impact on organizations operating outside of the EU. Explanation: The General Data Protection Regulation (GDPR) is a regulation which focuses on protecting the data of EU citizens regardless of where the data was created, collected, processed, or stored. This means that if a citizen of the EU utilizes a website that is run by an organization outside of the EU, that organization is still required by law to adhere to GDPR.

Answer 481

A. PaaS Explanation: Platform as a Service (PaaS) provides organizations with a place to develop and maintain software and applications without needing to maintain the infrastructure or the server operating systems. This allows the developers and programmers to focus strictly on the tasks that they excel at, such as creating new applications.

Answer 482

C. IaaS Explanation: In the Infrastructure as a Service cloud service model, the cloud customer shares responsibility with the cloud provider for infrastructure security. In both PaaS and Saas models, the cloud provider is solely responsible for security at the infrastructure level.

Answer 483

A. Multitenancy Explanation: Multitenancy describes the scenario in which cloud providers have multiple customers sharing the same pool of resources or residing within the same environment. These cloud customers are kept isolated from each other for security purposes.

Answer 484

B. Regulator Explanation: As a CCSP, you are responsible for ensuring that your organization's cloud environments adhere to all applicable regulatory requirements. By staying current on regulatory communications surrounding cloud computing and maintaining contact with approved advisors and, most crucially, regulators, you should be able to assure compliance with legal jurisdictions. All other options are roles within the organization.

Answer 485

B. Type 2 hypervisor Explanation: Type 2 hypervisors are dependent and run off of the host operating system rather than being tied directly into the hypervisor hardware in the way Type 1 hypervisors are. Bare metal hypervisors are another name used for type 1 hypervisors. Full service hypervisors are not an actual type of hypervisor.

Answer 486

D. Discretionary Access Control Explanation: The owner of a document is responsible for defining the limits on a per-document basis under a discretionary access control (DAC) model. This entails manually configuring sharing for documents that contain user authentication information for a database. All other options are access control models.

Answer 487

B. CMDB Explanation: The organization's configuration management database (CMDB) should capture all configuration items (CI’s) that have been placed under configuration management. This database can be used for manual audits as well as automated scanning to identify systems that have drifted out of their secure state.

Answer 488

C. Cloud platforms offer increased scalability and performance. Explanation: Cloud environments are attractive to organizations because they offer increased scalability and performance. While it's possible that moving to the cloud can be less expensive than traditional data centers, that is not always the case. Sometimes cloud platforms can come with hidden costs that weren't initially expected. Cloud platforms come with their own set of security risks and, while some are the same as the risks you'd see in a traditional data center, some are different as well.

Answer 489

C. Monitoring Explanation: Data loss prevention (DLP) is comprised of three major components including discovery and classification, enforcement, and monitoring. The monitoring stage is the core purpose of a DLP strategy as it involves watching the data move through its various states.

Answer 490

B. Define scope, gather requirements, analyze, assess risk, design, implement, test, report and revise Explanation: When developing a business continuity and disaster recovery (BCDR) plan, the following order should be followed: ``` Define scope Gather requirements Analyze Assess risk Design Implement the plan Test the plan Report and revise ```

Answer 491

B. Data dispersion Explanation: When a customer's data is distributed (or dispersed) throughout numerous geographic locations, this is known as data dispersion. Data dispersion can be used for disaster recovery purposes as it mitigates the risk of permanently losing data due to a disaster that occurs in one location.

Answer 492

C. Shared technology issues Explanation: Shared technology issues occur in the cloud whenever there is a multitenancy and resource pooling environment that the cloud provider has not properly secured. Multitenancy and resource pooling are both very common practices in cloud computing; but, when they are being used, it is up to the cloud provider to add additional layers of security to ensure that each cloud customer has access to only their own data and not others' who may be sharing the same environment.

Answer 493

A. IaaS Explanation: Each cloud service model uses different types of storage as shown below. Infrastructure as a Service (IaaS): Volume, Object Platform as a Service (PaaS): Structured, Unstructured Software as a Service (SaaS): Content and file storage, information storage and management DaaS is not a real type of cloud service model.

Answer 494

C. Multitenancy Explanation: Multitenancy describes the scenario in which cloud providers have multiple customers sharing the same pool of resources or residing within the same environment. These cloud customers are kept isolated from each other for security purposes.

Answer 495

A. Limits Explanation: Limits and reservations are both terms referring to how resources are allocated in a cloud environment. Reservations refer to the minimum amount of resources that a cloud customer is guaranteed to receive. The opposite of reservations are limits. Limits refer to the maximum of resources that a cloud customer may utilize. Shares refer to the prioritization of systems in the even of high utilization periods. Multitenancy refers to multiple cloud customers sharing the same cloud environment. Authentication is the granting of access to resources.

Answer 496

C. BYOD Explanation: BYOD stands for Bring Your Own Device and it is the act of allowing employees to bring their own equipment such as laptops, smartphones, and tablets on to the company network. This has become specifically popular with the onset of cloud computing.

Answer 497

B. Enforcement| Explanation: DLP is made up of three main stages including discovery and classification, monitoring, and enforcement. Enforcement is the final stage of DLP implementation. During the final stage, DLP policies are enforced and violations which were observed during the monitoring stage are addressed.

Answer 498

C. Data in transit Explanation: In order to protect data in transit (DIT), data loss prevention (DLP) methods are put in place on the network perimeter. They will capture traffic as it leaves the network through various protocols such HTTP and SMTP. These DLP solutions check to ensure that data leaving the network meets the security requirements.

Answer 499

E. None of the options are correct Explanation: Since the user removed all networking access from the VM, the user will be unable to use console access, RDP, or a jump box. Unfortunately, Microsoft cannot reconfigure that VM, because allowing that level of access to consumer resources is incredibly risky.

Answer 500

D. PHI Explanation: PHI stand for protected health information. All data that pertains to an individual and their health care is classified as PHI. This includes mental health information, physical health information, medical history, test and lab results, as well as a number of other items.

Answer 501

D. Hashing Explanation: Hashing feeds data into a one-way cryptographic algorithm that generates a unique value called a hash or message digest. Generating another hash of the same file in the future will produce the exact same value only if the data has not been modified; this protects data integrity. If the data has been altered, the new hash will differ from the original. All other options are data security technologies and strategies.

Answer 502

A. SDN Explanation: Software-Defined Networking (SDN) enables the creation of virtual networks that do not require any hardware much like a virtual machine. SDNs are theoretically a software layer that sits between user interfaces and the underlying networking devices. When configuring cloud-based network resources, users are not required to have device-specific technical knowledge. Software defined storage (SDS) and content delivery network (CDN) are other networking technologies in the cloud. SSH is an invalid choice.

Answer 503

B. RSL Explanation: The recovery service level (RSL) identifies the operations that you anticipate from your cloud service provider (CSP) during the restoration of a cloud resource. RSL agreements outline the parameters of the CSPs recovery process.

Answer 504

A. Advanced persistent threat Explanation: As the name suggests, an advanced persistent threat is done by an advanced attacker who has managed to gain unauthorized access and is carrying out the attack (usually the act of data theft) over a long (persistent) period of time. Unlike some attacks which cause chaos and make themselves very well known, advanced persistent threats try to stay undetected for as long as possible.

Answer 505

B. Requirement gathering and feasibility Explanation: Security engineers should be a part of every single phase of the SDLC, including the first stage: requirement gathering and feasibility. It is much more efficient to add security into an application as it's being developed, than to attempt to add in security features later on (after it's in production). During the requirement gather and feasibility stage of the SDLC, security engineers look at the risks associated with the project.

Answer 506

C. To connect a keyboard, mouse, and monitor to a physical server Explanation: A KVM is used to connect a keyboard, mouse and monitor to physical servers in a data center to provide access. KVM stands for keyboard, video, mouse. It's important in a data center, that security measures are put in place to prevent unauthorized access using the KVM.

Answer 507

C. VM escape Explanation: In a VM escape attack, a guest on a virtual machine uses an exploit to break outside the limits of the virtual machine and interact directly with the hypervisor. VM escape attacks allow the attacker to access the host operating system and all virtual machines running on that host.

Answer 508

A. FISMA Explanation: Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government.

Answer 509

D. The practice of utilizing a random or opaque value in data to replace what would otherwise be sensitive data Explanation: Tokenization is the practice of utilizing a random or opaque value in data to replace what would otherwise be sensitive data. Data loss prevention (DLP) is a set of controls and practices put in place to ensure that data is only accessible to individuals who are authorized to access it. Hashing is a method which involves transforming a string of characters into a fixed-length value or key that represents the original string. Key management is the practice of safeguarding encryption keys.

Answer 510

D. On-demand self service Explanation: In cloud computing, on-demand self service is the ability for cloud customers to add, configure, and provision a new cloud service without ever needing to interact with the cloud provider. This is usually done through a web portal and is an integral component of the pay-as-you-go cloud billing model.

Answer 511

C. Under some regulations, risk cannot be transferred Explanation: Under some regulations, risk cannot be transferred because the data owner bears the responsibility for any exploits resulting in loss of privacy or confidential data. This is especially true in regard to personal data.

Answer 512

C. Confidentiality Explanation: The main goal of confidentiality is to ensure that individuals who should not have access to sensitive data and systems are not given access to them. However, it's important that preventing access to unauthorized parties does not impact access to those who are authorized.

Answer 513

A. Development/coding Explanation: During the development/coding phase of the SLDC, the plans and requirements are turned into executable programming language. This is the heart of the software development process. Some functional testing is also completed during this stage. Development/coding is the bulk of the SDLC and will typically take the longest.

Answer 514

C. 526-FZ Explanation: Russian law 526-FZ was enacted in September of 2015. The law states that any collecting, processing, or storing of personal or private data that pertains to Russian citizens must be done from systems and databases which are physically located within the Russian Federation.

Answer 515

C. Data warehouse Explanation: A data warehouse is structured storage in which data has been normalized to fit a defined data model. All other selections are data storage mechnisims.

Answer 516

D. The destruction of data Explanation: The final step in the cloud secure data life cycle is destroy. This represents the destruction and sanitation of data so that it is permanently removed and no longer accessible.

Answer 517

A. Partner Explanation: Partners frequently have the same amount of access to an organization's systems as employees do, but they are not directly under the organization's authority. Partner onboarding, management, maintenance, and offboarding processes should establish clear expectations of the cloud service customer's security needs. All other options are roles within an organization using cloud services.

Answer 518

D. Transparent encryption Explanation: Transparent encryption is a method of encryption that works by being integrated right into the database processes. In this way, the encryption is unnoticeable by the user. Blind encryption, computational encryption, and speed encryption are not legitimate encryption types.

Answer 519

C. The nation where the data is collected Explanation: Data sovereignty refers to the concept that data is subject to a nation's laws and regulations. The laws governing the data sovereignty of the country where the data is collected should be followed. If you are required to comply with a data sovereignty obligation regarding the placement of your data, global CSPs will offer locations that may satisfy these criteria. All other options are incorrect.

Answer 520

C. Federated identity management Explanation: Federated identity management should be implemented whenever users outside of the organization will need to authenticate and access data. Federated identity management works by establishing trust between systems within the federation. Single sign on is used to allow users within an organization to use a single set of authentication credentials to log into multiple company resources, but it doesn't provide any way for users outside of the organization to authenticate. REST and SOAP are types of APIs and not authentication mechanisms.

Answer 521

C. Hybrid cloud Explanation: The four main cloud deployment models include public, private, community, and hybrid. Metropolitan, expanded, and mixed cloud do not exist.

Answer 522

B. Reliability Explanation: The Generally Accepted Privacy Principles (GAPP) are focused on principles of privacy risks. Reliability is not one of the ten privacy principles outlined in GAPP. The ten privacy principles are: ``` Management Notice Choice and consent Collection Use, retention, and disposal Access Disclosure to third-parties Security for privacy Quality Monitoring and enforcement ```

Answer 523

C. Cloud data portability Explanation: The ability to move data between multiple cloud providers is known as cloud data portability, while cloud application portability refers, instead, to the ability to move an application between cloud providers. Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within one environment.

Answer 524

C. Data at rest Explanation: Data that is stored on a device but not being used by an application is known as data at rest. Data that is being used by an application is known as data in transit. Unstructured and structured data are not applicable answers to this question.

Answer 525

C. Internal auditor Explanation: Internal auditors serve as an organization's trusted counsel. Internal auditors collaborate with information technology (IT) to provide a proactive strategy that balances advisory and assurance services. Internal auditors are an independent entity that is not affiliated with either the cloud customer or the cloud provider. In most cases, an internal auditor will conduct audits in the conventional sense, ensuring that cloud systems comply with contractual and regulatory obligations. All other options are types of auditors.

Answer 526

C. IoT Explanation: The Internet of Things (IoT) refers to the use of non-traditional computing devices (such as lamps, thermostats, and other home appliances) by accessing the Internet.

Answer 527

D. Audit scope restrictions Explanation: Audit scope restrictions refer to the process of defining parameters for an audit. The rationale for audit scope restrictions is that audits are costly and often require the involvement of highly skilled content experts. Additionally, system auditing can impair system performance, and in some situations necessitate the shutdown of production systems. Carefully crafted scope constraints can help ensure that production systems are not harmed.

Answer 528

B. Partner Explanation: Partners frequently have the same amount of access to an organization's systems as employees do, but they are not directly under the organization's authority. Partner onboarding, management, maintenance, and offboarding processes should establish clear expectations of the cloud service customer's security needs. All other options are roles within an organization using cloud services.

Answer 529

B. Define scope Explanation: The first step of developing a business continuity and disaster recovery (BCDR) plan is to define the scope. While it will be important to define testing procedures, assess risks, and gather requirements later on, nothing can be done before the scope has been defined. This ensures that all security concerns are a part of the plan from the start and not added retroactively later on.

Answer 530

A. Cloud customer Explanation: In all cloud service types (IaaS, PaaS, SaaS), the roles and responsibility of governance fall solely to the cloud customer and not the cloud provider.

Answer 531

A. IaaS Explanation: Two special security considerations that are applicable to IaaS cloud environments are virtual switch attacks and virtual machine attacks.

Answer 532

D. Change management Explanation: Change management is a critical component of configuration management and, more broadly, business. The process of committing to a change that will influence production workload is known as change management. In the case of any change that will have an impact on production, change management is the last stage and approval process. All other options are management strategies.

Answer 533

D. BCP Explanation: A business continuity plan (BCP) is designed to keep an organization operating in the event of a disaster. The BCP may prioritize important business procedures necessary to maintain operations during disaster recovery. The business continuity plan identifies the events and incidents that will trigger the plan's execution, as well as the severity levels associated with such events and incidents. Incident response plan (IRP), disaster recovery plan (DRP) and acceptable use policy (AUP) are other types of organizational documents.

Answer 534

C. Data rights management Explanation: Data rights management (DRM) is an extension of normal data protection which is encapsulated within the concept of information rights management (IRM). In DRM, advanced security controls such as extra ACLs and permission requirements are placed onto the data.

Answer 535

B. Format Explanation: It is crucial that format is taken into consideration when developing a cloud data archiving strategy. If format is not thought about during the strategy, then the archived data may become very difficult to retrieve if needed in the long run. Other important considerations include technologies used to create and maintain the archives, regulatory requirements, and testing procedures.

Answer 536

A. Host hardening Explanation: In computing, hardening is the process of securing a system by reducing its vulnerability surface. Host hardening is the processing of hardening a host system by removing all nonessential services and software from that host. Removing the services and software that are not needed reduces the opportunities for attackers to gain access using one of those unnecessary services or programs.

Answer 537

C. Respond Explanation: Isolation and containment are the initial response steps in an incident response. The purpose of containment is to protect an organization from further damage caused by a known incident. Disconnecting affected systems, disabling hardware, and disconnecting storage are only a few of the responsibilities. All other options are phases of incident response.

Answer 538

D. Creating a physical copy of the encryption keys and storing them in a physical safe Explanation: There are three main methods of key storage in a cloud environment. The first and simplest is to have the keys stored and accessed from the same virtual machine that is hosting the encryption service or engine. Alternatively, the keys can be stored on a separate device from the virtual machine that is hosting the encryption service or engine. The final option is to have an external and independent service or system to host the key storage. Creating a physical copy of the encryption keys and storing them in a physical safe is not one of the methods used for key storage.

Answer 539

D. Portability issues Explanation: Many people believe that moving from a traditional data center to a cloud environment is a simple, easy, and seamless transition, but this is a common misconception. There is a lot of work and reworking that must go into moving systems the cloud. Not all applications will be easy to pick up and move into a cloud environment, and they may require some code changes to be made.

Answer 540

D. Cloud-based applications and systems Explanation: The Treacherous Twelve is similar to the OWASP Top 10. However, unlike the OWASP Top 10, which lays out vulnerabilities and risks associated with all web applications (regardless of whether they are hosted in the cloud or in a traditional data center), the Treacherous Twelve lays out risks and vulnerabilities that are specific to cloud-based applications and systems.

Answer 541

D. Data in encryption Explanation: The three data states include data in use, data in motion (also called data in transit), and data at rest. Data in encryption is not one of these three data states. Data in use refers to when the data is being actively used by a system. Data in motion, or data in transit, refers to when the data is in active transmission across the network. Data at rest refers to data being stored in an idle state.

Answer 542

C. Federated identity management Explanation: Federated identity management should be implemented whenever users outside of the organization will need to authenticate and access data. Federated identity management works by establishing trust between systems within the federation. Single sign on is used to allow users within an organization to use a single set of authentication credentials to log into multiple company resources, but it doesn't provide any way for users outside of the organization to authenticate. REST and SOAP are types of APIs and not authentication mechanisms.

Answer 543

B. Non-disclosed PII Explanation: The two main types of PII (personally identifiable information) include contractual PII and regulated PII. Another type of PII is PHI or protected health information, which is a special type of PII pertaining to healthcare data. Non-disclosed PII is not a recognized type of PII.

Answer 544

A. Delegation of all security to CSP Explanation: While an organization may delegate operational responsibilities to a cloud service provider (CSP) and the CSP may, in some situations, share responsibility with the organization, an organization cannot delegate all compliance responsibilities to a CSP. All other options address regulatory compliance challenges in the cloud.

Answer 545

B. Data warehouse Explanation: A data warehouse is structured storage in which data has been normalized to fit a defined data model. All other selections are data storage mechnisims.

Answer 546

A. Measured service Explanation: Measured service use enables CSPs to bill for resources consumed. With a measured service, everyone pays their share of the cost. Rather than maintaining the maximum service level at all times, an organization might pay for the metered service at peak periods. As a result, costly utilization and resource waste are avoided.

Answer 547

D. Fault tolerance involves the use of specialized hardware that can detect faults and automatically switch to redundant systems. Explanation: High availability makes use of shared and pooled resources to maintain a high level of availability and minimize downtime. Fault tolerance is different, in that it utilizes a specialized hardware which can detect faults and automatically switch to redundant systems based on the type of failure.

Answer 548

A. SAML Explanation: SAML is an XML-based standard used to exchange information in the authorization and authentication process. SAML 2.0, which was adopted in 2005, is the latest standard put out by the nonprofit OASIS consortium and its Security Services Technical Committee.

Answer 549

D. Cloud provider Explanation: In an Infrastructure as a Service (IaaS ) environment, the cloud provider is responsible for allocating and maintaining storage which comes in the form of volume and object storage.

Answer 550

B. The difference between the original value of an asset and the remaining value of an asset after a single successful exploitation Explanation: SLE refers to single loss expectancy. The SLE is the difference between the original value of an asset and the remaining value of an asset after a single successful exploitation. The SLE is used alongside the ALE and ARO to perform a quantitative assessment.

Answer 551

C. Interoperability Explanation: Cloud interoperability refers to a customer's capacity to interact with cloud services in any way they desire. Interoperability enables communication and data sharing across many platforms provided by various providers. Interoperability enables customers to prioritize services needed rather than the vendor providing the service, which lessens the concern of vendor lock-in. All other options are other shared cloud considerations.

Answer 552

A. Urgent Explanation: The correct names for risk ratings are (in order) minimal, low, moderate, high, and critical. Urgent is not a commonly accepted risk rating.

Answer 553

A. A highly vetted and limited set of administrators Explanation: If compromised, the management plane would provide full control of the cloud environment to an attacker. Due to this, only a highly vetted and limited set of administrators should have access to the management plane. However, you will want more than a single administrator, in case the single administrator leaves or is no longer able to perform management duties.

Answer 554

C. Shared responsibility Explanation: The shared responsibility model places the obligation for cloud security, which includes both services and infrastructure such as computing and storage, on the CSP. Cloud consumers are responsible for ensuring that the security of the cloud is maintained, such as managing operating systems, enforcing access control policies, and protecting client data. All other options are unrelated technologies used in the cloud.

Answer 555

C. 9.4 zettabytes Explanation: The correct answer is 9.4 zettabytes.

Answer 556

A. Failover Explanation: The recovery point objective (RPO) is defined as the period of time during which an organization is willing to accept the risk of missing transactions. With seamless failover in a cloud environment, the RPO for all but the most catastrophic incidents can practically be zero seconds of lost transactions. This is facilitated by maintaining a copy of data in another region or availability zone.

Answer 557

D. Artificial intelligence Explanation: Artificial intelligence is the ability of devices to perform human-like analysis. Artificial intelligence operates by consuming a large amount of data and recognizing patterns and trends in the data.

Answer 558

B. First line of defense Explanation: Your Information Security department is your organization's first line of defense. Your Risk Management team is your second line of defense. Internal Audit is your third line of defense.

Answer 559

A. APEC Explanation: Both the United States and the European Union (EU) have established data privacy regulations such as HIPAA and GDPR. In addition, the Asian-Pacific Economic Cooperation (APEC) is another influential body that has established regulations regarding data privacy. APEC developed the APEC Privacy Framework.

Answer 560

C. Multitenancy Explanation: Multitenancy is a cloud function in which multiple cloud customers (tenants) are hosted by the same cloud provider using the same cloud environment. Because the cloud customers are sharing resources and may be running off the same hardware, a breach to one system may lead to a data breach of all the other tenants in the cloud environment.

Answer 561

B. Evidence management Explanation: Evidence management is concerned with maintaining the chain of custody in a forensics investigation. Capacity management is focused on maintaining the required resources needed to meet SLAs. Incident management is focused on limiting the impact of incidents on an organization. Continuity management is concerned with developing a business continuity and disaster recovery plan.

Answer 562

D. ISMS Explanation: An Information security management system (ISMS) is intended to protect the confidentiality, availability, and integrity of an organization's data. The most effective ISMSs are those that are aligned with the organization's standards and include specific information on compliance requirements.

Answer 563

B. Kerberos, CHAP, IPSec Explanation: Secure authentication protocols such as CHAP and Kerberos can be utilized, while encrypted communications can use IPsec protocol. SAML is an authentication markup language, although it is not especially effective for securing storage controllers.

Answer 564

C. The destruction of data Explanation: The final step in the cloud secure data life cycle is destroy. This represents the destruction and sanitation of data so that it is permanently removed and no longer accessible.

Answer 565

D. Security budget ``` Explanation: The FIPS (Federal Information Processing Standard) 140-2 standard is divided into 11 sections that define security requirements, which include: ``` ``` Cryptographic Module Specification Cryptographic Module Ports and Interfaces Roles, Services, Authentication Finite State Model Physical Security Operational Environment Cryptographic Key Management EMI/EMC Self-tests Design Assurance Mitigation of Other Attacks ```

Answer 566

C. When records are listed and linked together using cryptography Explanation: Blockchain is a list of records that are linked together in a chain using a cryptography method.

Answer 567

A. SOX Explanation: Some post-incident communication policies are mandated by legislation or regulation. Sarbanes-Oxley (SOX) is the most frequently mentioned standard when discussing obligatory reporting and communications. SOX requires the disclosure or reporting of events applying exclusively to financial records. HIPAA, GDPR and PCI DSS are not applicable.

Answer 568

A. HIPAA Explanation: HIPAA (Health Insurance Portability and Accountability Act) is concerned with the security controls and confidentiality of protected health information (PHI). It's vital that anyone working in any healthcare facility be aware of HIPAA regulations. The Gramm-Leach-Bliley Act, officially named the Financial Modernization Act of 1999, focuses on PII as it pertains to financial institutions, such as banks. GDPR is an EU specific regulation that encompasses all organizations in all different industries. FRCP is a set of federal rules for handling civil legal proceedings in federal courts.

Answer 569

D. Performance monitoring Explanation: Performance monitoring is a continual process in which the CSP ensures that systems operate reliably and that customer service level agreements are met. All other options are types of monitoring.

Answer 570

D. Data de-identification Explanation: Data de-identification is the process of removing, hiding, covering, or replacing sensitive data. Masking, obfuscations, and anonymization are all techniques used in data de-identification.

Answer 571

A. Retention formats Explanation: The retention format section of the data retention policy specifies the media on which the various data classifications should be stored, as well as any associated handling processes.

Answer 572

D. Vendor Risk Management Explanation: The CSPs reliance on other third-party vendors to provide services used by their customers is a form of vendor risk management.

Answer 573

B. Encryptability Explanation: The three main concepts of data security are confidentiality, integrity, and availability. This is often known as the CIA triad. Although privacy is part of confidentiality, it is sometimes thought of, along with nonrepudiation, as the other core aspect of data security. Encryptability is not one of the core aspects of security.

Answer 574

B. Resource pooling Explanation: Cloud providers may choose to do resource pooling, which is the process of aggregating all of the cloud resources together and allocating them to their cloud customers.

Answer 575

C. Flash drive Explanation: KVM (keyboard, video, mouse) are used to connect input devices into multiple servers. This allows for easy access and management. However, usb storage devices, such as a flash drive, should not be permitted to connect to the KVM for security reasons.

Answer 576

D. Data discovery Explanation: Data discovery is a unique type of data analysis process because it relies heavily on the data user to interpret the data in a meaningful way. Data discovery is a user-driven business intelligence process where data is visually represented and analyzed to look for specific attributes and patterns within the data.

Answer 577

D. Moving to a new office Explanation: There are many incidents which can result in the initiation of a business continuity and disaster recovery (BCDR) plan. These include a natural disaster, terrorist attacks or acts of war, equipment failure, utility disruptions or failures and, finally, data center or service provider failures, and neglect. Moving to a new office location is unlikely to result in the initiation of a BCDR plan.

Answer 578

D. Maintenance Explanation: The software development lifecycle (SDLC) is made up of six steps which include requirement gathering and feasibility, analysis, design, development/coding, testing, and maintenance. The final step of the SDLC is maintenance, although this step is never quite finished. Maintenance is ongoing process that must occur throughout the entire lifetime of the software or application.

Answer 579

B. The nation where the data is collected Explanation: Data sovereignty refers to the concept that data is subject to a nation's laws and regulations. The laws governing the data sovereignty of the country where the data is collected should be followed. If you are required to comply with a data sovereignty obligation regarding the placement of your data, global CSPs will offer locations that may satisfy these criteria. All other options are incorrect.

Answer 580

B. Overwriting Explanation: In a cloud environment, where the customer does not have access or control of the physical hardware, sanitation methods such as incineration, destruction, and degaussing are not an option. Overwriting is an option that can be used in cloud environments. Overwriting is sometimes called zeroing because the process often includes overwriting erased data with arbitrary data and zero values.

Answer 581

D.Quickly ensure the integrity of data which is spread throughout multiple storage locations Explanation: Hashing creates a fingerprint or checksum value of a fixed size (known as the hash value) of the original data object. If the same hashing algorithm is used and the data remains unchanged, the hash value will always be the same. This makes it possible to quickly ensure the integrity of data that may be stored in various storage locations.

Answer 582

A. Hybrid cloud Explanation: The four main cloud deployment models include public, private, community, and hybrid. Metropolitan, expanded, and mixed cloud do not exist.

Answer 583

B. Physical segregation is not possible Explanation: Multitenancy is an aspect of cloud computing in which many different cloud customers are able to share the same cloud environment. This raises security concerns because, in a cloud environment, physical segregation is not possible. Multitenancy relies on the cloud provider to implement virtual network segregation and isolation to ensure that one cloud customer is only able to see their own data and not the data and resources of the other tenants in the environment.

Answer 584

D. ISO/IEC 27018 Explanation: ISO/IEC 27018 is a standard for providing security and privacy within cloud computing. The ISO/IEC 27018 focuses on five key principles which include communication (relaying information to cloud customers), consent (receiving permission before using customer data for any reason), control (cloud customers retain full control over their own data in the cloud), transparency (cloud providers inform customers of any potential exposure to support staff and contractors), and independent and yearly audits (cloud providers must undergo yearly audits performed by a third party).

Answer 585

C. Use Explanation: Due to the nature of data being actively used, viewed, and processed in the use phase, it is more likely to be leaked in this phase than in others, such as the store, archive, and destroy phases.

Answer 586

B. Resource pooling Explanation: Cloud providers may choose to do resource pooling, which is the process of aggregating all of the cloud resources together and allocating them to their cloud customers.

Answer 587

A. Perform a vulnerability scan Explanation: Vulnerability scans are typically performed by an organization against their own systems. Vulnerability scans are relatively simple to perform. They use known attacks and methodologies to verify that systems are hardened against them. Vulnerability scans use known tests and signatures and can quickly output a report displaying the weaknesses. The vulnerability scan is the best choice out of the options listed to provide the requested outcome.

Answer 588

D. CSA Explanation: Cloud Security Alliance (CSA) Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery provides guidance on contract negotiations with cloud service providers about eDiscovery search ability and data preservation. ISO/IEC 27037: Provides guidelines for handling digital evidence. ISO/IEC 27041: Provides guidance for methods and processes used in investigations to make sure they are "fit for purpose". ISO/IEC 27042: Provides guidance on analysis and interpretation of digital evidence.

Answer 589

B. Images may not be patched and up to date with production system baselines and configurations Explanation: It isn't uncommon for organizations to leave their images offline at the BCDR site when not in use; however, this does cause some risks. If the images are left offline, they might not be up to date on patches or up to date with the latest configurations and systems baselines of the production environment. This could lead to serious issues in the event of a disaster when these images are needed. If the images are kept offline, engineers must take special care to ensure that there are processes in place to patch and update the images at the BCDR site.

Answer 590

A. SIEM ``` Explanation: A SIEM (security information and event management) system collects and indexes logs from various sources on the network (servers, firewalls, etc.) and stores them in one centralized location. This allows for administrators to find correlations between log events and potential attacks. SIEM systems also provide a great way for engineers to troubleshoot issues within the network by being able to see all of the logs in one location. ```

Answer 591

A. Many proprietary requirements from the cloud provider Explanation: Vendor lock-in occurs when an organization is unable to move from one cloud provider to another without incurring major burdens or expenses. The most likely and common scenario for this is that the current cloud provider has many proprietary requirements. The proprietary requirements make it very expensive, difficult, and burdensome to move to a new provider.

Answer 592

B. The temperature is ideal, but the humidity level is too low Explanation: It's very important to ensure that both temperature and humidity levels are ideal within a data center. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommend that data centers have a temperature between 64.4-80.6 degrees Fahrenheit and a humidity level of between 40-60 percent relative humidity. A humidity level of 35 percent is too low and could lead to an excess of electrostatic discharge.

Answer 593

A. Logical network separation Explanation: In a cloud environment, physical network segregation is not possible. However, it's important for cloud providers to ensure separation and isolation between tenants in a multitenant cloud. In order to achieve this, logical network separation can be implemented to minimize the chance of accidental exposure.

Answer 594

D. Fourth party risk Explanation: The term "fourth party" refers to a third-party's third-party, such as when your vendors outsource service provision to a separate, independent vendor. The risks faced by the organization now include those related to the SaaS solution itself, as well as any additional risks posed by the CSP they utilize.

Answer 595

B. Type 1 hypervisor Explanation: There are only two types of hypervisors: type 1 hypervisors and type 2 hypervisors. Type 1 hypervisors are also called bare metal, embedded, or native hypervisors. This is because type 1 hypervisors run directly on the physical hardware, while type 2 hypervisors are dependent upon the host operating systems.

Answer 596

C. SIEM ``` Explanation: A SIEM (security information and event management) system collects and indexes logs from various sources on the network (servers, firewalls, etc.) and stores them in one centralized location. This allows for administrators to find correlations between log events and potential attacks. SIEM systems also provide a great way for engineers to troubleshoot issues within the network by being able to see all of the logs in one location. ```

Answer 597

B. Overwriting Explanation: In a cloud environment, where the customer does not have access or control of the physical hardware, sanitation methods such as incineration, destruction, and degaussing are not an option. Overwriting is an option that can be used in cloud environments. Overwriting is sometimes called zeroing because the process often includes overwriting erased data with arbitrary data and zero values.

Answer 598

A. Block storage Explanation: Block storage is a type of storage in which all information is stored in equal-sized blocks on disks. It is more efficient and effective than file storage in general and is utilized in databases and virtual machines. The above-mentioned characteristics are those of block storage. All other options are types of storage.

Answer 599

D. Shares Explanation: The concept of shares works by prioritizing hosts within the environment using a scoring system. When resources are limited, hosts with a higher score value will have access to the limited resources that are available.

Answer 600

A. Logical network separation Explanation: In a cloud environment, physical network segregation is not possible. However, it's important for cloud providers to ensure separation and isolation between tenants in a multitenant cloud. In order to achieve this, logical network separation can be implemented to minimize the chance of accidental exposure.

Answer 601

B. Fourth party risk Explanation: The term "fourth party" refers to a third-party's third-party, such as when your vendors outsource service provision to a separate, independent vendor. The risks faced by the organization now include those related to the SaaS solution itself, as well as any additional risks posed by the CSP they utilize.

Answer 602

B. Due to being tied to the physical hardware of the machine, it would be harder for an attacker to inject malicious code to gain access than it would be on a type 2 hypervisor. Explanation: Type 1 hypervisors are known as bare-metal hypervisors because they run directly on the physical hardware of the machine and they are not software-based like type 2 hypervisors. Because they are tied to the hardware, it is more difficult for an attacker to inject malicious code to gain access than it would be on a type 2 hypervisor.

Answer 603

B. Key management Explanation: Key management is the process of safeguarding encryption keys and access to those keys. Key management is complex and of extreme importance. This is because encryption is only as strong as the protection of the encryption keys.

Answer 604

B. Security misconfiguration Explanation: A security misconfiguration occurs whenever systems or applications are configured in a way that makes them insecure. Systems regularly come preconfigured with default administrative credentials. These default credentials are generally easy to find online, so the failure to change them makes it possible for an attacker to gain access. This is an example of a security misconfiguration.

Answer 605

A. Identity management Explanation: Identity management is the process of identifying, provisioning, and deprovisioning accounts (or identities). Most organizations will use an identity system such as LDAP to assist with the process of identity management.

Answer 606

D. Envelope Explanation: The Simple Object Access Protocol (SOAP) is used to exchange information between web services. It does this by encapsulating its data in what is called a SOAP envelope and then using common communication protocols such as HTTP for transmission.

Answer 607

D. Quantum computing Explanation: Quantum computing is capable of solving problems that traditional computers are incapable of solving. When quantum computing becomes widely accessible to the general public, it will almost certainly be via the cloud, due to the substantial processing resources necessary to do quantum calculations.

Answer 608

B. Requirement gathering and feasibility Explanation: During the requirement gathering and feasibility stage of the SDLC, overall goals as well as desired outcomes should be documented. Timing and duration of the project should also be defined. During this phase, a cost-benefit analysis should be done to determine the feasibility of the project.

Answer 609

D. Integrity Explanation: DNSSEC addresses DNS integrity, but does nothing for availability. Confidentiality is not generally a concern for DNS.

Answer 610

C. OWASP Top 10 Explanation: The Open Web Application Security Project (OWASP) Top 10 list identifies the 10 most critical web application security risks as a given time. The project is regularly updated to ensure that their list is up to date. The current top 10 are as follows: ``` Injection Broken authentication Sensitive data exposure XML external entities Broken access control Security misconfigurations Cross-site scripting Insecure deserialization Using components with known vulnerabilities Insufficient logging and monitoring ```

Answer 611

C. Common Criteria Explanation: The terms EAL, PP, and SARs are all applicable within the Common Criteria standard, which is set forth by ISO/IEC.

Answer 612

A. Something the user knows Explanation: In multi-factor authentication (MFA), users are required to use two or more types of authentication components. Authentication types include something the user knows (pin, passwords), something the user has (RSA token, key card), or something the user is (retina scan, fingerprint scan). Other less common authentication types include somewhere the user is (location-based) and something the user does (behavioral).

Answer 613

D. Infinity Paradigm ``` Explanation: The IDCA (International Data Center Authority) is responsible for developing the Infinity Paradigm, which is a framework intended to be used for operations and data center design. The Infinity Paradigm covers aspects of data center design, which include location, cabling, security, connectivity, and much more. ```

Answer 614

D. Share Explanation: When data is used in an application where it is viewable to users, customers, and administrators, this is known as the share stage of the cloud secure data life cycle.

Answer 615

B. Release management Explanation: Cloud release management includes the planning, coordination, execution, and validation of updates and rollouts to the production environment. The primary focus is on accurately mapping out all of the procedures necessary for a release and then setting and loading them correctly. All other selections are operational controls and standards within an organization.

Answer 616

C. Tenant Explanation: When one or more cloud customers share access to the same pool of resources, each customer is known as a tenant.

Answer 617

C. Data about data Explanation: Metadata is information regarding data such as the type of data, how the data is stored, and when the data was created.

Answer 618

B. Uptime Institute Explanation: The Uptime Institute publishes the most widely used standard for data center topologies. The standard is based on a series of four tiers. The standard also incorporates compliance tests. ITIL (formerly the Information Technology Infrastructure Library), publishes best practices for implementing technology into business practices. The National Fire Protection Association (NFPA) publishes standards regarding fire protection. SOAP is not an institution, but a type of API.

Answer 619

A. Handshake Protocol and Record Protocol Explanation: Transport Layer Security (TLS) is a set of cryptographic protocols that provide encryption for data in transit. TLS specifies a handshake protocol when two parties establish an encrypted communications channel and TLS record protocol uses keys created during the handshake.

Answer 620

D. Abuse and nefarious use of cloud services Explanation: The Cloud Security Alliances (CSA) Egregious 11 includes the following: Data breaches Misconfigurations and inadequate change control Lack of cloud security architecture and strategy Insufficient identity, credentials, access and key management Account hijacking Insider threat Insecure interfaces and APIs Weak control plane Metastructure and applistructure failures Limited cloud usage visibility Abuse and nefarious use of cloud services

Answer 621

A. Verify that the image has not been modified and is from the source that it claims to be Explanation: If a container image is not verified, then it could have been modified to allow an attacker to gain access to an organization's data after it's been deployed. Verification can be done via checksums or signing by the vendor, which is verified by the organization after downloading.

Answer 622

D. Cloud provider Explanation: The cloud provider is solely responsible for the security of the physical environment for all cloud types, which includes IaaS, SaaS, and PaaS.

Answer 623

A. Reliability Explanation: The Generally Accepted Privacy Principles (GAPP) are focused on principles of privacy risks. Reliability is not one of the ten privacy principles outlined in GAPP. The ten privacy principles are: ``` Management Notice Choice and consent Collection Use, retention, and disposal Access Disclosure to third-parties Security for privacy Quality Monitoring and enforcement ```

Answer 624

D. Archive phase Explanation: The archive phase is when data is removed from the system and moved to long term storage. In many cases, archived data is stored offsite for disaster recovery purposes.

Answer 625

C. VPN ``` Explanation: A VPN (virtual private network) facilities the extension of a private network over a public network as the name suggests. When a user is connected a VPN, they are able to work as if they were sitting within the physical boundaries of the private network. ```

Answer 626

A. Encrypted transport methods such as TLS Explanation: Data in transport is protected by encrypted transport methods such as TLS. To protect data in use, secure API calls and web services must be used. The main method for protecting data at rest is to use encryption methods such as AES.

Answer 627

A. Data in transit Explanation: HTTPS, IPSec, TLS/SSL and vpn technologies are used to secure data in transit. In order to protect data at rest, it's best to encrypt the full hard drive of the device where the data is being stored.

Answer 628

C. Cloud service broker Explanation: A cloud service broker is an individual or organization which serves as the go-between or intermediary between cloud customers and cloud service providers.

Answer 629

D. Zeroing Explanation: Zeroing is another term for overwriting. In this process, erased data is overwritten with arbitrary data and zero values as a means of data sanitation.

Answer 630

B. Containerization Explanation: Containerization is the process of putting all objects into a container. Developers can accomplish this by packaging a program they have written along with all necessary components for the program's execution. Application containers isolate application files and dependencies from the container's host system. Containerization is a lightweight alternative to installing and running applications directly within an operating system. All other options are related technologies.

Answer 631

B. Advanced persistent threat Explanation: An advanced persistent threat (APT) is an attack which aims to gain access to the network and systems while staying undetected. APTs will try not to do anything that could be disruptive, as their goal is to maintain access for as long as possible without raising any red flags. During an APT's stay on the network, the attackers will often create more back-doors for re-entry in case the original way in gets patched. APTs are generally looking for ways to steal data from the network and systems.

Answer 632

B. RPO Explanation: A Recovery point objective (RPO) is defined in terms of data loss, not time period; it defines the maximum quantity of data that may be tolerated during a disaster recovery incident. Increasing scheduled backups can decrease the value. RTO, MTD and ALE are other disaster recovery and business continuity criteria.

Answer 633

C. DAST Explanation: Dynamic application security testing (DAST) is a "black-box" type of security test, meaning that the tester is not given any special information about the systems they are testing. DAST is performed on live systems. Static application security testing (SAST) is a "white-box" type of test, meaning that the tester has knowledge of and access to the source code. SAST is performed in an offline manner. Vulnerability scanning is a test that is run on systems to ensure that the systems are properly hardened and there are not any known vulnerabilities on the system. Penetration testing is a type of test in which the tester attempts to break into systems using the same tools that an attacker would to discovery vulnerabilities.

Answer 634

D. Define scope Explanation: Audit planning is made up of four main steps, which occur in the following order: Define objectives Define scope Conduct the audit Lessons learned and analysis

Answer 635

D. RTO Explanation: The RTO, or recovery time objective, is the measurement of how long it would take to recover operations after a diaster has occurred. Operations must be recovered to a point where management's BCDR (business continuity and disaster recovery) objectives are met.

Answer 636

A. Web content filtering Explanation: SIEM (Security and Information Event Management) solutions include features such as aggregation, correlation, alerting, reporting, compliance, and dashboards. A SIEM solution will not provide web content filtering. Firewalls are often used as a way to accomplish web content filtering.

Answer 637

B. The cloud provider may not be willing to allow auditors the level of access needed to certify their environment Explanation: In many cases, to meet regulatory requirements, the underlying infrastructure and hosting environment of an application must undergo auditing before the application residing there can be certified. This can be a problem for applications hosted in the cloud, especially those in a public cloud. The cloud provider may not be willing to allow auditors the access needed to certify their environment. The cloud provider may also be unwilling or unable to meet the requirements necessary to be certified, anyway.

Answer 638

A. Incident management Explanation: Any event that causes disruptions within an organization is known as an incident; this includes security events as well. Processes and procedures put in place to limit the effects of these incidents are known as incident management.

Answer 639

A. Object storage Explanation: While block storage is ideal for big, organized data sets that require frequent access and updates, it struggles with metadata, which is required to make sense of unstructured data. The best option for unstructured data is object storage. Each storage unit in object storage is an object, which may or may not be connected with metadata describing the item. This simplifies the organization and retrieval of data. A business can simplify the categorization and retrieval of unstructured data by utilizing object storage. Block, Blob, and Volume are other storage types.

Answer 640

D. DN ``` Explanation: A DN (distinguished name) acts as the primary key for an object in LDAP (lightweight directory access protocol). ```

Answer 641

B. Authorization Explanation; OAuth is a framework used for authorization. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.

Answer 642

D. Limits Explanation: The maximum amount of memory and processing utilization allowed by a cloud customer is known as a limit. Limits are the opposite of reservations. Reservations are used to ensure that cloud customers have the minimum amount of resources needed to run their services.

Answer 643

D. Data in transit Explanation: When data is being used by an application, it is referred to as data in transit. When data is not being used by an application, it is known as data at rest. Structured and unstructured data are not applicable answers to this question.

Answer 644

B. FIPS 140-2 ``` Explanation: The FIPS (Federal Information Processing Standard) 140-2 is divided into 11 sections used to define security requirements. Finite State Model is one of the 11 standards ```

Answer 645

C. Software-based Explanation: VMware Workstation is a type 2 hypervisor, also known as a software-based hypervisor. It is not tied directly to the hardware infrastructure and can run within an operating system as software.

Answer 646

A. Auditability Explanation: CSPs rarely permit CSC to audit their service controls. CSC engages third parties to conduct independent examinations of cloud service controls and to offer an opinion on their function in relation to their purpose. SOC reports, vulnerability scans, and penetration testing are all examples of these types of assessments. Regulatory, governance and resiliency are other shared cloud considerations.

Answer 647

A. Denial-of-service Explanation: A denial-of-service attack occurs when a large amount of useless traffic is sent to a system, thereby overloading the system's resources and making it unable to respond to legitimate requests. In a cloud environment, it's possible for a denial-of-service attack to affect all clients of the affected cloud provider.

Answer 648

B. Inexpensive Explanation: A public cloud is the least expensive cloud deployment option, but also the least secure. Public clouds are available to the general public and customers only pay for the services that they use. All expenses ranging from the licensing, hardware, bandwidth and operational costs are handled by the provider. Public clouds do not offer full control over the systems in the way that private clouds do, nor do they offer the control over data the way that private clouds do.

Answer 649

C. Communication Explanation: The ISO/IEC 27018 is focused on five key principles, which include communication, consent, control, transparency, and independent and yearly audits. Communication refers to the need for any event that could impact the security of data within a cloud environment to be clearly documented as well as relayed to the cloud customers.

Answer 650

B. All cloud service models Explanation: The security and privacy of the actual data itself is the sole responsibility of the cloud customer in all cloud service models, including SaaS, PaaS, and IaaS.

Answer 651

E. Clear communication Explanation: Clear communication is one of the variables affecting the distributed IT model. Traditional IT model deployments have a line of sight, which means they have physical access to the systems and are aware of what is happening. Now that you have distributed offices, you must maintain clear communication with them. Collaboration and information sharing are vital. Thus, there must be clear, effective communication. All other options are drivers of the distributed IT model.

Answer 652

A. SLA Explanation: The service level agreement (SLA) is a criterion that provides specific requirements that must be met by the cloud provider for contractual satisfaction between the cloud customer and the cloud provider.

Answer 653

A. Penetration test Explanation: During a penetration test, the tester is trying to actively break into the live systems. This is meant to simulate a real-life scenario and therefore, the tester will use the same techniques, methodologies, and toolsets that an actual attacker would use to compromise a system. During static application security testing (SAST), the tester has knowledge of and access to the source code, and all testing is done in an offline manner. Vulnerability scans are usually done by an organization against their own systems to ensure that their systems are hardened against known vulnerabilities. Runtime application self-protection (RASP) is a security mechanism that helps applications protect themselves by blocking attacks in real time.

Answer 654

D. IAST Explanation: Interactive Application Security Testing (IAST) is a gray-box testing technique. An agent is placed in an application to undertake real-time analysis of the program's traffic performance in order to uncover any security vulnerabilities. IAST can be used at any point during the SSDLC. Static application security testing (SAST), Dynamic application security testing (DAST) and Runtime application self-protection (RASP) are other security testing types.

Answer 655

C. User education Explanation: In any sort of identity and access management (IAM) system, whether through a SaaS provider solution or through federation with the organization's on-premise IAM manager, there are risks. In either case, user education is an important component to the organization's cloud IAM strategy. All other options are incorrect.

Answer 656

A. Denial-of-service Explanation: Denial-of-service (DoS) attacks flood a network with useless traffic in order to consume all the available resources. This eventually makes it impossible for the resources to be used for legitimate traffic, rendering the services useless. Without reservations in place to guarantee that all customers have the minimum needed resources to operate, a DoS attack on one customer could prevent other customers from operating as well.

Answer 657

B. 40-60 percent relative humidity Explanation: It is important to ensure that both temperature and humidity are at ideal levels within a data center. Whenever humidity levels are too high, condensation can form and cause water damage to systems. Whenever humidity levels are too low, electrostatic discharge is more likely to occur and cause damage to systems. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends data centers to have a level of 40-60 percent relative humidity.

Answer 658

A. Input validation Explanation: An injection attack occurs when malicious code is sent via input fields to a web application. In order to prevent this type of attack, all data that goes through an input field should require input validation and be properly sanitized.

Answer 659

B. CMDB Explanation: Software configuration management (SCM) and versioning are commonly utilized in all types of software development environments and are facilitated by the use of configuration management databases (CMDBs). The CMDB can be federated and synchronized across many systems, and the database can be stored on-premises or in the cloud.

Answer 660

B. Transparent encryption Explanation: Transparent encryption is a method of encryption that works by being integrated right into the database processes. In this way, the encryption is unnoticeable by the user. Blind encryption, computational encryption, and speed encryption are not legitimate encryption types.

Answer 661

A. Vendor lock-in Explanation: Vendor lock-in is a scenario in which a cloud customer is tied and dependent on one cloud provider without the ability to move to another provider. Cloud customers should ensure that anything done with the cloud provider will not cause this type of vendor lock-in.

Answer 662

C. Passport number Explanation: Protected health information (PHI) covers items such as a medical history, physical and mental health information, demographic information, lab results, physician notes, and other health related items. Passport numbers would be considered personally identifiable information (PII) rather than PHI.

Answer 663

C. OLAs Explanation: OLAs (operational level agreements) are similar to SLAs, but rather than existing between a customer and an external provider, OLAs exist between to two units within the same organization. Service level management is concerned with the oversight of SLAs, UCs, and OLAs.

Answer 664

A. SAST tools in conjunction with IAST tools Explanation: Given that you are utilizing a well-known and well-supported Open-Source Software (OSS), performing Static Application Security Testing (SAST) to identify vulnerabilities and then implementing Interactive Application Security Testing (IAST) to detect additional security issues in real time would be sufficient for validation.

Answer 665

D. Know all of the locations where data is present within its application Explanation: In order to implement security controls and policies, an organization must first know where and what type of data is present in the system. Having a proper mapping strategy enables an organization to know all of the locations where data is present within its application and within other storage. Having this knowledge goes a long way in creating effective security policies.

Answer 666

B. Functional Explanation: Network services and acceptable use policies are examples of functional policies. Functional policies set guiding principles for individual business functions and activities. All other options are policy type categories.

Answer 667

B. Define scope Explanation: Audit planning is made up of four main steps, which occur in the following order: Define objectives Define scope Conduct the audit Lessons learned and analysis

Answer 668

D. RTO Explanation: The RTO, or recovery time objective, is the measurement of how long it would take to recover operations after a diaster has occurred. Operations must be recovered to a point where management's BCDR (business continuity and disaster recovery) objectives are met.

Answer 669

A. Abuse or nefarious use of cloud services Explanation: Abuse or nefarious use of cloud services is listed as one of the top twelve threats to cloud environments by the Cloud Security Alliance. Abuse or nefarious use of cloud services occurs when an attacker is able to launch attacks from a cloud environment either by gaining access to a poorly secured cloud or using a free trial of cloud service.

Answer 670

C. Mandatory Access Control Explanation: In a mandatory access control (MAC) model, the owner is responsible for specifying metadata like classification rating or user role. The IRM system utilizes this metadata to enforce access control decisions. All other options are access control models.

Answer 671

B. FISMA Explanation: Any systems that will interact with federal agencies in any manner must adhere to the requirements set forth in FISMA (Federal Information Security Management Act). The requirements are used to ensure compliance with security controls required by the federal government. An engineer working on a system that will be used by a federal government agency must be aware of FISMA.

Answer 672

D. Condensation may form causing water damage Explanation: The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends that data centers have a moisture level of 40-60 percent relative humidity. Having the humidity level too high could cause condensation to form and damage systems. Having the humidity level too low could cause an excess of electrostatic discharge which may cause damage to systems.

Answer 673

D. IPsec Explanation: IPsec is a protocol for encrypting and authenticating packets between two parties. Examples of this include a pair of servers, a pair of network devices, or between network devices and servers. DNSSEC is a security extension of the DNS protocol and couldn't be used in the described scenario. DHCP is used to dynamically configure network information on hosts. RDP is a technology developed by Microsoft to allow users to connect into a remote device.

Answer 674

C. Cloud data portability Explanation: The ability to move data between multiple cloud providers is known as cloud data portability, while cloud application portability refers, instead, to the ability to move an application between cloud providers. Rapid elasticity refers to the ability to quickly (or rapidly) expand resources in the cloud as needed. Multitenancy is the term used to describe a cloud provider housing multiple customers and/or applications within one environment.

Answer 675

C. PII Explanation: Personally identifiable data (PII) is a type of data that can either directly or indirectly identify an individual. Cardholder data (CD) is a specific type of PII that relates to information such as credit/debit card numbers, security codes, expiration numbers, and any information that ties these items to the cardholder.

Answer 676

A. Redundant maintainability Explanation: The Uptime Institute publishes one of the most widely used standards on data center tiers and topologies. The standard is based on four tiers, which include: Tier I: Basic Capacity Tier II: Redundant Capacity Components Tier III: Concurrently Maintainable Tier IV: Fault Tolerance