Pre-Assessment Test
If an organization desires to utilize multiple cloud providers for the purposes of redundancy and disaster recovery strategies, which cloud deployment model would be the most appropriate? A. Hybrid B. Private C. Public D. Community
A. A hybrid cloud solution utilizes multiple different cloud deployment models to meet an organization's needs. It allows an organization to use different providers and types of services, but in a way where the systems are compatible and interchangeable.
Which of the following is NOT one of the main methods of data discovery processes? A. Checksums B. Metadata C. Labels D. Content analysis
A. Checksums, where a value is derived based on the overall data object, are often used for ensuring the integrity of data. If any alterations to the file have been made from the original, the checksum of the file will compute to a different value. Checksums would not be used for data discovery.
Which of the following is not one of the defined security controls domains within the Cloud Controls Matrix, published by the Cloud Security Alliance? A. Financial B. Human resources C. Mobile security D. Identity and access management
A. Financial is not one of the security controls domains of the Cloud Control Matrix (CCM).
What type of management involves minimizing the impact of disruptions to services or operations? A. Incident management B. Problem management C. Continuity management D. Availability management
A. Incident management is focused on limiting the impact of disruptive events on an organization and their services, and returning their state to full operational status as quickly as possible.
For security purposes, a university keeps its student and faculty data separated from each other within a system. What security concept does this strategy illustrate? A. Sandboxing B. Isolation C. Segregation D. Compartmentalization
A. Sandboxing involves the segregation and isolation of information or processes from other information and processes within the same system or application, typically for security concerns. This is generally used for data isolation, such as keeping different communities and populations of users isolated from others with similar data.
Which of the following standards pertains to the accreditation of cryptographic modules? A. FIPS 140-2 B. PCI DSS C. NIST 800-53 D. ISO/IEC 27001
A. The FIPS 140-2 criterion is published by the federal government of the United States and pertains to the accreditation of cryptographic modules. Although it was published in 2002, long before cloud computing came into existence, the heavy usage of and reliance on encryption within cloud computing makes it relevant to the cloud security professional.
Which of the following represents the most commonly used metrics for risk categorization? A. Minimal, low, moderate, high, critical B. Low, medium, high C. Low, moderate, high D. Low, medium, high, critical
A. The most commonly used metrics for risk categorization are minimal, low, moderate, high, and critical.
What is the recommended relative humidity level for a data center, per recommendations from ASHRAE? A. 40-60 percent B. 20-30 percent C. 50-70 percent D. 24-36 percent
A. The recommended relative humidity rate for a data center, per the American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE), is 40-60 percent.
What will govern the level of access and insight a cloud customer has with the cloud provider they are hosting applications and data with? A. SLAs B. Regulation C. Jurisdiction D. Classification
A. The service level agreement (SLA) between the cloud customer and cloud provider will dictate and govern the type, level, and immediacy of access and insight available with the underlying infrastructure and operations.
Which of the following metrics are tested during a BCDR exercise to ensure management objectives are being achieved? A. RPO and RTO B. RPO and costs C. Costs and RTO D. Costs and downtime
A. With any BCDR test, the main objective is to ensure the BCDR plan is designed to meet both the recovery point objective (RPO) and the recovery time objective (RTO) established by management.
When is a system vulnerable within a cloud environment but would not be within a traditional data center? A. When powered off B. During development C. During patching D. During booting
A. Within a cloud environment, or any virtualized environment, virtual images are files that exist on a file system (typically within object storage in a cloud environment). Due to this factor, even when a virtual machine is powered off, the images are still potential vulnerabilities that an attacker can attempt to exploit.
Which strategy involves using a fake production system to lure attackers in order to learn about their tactics? A. IDS B. Honeypot C. IPS D. Firewall
B. A honeypot is a system isolated from the production system but designed to appear to an attacker as part of the production system and containing valuable data. However, the data on a honeypot is bogus data, and it is set up on an isolated network so that any compromise of it cannot impact any other systems within the environment.
Which of the following components is not a key participant within a federated identity system? A. User B. Application C. Relying party D. Identity provider
B. Although access to an application is typically the end result of going through a federated identity system, it is not one of the core components of the actual federated system.
Which of the following strategies to ensure data deletion and unrecoverability is the most likely to be available within a cloud environment? A. Degaussing B. Cryptographic erasure C. Overwriting D. Shredding
B. Cryptographic erasure involves the purposeful destruction of encryption keys that were used to protect data. Destroying the keys ensures that the encryption cannot be undone or recovered, or at least not within any time frame that would be useful or practical. Because this process is entirely software based, it would be available in any cloud environment.
DRS is used for managing all aspects of clustered systems. Which of the following represents what DRS stands for? A. Dynamic resource state B. Distributed resource scheduling C. Distributed resource selection D. Dynamic resource scheduling
B. Distributed resource scheduling (DRS) is used within all clustering systems as the method for clusters to provide high availability, scaling, management, and workload distribution and balancing of jobs and processes.
Which of the following functions can be controlled by IRM technologies, where typical operating system controls would not be sufficient? A. Read B. Copy C. Delete D. Write
B. Information rights management (IRM) technologies extend the security controls available to protect data beyond those offered by the operating systems. The ability to control the copying of a file is one of those controls. With standard operating system controls, if a user can read a file, they can also copy the file, which is something that IRM can control.
Which cloud service category is most associated with auto-scaling offerings for a cloud customer? A. IaaS B. PaaS C. SaaS D. DaaS
B. Platform as a Service (PaaS) is most associated with auto-scaling, as PaaS offers a fully configured and deployable hosting environment, where the cloud customer's application code and data are the additional components needed to make everything fully functional. It allows for programmatic and automatic expansion of an environment to meet current need with minimal additional configuration required from the cloud customer, as opposed to IaaS.
What type of security testing uses testers who have knowledge of the systems, and in most cases access to the source code as well, and is performed against offline systems? A. DAST B. SAST C. Pen D. RASP
B. Static application security testing (SAST) is a method used to test and analyze the code and components of an application. It is considered "white-box" testing in that the people running the tests have knowledge of and access to the source code and systems involved.
Which phase of the cloud secure data lifecycle is where data is viewable to customers or users? A. Use B. Share C. Store D. View
B. The "share" phase of the cloud secure data lifecycle is where data is made available to the users or customers of an application or system.
Which model lays out a vision for IT Service Management, encompassing best-practice recommendations covering a wide variety of IT services and operations? A. SABSA B. ITIL C. TOGAF D. NIST SP 500-293
B. The IT Infrastructure Library (ITIL) is a collection of papers and concepts to lay out a vision for IT Service Management (ITSM). It is essentially a collection of best practices to give companies of all sizes (but more targeted to large companies) a framework for providing both IT services and user support.
What security concept does the letter R represent in the DREAD threat risk model? A. Reversibility B. Reproducibility C. Redundancy D. Resiliency
B. The R of the DREAD threat risk model refers to reproducibility, which in this case means a quantitative measure as to the ease and sophistication required to reproduce an exploit.
Which United States program was designed to attempt to bridge the differences between US and European privacy requirements for the purposes of commerce? A. GLBA B. Safe harbor C. HIPAA D. SOX
B. The Safe Harbor regulations were developed by the Department of Commerce and meant to bridge the gap between the privacy regulations of the European Union and the United States. With the lack of an adequate privacy law or protection from the federal level in the US, European privacy regulations generally prohibit the exporting (or sharing) of personally identifiable information (PII) from Europe to the United States.
Which data security and privacy practice uses an opaque value for sensitive data fields that can be mapped back to the original value if needed? A. Anonymization B. Tokenization C. Obfuscation D. Masking
B. Tokenization is the practice of utilizing a random and opaque "token" value in data to replace what otherwise would be a sensitive or protected data object. The token value is usually generated by the application with a means to map it back to the actual real value.
Modern systems and applications bridge many different services and systems. What is the overall management of an entire system commonly referred to as? A. Holistic management B. Supply-chain management C. Comprehensive management D. Configuration management
B. With the nature of modern applications being built on a myriad of different components and services, the supply chain of any system or application can rapidly expand to a scale far outside a single organization.
Which security concept is the most important consideration with the use of an external key management system? A. Confidentiality B. Availability C. Integrity D. Privacy
B. With the use of an external key management system, where the keys are hosted and managed on a system that is kept segregated from the systems using and depending on them, availability becomes the most pressing security concern for production operations. If availability is not maintained, especially with storage and data-at-rest encryption used widely with cloud implementations, an entire system or application may be rendered useless and inaccessible.
Which type of hypervisor runs within a host operating system, rather than directly tied to the underlying hypervisor hardware? A. Type 1 B. Type 3 C. Type 2 D. Hosted
C. A Type 2 hypervisor runs within a host operating system rather than being tied directly to the underlying hardware in the way a Type 1 hypervisor is.
Which of the following would be appropriate to use in conjunction with an RSA token for a multifactor authentication system? A. Thumb drive B. Access card C. Password D. Mobile device code generator
C. A password would be appropriate to use in conjunction with an RSA token for a multifactor authentication system because a password is something a user knows, whereas the RSA token represents something the user has. As such, they are factors from two different categories.
Which of the following will typically be used by a cloud provider to offer assurance of security to cloud customers and mitigate the need for customers to audit the underlying infrastructure? A. Contracts B. SLA C. Certification D. Baselines
C. A standard strategy for providing security assurances to cloud customers is for the cloud provider to obtain certification for its security controls and policies from a prominent and reputable certification source. This will allow cloud customers to assume security controls up to the scope of the certification, and then perform their own audits from that point on.
Which cloud storage type is typically accessed via an API or web service call? A. Volume B. Structured C. Unstructured D. Object
D. Object storage is data storage that operates as an API or a web service call. Rather than being in a file tree structure and accessible as a traditional hard drive, data is stored as objects in an independent system and given a key value for reference and retrieval.
Which key aspect of cloud computing allows the cloud customer to administer their configurations or provisioned services without the need to interact or be involved with the cloud provider and its staff? A. Resource pooling B. Measured service C. Multitenancy D. On-demand self-service
D. On-demand self-service allows a cloud customer to provision resources or change configurations on their own, without the need to interact with the staff of the cloud provider. This is typically accomplished through a web portal and tools provided by the cloud provider.
During which stage of the SDLC process should security be consulted and begin its initial involvement? A. Testing B. Design C. Development D. Requirement gathering
D. Requirements gathering and feasibility is the first stage, and it is appropriate for security to be included as part of this stage. Security should be included at the project's inception or at least from the very earliest stages to ensure proper controls and technologies are being used, as well as to ensure that security is always considered with each decision made.
One approach to dealing with risk is often compared to taking insurance against risk becoming realized. What type of risk mitigation strategy does this refer to? A. Accept B. Avoid C. Mitigate D. Transfer
D. Risk transfer is the process of having another entity assume the risk from the organization. One thing to note, though, is that risk cannot always be transferred to another entity. A prime example of transfer is through the use of insurance policies to cover the financial costs of successful risk exploits; however, this will not cover all issues related to risk transference because an organization can face non-financial penalties, such as the loss of reputation, business, or trust.
Which concept is utilized by a cloud provider to determine how to allocate resources requested by cloud customers when the cloud infrastructure does not have enough resources to meet all requests? A. Limits B. Reservations C. Holds D. Shares
D. The concept of shares within a cloud environment is used to mitigate and control customer requests for resources, which the environment may not have the current capability to allow. Shares work by prioritizing hosts within a cloud environment through a weighting system that is defined by the cloud provider.
Which protocol allows for the use of storage commands over a TCP network rather than a physical connection? A. IPSec B. SCSI C. VPN D. iSCSI
D. The most prevalent communications protocol for network-based storage is iSCSI, which is a protocol that allows for the transmission and use of SCSI commands and features over a TCP-based network.
What metric is intended to measure the duration of operational recovery to meet a predetermined point after a disaster has occurred? A. RPO B. RSL C. SRE D. RTO
D. The recovery time objective (RTO) is the time that it would take to recover operations in the event of a disaster to the point where management's objectives for BCDR are met.
When forming a contract with a cloud provider, which of the following would not be a direct component of the actual contract? A. Definitions B. Incident response C. Metrics D. Uptime requirements
D. Uptime (or availability) requirements are not typically a direct component of a contract with a cloud provider. The uptime and availability requirements would be a key component of the service level agreement (SLA).
An eDiscovery order typically encompasses data that fits within all of the following categories of an organization's processes except which one? A. Possession B. Custody C. Control D. Creation
D. Whether or not an organization is the creator of specific data is not one of the core components of what typically encompasses an eDiscovery order.
Which of the following event data types is a cloud customer most likely to be supplied with a SaaS implementation? A. Firewall B. Authentication C. Patching D. Billing
D. With the entire responsibility for both the system and application being with the cloud provider for a SaaS implementation, the customer is mostly like going to receive only very limited event data. Among the event data types that are universal for cloud customers to receive with SaaS is billing data for their usage of services.
Which of the following properties of an application will lead to the biggest cost-savings potential with a move into a cloud environment? A. Heavy utilization B. Light utilization C. Cyclical utilization D. Internal utilization
C. An application that experiences cyclical utilization, where some periods have high utilization and others have low, has the potential to realize substantial cost savings within a cloud environment due to measured service. With a traditional data center, an application needs to be built to handle the highest possible utilization, with substantial resources sitting idle at other times. Within a cloud environment, systems can be expanded for high-utilization periods and then scaled down during lower periods, thus saving money.
Which of the following is NOT considered one of the core building-block technologies of cloud computing and services offered by cloud providers? A. CPU B. Memory C. Operating systems D. Storage
C. Operating systems are not one of the key components of the cloud computing resources and services offered by a cloud provider. Depending on the cloud service category, operating systems may not even be a factor at all, such as with IaaS, where they are the sole responsibility of the cloud customer, and they are certainly not a universal factor across all cloud service categories.
Which of the following will always dictate the minimum requirements for data retention and archiving periods? A. Company policies B. Application needs C. Regulations D. Administrator requests
C. Regulatory requirements, either from law or industry, will always dictate the minimum retention period for any log data in order to maintain compliance or certification.
Which network protocol allows for the centralized administration and configuration of network settings for systems hosted within the network? A. DNS B. IPSec C. DHCP D. VLAN
C. The Dynamic Host Configuration Protocol (DHCP) is used to assign an IP address and the associated network configuration settings to a system within a network from a centralized administrative system, rather than having the settings on the host themselves.
Which jurisdiction has implemented policy regulations that are known as the "right to be forgotten" protections? A. United States B. Russia C. European Union D. APEC
C. The European Union is widely recognized as implementing the most comprehensive and strong data privacy and security regulations. The "right to be forgotten" provisions protect a user's right and ability to have their presence and information removed from search engine indexes and results.
What type of reports are considered restricted and commonly used to detail the financial reporting controls of an organization? A. SAS-70 B. SOC 2 C. SOC 1 D. SOC 3
C. The SOC 1 reports are the effective direct replacement for the SAS-70 reports. They are focused specifically on controls for financial reporting. The SOC 1 reports are considered restricted-use reports in that they are intended for a small and limited scope of controls auditing, and are not intended to be expanded into greater use. They are focused specifically on internal controls as they relate to financial reporting.
There are many different causes that can lead to a declared disaster for a system. Which of the following would not be considered a reason for a declared disaster and the triggering of a BCDR plan? A. Earthquake B. Flood C. Key personnel loss D. Utility outage
C. The loss of key personnel, although detrimental to a system or operations, would not trigger a declared disaster or the invocation of a BCDR plan because it would not directly affect a system or its users, nor would it be a reason to move services or data to an alternative hosting location.
What type of software is often considered secured and validated via community knowledge? A. Proprietary B. Object-oriented C. Open source D. Scripting
C. The most popular and widely used open source software packages have undergone extensive code review, testing, collaborative development, and scrutiny, which is not possible with proprietary software packages that are closed source and protected. With this level of scrutiny and the ability for any organization to evaluate and analyze the code from these packages, many consider them to be among the most secure and stable packages available in the industry.
What type of common vulnerability is exploited by sending commands through input fields in an application in an attempt to bypass application security? A. Cross-site scripting B. Cross-site request forgery C. Insecure direct object references D. Injection
D. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.
Which phase of the cloud data lifecycle represents the first opportunity to apply security controls to protect data? A. Create B. Use C. Share D. Store
D. Immediately after the "create" phase has been completed, the data must be committed to some sort of storage system, such as a database or file system. This represents the first time where security controls can be applied to the data, based on the type of storage system used and the classification of the data.