CCSP - Certified Cloud Security Professional - All Domains, CCSP Full, CCSP Review Assessment, Managing Cloud Security, Managing Cloud Security - PreAssessment C838


Multi-tenancy

Data center networks that are logically divided into smaller, isolated networks. They share the physical networking gear but operate on their own network without visibility into the other logical networks.

The networking standard that supports virtual LANs (VLANs) on an Ethernet network

802.1Q

Domain Name System (DNS)

A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as Internet Protocol (IP) addresses. DNS allows you to use friendly names, such as www.isc2.org, to easily locate computers and other resources on a TCP/IP-based network.

On-demand self-service

A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, automatically and without requiring human interaction with each service provider.

Record

A data structure or collection of information that must be retained by an organization for legal, regulatory or business reasons.

Cloud Database

A database accessible to clients from the cloud and delivered to users on demand via the Internet.

Database Activity Monitoring (DAM)

A database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs

Hardware Security Module (HSM)

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protecting log files, etc.

API Gateway

A device that filters API traffic; it can be installed as a proxy or as a specific part of your applications stack before data is processed, can implement access control, rate limiting, logging, metrics, and security filtering

Insecure Direct Object References (OWASP top ten):

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Identity Repository

A directory service for the administration of user account attributes.

Software as a Service (SaaS)

A distributed model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources.

Personal Cloud Storage

A form of cloud storage that applies to storing an individual's data in the cloud and providing the individual with access to the data from anywhere.

Mobile Cloud Storage

A form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.

Public Cloud Storage

A form of cloud storage where the enterprise and storage service provider are separate and the data is stored outside of the enterprise's data center.

Private Cloud Storage

A form of cloud storage where the enterprise data and cloud storage resources both reside within the enterprise's data center and behind the firewall.

Desktop-as-a-service

A form of virtual desktop infrastructure (VDI) in which the VDI is outsourced and handled by a third party.

Service Level Agreement (SLA)

A formal agreement between two or more organizations: one that provides a service and the other the recipient of the service. It may be a legal contract with incentives and penalties.

Organizational Normative Framework (ONF)

A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization

Security Alliance's Cloud Controls Matrix

A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management

With regards to management of the compute resources of a host in a cloud environment, what does a reservation provide?

A guaranteed minimum resource allocation which must be met by the host with physical compute resources in order to allow for a Guest to power on and operate.

What is Representational State Transfer?

A software architecture style consisting of guidelines and best practices for creating scalable web services

API - Representational State Transfer (REST)

A software architecture style consisting of guidelines and best practices for creating scalable web services.

Encryption Key

A special mathematical code that allows encryption hardware/software to encode and then decipher an encrypted message.

Cloud Application Management for Platforms (CAMP)

A specification designed to ease management of applications — including packaging and deployment — across public and private cloud computing platforms.

Application Normative Framework (ANF)

A subset of the ONF that will contain only the information required for a specific business application to reach the targeted level of trust

Domain Name System Security Extensions (DNSSEC)

A suite of extensions that adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Specifically, DNSSEC provides origin authority, data integrity, and authenticated denial of existence.

Sandbox

A testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control

Cloud Backup Service Provider

A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.

Cloud Computing

A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices handle applications.

What was developed to make creating, expanding, and managing cloud services easier by providing a complete set of features and components for cloud environments?

Apache CloudStack

An open source cloud computing and infrastructure as a service platform developed to help make creating, deploying, and managing cloud services easier by providing a complete stack of features and components for cloud environments.

Apache CloudStack

A subset of the organizational normative framework (ONF) that contains only the information required for a specific business application to reach the targeted level of trust.

Application Normative Framework (ANF)

A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.

Application Programming Interfaces (APIs)

Software technology that encapsulates application software from the underlying operating system (OS) on which it is executed.

Application Virtualization

Broken Authentication and Session Management (OWASP top ten):

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

ISO 27034-1

Application security

Which of the following technologies encapsulates application software from the underlying operating system on which it is executed to test applications?

Application virtualization

Data Loss Prevention (DLP)

Audit and prevent unauthorized data exfiltration. Three components:
1. Discovery and classification
2. Monitoring
3. Enforcement

Which of the following security devices is a layer-7 monitoring device that understands SQL commands and can detect and stop malicious SQL commands from executing on a server?

DAM

DREAD

Damage, Reproducibility, Exploitability, Affected Users, Discovery

Which kind of data access can be caused by simple negligence?

Data Loss

Auditing and preventing unauthorized data exfiltration.

Data Loss Prevention

Data Privacy also guarantees data integrity.

False

Data must be completely removed at the end of the retention period.

False

Encryption can ensure integrity.

False

Even if the hypervisor is compromised, the underlying systems are still safe.

False

HIPAA is the only law that covers PII.

False

Open Source software typically goes through less scrutiny and code review than proprietary software.

False

Physical Environment Security is the sole responsibility of the cloud customer.

False

Privacy and Confidentiality are considered to be the same thing.

False

The CSP is always required to turn over evidence for eDiscovery to the Cloud Customer.

False

Which is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography?

Kerberos

Which of the following are supported authentication methods for iSCSI? (Choose two)

Kerberos; Secure Remote Password (SRP)

The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.

Key Management

Privacy & Data Protection (P&DP)

Provides safeguards to individuals (Data Subjects) for the processing of their Personal Data, with respect for their privacy and their will.

Quantitative assessments

Typically employ a set of methods, principles, or rules for assessing risk based on the use of numbers. This type of assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action.

Cloud Application Architect

Typically responsible for adapting, porting, or deploying an application to a target cloud environment.

Which of the following are storage types used with an Infrastructure as a Service solution?

Volume and Object

Encrypts only a part of a hard drive instead of the entire disk.

Volume encryption

Allows different security realms to unite and is used in association with transport and application-specific protocols

WS-Federation

Which of the following security devices monitors HTTP traffic and prevents DoS attacks of 350 Gbps and 450 Gbps?

WAF

What is the most used communications protocol for network based storage?

iSCSI

ISO 27016

Information security economics

Cloud Bursting

An application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes.

Commonly known as a bare-metal, embedded, or native hypervisor. Runs directly on the hardware of the host and can monitor the OSs that run above the hypervisor.

Type 1 hypervisor

Which type of report under SAS 70 contains the same information as the other report and adds additional evaluations?

Type 2

Installed on top of the host's OS and supports other guest OSs running above it as VMs. It is completely dependent on the host OS for its operations.

Type 2 hypervisor

Cloud Services Broker (CSB)

Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers.

Qualitative assessments

Typically employ a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels (e.g., very low, low, moderate, high, very high).

What is a key capability or characteristic of Platform as a Service?

Ability to reduce lock-in.

Four phases of audits

Defining audit objectives, defining audit scope, conducting audit, refine audit process

CSA Type 2 certification framework

3rd party assessment

Risk (DREAD) =

(Damage + Reproducibility + Exploitability + Affected Users + Discovery) / 5

List three security benefits that could be realized should your organization utilize cloud-based services

1. Improved security visibility
2. Enhanced policy/governance enforcement
3. Real-time monitoring

What order do the SDLC steps fall into?

1. Planning and Requirement Analysis
2. Defining
3. Designing
4. Developing
5. Testing

STRIDE Threat Model

1. Spoofing: attacker assumes the identity of a subject
2. Tampering: data or messages are altered by an attacker
3. Repudiation: illegitimate denial of an event
4. Information Disclosure: information is obtained without authorization
5. Denial of Service: attacker overloads a system to deny legitimate access
6. Elevation of Privilege: attacker gains a privilege level above what is permitted

SDLC process models include:

1. Define: business and security requirements and standards are determined
2. Design: threat modeling, secure design
3. Develop: code review, unit testing, static analysis
4. Test: vulnerability assessment, dynamic analysis, functional tests, quality assurance

SaaS Benefits

1. Ease of use and limited/minimal administration
2. Automatic updates and patch management
3. Standardization and compatibility: all users have the same version of the software release
4. Global accessibility

Key Cloud Computing Characteristics (5)

1. On-Demand Self-Service
2. Broad Network Access
3. Resource Pooling
4. Rapid Elasticity
5. Measured Service

PaaS Key Benefits

1. Operating system can be changed and upgraded frequently.
2. Globally distributed development teams are able to work together on software development projects within the same environment.
3. Services are available and can be obtained from diverse sources that cross international boundaries.
4. Upfront and recurring or ongoing costs can be significantly reduced.

The purpose of Incident Management is to:

1. Restore normal service operation as quickly as possible
2. Minimize the adverse impact on business operations
3. Ensure service quality and availability are maintained

IaaS Key Benefits

1. Usage is metered and priced on the basis of units (or instances) consumed.
2. The ability to scale infrastructure services up and down based on actual usage.
3. Reduced cost of ownership.
4. Reduced energy and cooling costs.

Criminal Law

A body of rules and statutes that defines conduct that is prohibited by the government and is set out to protect the safety and well-being of the public.

Identity Management

A broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity

Software Defined Networking (SDN)

A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components

Hybrid Cloud Storage

A combination of public cloud storage and private cloud storage where some critical data resides in the enterprise's private cloud while other data is stored and accessible from a public cloud storage provider.

Cloud Computing Reseller

A company that purchases hosting services from a cloud server hosting or cloud computing provider and then re-sells them to its own customers.

Cross-site Request Forgery (CSRF) (OWASP top ten):

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Formula for Annualized Loss Expectancy

ALE = SLE × ARO (single loss expectancy times annualized rate of occurrence)

National Institute of Standards and Technology (NIST) SP 800-53

A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.

Tort Law

A body of rights, obligations, and remedies that sets out reliefs for persons suffering harm as a result of the wrongful acts of others.

Static Application Security Testing (SAST)

A set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities

Web Application Firewall (WAF)

A layer-7 firewall, one that can understand HTTP traffic, can be extremely effective in the case of a denial-of-service (DoS) attack; two recent cases exist where a cloud WAF was used to successfully thwart DoS attacks of 350 Gb/sec and 450 Gb/sec.

Database Activity Monitoring (DAM)

A layer-7 monitoring device that understands SQL commands; it can be agent-based (ADAM) or network-based (NDAM) and can be used to detect and stop malicious commands from executing on an SQL server.

Traditional networking model

A layered approach with physical switches at the top layer and logical separation at the hypervisor level.

Seeking to follow good design practices and principles, the CSP should create the physical network design based on which of the following?

A logical network design

Security Information and Event Management (SIEM)

A method for analyzing risk in software systems. It is a centralized collection of monitoring of security and event logs from different systems. SIEM allows for the correlation of different events and early detection of attacks.

Multi-factor Authentication

A method of computer access control that a user passes by successfully presenting authentication factors from at least two of three categories: knowledge factors (what the user knows, such as passwords), possession factors (what the user has), and inherence factors (what the user is). It combines two or more independent credentials.

Data Masking

A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training

TCI Reference Architecture

A methodology and a set of tools that enables security professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.

Infrastructure as a Service (IaaS)

A model that provides a complete infrastructure (e.g. servers, internetworking devices) and allows companies to install software on provisioned servers and control the configurations of all devices.

Processor

A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the Controller.

Cloud OS

A phrase frequently used in place of Platform as a Service (PaaS) to denote an association to cloud computing.

API - Simple Object Access Protocol (SOAP)

A protocol specification for exchanging structured information in the implementation of web services in computer networks.

Remote Desktop Protocol (RDP)

A protocol that allows for separate channels for carrying presentation data, serial device communication, licensing information, and highly encrypted data (keyboard, mouse activity).

A risk can be considered fully mitigated when?

A risk cannot be fully mitigated

Cloud Provider

A service provider who offers customers storage or software solutions available via a public network, usually the Internet.

Content Delivery Network (CDN)

A service where data is replicated across the global Internet.

Application Programming Interfaces (APIs)

A set of routines, standards, protocols, and tools for building software applications to access a Web-based software application or Web tool

Cloud Server Hosting

A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.

Security Assertion Markup Language (SAML)

A standard for exchanging authentication and authorization data between security domains.

Platform as a Service (PaaS)

A way for customers to rent hardware, operating systems, storage, and network capacity over the Internet from a cloud service provider.

Masking

A weak form of confidentiality assurance that replaces the original information with asterisks or X's.

Which of the following are the characteristics of PaaS? Each correct answer represents a complete solution. Choose three.

Ability to auto-scale; support for multiple languages and frameworks; flexibility

Which of the following frameworks is used in conjunction with the organizational normative framework and contains only the information required for a specific business application to reach the targeted level of trust?

ANF

Publishes the optimal temperature and humidity levels for data centers

ASHRAE

What is a key capability or characteristic of PaaS?

Ability to reduce lock-in

Cloud Computing Accounting Software

Accounting software that is hosted on remote servers.

Which are steps in the patch management process (choose multiple)?

Be aware of available patches; acquire patches; validate patches

Control

Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.

ISO/IEC 27018

Addresses the privacy aspects of cloud computing for consumers and is the first international set of privacy controls in the cloud.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Adopts national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. Protected health information can be stored via cloud computing under HIPAA.

The A in DREAD stands for:

Affected Users

Release and Deployment Management

Aims to plan, schedule, and control the movement of releases to test and live environments.

Data Loss Prevention (DLP)

Audit and prevent unauthorized data exfiltration.

Integrates the AONT and erasure coding. This method first encrypts and transforms the information and the encryption key into blocks so the information cannot be recovered without using all the blocks. Then it uses the information dispersal algorithm (IDA) to split the blocks into m shares that are distributed to different cloud storage services.

All-or-Nothing-Transform with Reed-Solomon (AONT-RS)

Web Application Firewall (WAF)

An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection

Federated Identity Management

An arrangement that can be made among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group

Business Impact Analysis (BIA)

An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.

Data Subject

An identifiable subject is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity; [telephone number, IP address].

What is the definition of an incident according to the ITIL framework?

An incident is defined as an unplanned interruption to an IT service or reduction in the quality of an IT service.

What is the Cloud Security Alliance Cloud Controls Matrix?

An inventory of Cloud Service security controls that are arranged into separate security domains.

Apache CloudStack

An open source cloud computing and Infrastructure as a Service (IaaS) platform developed to help make creating, deploying, and managing cloud services easier by providing a complete "stack" of features and components for cloud environments.

Eucalyptus

An open source cloud computing and Infrastructure as a Service (IaaS) platform for enabling private clouds.

Encryption

An overt secret writing technique that uses a bidirectional algorithm in which humanly readable information (referred to as plaintext) is converted into humanly unintelligible information (referred to as ciphertext).

Which BCDR step combines the scope and requirements steps to form objectives?

Analyze

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.

Anonymization

Personal Data

Any information relating to an identified or identifiable natural person data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.

Personal Data

Any information relating to an identified or identifiable natural person. There are many types of personal data, such as sensitive/ health data, biometric data, and telephone/telematic traffic data. According to the type of Personal Data, the P&DP laws usually set out specific privacy and data protection obligations (e.g., security measures, Data Subject's consent for the processing).

Anything-as-a-Service

Anything-as-a-service, or "XaaS," refers to the growing diversity of services available over the Internet via cloud computing as opposed to being provided locally, or on premises.

An open source cloud computing and infrastructure as a service platform developed to help make creating, deploying, and managing cloud services easier by providing a complete stack of features and components.

Apache CloudStack

Single loss expectancy (SLE) is calculated by using:

Asset value and exposure factor

Data stored on a system is:

At Rest

Which of the following layers of CSA STAR requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM?

Attestation

In order to support continuous operations, which of the following principles should be adopted as part of the security operations policies?

Audit logging; contract/authority maintenance; secure disposal; incident response legal preparation

What are SOC 1, SOC 2, and SOC 3?

Audit reports

Access Control combines which two factors of security?

Authentication and Authorization

All of the following are domains in ISO/IEC 27001:2013 except:

Authorization

According to AICPA (American Institute of CPAs), which of the following principles should be used in the performance of Trust Services engagements? Each correct answer represents a complete solution. Choose three.

Availability; Confidentiality; Processing integrity

What is typically included in the Service Level Agreement (SLA)?

Availability of the services to be covered by the SLA; change management process to be used; dispute mediation process to be used

Tier 1 data from Uptime Institute's Data Center Site Infrastructure Tier Standard Topology

Basic Data Center Site Infrastructure

Which of the following are distinguishing characteristics of a Managed Service Provider?

Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management

Which of the following is the recommended operating range for temperature and humidity in a data center?

Between 64 °F and 81 °F, and between 40% and 60% relative humidity

Where is an XML firewall located?

Between the firewall and application

Usually involves splitting up and storing encrypted information across different cloud storage services.

Bit Splitting

A blank volume that the customer or user can put anything into and it might allow more flexibility and higher performance.

Block storage

When using a Software as a Service solution, who is responsible for application security?

Both cloud provider and the enterprise

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

Broken Authentication and Session Management

Normative Framework (ONF) Components

Business context; regulatory context; technical context; specifications; roles, responsibilities, and qualifications; application security control library

ISO 22301:2012

Business Continuity

What is the difference between Business Continuity and Business Continuity Management?

Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business Continuity Management (BCM) is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.

Business Impact Analysis

Which of the following components of the organizational normative framework (ONF) includes all application security policies, standards, and best practices adopted by an organization?

Business context

Which framework provides guidance for cloud vendors and assists cloud customers in assessing the overall security of a CSP?

CSA CCM

The key areas of a physical cloud environment are:

CPU, Memory, Disk, and Network

Which of the following are considered to be the building blocks of cloud computing?

CPU, RAM, Storage and Networking

Which of the following are cloud computing roles?

CSP and backup service provider

BICSI

Cabling standards

Broad network access

Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Rapid elasticity

Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Delivers the agreed service-level targets in a timely and cost-effective manner.

Capacity management

This is a comprehensive log of the history of data from creation to disposal:

Chain of Custody

Which of the following is a process in which the collected evidence is preserved and protected until the time it is presented in court?

Chain of custody

What should Configuration Management ALWAYS be tied to?

Change Management

Automates the process of building, deploying, and managing an infrastructure.

Chef

Who has the responsibility for meeting the commitments of the P&DP laws?

Customer as a data controller

Which would not be listed in an audit scope statement?

Classification of Data

Data classification

Classifying the data based on locations, compliance requirements, ownership, or business usage, in other words "value". Classification is also used in order to decide on the proper retention procedures for the enterprise.

A third-party entity offering independent identity and access management (IAM) services to CSPs and cloud customers, often as an intermediary.

Cloud Access Security Broker (CASB)

This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).

Cloud Administrator

Typically responsible for adapting, porting, or deploying an application to a target cloud environment.

Cloud Application Architect

A specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.

Cloud Application Management for Platforms (CAMP)

Someone who determines when and how a private cloud meets the policies and needs of an organization's strategic goals and contractual requirements from a technical perspective.

Cloud Architect

A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.

Cloud Backup Service Provider

A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.

Cloud Computing Reseller

Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant SLAs and that the storage components are functioning according to their specified requirements.

Cloud Data Architect

Focuses on development for the cloud infrastructure. This role can vary from client tools or solutions engagements through systems components.

Cloud Developer

The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: cloud provider, client, and application.

Cloud Development

Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Helps to ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services.

Cloud Management

A phrase frequently used in place of platform as a service (PaaS) to denote an association to cloud computing.

Cloud Operating System (OS)

The ability to move applications and their associated data between one cloud provider and another or between public and private cloud environments.

Cloud Portability

A service provider who offers customers storage or software solutions available via a public network, usually the Internet.

Cloud Provider

Which of the following are cloud computing roles?

Cloud Provider and Backup Service Provider

The deployment of a company's cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite.

Cloud Provisioning

A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, they are provided by multiple connected servers that comprise a cloud.

Cloud Server Hosting

Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers (CSPs). It acts as a liaison between cloud services customers and CSPs.

Cloud Services Brokerage (CSB)

The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

Cloud Storage

Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.

Cloud Testing

A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications.

Cloud computing

NIST Definition of Cloud Computing

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Who is responsible for overseeing business and billing administration, purchasing, and auditing report requests?

Cloud service business manager

Measured service

Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service

ISO 27002

Code of practice for information security controls - essentially a detailed catalog of information security controls that might be managed through the ISMS

ISO 27017

Code of practice for information security controls based on ISO 27002 for cloud services

ISO 27018

Code of practice for protection of personally identifiable information

Digital Forensics Phases:

Collection, Examination, Analysis, Reporting

ISO 15408

Common Criteria for Information Technology Security Evaluation

A list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.

Common Vulnerabilities and Exposures

Which framework ensures customers that the products they are buying have been evaluated and that the vendor's claims have been verified by a vendor-neutral third party?

Common criteria assurance

Using Components with Known Vulnerabilities (OWASP top ten):

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

At which of the following levels should logical design for data separation be incorporated?

Compute nodes and Network

Logical design for data separation needs to be incorporated at the following levels:

Compute nodes, Management plane, Storage nodes, Control plane, Network

Tier 3 Uptime Institute's Data Center Site Infrastructure Tier Standard Topology

Concurrently Maintainable Site Infrastructure

What are the two biggest challenges associated with the use of IPsec in cloud computing environments?

Configuration Management and Performance

Honeypot

Consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

A service where data is replicated across the global Internet. A form of data caching, usually near geophysical locations of high use demand, for copies of data commonly requested by users.

Content Delivery Network (CDN)

In which of the following storage types is data, stored in object storage, divided across multiple nodes to improve Internet consumption speed?

Content delivery network

CSA type 3 certification framework

Continuous monitoring

Which of the following makes the infrastructure resilient against component failure?

Continuous uptime

Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.

Control

The natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.

Controller

Management Plane

Controls the entire infrastructure, and parts of it will be exposed to customers independent of network location; it is therefore a prime resource to protect.

The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.

Corporate Governance

What are the six stages of the cloud secure data lifecycle?

Create, Store, Use, Share, Archive and Destroy

What is the correct order of the Cloud Data Lifecycle?

Create, Store, Use, Share, Archive, Destroy

Data Life Cycle

Create, Store, Use, Share, Archive, Destroy

Sends forged requests through an authenticated session

Cross-Site Request Forgery

Occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. It allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Cross-Site Scripting, a.k.a. XSS

What are the BCDR planning factors? Each correct answer represents a complete solution. Choose three.

Current locations of the assets; the networks between the assets and the sites of their processing; assets: data and processing

Who generates, holds, and retains the keys in key management services?

Customer

When using Maintenance Mode, what two items are disabled and what item remains enabled?

Customer access and Alerts are disabled while logging remains enabled.

Refers to the responsibility of the data owner which takes place in the Create phase and is assigned according to an overall organizational motif based on a specific characteristic of the given dataset.

Data classification

What is the key issue associated with the Object Storage type that the CSP has to be aware of?

Data consistency is achieved only after change propagation to all replica instances has taken place.

A person who determines the purposes for which and the manner in which any personal data are, or are to be, processed

Data controllers

Responsible for the safe custody, transport, storage of the data, and implementation of business rules

Data custodians

A technology that keeps the format of a data string but alters the content. A weak form of confidentiality assurance that replaces the original information with asterisks or Xs.

Data masking

Responsible for data content, context, and associated business rules

Data stewards

A subject who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity (such as telephone number or IP address).

Data subject

A layer-7 monitoring device that understands SQL commands

Database activity monitoring

In essence, a managed database service.

Database as a Service (DBaaS)

Refers to a kind of data analysis which is an outgrowth of the possibilities offered by the regular use of the cloud, also known as "big data."

Data mining

Access Management

Deals with managing an individual's access to resources, based on the answers to "Who are you?" and "What do you have access to?"

The steps in the B C D R continual process

Define Scope, Gather Requirements, Analyze, Assess Risk, Implement, Test, Report, Revise

NIST SP 800-92

Defines a log as a record of the events occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network.

Event

Defined as a change of state that has significance for the management of an IT service or other configuration item.

Incident

Defined as an unplanned interruption to an IT service or reduction in the quality of an IT service.

Which kind of threat can cause higher than usual billing based on resources consumed?

Denial of Service

STRIDE Threat Model

Derived from an acronym for the following six threat categories: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege

Incident Management

Describes the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.

A form of virtual desktop infrastructure (VDI) that a third party outsources and handles.

Desktop as a Service (DaaS)

What does the concept of non-destructive testing mean in the context of a vulnerability assessment?

Detected vulnerabilities are not exploited during the vulnerability assessment.

Cloud Backup Solutions

Enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.

ISO 27037

Digital evidence

Directive 95/46 EC:

Directive 95/46/EC focuses on the protection of individuals with regard to the processing of personal data and on the free movement of such data; it also captures the human right to privacy, as referenced in the European Convention on Human Rights (ECHR).

Used to balance workloads, jobs, and processes

Distributed Resource Scheduling

What security risks and benefits must you consider when thinking about cloud computing

Distributed/Multitenant Security Environment (Business ecosystem), Risk (Business/Reputational), Compliance (Legal, Regulatory) and Privacy

Determines in which jurisdiction the dispute will be heard in case of a conflict

Doctrine of the proper law

Private Cloud Project

Enable their IT infrastructure to become more capable of quickly adapting to continually evolving business needs and requirements.

The development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.

Due care

What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?

Due care

The act of investigating and understanding the risks a company faces.

Due diligence

Generally considered a black-box test, where the tool must discover individual execution paths in the application being analyzed. Considered effective when testing exposed HTTP and HTML interfaces of web applications

Dynamic application security testing

ISO 27050

eDiscovery

Which is a European Standards Agency?

ENISA

Virtualization

Each user has a single view of the available resources independently

Qualitative risk assessment is earmarked by which of the following?

Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process

What are the 3 Key Cloud Computing Drivers

Elasticity, Simplicity and Expandability

Virtualization Technologies

Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocations of resources across multiple tenants and environments.

Homomorphic Encryption

Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.

Stored Communication Act

Enacted in the United States in 1986 as part of the Electronic Communications Privacy Act. It provides privacy protections for certain electronic communication and computing services from unauthorized access or interception.

Which of the following methods for the safe disposal of electronic records can ALWAYS be used within a cloud environment?

Encryption

Which of the following can be deployed to help ensure the confidentiality of data in the cloud? (Choose two)

Encryption, Masking

What are the objectives of change management? Each correct answer represents a complete solution. Choose all that apply.

Ensure that changes are recorded and evaluated. Respond to a customer's changing business requirements while maximizing value and reducing incidents, disruption, and rework.

Cloud Data Architect

Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant SLAs and that the storage components are functioning according to their specified requirements.

Software that a business uses to assist in solving problems.

Enterprise Application

Translates business and security requirements into a set of rules and defines the identities and attributes required to evaluate the rules.

Entitlement process

Policy Management

Establishes the security and access policies based on business needs and degree of acceptable risk.

An open source cloud computing and infrastructure as a service (IaaS) platform for enabling AWS-compatible private and hybrid clouds.

Eucalyptus

Authorization

Evaluates "What do you have access to?" after authentication occurs.

Which two documents contain rules which must be followed when collecting and preserving evidence?

FRE (Federal Rules of Evidence), FRCP (Federal Rules of Civil Procedure)

The archive phase means that data is moved to tape and is not readily accessible.

False

The use of a generator eliminates the need for a Battery Backup system in a data center.

False

To get a full assessment of the readiness of an organization, auditing should be performed during peak processing and user loads.

False

With a regular patching schedule, scanning is no longer needed.

False

Tier 4 Uptime Institute's Data Center Site Infrastructure Tier Standard Topology

Fault-Tolerant Site Infrastructure

NIST publication written to accredit and distinguish cryptographic modules produced by private-sector vendors who seek to have their solutions and services certified for use in U.S. government departments and regulated industries that deal with data that is deemed to be sensitive but not top secret.

Federal Information Processing Standard (FIPS) 140-2

Gramm-Leach-Bliley Act (GLBA)

Federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

Database Encryption

File level encryption, Transparent encryption, Application-level encryption

NFPA

Fire protection

Criteria of a Kernel-based Virtual Machine

Fixed firmware, safe buffer design, push-button control, housing intrusion detection, tamper-proof circuit board, tamper-warning labels on each side of the KVM

Cloud Developer

Focuses on development for the cloud infrastructure itself. This role can vary from client tools or solutions engagements, through to systems components.

Digital Rights Management (DRM)

Focuses on security and encryption to prevent unauthorized copying and to limit distribution to only those who pay.

Which of the following parts of the NIST framework helps an organization align activities with business requirements, risk tolerance, and resources?

Framework profile

The risk-management process

Framing risk, Assessing risk, Responding to risk, Monitoring risk

What are the four steps in the Risk Management process?

Framing, Assessing, Monitoring and Response

Risk Management Process

Framing, assessing, responding, monitoring

What are the three things that must be understood BEFORE you can determine the necessary controls to deploy for data protection in a cloud environment?

Function, location and actors

What are the three things that you must understand before you can determine the necessary controls to deploy for data protection in a cloud environment?

Function, location, and actors

A test against a particular component of a cloud system is:

Functional Testing

Which of the following identifies and reports on any risks that may affect the AIC of key information assets?

Gap analysis

Security Misconfiguration (OWASP top ten):

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

What type of risks are typically associated with Virtualization?

Guest breakout, snapshot and image security and sprawl

What types of risks are typically associated with virtualization?

Guest breakout, snapshot and image security, and sprawl

NIST SP 800-43 revision 3

Guide to Enterprise Patch Management Technologies

ISO 27013

Guideline on the integrated implementation of ISO 27001 and ISO 20000-1

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protection of log files, and more.

Hardware Security Module (HSM)

Cloud Architect

He or she will determine when and how a private cloud meets the policies and needs of an organization's strategic goals and contractual requirements (from a technical perspective).

ISO/IEC 27001:2013

Helps organizations establish and maintain an ISMS. An ISMS is a set of interrelated elements that organizations use to manage and control information security risks and to protect and preserve the confidentiality, integrity, and availability of information.

Information (Data) Classification

High-level description of important and valuable information categories (e.g., highly confidential, regulated).

Vendor Lock-in

Highlights where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints.

Identity Provider

Holds all of the identities and generates a token for known users.

Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider (CSP) for processing without the requirement to decipher the data first.

Homomorphic Encryption

A protocol that uses TCP to transport small computer system interface commands, enabling the use of the existing TCP/IP networking infrastructure as a storage area network

iSCSI

Which of the following can be used for securing communications to prevent eavesdropping? Each correct answer represents a complete solution. Choose all that apply.

IPsec, TLS

Which of the following offers guidelines for information security controls applicable to the provision and use of cloud services?

ISO/IEC 27017:2015

What is the first international set of privacy controls in the cloud?

ISO/IEC 27018

Simplicity

IT environment complexities are reduced

Which Category gives the customer complete control of networking settings?

IaaS

What is the process flow of digital forensics?

Identification of incident & evidence, Collection, Examination, Analysis and Presentation

IAM Capabilities

Identity Management, Access Management, Identity Repository/Directory Services

Besides facilitating the deployment of continuous security monitoring capabilities, what other advantages does automation provide?

Improved security visibility, enhanced policy/governance enforcement, framework for management of extended business ecosystem and organizational transition from infrastructure-centric to a data-centric security model

What is the difference between a Managed Service Provider (MSP) and a Cloud Service Provider (CSP)?

In an MSP, the consumer dictates the technology and operating procedures, while in a CSP the service provider dictates both the technology and the operational procedures.

Database as a Service

In essence, a managed database service.

Privacy in United States

In this location, the processing of personal data is subject to "Opt Out" consent from the Data Subject, while the "Opt In" rule applies in special cases such as the processing of sensitive/health data.

States the activities of an organization to identify, analyze, and correct hazards to prevent a future reoccurrence

Incident management

Injection (OWASP top ten):

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. If the interpreter is successfully tricked, it will execute the unintended commands or access data without proper authorization.

Which of the following is not a part of STRIDE?

Information

ISO 27014

Information security governance

Personally Identifiable Information (PII)

Information that can be traced back to an individual user, e.g. your name, postal address, or e-mail address. Personal user preferences tracked by a Web site via a cookie is also considered personally identifiable when linked to other personally identifiable information provided by you online.

_______________ occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Injection flaws

Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Insecure Direct Object References

Redundant Array of Inexpensive Disks (RAID)

Instead of using one large disk to store data, one can use many smaller disks (because they are cheaper). An approach to using many low-cost drives as a group to improve performance, yet also provides a degree of redundancy that makes the chance of data loss remote.

All-or-Nothing-Transform with Reed-Solomon (AONT-RS)

Integrates the AONT and erasure coding. This method first encrypts and transforms the information and the encryption key into blocks in a way that the information cannot be recovered without using all the blocks, and then it uses the IDA to split the blocks into m shares that are distributed to different cloud storage services (the same as in SSMS).

Enterprise DRM

Integration plan designed by Digital Equipment Corp. to provide an operating platform for a multi-vendor environment.

Which concept focuses on the trustworthiness of data?

Integrity

A protocol that uses transmission control protocol (TCP) to transport commands, enabling the use of the existing TCP/IP networking infrastructure as a storage area network (SAN).

Internet small computer system interface

Which of the following defines the ease of moving and reusing application components regardless of the provider, platform, and so on?

Interoperability

Cloud Roadmap Requirements

Interoperability, Portability, Availability, Security, Privacy, Resilience, Performance, Governance, Service Level Agreements (SLA), Auditability, Regulatory

Transport Layer Security (TLS)

Is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL)

Federation

Is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.

Secure Sockets Layer

Is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral

Problem Management

Is to minimize the impact of problems on the organization.

What is a key characteristic of a honeypot?

Isolated, monitored environment

Demilitarized Zone (DMZ)

Isolates network elements such as e-mail servers that, because they can be accessed from trustless networks, are exposed to external attacks.

NIST SP 800-53

Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.

Which of the following are legal risks in cloud computing? Each correct answer represents a complete solution. Choose three.

Jurisdiction, Law enforcement, Data protection

Classification uses this to mark the level of classification:

Labels

Which of the following pitfalls are related to cloud security? Each correct answer represents a complete solution. Choose all that apply.

Lack of documentation and guidelines; complexities of integration; not all apps are "cloud-ready"

Privacy in Asian-Pacific Economic Cooperation (APEC)

Leaders in this location have endorsed a framework recognizing the importance of the development of effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth.

Sarbanes Oxley Act (SOX)

Legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise.

Online Backup

Leverages the Internet and cloud computing to create an attractive off-site storage solution with little hardware requirements for any business of any size.

Cloud Testing

Load and performance testing conducted on the applications and services provided via cloud computing — particularly the capability to access these services — in order to ensure optimal performance and scalability under a wide variety of conditions.

Data aggregation

Log management aggregates data from many sources, including network, security, servers, databases, and applications, providing the ability to consolidate monitored data to help avoid missing crucial events.

Correlation

Looks for common attributes and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information.

Type of cluster that offers cost-effective building blocks that can start small and grow as applications demand. It offers performance, I/O, and storage capacity within the same node.

Loosely coupled cluster

The measure of the average time between failures of a specific component or part of a system.

Mean time to repair (MTTR)

Which threat comes as a result of an employee's (current or former) misuse of confidential data to which he has (or had) authorized access?

Malicious insider

An IT service where the customer dictates both the technology and the operational procedures, and an external party executes admin and ops support according to a contract

Managed Service Provider

Which of the following allows an administrator to manage any or all of the hosts remotely?

Management plane

NIST SP 800-39

Managing Information Security Risk

Sensitive Data Exposure (OWASP top ten):

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection, such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Which method involves replacing values or adding additional characters to a field?

Masking

What are three analysis methods used with data discovery techniques?

Metadata, Labels and Content Analysis

Which of the following are attributes of cloud computing?

Minimal management effort and shared resources

A form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.

Mobile Cloud Storage

Host Intrusion Detection Systems (HIDS)

Monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected.

Missing Function Level Access Control (OWASP top ten):

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

The following is used to ensure non-repudiation:

Multi-Factor

Which cloud characteristic defines that more than one user can store their data by using the applications provided by SaaS?

Multitenancy

Which of the following is a concept in which many customers may be running on the same environment with no physical isolation?

Multitenancy

A guide for implementing the risk management framework, which is a methodology for handling all organizational risks in a comprehensive manner.

NIST SP 800-37

Where would the monitoring engine be deployed when using a Network based Data Loss Prevention system?

Near the organizational gateway

A network file server with a drive or group of drives, portions of which are assigned to users on that network. The user will see it as a file server and can share files to it.

Network Attached Storage

Helps to check not only the hardware and the software but also the distribution facets, such as SDN control planes.

Network monitoring

7 key principles of safe harbor

Notice, choice, transfer to 3rd parties, access, security, data integrity, enforcement

Used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters.

OS logging

A utility that identifies project dependencies and checks whether there are any known, publicly disclosed, vulnerabilities

OWASP Dependency-Check

Often used in authorization with mobile apps, it provides third-party applications limited access to HTTP services.

OAuth

XML-based framework for communicating user authentication, entitlement, and attribute information across organizations

Security Assertion Markup Language

In IaaS the Customer has control over:

OS

The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable.

Obfuscation

Additional metadata, such as content type, redundancy required, and creation date, that is stored for a file. These objects are accessible through application programming interfaces (APIs) and potentially through a web user interface (UI).

Object Storage

Stores all data in a filesystem and gives customers access to the parts of the hierarchy to which they are assigned.

Object storage

Allows a significant level of description, including the marking, labels, classification and categorization; it also enhances the opportunity for indexing capabilities.

Object-based storage

Object Storage

Objects (files) are stored with additional metadata (content type, redundancy required, creation date, etc.). These objects are accessible through APIs and potentially through a web user interface.

Which of the following should be carried out first when seeking to perform a gap analysis?

Obtain management support

Oversubscription

Occurs when more users are connected to a system than can be fully supported at the same time.

Which of the following are essential characteristics of cloud computing? (Choose two)

On-demand self-service; broad network access

NIST 5 essential characteristics of cloud computing

On-demand self-service, Broad network access, Resource pooling, Rapid elasticity and measured service

What is domain A.16 of the ISO 27001:2013 standard?

Security Incident Management

An interoperable authentication protocol based on the OAuth 2 specification. It allows developers to authenticate their users across websites and applications without having to manage usernames and passwords

OpenID Connect

Processing

Operations that are performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

Converged networking model

Optimized for cloud deployments and utilizes standard perimeter protection measures. The underlying storage and IP networks are converged to maximize the benefits for a cloud workload.

A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization.

Organizational Normative Framework (ONF)

Cloud Technology Roadmap

Originally developed by NIST, it provides guidance and recommendations for enabling security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.

Which of the following statements are true of CSP (cloud service provider)? Each correct answer represents a complete solution. Choose all that apply.

Outsources activities and functions; provides services and resources for use

Which is not a benefit of Public Cloud Models?

Ownership Retention

Which is not a key feature of IaaS?

Ownership retention

Sensitive Data Exposure looks at the following except:

PCI

Logical design

Part of the design phase of the SDLC in which all functional features of the system chosen for development in analysis are described independently of any computer platform

Which of the following are common capabilities of Information Rights Management solutions?

Persistent protection, dynamic policy control, automatic expiration, continuous audit trail and support for existing authentication infrastructure

Which of the following are common capabilities of IRM solutions?

Persistent protection, dynamic policy control, automatic expiration, continuous audit trail, and support for existing authentication security infrastructure

Which of the following are the key principles of an enterprise architecture that should be followed at all times? Each correct answer represents a complete solution. Choose three.

Prepare the resilient architecture and support multilandlord platforms. Provide direction to secure information preserved by regulations. Explain protections that enable trust in the cloud.

SIEM is:

Security Information Event Management

The following are Virtualization Risks except:

Physical Compromise

Steps of the SDLC

Planning and Requirement Analysis, Defining, Designing, Developing, Testing

What are the phases of a Software Development Life Cycle process model?

Planning and requirements analysis, Define, Design, Develop, Testing and Maintenance

Software Development Lifecycle

Planning and requirements, defining, designing, developing, testing, maintenance

ISO/IEC 27001

Possibly the most widely known and accepted information security standard, ISO 27001 was originally developed and created by the British Standards Institute, under the name of BS 7799. The standard was adopted by the International Organization for Standardization (ISO) and re-branded ISO 27001. Since September 2013, ISO 27001 was updated to ISO 27001:2013 and now consists of 35 control objectives and 114 controls spread over 14 domains.

Which of the following are parts of the APEC (Asia-Pacific Economic Cooperation) privacy framework? Each correct answer represents a part of the solution. Choose all that apply.

Preamble, Implementation, Information privacy principles, Scope

Asia-Pacific Economic Cooperation privacy framework

Preamble, Scope, Information privacy principles, Implementation

FIPS 140-2

Primary goal is to accredit and distinguish secure and well-architected cryptographic modules produced by private sector vendors who seek to have their solutions and services certified for use in regulated industries that collect, store, transfer, or share data that is deemed to be "sensitive" but not classified.

Which of the following laws is defined as the right of an individual to determine when, how, and to what extent they will release personal information?

Privacy

Which cloud deployment model is managed by an organization it serves?

Private

Used by organizations to enable their information technology (IT) infrastructures to become more capable of quickly adapting to continually evolving business needs and requirements.

Private Cloud Project

Identifies and provides solutions to errors that occurred in an operation and prevents their recurrence

Problem management

Operations that are performed upon personal data, whether or not by automatic means.

Processing

What are the four cloud deployment models?

Public, Private, Hybrid and Community

Allows an administrator to define the desired state of an IT infrastructure and then automatically enforces that state

Puppet

Which of the following statements are true of the REST (Representational State Transfer) API format? Each correct answer represents a complete solution. Choose all that apply.

REST reads can be cached; supports only SSL security; works only over HTTP on a transport layer

A software architecture style consisting of guidelines and best practices for creating scalable web services

REpresentational State Transfer

This is the amount of time it would take to recover in the event of a disaster:

RTO

A technique which allows the replacement of the data with random characters, leaving the other traits intact such as length of the string and character set.

Randomization

Cloud environments can often have services restored faster than traditional failover sites through the use of:

Rapid Elasticity

A user wants to save his documents on a cloud. He found that the available storage on the cloud is filled. Therefore, he needs additional storage for saving the document. Which characteristic of cloud computing will help him do so?

Rapid elasticity

What are the relevant cloud infrastructure characteristics that can be considered distinct advantages in realizing a BCDR plan objective with regards to Cloud computing environments?

Rapid elasticity, broad network connectivity and a pay per use model

Which of the following are the important processes of the continuous operation of audit logging? Each correct answer represents a complete solution. Choose three.

Reduction of false positives; new event detection; adding new rules

Tier 2 from Uptime Institute's Data Center Site Infrastructure Tier Standard Topology

Redundant Site Infrastructure Capacity Components

Which of the following is the correct name for Tier II of the Uptime Institute Data Center Site Infrastructure Tier Standard Topology?

Redundant Site Infrastructure Capacity Components

eDiscovery

Refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.

Quality of Service (QoS)

Refers to the capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all of these underlying technologies

Information gathering

Refers to the process of identifying, collecting, documenting, structuring, and communicating information from various sources in order to enable educated and swift decision making to occur.

Which could not be used with a password to meet multifactor authentication requirements?

Security Questions

Australian Privacy Act 1988

Regulates the handling of personal information about individuals. This includes the collection, use, storage, and disclosure of personal information, and access to and correction of that information.

Service Organization Controls 1 (SOC 1)

Reports on Controls at Service organizations relevant to user entities' Internal Control over financial reporting.

Service Organization Controls 2 (SOC 2)

Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy.

A software architecture style consisting of guidelines and best practices for creating scalable web services.

Representational State Transfer (REST)

ISO/IEC 27034-1

Represents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security

What are the objectives of Change Management? (Choose all that apply)

Respond to a customer's changing business requirements while maximizing value and reducing incidents, disruption, and re-work; ensure that changes are recorded and evaluated

Which of the following metrics reports on the time required to perform the requested operation or tasks?

Response time

What are the four elements that a data retention policy should define?

Retention periods, data formats, data security and data retrieval procedures

NIST SP 800-30

Risk Assessment guide for Information Technology Systems

ISO 31000

Risk management

Individuals in an organization who together determine the organization's overall risk profile.

Risk owner and player

Generally considered to focus on applications that possess self-protection capabilities built into their runtime environments.

Runtime application self-protection

A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.

SP 800-53

Which is a standard put out by OASIS and is an XML-based exchange method for authentication and authorization?

SAML

Which of the following statements about Software Defined Networking are correct? (Choose two)

SDN provides for the ability to execute the control plane software on general purpose hardware, allowing for the decoupling from specific network hardware configurations and allowing for the use of commodity servers. Further, the use of software based controllers allows for a view of the network that presents a logical switch to the applications running above, allowing for access via API's that can be used to configure, manage, and secure network resources. SDN's objective is to provide a clearly defined and separate network control plane to manage network traffic that is separated from the forwarding plane. This approach allows for network control to become directly programmable and distinct from forwarding, allowing for dynamic adjustment of traffic flows to address changing patterns of consumption.

Which is not a method of protection for data in transit?

SLA

A type of report that is used for auditing the financial reporting instruments of a corporation.

SOC 1

A type of report which is intended to report audits of controls on an organization's security, availability, processing integrity, and privacy.

SOC 2

Contains no actual data about the security controls of the audit target and is also known as the "seal of approval".

SOC 3

Which report was created to replace SAS70?

SSAE

What are the three generally accepted service models of cloud computing?

SaaS, PaaS, and IaaS

This is segregating information from others within the same system:

Sandboxing

Which of the following is used to execute untrusted code without risking harm to the host machine or operating system?

Sandboxing

Which is not a step in the audit plan?

Scope Analysis

What defines what is to be covered in the audit?

Scope of audit

A secure password-based authentication and key-exchange protocol. It exchanges a cryptographically strong secret as a by-product of successful authentication, which enables the two parties to communicate securely.

Secure remote password

A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.

Security Alliance's Cloud Controls Matrix

NIST SP 800-92

Security log management

What are the five Trust Services Principles?

Security, Availability, Processing Integrity, Confidentiality and Privacy

Which of the following are examples of a trust zone? (Choose Two)

Segmentation according to department; a web application with a two-tiered architecture

CSA type 1 certification framework

Self-assessment

Negotiates agreements with various parties to design services that meet the agreed-upon service-level agreements

Service-level management

In cloud computing models you purchase ______.

Services

Helps the customer to seek financial restitution for damages caused to them, that occurred because of negligence or malfeasance on the part of the provider.

Shared policy

When setting up resource sharing within a host cluster, which option would you choose to mediate resource contention?

Shares

Cloud App (Cloud Application)

Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet.

A technique which uses different entries from within the same data set to represent the data.

Shuffling

A protocol specification for exchanging structured information in the implementation of web services in computer networks

Simple Object Access Protocol

A protocol specification for exchanging structured information in the implementation of web services in computer network.

Simple Object Access Protocol (SOAP)

Provides authentication, key establishment, data integrity, and data confidentiality in an online distributed application environment using a public-key infrastructure.

Simple public-key mechanism

Federated Single Sign-on (SSO)

Single sign-on (SSO) systems allow a single user authentication process across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability

Cloud Management

Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help to ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services.

What are the three generally accepted service models of cloud computing?

Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)

Application Virtualization

Software technology that encapsulates application software from the underlying operating system on which it is executed

A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.

Software-Defined Networking (SDN)

The five steps used to create an ASMP per ISO 27034-1

Specifying application requirements and environment, Assessing application security risks, Creating and maintaining the ANF, Provisioning and operating application, Auditing security of application

What are the five steps used to create an Application Security Management Process?

Specifying the application requirements and environment, Assessing application security risks, Creating and maintaining the Application Normative Framework, Provisioning and operating the application and Auditing the security of the application

STRIDE Threat Model

Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege

What are the six components that make up the STRIDE Threat Model?

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege

STRIDE

Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege

Generally considered a white-box test, where the application test performs an analysis of the application source code, byte code, and binaries without executing the application code.

Static application security testing

A group of devices connected to the network that provide storage space to users. Typically, the storage apportioned to the user is mounted to that user's machine, like an empty drive.

Storage Area Network

Which of the following statements are true of storage clusters? Each correct answer represents a complete solution. Choose all that apply.

Store and protect data through the use of AIC mechanisms. Provide ability to separate customer data in multitenant hosting environments. Meet the required service levels as specified in the SLA.

Data is organized and can easily be placed in a database:

Structured

Which of the following are data storage types used with a Platform as a Service solution?

Structured and Unstructured

A Linux toolset which performs patch management

System tap

What is a security related concern for a Platform as a Service solution?

System/Resource isolation

A methodology and a set of tools that enable security, enterprise, and risk management architects to leverage a common set of solutions that fulfill common needs, so they can assess where their internal IT and their cloud providers are in terms of security capabilities.

TCI Reference Architecture

Negotiates the secure attributes of a session and provides easy error handling

TLS handshake protocol

Encapsulates higher-level protocols and provides connection security and ensures the connection is private and reliable

TLS record protocol

Cloud Portability

The ability to move applications and their associated data between one cloud provider and another, or between public and private cloud environments.

Consider the following example: An online shopping website where the web interface asked its customers to select the purchase quantity for the products using a drop-down list. A hacker altered the entered value, and entered a quantity of "-1". The developer had only enforced the range validation at the web interface level and not at the backend application level. The price for the order was calculated to be -xUSD and the hacker actually ended up receiving a refund on his credit card. The hacker is making money by ordering a negative number of products. Imagine the damage that could have been caused if a value other than -1 was entered. Which of the following tools does the attacker use to alter the data?

Tampering

Cloud Service Manager

The Cloud Service Manager is typically responsible for policy design, business agreement, pricing model, and some elements of the SLA (not necessarily the legal components or amendments that will require contractual amendments). This role will work closely with cloud management and customers to reach agreement, and alongside the Cloud Administrator on behalf of the customers.

Common Criteria

The Common Criteria (CC) is an international set of guidelines and specifications (ISO/IEC 15408) developed for evaluating information security products, with the view to ensuring they meet an agreed-upon security standard for government entities and agencies.

When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed?

The Directive applies to data processed by automated means and data contained in paper files.

NIST SP 800-145

The NIST Definition of Cloud Computing

In a federated environment, who is the Relying Party, and what do they do?

The Relying Party is the service provider and they would consume the tokens generated by the Identity Provider.

Which of the following key benefits does IaaS provide to organizations? Each correct answer represents a complete solution. Choose three.

The ability to scale up and down infrastructure services based on actual usage. Usage metered and priced on the basis of units consumed. Reduced cost of ownership.

Forensic analysis

The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.

Authentication

The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station, or originator.

Anonymization

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.

Non-Repudiation

The assurance that a specific author actually did create and send a specific item to a specific recipient, and that it was successfully received. With assurance of non-repudiation, the sender of the message cannot later credibly deny having sent the message, nor can the recipient credibly claim not to have received it.

Alerting

The automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third-party channels such as e-mail.

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Hybrid Cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Private Cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community Cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public Cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Storage Cloud

The collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.

Infrastructure as a Service (IaaS)

The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Platform as a Service (PaaS)

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications for the application-hosting environment.

Software as a Service (SaaS)

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Obfuscation

The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable.

Cloud Provisioning

The deployment of a company's cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain on-site behind the firewall or in the private cloud.

Identity and Access Management

The entire process of registering, provisioning, and deprovisioning identities

Elasticity

The environment transparently manages a user's resources utilization based on dynamically changing needs

Authorization

The granting of right of access to a user, program, or process.

What is the benefit derived from the high degree of automation employed by most CSPs?

The high degree of automation provided by CSPs enables real-time monitoring and reporting of infrastructure security control points that easily transition into continuous security monitoring capabilities.

What is a Cloud Carrier?

The intermediary that provides connectivity and transport of cloud services between Cloud Providers and Cloud Consumers.

Cloud Carrier

The intermediary that provides connectivity and transport of cloud services between Cloud Providers and Cloud Consumers.

Privacy in European Union (EU)

The main piece of legislation is the EU directive 95/46/EC "on the protection of individuals with regard to the processing of personal data and on the free movement of such data."

In the context of Privacy and Data Protection, what is a Controller?

The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Controller

The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Vertical Cloud Computing

The optimization of cloud computing and cloud services for a particular vertical (e.g., a specific industry) or specific-use application.

Cost

The pay-per-usage model allows an organization to pay only for the resources they need with basically no investment in the physical resources available in the cloud. There are no infrastructure maintenance or upgrade costs.

NIST SP 800-53

The primary goal and objective of the 800-53 standard is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.

Crypto-shredding

The process of deliberately destroying the encryption keys that were used to encrypt the data originally.

Data archiving

The process of identifying and moving inactive data out of current production systems and into specialized long-term archival storage systems.

Cloud Enablement

The process of making available one or more of the following services and infrastructures to create a public cloud-computing environment: cloud provider, client, and application.

Data mapping

The process of mapping all relevant data in order to understand data types (structured, unstructured), data formats, file types and data location (network drives, databases, object, or volume storage).

Tokenization

The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.

Dynamic Application Security Testing (DAST)

The process of testing an application or software product in an operating (running) state.

Cloud Migration

The process of transitioning all or part of a company's data, applications, and services from on-site premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.

Resource pooling

The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Corporate Governance

The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.

What does an audit scope statement provide to a cloud service customer or organization?

The required level of information for the client or organization subject to the audit to fully understand (and agree) with the scope, focus, and type of assessment being performed.

Hypervisor (2 types)

The role of the hypervisor is a simple one - to allow multiple operating systems (OS) to share a single hardware host (with each OS appearing to have the host's processor, memory, and resources to itself). Type I = Hardware, Type II = Operating System

What is a Data Custodian responsible for?

The safe custody, transport, storage of the data, and implementation of business rules

Identity and Access Management (IAM)

The security discipline that enables the right individuals to access the right resources at the right times for the right reasons

What are the issues in transferring data from Ireland within the EEA enunciated by the Data Protection Guidance? Each correct answer represents a complete solution. Choose all that apply.

The security of the data; the requirement for a written contract between the CSP and any subprocessors; the location of the data

Enterprise Risk Management

The set of processes and structure to systematically manage all risks to the enterprise.

Cloud Storage

The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

Enterprise Application

The term used to describe applications — or software — that a business would use to assist the organization in solving enterprise problems.

Storage Clusters

The use of two or more storage servers working together to increase performance, capacity, or reliability. Clustering distributes workloads to each server, manages the transfer of workloads between servers, and provides access to all files from any server regardless of the physical location of the file.

Big Data

The volume of data that must be efficiently processed for discovery is larger, and the diversity of sources and formats presents challenges that make many traditional methods of data discovery fail.

Real-time analytics

These use cases are valuable but require data discovery tools that are faster, more automated, and more adaptive.

Agile analytics

They perform data discovery processes more often and in more diverse ways.

Hybrid cloud

This cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Private cloud

This cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on- or off-premises.

Community cloud

This cloud infrastructure is provisioned for exclusive use by a specific community of organizations with shared concerns (e.g., mission, security requirements, policy, and compliance considerations).

Public cloud

This cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Applicable law

This determines the legal regime applicable to a certain matter.

Cloud Administrator

This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).

Ephemeral storage

This type of storage is relevant for IaaS instances and exists only as long as its instance is up. It will typically be used for swap files and other temporary storage needs and will be terminated with its instance.

Jurisdiction

This usually determines the ability of a national court to decide a case or enforce a judgment or order.

Within the realm of IT security, which of the following combinations best defines risk?

Threat coupled with a vulnerability

Type of cluster which has a physical backplane into which controller nodes connect.

Tightly coupled cluster

When using a Platform as a Service solution, what is the capability provided to the customer?

To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment

When using an Infrastructure as a Service solution, what is the capability provided to the customer?

To provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

When using a Software as a Service solution, what is the capability provided to the customer?

To use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

When using a SaaS solution, what is the capability provided to the customer?

To use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Data Hashes ensure integrity of Data.

True

XML Gateways

Transform how services and sensitive data are exposed as APIs to developers, mobile, and cloud; they can be either hardware or software and can implement security controls such as DLP, antivirus, and anti-malware services.

A BCDR plan is not considered reliable until it is Tested.

True

A Type 2 Hypervisor resides on the host device's operating system, e.g., VMware Workstation.

True

Encryption is important to segregation of data in a cloud environment.

True

In a cloud environment, a change in geographic location for BCDR purposes can lead to latency and other performance issues.

True

Logging levels can be negotiated and are usually listed in the SLA.

True

OpenID is a federated identity system.

True

The level of auditing required should be detailed in the SLA.

True

XML Firewalls validate incoming XML code before sending it to the application.

True

Which is not required for KVM security?

USB storage devices should be allowed over the KVM

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Unvalidated Redirects and Forwards

When using an Infrastructure as a Service solution, what is a key benefit provided to the customer?

Usage is metered and priced on the basis of units consumed.

What are the phases of cloud data lifecycle? Each correct answer represents a complete solution. Choose all that apply.

Use; Store; Destroy; Archive

Which is not a Common Vulnerability?

XaaS

Which of the following are contractual components that the Cloud Security professional should review and understand fully when contracting with a cloud service provider? (Choose Two)

Use of subcontractors; Scope of processing; Training

Collaboration/Innovation

Users are starting to see the cloud as a way to work simultaneously on common data and information

Risk Reduction

Users can use the cloud to test ideas and concepts before making major investments in technology

Scalability

Users have access to a large number of resources that scale based on user demand

Mobility

Users have the ability to access data and applications from around the globe

Degaussing

Using strong magnets for scrambling data on magnetic media such as hard drives and tapes.

Bit Splitting

Usually involves splitting up and storing encrypted information across different cloud storage services.

Which of the following are risks (nonexhaustive) that BCDR is tasked to protect against? Each correct answer represents a complete solution. Choose three.

Utility service outages; damage from natural causes and disasters; wear and tear of equipment

Monitors compliance with a preconfigured baseline

VMware Update Manager

Uses built-in tools that allow users to build custom baselines

VMware vSphere

Highlights where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints.

Vendor Lock-In

Allows for agentless retrieval of the guest OS state, such as the list of running processes, active network connections, and open files.

Virtual Machine Introspection

Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocation of resources across multiple tenants and environments.

Virtualization technologies

A layer-7 firewall that can understand HTTP traffic

Web Application Firewall

Unvalidated Redirects and Forwards (OWASP top ten):

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.

Information Management Policies

What activities are allowed for different information types?

Doctrine of the Proper Law

When a conflict of laws occurs, this determines in which jurisdiction the dispute will be heard.

When does a Cross-site Scripting flaw occur?

Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping

PII - Contractual

Where an organization or entity processes, transmits, or stores PII as part of its business or services, this information is required to be adequately protected in line with relevant local state, national, regional, federal, or other laws.

Location and Jurisdictional Policies

Where can data be geographically located? What are the legal and regulatory implications or ramifications?

Authorizations

Who is allowed to access different types of information?

Custodianship

Who is responsible for managing the information at the behest of the owner?

A method for encrypting all data associated with the operation/use of a virtual machine, such as the data stored at rest on the volume, disk input/output (I/O), all snapshots created from the volume, as well as all data in transit moving between the virtual machine and the storage volume.

Whole Instance Encryption

EU General Data Protection Regulation 2012

Will introduce many significant changes for data processors and controllers. The following may be considered some of the more significant changes: the concept of consent; transfers abroad; the right to be forgotten; establishment of the role of the "Data Protection Officer"; access requests; home state regulation; increased sanctions.

When using transparent encryption of a database, where does the encryption engine reside?

Within the database

Which of the following software vulnerabilities occurs when an application takes untrusted data and sends it to a web browser without proper validation?

XSS

Cross-site Scripting (XSS) (OWASP top ten):

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

5 key principles of ISO 27018

consent, control, transparency, communication, independent and yearly audit

IDCA

data center design

An organization will conduct a risk assessment to evaluate

threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk
