Domain 1

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

In terms of greatest stringency and requirements for security validation, which is the highest merchant level in the PCI standard? 1 2 3 4

1

Which common criteria evaluation assurance level (EAL) is granted to those products that are formally verified in terms of design and tested by their manufacturer/vendor? 1 3 5 7

1

A hosted cloud environment is a great place for an organization to use as ___________. Storage of physical assets A testbed/sandbox A platform for managing unsecure production data A cost-free service for meeting all user needs

A testbed/sandbox

When should cloud providers allow PaaS customers shell access to the servers running their instances? Never Weekly Only when the contract stipulates the requirement Always

Never

Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. In order to protect her company's intellectual property. Alice might want to consider implementing all these techniques/solutions except________. Egress monitoring Encryption Turnstiles Digital Watermarking

Turnstiles

Which kind of hypervisor is the preferred target of attackers and why? Type 1, because it is more straightforward Type 1, because it has a greater attack surface Type 2, because it is less protected Type 2, because it has a greater attack surface

Type 2, because it has a greater attack surface

In terms of the amount of security functions offered, which is the highest FIPS 140-2 security level a cryptographic module can achieve in certification? 1 2 3 4

4

What is the entity that created the Statement on Standards for Attestation Engagements (SSAE) auditing standard and certifies auditors for that standard? NIST ENISA GDPR AICPA

AICPA

Which of the following would make a good provision to include in the service-level agreement (SLA) between cloud customer and provider? Location of the data center Amount of data uploaded/downloaded during a pay period Type of personnel security controls for network administrators Physical security barriers on the perimeter of the data center campus

Amount of data uploaded/downloaded during a pay period

You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether the cloud provider will be able to allow your organization to substantiate and determine with some assurance that all fo the contract terms are being met. This is a(n) _______issue. Regulatory Privacy Resiliency Auditability

Auditability

An essential element of access management, ______ is the practice of confirming than an individual is who they claim to be. Authentication Authorization Nonrepudiation Regression

Authentication

What is the usual order of an access management process? Access-authorization-authentication Authentication-authorization-access Authorization-authentication-access Authentication-access-authorization

Authentication-authorization-access

An essential element of access management, __________ is the practice of granting permissions based on validated identification. Authentication Authorization Nonrepudiation Regression

Authorization

In a PaaS implementation, each instance should have its own user-level permissions; when instances share common policies/controls, the cloud security professional should be careful to reduce the possibility of _______ and _______ over time. DoS/physical theft Authorization creep/inheritance Sprawl/hashing Instercession/side-channel attacks

Authorization creep/inheritance

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, why are DoS attacks such a significant threat to cloud operations? DoS attackers operate internationally There are no laws against DoS attacks, so they are impossible to prosecute Availability issues prevent productivity in the cloud DoS attacks that can affect cloud providers are easy to launch

Availability issues prevent productivity in the cloud

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "sensitive data exposure." Which of these is not a technique to reduce the potential for a sensitive data exposure? Destroy sensitive data as soon as possible Avoid categorizing data as sensitive User proper key management when encrypting sensitive data Disable autocomplete on forms that collect sensitive data

Avoid categorizing data as sensitive

What is usually considered the difference between BC efforts and DR efforts? BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO). BC is for events caused by humans (like arson or theft), while DR is for natural disasters. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption. BC involves protecting human assets (personnel, staff, users), while DR is about protecting property (assets, data)

BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.

Which of the following is not a factor an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment? Pooled resources in the cloud Shifting from capital expenditures to support IT investment to operational expenditures The time savings and efficiencies offered by the cloud service Branding associated with which cloud provider might be selected

Branding associated with which cloud provider might be selected

The Statement on Standards for Attestation Engagements 16 (SSAE 16) Service Organization Control (SOC) reports are audit tools promulgated by the AICPA. What kind of entities were SOC reports designed to audit? US Federal government Privately held companies Publicly traded corporations Nonprofit organizations

C - SSAE 16 was created in response to SOX which addressed shortcomings in audits of publicly traded corporations.

What element of credit cardholder information may never be stored for any length of time, according to the PCI DSS? Full credit card number CCV Cardholder's mailing address Cardholder's full name

CCV

You are setting up a cloud implementation for an online retailer who will accept credit card payments. According to the PCI DSS what can you never store for any length of time? Personal data of customers The credit card verification number The credit card number Home Address of the customer

CCV

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "insecure direct object reference." Which of these is a method to counter the risks of insecure direct object references? Performing user security training Check access each time a direct object reference is called by an untrusted source Install high-luminosity interior lighting throughout the facility Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity

Check access each time a direct object reference is called by an untrusted source

Which of the following is an aspect of IT costs that should be reduced by moving into the cloud? Number of users Cost of software licensing Number of applications Number of clientele

Cost of software licensing

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? APIs are always used for administrative access Customers perform many high-value tasks via APIs APIs are cursed It is impossible to securely code an API

Customers perform many high-value tasks via APIs

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, severe traffic highjacking can affect all of the following portions of the CIA triad except _________. Confidentiality Integrity Availability None. Service traffic highjacking can't affect any portion of the CIA triad.

D - All will be affected. Service traffic can affect all portions of the CIA triad.

All of the following are statutory regulations except __________. GLBA HIPAA FISMA PCI DSS

D - voluntary

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. What is probably the single most important way of countering the highest number of items on the OWASP Top Ten (regardless of the year)? Social engineering training Disciplined coding practices and processes White-box source code testing Physical controls at all locations at which the application is eventually used

Disciplined coding practices and processes

Which of the following is not an element of the identification component of identity and access management? Provisioning Management Discretion Deprovisioning

Discretion

In a LDAP environment, each entry in a directory server is identified by a __________. Domain name (DN) Distinguished name (DN) Directory name (DN) Default name (DN)

Distinguished name (DN)

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what do we call DoS attacks staged from multiple machines against a specific target? Invasive DoS (IDoS) Pervasive DoS (PDoS) Massive DoS (MDoS) Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS)

From an academic perspective, what is the main distinction between an event and an incident? Incidents can last for extended periods (days or weeks), while an event is momentary Incidents can happen at the network level, while events are restricted to those at system level Events are anything that can occur in the IT environment, while incidents are unscheduled events Events only occur during processing, while incidents can occur at any time

Events are anything that can occur in the IT environment, while incidents are unscheduled events

Which of the following entities in most likely to play a vital role in the identity provisioning aspect of the user's experience in an organization? The accounting department HR office Maintenance team Purchasing office

HR office

What are the two general delivery modes for the SaaS model? Ranked and free Hosted application management and software on demand Intrinsic motivation complex and undulating perspective details Framed and modular

Hosted application management and software on demand

For business continuity and disaster recovery (BCDR) purposes, the contract between cloud provider and customer should include all the following except__________. Which party will be responsible for initiating a BCDR response activity How a BCDR response will be initiated How soon the customer's data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event

How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event

Which of the following is not a method for creating logical segmentation in a cloud data center? Virtual local area networks (VLANs) Network address translation (NAT) Bridging Hubs

Hubs

A cloud data encryption situation where the cloud customer retains control of the encryption keys and the cloud provider only processes and stores the data could be considered a ________________. Threat Risk Hybrid cloud deployment model Case of infringing on the rights of the provider

Hybrid cloud deployment model

What is the international standard that dictates the creation of an organizational information security management system (ISMS)? NIST SP 800-53 PCS DSS ISO 27001 NIST SP 800-37

ISO 27001

If an organization wants to retain the most control of their assets in the cloud, which service and deployment model combination should they choose? PaaS, community IaaS, hybrid SaaS, public IaaS, private

IaaS, private

Backdoors are sometimes left in software by developers ________. In lieu of other security controls As a means to counter DoS attacks Inadvertently or on purpose As a way to distract attackers

Inadvertently or on purpose

Why might an organization choose to comply with the ISO 27001 standard? Price Ease of implementation International acceptance Speed

International acceptance

You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether your current applications in the on-prem environment will function properly with the provider's hosted system and tools. This is a(n) ________ issue. Interoperability Portability Availability Security

Interoperability

Each of the following is an element of the Identification phase of the identity and access management (IAM) process except ________. Provisioning Inversion Management Deprovisioning

Inversion

Which of the following is true about two-person integrity? It forces all employees to distrust each other It requires two different IAM matrices It forces collusion for unauthorized access It enables more thieves to gain access to the facility

It forces collusion for unauthorized access

Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, every piece of data, and transaction that takes place on the cloud, why might that not be optimum choice for an organization? Key length variance don't provide any additional security It would cause additional processing overhead and time delay It might result in vendor lockout The data subjects might be upset by this

It would cause additional processing overhead and time delay

Which of the following is an aspect of IT costs that should be reduced by moving into the cloud? Personnel training Personnel turnover Loss due to depreciation of IT assets Loss due to an internal data breach

Loss due to depreciation of IT assets

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of malicious insiders so alarming? Scalability Multitenancy Metered service Flexibility

Multitenancy

ISO 27001 favors which type of technology? Open source PC Cloud Based None

None

The cloud computing characteristic of elasticity promotes which aspect of the CIA triad? Confidentiality Integrity Availability None

None

The PCI DSS distinguishes merchants by different tiers, based on _______. Number of transactions per year Dollar value of transactions per year Geographic location Jurisdiction

Number of transactions a year

In a PaaS environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on ________. International standards Federal regulations Organizational policies Federation directives

Organizational policies

You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether the provider will have undue control over your data once it is within the provider's data center; will the provider be able to hold your organization hostage because they have your data? This is a(n)________ issue. Interoperability Portability Availability Security

Portability

_______ is an example of due care, and ______ is an example of due diligence. Privacy data security policy; auditing the controls dictated by the privacy data security policy The EU Data Directive; the GLBA Locks on doors; turnstiles Perimeter defenses; internal defenses

Privacy data security policy; auditing the controls dictated by the privacy data security policy

Privileges user accounts need to be reviewed more closely than basic user accounts. Why is this? Privileges users have more encryption keys Regular users are more trustworthy There are extra controls on privileged user accounts Privileged users can cause more damage to the organization

Privileged users can cause more damage to the organization

From a customer perspective, all of the following are benefits of IaaS cloud services except______. Reduced cost of ownership Reduced energy costs Metered usage Reduced cost of administering the OS in the cloud environment

Reduced cost of administering the OS in the cloud environment

Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. What is probably the biggest factor in her decision? Network Scalability Offsite backup capability Global accessibility Reduced overall cost due to outsourcing administration

Reduced overall cost due to outsourcing administration

Which of the following is one of the benefits of a private cloud deployment? Less cost Higher performance Retaining control of governance Reduction in the need for maintenance capability on the customer side

Retaining control of governance

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes ""using components with known vulnerabilities." Which of the following is a good way to protect against this problem? Use only standard libraries Review all updates/lists/notification for components your organization uses Be sure to HTML escape all attribute elements Increase the user training budget

Review all updates/lists/notification for components your organization uses

Which of the following is not a report used to assess the design and selection of security controls within an organization? Consensus Assessments Initiative Questionnaire (CAIQ) Cloud Security Alliance Cloud Controls Matrix (CSA CCM) SOC 1 SOC 2 Type 1

SOC 1

Which of the following is a report used to assess the implementation and effectiveness of security controls within an organization? SOC 1 SOC 2 Type 1 SOC 2 Type 2 SOC 3

SOC 2 Type 2

Which US federal law instigated the change for the SAS 70 audit standard to SSAE 16? NIST 800-53 HIPAA SOX GLBA

SOX

Alice is staging an attack against Bob's website. She is able to introduce a string of command code into a database Bob is running, simply by entering the command string into a data field. This is an example of which type of attack? Insecure direct object reference Buffer overflow SQL injection DoS

SQL injection

If an organization wants to realize the most cost savings by reducing administrative overhead, which service and deployment model combination should they choose? PaaS, community IaaS, hybrid SaaS, public IaaS, private

SaaS, public

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of abuse of cloud services so alarming, from a management perspective? Scalability Multitenancy Resiliency Broadband connections

Scalability

While cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual financial benefit the organization realizes in a cloud environment? Altitude of the cloud data center Security controls and countermeasures Loss of ownership of IT assets Costs of Internet connectivity for remote users

Security controls and countermeasures

Alice is staging an attack against Bob's website. She has discovered that Bob has been storing crytographic keys on a server with a default admin password and is able to get access to those keys and violate confidentiality and access controls. This is an example of which type of attack? SQL injection Buffer overflow Using components with known vulnerabilities Security misconfiguration

Security misconfiguration

The current AICPA standard codifies certain audit reporting mechanisms. What are these called? SOX reports SSL audits Sherwood Applied Business Structure Architecture (SABSA) System and Organization Controls (SOC) reports

System and Organization Controls (SOC) reports

What is the most significant aspect of the SLA that incentivizes the cloud provider to perform? The throughoughness with which it details all aspect of cloud processing The financial penalty for not meeting service-levels The legal liability for violating data breach notification requirements The risk exposure to the cloud provider

The financial penalty for not meeting service-levels

According to the ISC2 CBK, the lack/ambiguity of physical endpoints as individual network components in the cloud environment creates what kind of threat/concern? The lack of defined endpoints makes it difficult to uniformly define, manage, and protect IT assets Without physical endpoints, it is impossible to apply security controls to an environment Without physical endpoints, it is impossible to track user activity The lack of physical endpoints increases the opportunity for physical damage/theft.

The lack of defined endpoints makes it difficult to uniformly define, manage, and protect IT assets

Why are PaaS environments at a higher likelihood of suffering backdoor vulnerabilities? They rely on virtualization They are often used for software development They have multitenancy They are scalable

They are often used for software development

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "unvalidated redirects and forwards." Which of the following is a good way to protect against this problem? HTML escape all HTML attributes Train users to recognize unvalidated links Block all inbound resource requests Implement audit logging

Train users to recognize unvalidated links

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they've selected goes out of business. What do we call this problem? Vendor lock-in Vendor lock-out Vendor incapacity Unscaled

Vendor lock-out

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is not an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider? Ensuring that any legacy applications are not dependent on internal security controls before moving them to a cloud environment Reviewing all contractual elements to appropriately define each party's roles, responsibilities, and requirements Assessing the provider's financial standing and soundness Vetting the cloud providers administration and personnel to ensure the same level of trust as the legacy environment

Vetting the cloud providers administration and personnel to ensure the same level of trust as the legacy environment

Which of the following is a new management risk that organizations operating in the cloud will have to address? Insider threat Virtual sprawl DDoS Natural disasters

Virtual sprawl

Bob is staging an attack against Alice's website. He is able to embed a link on her site that will execute malicious code on a visitor's machine, if the visitor clicks on the link. This is an example of which type of attack? XSS (cross site scripting) Broken authentication/session management Security misconfiguration Insecure cryptographic storage

XSS (cross site scripting)

Your organization has migrated to a PaaS configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notifications in accordance with all applicable laws? The network admin is responsible The cloud provider The regulators overseeing your deployment Your organization

Your organization

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "insecure direct object reference." Which of these is an example of an insecure direct object reference? www.sybex.com/authoraccounts/benmalisow 10 ? "sybex accounts"; 20 goto 10 Mysql -u [bmalisow] -p [database1]; [email protected]

www.sybex.com/authoraccounts/benmalisow

Which common criteria evaluation assurance level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party? 1 3 5 7

7

Which of the following entities would not be covered by the PCI DSS? A bank issuing credit cards A retailer accepting credit cards as payment A business that processes credit card payments on behalf of a retailer A company that offers credit card debt repayment counseling

A company that offers credit card debt repayment counseling

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential of a security misconfiguration? Broad user training that includes initial, recurring, and refresher sessions Deeper personnel screening procedures for privileged users than is used for regular users A repeatable patching process that includes updating libraries as well as software Randomly auditing all user activity, with additional focus on privileged users

A repeatable patching process that includes updating libraries as well as software

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all the following data breach notification requirements except ____. Multiple state laws Contractual notification requirements All standards-based notification schemes Any applicable federal regulations

All standards-based notification schemes

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? Cloud customers and third parties are continually enhancing and modifying APIs APIs can have automated settings It is impossible to uninstall APIs APIs are a form of malware

Cloud customers and third parties are continually enhancing and modifying APIs

For US government agencies, what level of data sensitivity/classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria? Controlled Unclassified Information (CUI) Secret Top Secret Sensitive Compartmentalized Information

Controlled Unclassified Information (CUI)

Which of the following protocols is most applicable to the identification process aspect of IAM? SSL IPsec LDAP Amorphous ancillary data transmission (AADT)

LDAP

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that suffers a data breach might suffer all of the following negative effects except ______________. Cost of compliance with notification laws Loss of public perception/good will Loss of market share Cost of detection

Cost of detection

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "broken authentication and session management." Which of the following is a good method for reducing the risk of broken authentication and session management? Do not use custom authentication schemes Implement widespread training programs Ensure that strong input validation is in place Use X.400 protocol standards

Do not use custom authentication schemes - Only use approved, tested authentication implementations

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "unvalidated redirects and forwards." Which of the following is a good way to protect against this problem? Don't use redirects/forwards in your applications Refrain from storing credentials long term Implement SIEM/SIM/SEM solutions Implement digital rights management solutions

Don't use redirects/forwards in your applications

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site scripting (XSS)." Which of the following is not a method for reducing the risk of XSS attacks? Only put untrusted data in allowed slots of HTML documents HTML escape when including untrusted data in any HTML elements Attribute escape when including untrusted data in attribute elements Encrypting all HTML documents

Encrypting all HTML documents

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site request forgery". Which of the following is a good way to deter CSRF attacks? Have your website refuse all HTTP resource requests Ensure that all HTTP resource requests include a unique, unpredictable token Don't allow e-commerce on your website Process all user requests with only one brand of browser, and refuse all resource requests from other browsers

Ensure that all HTTP resource requests include a unique, unpredictable token

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "sensitive data exposure." Which of these is a technique to reduce the potential for a sensitive data exposure? Extensive user training on proper data handling techniques Advanced firewalls inspecting all inbound traffic, to include content based screening Ensuring the use of utility backup power supplies Roving security guards

Extensive user training on proper data handling techniques

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "broken authentication and session management." Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management? Session identification exposed in URLs Unprotected stored credentials Lack of session time-out Failure to follow HIPAA guidance

Failure to follow HIPAA guidance

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential of a security misconfiguration? Purchase only trusted devices/components Follow a published, known industry standard for baseline configurations Hire only screened, vetted candidates for all positions Update policy on a regular basis, according to a proven process

Follow a published, known industry standard for baseline configurations

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA's Notorious Nine list, data breaches can be ________. Overt or covert International or subterranean From internal or external resources Voluminous or specific

From internal or external resources

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWSAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential for a security misconfiguration? Enforce strong user access control processes Have a repeatable hardening process for all systems/software Use encryption for all remote access User encryption for all stored data

Have a repeatable hardening process for all systems/software

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is an example of a security misconfiguration? Having unpatched software in the prod environment Leaving unprotected portable media in the workplace Letting data owners determine the classifications/categorization of their data Preventing users from accessing untrusted networks

Having unpatched software in the prod environment

When reviewing IT security products that have been subjected to common criteria certification, what does the Evaluation Assurance Level (EAL) tell you? How secure the product is from an external attack How thoroughly the product has been tested The level of security the product delivers to an environment The level of trustworthiness you can have if you deploy the product

How thoroughly the product has been tested

Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework? ISO 27002 PCI DSS NIST SP 800-37 HIPPA

ISO 27002

In which of the following situations does the data owner have to administer the OS? IaaS PaaS Offsite archive SaaS

IaaS

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, all of the following activity can result in data loss except ________. Misplaced crypto keys Improper policy Ineffectual backup procedures Accidental overwrite

Improper policy

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site request forgery". Which of these is a technique to reduce the potential for a CSRF? Train users to detect forged HTTP requests Have users remove all browsers from their devices Don't allow links to or from other websites Include a CAPTCHA code as part of the user resource request process

Include a CAPTCHA code as part of the user resource request process

Who performs the review process for hardware security modules (HSM) in accordance with FIPS 140-2? NIST NSA Independent (private) labs The European Union Agency for Network and Information Security (ENISA)

Independent (private) labs

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "injection". In most cases, what is the method for reducing the risk of an injection attack? User training Hardening the OS Input validation/bounds checking Physical locks

Input validation/bounds checking - If the application has suitable input validation (that is refusing code strings and confirming that input conforms to field value types) it will block the attack

What sort of legal enforcement may the PCI Security Standards Council not bring to bear against organizations that fail to comply with the PCI DSS? Fines Jail time Suspension of credit card processing privileges Subject to increased audit frequency and scope

Jail time - PCI is not a government body and therefore cannot enforce imprisonment

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is an example of a security misconfiguration? Not providing encryption keys to untrusted users Having a public-facing website Leaving default accounts unchanged Using turnstiles instead of mantraps

Leaving default accounts unchanged

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, data loss can be suffered as a result of ______activity. Malicious or inadvertent Casual or explicit Web-based or stand-alone Managed or independent

Malicious or inadvertent

Who pays for cryptographic modules to be certified in accordance with FIPS 140-2 criteria? US government Module vendors Certification laboratories Module users

Module vendors

How often should the accounts of privileged users be reviewed? Annually Twice a year Monthly More often than regular user account reviews

More often than regular user account reviews

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? Most of the cloud customer's interaction with resources will be performed through APIs APIs are inherently insecure Attackers have already published vulnerabilities for all known APIs APIs are known carcinogens

Most of the cloud customer's interaction with resources will be performed through APIs

Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. Which aspect of cloud computing should she be most concerned about, in terms of security issues? Multitenancy Metered service Service-level agreement (SLA) Remote access

Multitenancy

Who publishes the list of cryptographic modules validated according to the Federal Information Processing Standard (FIPS) 140-2? The US Office of Management and Budget (OMB) The International Standards Organization (ISO) ISC2 The National Institute of Standards and Technology

NIST

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that operates in the cloud environment and suffers a data breach may be required to _______. Notify affected users Reapply for cloud service Scrub all affected physical memory Change regulatory frameworks

Notify affected users

The PCI DSS merchant levels are based on _______. Dollar value of transactions over the course of a year Number of transactions over the course of a year Location of the merchant or processor Dollar value and number of transactions over the year

Number of transactions over the course of a year

Why is the deprovisioning element of the identification component of IAM so important? Extra accounts cost so much extra money Open by unassigned accounts are vulns User tracking is essential to performance Encryption has to be maintained

Open by unassigned accounts are vulns

Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. Which cloud services model should she most likely consider for her company's purpose? PaaS SaaS Baas IaaS

PaaS will allow her developers to create and design their software on a variety of different Oss, increasing the breadth if the market she can sell to. Also, she can use geographically dispersed programmers to work on projects concurrently, and the provider with be responsible for maintain and updating the Oss as necessary.

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "using components with known vulnerabilities." Why would an organization ever use components with known vulnerabilities to create software? Org is insured Particular vulns only exist in a context not being used by the developers Some vulns only exist in foreign countries A component might have a hidden vulnerability

Particular vulns only exist in a context not being used by the developers

The additional review activities that might be performed for privileged user accounts could include all of the following except______. Deeper personnel background checks Review of personal financial accounts for privileged users More frequent reviews of the necessity for access Pat-down checks of privileged users to deter against physical theft

Pat-down checks of privileged users to deter against physical theft

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential of a security misconfiguration? Get regulatory approval for major configuration modifications Update the BCDR plan on a timely basis Train all users on proper security procedures Perform periodic scans and audits of the environment

Perform periodic scans and audits of the environment

Why might an organization choose to comply with NIST SP 800-series standards? Price Ease of implementation International acceptance Speed

Price - they are free

You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether the cloud provider will be able to comply with the existing legislative and contractual frameworks your organization is required to follow. This is a(n)____________ issue. Resiliency Privacy Performance Regulatory

Regulatory

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which aspect of cloud computing makes it particulary suspectible to account/service traffic highjacking? Scalability Metered service Remote access Pooled resources

Remote access

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "missing function level access control." Which of these is a technique to reduce the potential for a missing function level access control? Run a process as both user and privileged user, and determine similarity Run automated monitoring and audit scripts Include browser buttons/navigation elements to secure functions Enhance user training to include management personnel

Run a process as both user and privileged user, and determine similarity

The SSAE 16 SOC reports are audit tools promulgated by the AICPA. As an investor, when reviewing SOC reports for a cloud provider, which report would you most like to see? SOC 1 SOC 2, Type 1 SOC 2, Type 2 SOC 3

SOC 1

The SSAE 16 SOC reports are audit tools promulgated by the AICPA. As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you most like to see? SOC 1 SOC 2, Type 1 SOC 2, Type 2 SOC 3

SOC 2, Type 2

The SSAE 16 SOC reports are audit tools promulgated by the AICPA. You are an IT Security progessional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 16 audits and some haven't, which SOC report might be best for your intial review of several different cloud providers, in order to narrow down the field of potential services in a fast, easy way? SOC 1 SOC 2, Type 1 SOC 2, Type 2 SOC 3

SOC 3

The Statement on Auditing Standards (SAS) 70, published by the American Institute of Certified Public Accountants (AICPA), was, for a long time, the definitive audit standard for data center customers. It was replaced in 2011 by the ______. SABSA SSAE 16 Biba NIST SP 800-53

SSAE 16

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "missing function level access control." Which of these is a technique to reduce the potential for a missing function level access control? Set default to deny all access to functions, and require authentication/authorization for each access request HTML escape all HTML attributed Restrict permissions based on an access control list (ACL) Refrain from including direct access information in URLs

Set default to deny all access to functions, and require authentication/authorization for each access request

The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. The CSA recommends the prohibition of ______ in order to diminish the likliehood of account/service traffic highjacking. All user activity Sharing account credentials between users and services Multifactor authentication Interstate commerce

Sharing account credentials between users and services

The PCI DSS requires __________security requirements for entities involved in credit card payments and processing. Technical Nontechnical Technical and nontechnical Neither technical nor nontechnical

Technical and nontechnical

Privileged user account access should be _______. Temporary Pervasive Thorough Granular

Temporary

Who published the list of cryptographic modules validated according to the FIPS 140-2? The US Office of Management and Budget (OMB) The International Standards Organization (ISO) ISC2 The National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST)

What distinguishes the FIPS 140-2 security levels for cryptographic modules? The level of sensitivity of data they can be used to protect The amount of physical protection provided by the product, in terms of tamper resistance The size of the IT environment the product can be used to protect The geographic locations in which the product is permitted to be used

The amount of physical protection provided by the product, in terms of tamper resistance

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site request forgery". A CSRF attack might be used for all the following malicious actions except_________. The attacker could have the user log in to one of the user's online accounts The attacker could collect the user's online account login credentials, to be used by the attacker later The attacker could have the user perform an action in one of the user's online accounts The attacker could trick the user into calling a fraudulent customer services number hosted by the attacker and talk the user into disclosing personal information

The attacker could trick the user into calling a fraudulent customer services number hosted by the attacker and talk the user into disclosing personal information

If personal financial account reviews are performed as an additional security control for privileged users, which of the following characteristics is least likely to be a useful indicator for review purpose? Too much money in the bank Too little money in the account The bank branch being used Specific sender/recipients

The bank branch being used

Which of the following is the least important factor to an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment? Depreciation of IT assets Shift in focus from IT dependences to business process opportunities The cloud provider's proximity to the organization's employees Costs associated with utility consumption

The cloud provider's proximity to the organization's employees

When the cloud customer requests modifications to the current contract or service-level agreement (SLA) between the cloud customer and provider for BD/DR purposes, who should absorb the cost of modifications? The customer absorbs the cost The provider absorbs the cost The cost should be split equally Modifications don't cost anything

The customer absorbs the cost

Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, every piece of data, and transaction that takes place on the cloud, why might that not be optimum choice for an organization? It could increase the possibility of physical theft Encryption won't work throughout the environment The protection might be disproportionate to the value of the assets Users will be able to see everything within an organization

The protection might be disproportionate to the value of the assets

Who pays for the Common Criteria certification of an IT product? NIST The vendor/manufacturer The Cloud customer The end user

The vendor/manufacturer

All of the following are reasons to perform review and maintenance actions on user accounts except________. To determine whether the user still needs the same access To determine whether the user is still with the organization To determine whether the data set is still applicable to the user's role To determine whether the user is still performing well

To determine whether the user is still performing well

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "injection". In most cases, what is the attacker trying to do with an injection attack? Get the user to allow access for the attacker Insert malware onto the system Trick the application into running commands Penetrate the facility hosting the software

Trick the application into running commands - Injection attack is adding a string line of commands into the code

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "using components with known vulnerabilities." Which of the following is a good way to protect against this problem? Use only components your organization has written Update to current versions of component libraries asap Never use anyone else's component library Apply patched to old component libraries

Update to current versions of component libraries asap

Who should be involved in review and maintenance of user accounts/access? User's manager Security manager Accounting department Incident response team

User's manager

Which of the following is an aspect of IT costs that should be reduced by moving into the cloud? Utilities costs Security costs Landscaping costs Travel costs

Utilities costs

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "broken authentication and session management." Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management? Failure to rotate session IDs after a successful login Easily guessed authentication credentials Weak physical entry points in the data center Credentials sent over unencrypted lines

Weak physical entry points in the data center

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site scripting (XSS)." Which of the following is not a method for reducing the risk of XSS attacks? Use an auto-escaping template system XML escape all identity assertations Sanitize HTML markup with a library designed for the purpose HTML escape JSON values in an HTML context and read the data with JSON.parse

XML escape all identity assertations


Kaugnay na mga set ng pag-aaral

BUS 203 Lesson 5- Criminal Liability

View Set

Microsoft Azure Fundamentals: Describe Azure Architecture and Services

View Set

Lesson One: Basic Theories of Government

View Set

Chapter 6: Values, Ethics, and Advocacy

View Set

Assess and Manage Kidney and Urinary System (Exam 5)

View Set