CCSP - Certified Cloud Security Professional - All Domains, CCSP Full, CCSP Review Assessment, Managing Cloud Security, Managing Cloud Security - PreAssessment C838
Multi-tenancy
Data center networks that are logically divided into smaller, isolated networks. They share the physical networking gear but operate on their own network without visibility into the other logical networks.
The networking standard that supports virtual LANs (VLANs) on an Ethernet network
802.1 Q
Domain Name System (DNS)
A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as Internet Protocol (IP) addresses. DNS allows you to use friendly names, such as www.isc2.org, to easily locate computers and other resources on a TCP/IP-based network.
On-demand self-service
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider
Record
A data structure or collection of information that must be retained by an organization for legal, regulatory or business reasons.
Cloud Database
A database accessible to clients from the cloud and delivered to users on demand via the Internet.
Database Activity Monitoring (DAM)
A database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs
Hardware Security Module (HSM)
A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protecting log files, etc.
API Gateway
A device that filters API traffic; it can be installed as a proxy or as a specific part of your applications stack before data is processed, can implement access control, rate limiting, logging, metrics, and security filtering
Insecure Direct Object References (OWASP top ten):
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Identity Repository
A directory services for the administration of user account attributes)
Software as a Service (SaaS)
A distributed model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources.
Personal Cloud Storage
A form of cloud storage that applies to storing an individual's data in the cloud and providing the individual with access to the data from anywhere.
Mobile Cloud Storage
A form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.
Public Cloud Storage
A form of cloud storage where the enterprise and storage service provider are separate and the data is stored outside of the enterprise's data center.
Private Cloud Storage
A form of cloud storage where the enterprise data and cloud storage resources both reside within the enterprise's data center and behind the firewall.
Desktop-as-a-service
A form of virtual desktop infrastructure (VDI) in which the VDI is outsourced and handled by a third party.
Service Level Agreement (SLA)
A formal agreement between two or more organizations: one that provides a service and the other the recipient of the service. It may be a legal contract with incentives and penalties.
Organizational Normative Framework (ONF)
A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization
Security Alliance's Cloud Controls Matrix
A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management
Security Alliance's Cloud Controls Matrix
A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.
With regards to management of the compute resources of a host in a cloud environment, what does a reservation provide?
A guaranteed minimum resource allocation which must be met by the host with physical compute resources in order to allow for a Guest to power on and operate.
What is Representational State Transfer?
A software architecture style consisting of guidelines and best practices for creating scalable web services
API - Representational State Transfer (REST)
A software architecture style consisting of guidelines and best practices for creating scalable web services.
Encryption Key
A special mathematical code that allows encryption hardware/software to encode and then decipher an encrypted message.
Cloud Application Management for Platforms (CAMP)
A specification designed to ease management of applications — including packaging and deployment — across public and private cloud computing platforms.
Application Normative Framework (ANF)
A subset of the ONF that will contain only the information required for a specific business application to reach the targeted level of trust
Domain Name System Security Extensions (DNSSEC)
A suite of extensions that adds security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Specifically, DNSSEC provides origin authority, data integrity, and authenticated denial of existence.
Sandbox
A testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including Web development and revision control
Cloud Backup Service Provider
A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.
Cloud Computing
A type of computing, comparable to grid computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications.
What is developed to create, expand, and manage cloud services easily by providing complete list of features and components for cloud environments?
Apache CloudStack
An open source cloud computing and infrastructure as a service platform developed to help make creating, deploying, and managing cloud services easier by providing a complete stack of features and components for cloud environments.
Apache Cloudstack
A subset of the organizational normative framework (ONF) that contains only the information required for a specific business application to reach the targeted level of trust.
Application Normative Framework (ANF)
A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.
Application Programming Interfaces (APIs)
Software technology that encapsulates application software from the underlying operating system (OS) on which it is executed.
Application Virtualization
Broken Authentication and Session Management (OWASP top ten):
Application functions related to authentication and session in management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume other users' identities.
I SO 27034-1
Application security
Which of the following technologies encapsulates application software from the underlying operating system on which it is executed to test applications?
Application virtualization
Data Loss Prevention (DLP)
Audit and prevent unauthorized data exfiltration. Components (3). 1.Discovery and classification 2.Monitoring 3.Enforcement
Which of the following security devices is a layer-7 monitoring device that understands SQL commands and can detect and stop malicious SQL commands from executing on a server?
DAM
DREAD
Damage, Reproducibility, Exploitability, Affected Users, Discovery
Which kind of data access can be caused by simple negligence?
Data Loss
Auditing and preventing unauthorized data exfiltration.
Data Loss Prevention
Data Privacy also guarantees data integrity.
False
Data must be completely removed at the end of the retention period.
False
Encryption can ensure integrity.
False
Even if the hypervisor is compromised, the underlying systems are still safe.
False
HIPPA is the only law that covers PII.
False
Open Source software typically goes through less scrutiny and code review than proprietary software.
False
Physical Environment Security is the sole responsibility of the cloud customer.
False
Privacy and Confidentiality are considered to be the same thing.
False
The CSP is always required to turn over evidence for eDiscovery to the Cloud Customer.
False
Which is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography?
Kerberos
Which of the following are supported authentication methods for iSCSI? (Choose two)
Kerberos Secure Remote Password (SRP)
The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.
Key Management
Key Management
The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.
Privacy & Data Protection (P&DP)
Provide safeguards to the individuals (Data Subjects) for the Processing of their Personal Data in the respect of their privacy and will.
Quantitative assessments
Typically employ a set of methods, principles, or rules for assessing risk based on the use of numbers. This type of assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action.
Cloud Application Architect
Typically responsible for adapting, porting, or deploying an application to a target cloud environment.
Which of the following are storage types used with an Infrastructure as a Service solution?
Volume and Object
Encrypts only a part of a hard drive instead of the entire disk.
Volume encryption
Allows different security realms to unite and is used in association with transport and application-specific protocols
W S - Federation
Which of the following security devices monitors HTTP traffic and prevents DoS attacks of 350 Gbps and 450 Gbps?
WAF
What is the most used communications protocol for network based storage?
iSCSI
I SO 27016
information security economics
Cloud Bursting
is an application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes
Commonly known as a bare metal, embedded, or native hypervisor. Works directly on the hardware of the host and can monitor OS's that run above the hypervisor
Type 1 hypervisor
Which type of report under SAS70 contains the same information as the other reports, and adds additional evaluations?
Type 2
Is installed on top of the host's OS and supports other guest OSs running above it as VM's. Is completely dependent on the host OS for its operations.
Type 2 hypervisor
Cloud Services Broker (CSB)
Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers.
Qualitative assessments
Typically employ a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels (e.g., very low, low, moderate, high, very high).
What is a key capability or characteristic of Platform as a Service?
Ability to reduce lock-in.
Four phases of audits
Defining audit objectives, defining audit scope, conducting audit, refine audit process
C S A type 2 certification framework
3rd party assessment
Risk_DREAD =:
(Damage + Reproducibility + Exploitability + Affected Users + Discovery) /5
List three security benefits that could be realized should your organization utilize cloud-based services
1. Improved Security visibility 2. Enhanced policy/governance enforcement 3. Real time monitoring
What order to the SDLC steps fall into?
1. Planning and Requirement Analysis 2. Defining 3. Designing 4. Developing 5. Testing
STRIDE Threat Model
1. Spoofing: Attacker assumes identity of subject, 2. Tampering: Data or messages are altered by an attacker 3. Repudiation: Illegitimate denial of an event 4. Information Disclosure: Information is obtained without authorization 5. Denial of Service: Attacker overloads system to deny legitimate access 6. Elevation of Privilege: Attacker gains a privilege level above what is permitted
SDLC process models include:
1.Define: Business and Security Requirements and standards being determine 2.Design: Threat modeling, secure design 3.Develop: Code review, unit testing, static analysis 4.Test: Vulnerability Assessment, Dynamic Analysis, Functional Tests, Quality Assurance
SaaS Benefits
1.Ease of use and limited/minimal administration. 2.Automatic updates and patch management. 3.Standardization and compatibility: All users will have the same version of the software release 4.Global accessibility
Key Cloud Computing Characteristics (5)
1.On-Demand Self-Service, 2.Broad Network Access, 3.Resource Pooling, 4.Rapid 5.Elasticity, Measured Service.
PaaS Key Benefits
1.Operating system can be changed and upgraded frequently. 2.Globally distributed development teams are able to work together on software development projects within the same environment. 3.Services are available and can be obtained from diverse sources that cross international boundaries. 4.Upfront and recurring or ongoing costs can be significantly reduced
The purpose of Incident Management is to:
1.Restore normal Service Operation as quickly as possible 2.Minimize the adverse impact on business operations 3.Ensure service quality and availability are maintained
IaaS Key Benefits
1.Usage is metered and priced on the basis of units (or instances) consumed. 2.The ability to scale up and down of infrastructure services based on actual usage. 3.Reduced cost of ownership. 4.Reduced energy and cooling costs.
Criminal Law
A body of rules and statutes that defines conduct that is prohibited by the government and is set out to protect the safety and well-being of the public.
Identity Management
A broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity
Software Defined Networking (SDN)
A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components
Software Defined Networking (SDN)
A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.
Hybrid Cloud Storage
A combination of public cloud storage and private cloud storage where some critical data resides in the enterprise's private cloud while other data is stored and accessible from a public cloud storage provider.
Cloud Computing Reseller
A company that purchases hosting services from a cloud server hosting or cloud computing provider and then re-sells them to its own customers.
Cross-site Request Forgery (CSRF) (OWASP top ten):
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Formula for Annualized Loss Expectancy
A L E = Single loss expectancy times annualized rate of occurrence
National Institute of Standards and Technology (NIST) SP 800-53
A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
Tort Law
A body of rights, obligations, and remedies that sets out reliefs for persons suffering harm as a result of the wrongful acts of others.
Static Application Security Testing (SAST)
A set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities
Web Application Firewall (WAF)
A layer-7 firewall, one that can understand HTTP traffic, can be extremely effective in the case of a denial-of- service (DoS) attack; two recent cases exist where a cloud WAF was used to successfully thwart DoS attacks of 350Gb/sec and 450Gb/sec
Database Activity Monitoring (DAM)
A layer-7 monitoring device that understands SQL commands, can be agent-based (ADAM) or network-based (NDAM), can be used to detect and stop malicious commands from executing on an SQL server
Traditional networking model
A layered approach with physical switches at the top layer and logical separation at the hypervisor level.
Seeking to follow good design practices and principles, the CSP should create the physical network design based on which of the following?
A logical network designTraining
Security Information and Event Management (SIEM)
A method for analyzing risk in software systems. It is a centralized collection of monitoring of security and event logs from different systems. SIEM allows for the correlation of different events and early detection of attacks.
Multi-factor Authentication
A method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories: knowledge factors, such as passwords. Combines two or more independent credentials: what the user knows, what the user has and what the user is.
Data Masking
A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training
TCI Reference Architecture
A methodology and a set of tools that enables security professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.
Infrastructure as a Service (IaaS)
A model that provides a complete infrastructure (e.g. servers, internetworking devices) and allows companies to install software on provisioned servers and control the configurations of all devices.
Processor
A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the Controller.
Cloud OS
A phrase frequently used in place of Platform as a Service (PaaS) to denote an association to cloud computing.
API - Simple Object Access Protocol (SOAP)
A protocol specification for exchanging structured information in the implementation of web services in computer networks.
Remote Desktop Protocol (RDP)
A protocol that allows for separate channels for carrying presentation data, serial device communication, licensing information, and highly encrypted data (keyboard, mouse activity).
A risk can be considered fully mitigated when?
A risk cannot be fully mitigated
Cloud Provider
A service provider who offers customers storage or software solutions available via a public network, usually the Internet.
Content Delivery Network (CDN)
A service where data is replicated across the global Internet.
Application Programming Interfaces (APIs)
A set of routines, standards, protocols, and tools for building software applications to access a Web-based software application or Web tool
Cloud Server Hosting
A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.
Security Assertion Markup Language (SAML)
A version of the SAML standard for exchanging authentication and authorization data between security domains
Platform as a Service (PaaS)
A way for customers to rent hardware, operating systems, storage, and network capacity over the Internet from a cloud service provider.
Masking
A weak form of confidentiality assurance that replaces the original information with asterisks or X's.
Which of the following are the characteristics of PaaS? Each correct answer represents a complete solution. Choose three.
Ability to auto-scale Support multiple languages and frameworks Flexibility
Which of the following frameworks is used in conjunction with the organizational normative framework and contains only the information required for a specific business application to reach the targeted level of trust?
ANF
Publishes the optimal temperature and humidity levels for data centers
ASH RAE
What is a key capability or characteristic of PaaS?
Ability to reduce lock-in
Cloud Computing Accounting Software
Accounting software that is hosted on remote servers.
Which are steps in the patch management process (choose multiple)?
Acquire Patches Be aware of available patches Validate Patches
Control
Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.
ISO/IEC 27018
Address the privacy aspects of cloud computing for consumers and is the first international set of privacy controls in the cloud.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Adopt national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. Protected Health information can be stored via cloud computing under HIPAA.
The A in DREAD stands for:
Affected Users
Release and Deployment Management
Aims to plan, schedule, and control the movement of releases to test and live environments.
Data Loss Prevention (DLP)
Audit and prevent unauthorized data exfiltration.
Integrates the A O N T and erasure coding. This method first encrypts and transforms information and encryption key into blocks so the info cannot be recovered without using all the blocks. Then it uses the information dispersal algorithm (IDA) to split the blocks into m shares that are distributed to different cloud storage services.
All-or-Nothing-Transform with Reed-Solomon (AONT-RS)
Web Application Firewall (WAF)
An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection
Web Application Firewall (WAF)
An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.
Federated Identity Management
An arrangement that can be made among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group
Business Impact Analysis (BIA)
An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.
Data Subject
An identifiable subject is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity; [telephone number, IP address].
What is the definition of an incident according to the ITIL framework?
An incident is defined as an unplanned interruption to an IT service or reduction in the quality of an IT service.
What is the Cloud Security Alliance Cloud Controls Matrix?
An inventory of Cloud Service security controls that are arranged into separate security domains.
Apache CloudStack
An open source cloud computing and Infrastructure as a Service (IaaS) platform developed to help Infrastructure as a Service make creating, deploying, and managing cloud services easier by providing a complete "stack" of features and components for cloud environments.
Eucalyptus
An open source cloud computing and Infrastructure as a Service (IaaS) platform for enabling private clouds.
Encryption
An overt secret writing technique that uses a bidirectional algorithm in which humanly readable information (referred to as plaintext) is converted into humanly unintelligible information (referred to as ciphertext).
Which BCDR step combines the scope and requirements steps to form objectives?
Analyze
The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.
Anonymization
Personal Data
Any information relating to an identified or identifiable natural person data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
Personal Data
Any information relating to an identified or identifiable natural person. There are many types of personal data, such as sensitive/ health data, biometric data, and telephone/telematic traffic data. According to the type of Personal Data, the P&DP laws usually set out specific privacy and data protection obligations (e.g., security measures, Data Subject's consent for the processing).
Anything-as-a-Service
Anything-as-a-service, or "XaaS," refers to the growing diversity of services available over the Internet via cloud computing as opposed to being provided locally, or on premises.
An open source cloud computing and infrastructure as a service platform developed to help IaaS make creating, deploying, and managing cloud services easier by providing a complete stack of features and components.
Apache CloudStack
Single loss expectancy (SLE) is calculated by using:
Asset value and exposure factor
Data stored on a system is:
At Rest
Which of the following layers of CSA STAR requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM?
Attestation
In order to support continuous operations, which of the following principles should be adopted as part of the security operations policies?
Audit logging, Contract/Authority Maintenance, Secure Disposal and Incident Response Legal Preparation
What are SOCI/SOCII/SOCIII?
Audit reports
Access Control combines which two factors of security?
Authentication Authorization
All of the following are domains in ISO\IEC 27001:2013 except:
Authorization
According to AICPA (American Institute of CPAs), which of the following principles should be used in the performance of Trust Services engagements? Each correct answer represents a complete solution. Choose three.
Availability Confidentiality Processing integrity
What is typically included in the Service Level Agreement (SLA)?
Availability of the services to be covered by the SLA Change Management process to be used Dispute mediation process to be used
Tier 1 data from Uptime Institute's Data Center Site Infrastructure Tier Standard Topology
Basic Data Center Site Infrastructure
Which of the following are distinguishing characteristics of a Managed Service Provider?
Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management
Which of the following is the recommended operating range for temperature and humidity in a data center?
Between 64 °F - 81 °F and 40% and 60% relative humidity
Where is an XML firewall located?
Between the firewall and application
Usually involves splitting up and storing encrypted information across different cloud storage services.
Bit Splitting
A blank volume that the customer or user can put anything into and it might allow more flexibility and higher performance.
Block storage
When using a Software as a Service solution, who is responsible for application security?
Both cloud provider and the enterprise
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
Broken Authentication and Session Management
Normative Framework (ONF) Components
Business Context: Regulatory Context: Technical Context: Specifications:Roles, responsibilities, and qualifications: Application Security Control Library:
ISO 22301 2012
Business Continuity
What is the difference between Business Continuity and Business Continuity Management?
Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business Continuity Management (BCM) is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.
An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.
Business Impact Analysis
Which of the following components of the organizational normative framework (ONF) includes all application security policies, standards, and best practices adopted by an organization?
Business context
Which framework provides guidance for cloud vendors and assists cloud customers to assess the overall security of a C S P?
C S A C C M
The key areas of a physical cloud environment are:
CPU, Memory, Disk, and Network
Which of the following are considered to be the building blocks of cloud computing?
CPU, RAM, Storage and Networking
Which of the following are cloud computing roles?
CSP and backup service provider
B I C S I
Cabling standards
Broad network access
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations)
Rapid elasticity
Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Delivers the agreed service-level targets in a timely and cost-effective manner.
Capacity management
This is a comprehensive log of history of data from creation to disposal:
Chain of Custody
Which of the following is a process in which the collected evidence is preserved and protected till the time it is presented in the court?
Chain of custody
What should Configuration Management ALWAYS be tied to?
Change Management
Automates the process of building, deploying, and manage an infrastructure.
Chef
Who has the responsibility for agreement with the P&DP laws commitments?
Customer as a data controller
Which would not be listed in an audit scope statement?
Classification of Data
Data classification
Classifying the data based on locations, compliance requirements, ownership, or business usage, in other words "value". Classification is also used in order to decide on the proper retention procedures for the enterprise.
A third-party entity offering independent identity and access management (IAM) services to CSPs and cloud customers, often as an intermediary.
Cloud Access Security Broker (CASB)
This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).
Cloud Administrator
Typically responsible for adapting, porting, or deploying an application to a target cloud environment.
Cloud Application Architect
A specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.
Cloud Application Management for Platforms (CAMP)
Someone who determines when and how a private cloud meets the policies and needs of an organization's strategic goals and contractual requirements from a technical perspective.
Cloud Architect
A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.
Cloud Backup Service Provider
A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.
Cloud Computing Reseller
Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant S L As and that the storage components are functioning according to their specified requirements.
Cloud Data Architect
Focuses on development for the cloud infrastructure. This role can vary from client tools or solutions engagements through systems components.
Cloud Developer
The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: cloud provider, client, and application.
Cloud Development
Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Helps to ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services.
Cloud Management
A phrase frequently used in place of platform as a service (PaaS) to denote an association to cloud computing.
Cloud Operating System (OS)
The ability to move applications and their associated data between one cloud provider and another or between public and private cloud environments.
Cloud Portability
A service provider who offers customers storage or software solutions available via a public network, usually the Internet.
Cloud Provider
Which of the following are cloud computing roles?
Cloud Provider and Backup Service Provider
The deployment of a company's cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite.
Cloud Provisioning
A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, they are provided by multiple connected servers that comprise a cloud.
Cloud Server Hosting
Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers (CSPs). It acts as a liaison between cloud services customers and C S Ps.
Cloud Services Brokerage (CSB)
The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.
Cloud Storage
Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.
Cloud Testing
A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications.
Cloud computing
NIST Definition of Cloud Computing
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Who is responsible for overseeing business and billing administration, purchasing, and auditing report requests?
Cloud service business manager
Measured service
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service
I SO 27002
Code of practice for information security controls - essentially a detailed catalog of information security controls that might be managed through the I S M S
I SO 27017
Code of practice for information security controls based on I SO 27002 for cloud services
I SO 27018
Code of practice for protection of personally identifiable information
Digital Forensics Phases:
Collection: Examination: Analysis: Reporting:
I SO 15408
Common Criteria for Information Technology Security Evaluation
A list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.
Common Vulnerabilities and Exposures
Which framework ensures customers that the products they are buying have been evaluated and that the vendor's claims have been verified by a vendor-neutral third party?
Common criteria assurance
Using Components with Known Vulnerabilities (OWASP top ten):
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
At which of the following levels should logical design for data separation be incorporated?
Compute nodes and Network
Logical design for data separation needs to be incorporated at the following levels
Compute nodes, Management plane, Storage nodes, Control plane, Network
Tier 3 Uptime Institute's Data Center Site Infrastructure Tier Standard Topology
Concurrently Maintainable Site Infrastructure
What are the two biggest challenges associated with the use of IPsec in cloud computing environments?
Configuration Management and Performance
Honeypot
Consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
A service where data is replicated across the global Internet. A form of data caching, usually near geophysical locations of high use demand, for copies of data commonly requested by users.
Content Delivery Network (CDN)
In which of the following storage types is data, stored in object storage, divided in multiple nodes to improve Internet consumption speed?
Content delivery network
C S A type 3 certification framework
Continuous monitoring
Which of the following makes the infrastructure resilient against component failure?
Continuous uptime
Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.
Control
The natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.
Controller
Management Plane
Controls the entire infrastructure, and parts of it will be exposed to customers independent of network location, it is a prime resource to protect.
The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.
Corporate Governance
What are the six stages of the cloud secure data lifecycle?
Create, Store, Use, Share, Archive and Destroy
What is the correct order of the Cloud Data Lifecycle?
Create, Store, Use, Share, Archive, Destroy
Data Life Cycle
Create: Store: Use: Share: Archive: Destroy
Sends forged requests though an authenticated session
Cross-Site Request Forgery
Occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. It allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
Cross-Site Scripting, a k a X S S
What are the BCDR planning factors? Each correct answer represents a complete solution. Choose three.
Current locations of the assets The networks between the assets and the sites of their processing Assets: data and processing
Who generates, holds, and retains the keys in key management services?
Customer
When using Maintenance Mode, what two items are disabled and what item remains enabled?
Customer access and Alerts are disabled while logging remains enabled.
Refers to the responsibility of the data owner which takes place in the Create phase and is assigned according to an overall organizational motif based on a specific characteristic of the given dataset.
Data classification
What is the key issue associated with the Object Storage type that the CSP has to be aware of?
Data consistency is achieved only after change propagation to all replica instances has taken place.
A person who determines the purposes for which and the manner in which any personal data are, or are to be, processed
Data controllers
Responsible for the safe custody, transport, storage of the data, and implementation of business rules
Data custodians
A technology that keeps the format of a data string but alters the content. A weak form of confidentiality assurance that replaces the original information with asterisks or Xs.
Data masking
Responsible for data context, context, and associated business rules
Data stewards
A subject who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity (such as telephone number or IP address).
Data subject
A layer-7 monitoring device that understands SQL commands
Database activity monitoring
In essence, a managed database service.
Database as a Service (DBaaS)
Refers to a kind of data analysis which is an outgrowth of the possibilities offered by the regular use of the cloud, also known as "big data."
Datamining
Access Management
Deals with managing an individual's access to resources is based on the answers to "Who are you?" and "What do you have access to?"
The steps in the B C D R continual process
Define Scope, Gather Requirements, Analyze, Asses Risk, Implement, Test, Report, Revise
NIST SP 800-92
Define a log as a record of the events occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network.
Event
Defined as a change of state that has significance for the management of an IT service or other configuration item.
Incident
Defined as an unplanned interruption to an IT service or reduction in the quality of an IT service.
Which kind of threat can cause higher than usual billing based on resources consumed?
Denial of Service
STRIDE Threat Model
Derived from an acronym for the following six threat categories; Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege
Incident Management
Describes the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.
A form of virtual desktop infrastructure (VDI) that a third party outsources and handles.
Desktop as a Service (DaaS)
What does the concept of non-destructive testing mean in the context of a vulnerability assessment?
Detected vulnerabilities are not exploited during the vulnerability assessment.
Cloud Backup Solutions
Enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.
I SO 27037
Digital evidence
Directive 95/46 EC:
Directive 95/46/EC focuses on the protection of individuals with regard to the processing of personal data and on the free movement of such data; it also captures the human right to privacy, as referenced in the European Convention on Human Rights (ECHR).
Used to balance workloads, jobs, and processes
Distributed Resource Scheduling
What security risks and benefits must you consider when thinking about cloud computing
Distributed/Multitenant Security Environment (Business ecosystem), Risk (Business/Reputational), Compliance (Legal, Regulatory) and Privacy
Determines in which jurisdiction the dispute will be heard in case of a conflict
Doctrine of the proper law
Private Cloud Project
Enable their IT infrastructure to become more capable of quickly adapting to continually evolving business needs and requirements.
The development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.
Due care
What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?
Due care
What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?
Due care
The act of investigating and understanding the risks a company faces.
Due diligence
Generally considered a black-box test, where the tool must discover individual execution paths in the application being analyzed. Considered effective when testing exposed H T T P and H T M L interfaces of web applications
Dynamic application security testing
ISO 27050
E discovery
Which is a European Standards Agency?
ENISA
Virtualization
Each user has a single view of the available resources independently
Qualitative risk assessment is earmarked by which of the following?
Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process
What are the 3 Key Cloud Computing Drivers
Elasticity, Simplicity and Expandability
Virtualization Technologies
Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocations of resources across multiple tenants and environments.
Homomorphic Encryption
Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
Stored Communication Act
Enacted in the United States in 1986 as part of the Electronic Communications Privacy Act. It provides privacy protections for certain electronic communication and computing services from unauthorized access or interception.
Which of the following methods for the safe disposal of electronic records can ALWAYS be used within a cloud environment?
Encryption
Which of the following can be deployed to help ensure the confidentiality of data in the cloud? (Choose two)
Encryption Masking
What are the objectives of change management? Each correct answer represents a complete solution. Choose all that apply.
Ensure that changes are recorded and evaluated. Respond to a customer's changing business requirements while maximizing value and reducing incidents, disruption, and rework.
Cloud Data Architect
Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant SLAs and that the storage components are functioning according to their specified requirements.
Software that a business uses to assist in solving problems.
Enterprise Application
Translates business and security requirements into a set of rules and defines the identities and attributes required to evaluate the rules.
Entitlement process
Policy Management
Establishes the security and access policies based on business needs and degree of acceptable risk.
An open source cloud computing and infrastructure as a service (IaaS) platform for enabling AWS-compatible private and hybrid clouds.
Eucalyptus
Authorization
Evaluates "What do you have access to?" after authentication occurs.
Which two documents contain rules which must be followed when collecting and preserving evidence?
FRE (Federal Rules of Evidence) FRCP (Federal Rules of Civil Procedure)
The archive phase means that data is moved to tape and is not readily accessible.
False
The use of a generator eliminates the need for a Battery Backup system in a data center.
False
To get a full assessment of the readiness of an organization, auditing should be performed during peak processing and user loads.
False
With a regular patching schedule, scanning is no longer needed.
False
Tier 4 Uptime Institute's Data Center Site Infrastructure Tier Standard Topology
Fault-Tolerant Site Infrastructure
NIST publication written to accredit and distinguish cryptographic modules produced by private-sector vendors who seek to have their solutions and services certified for use in U.S. government departments and regulated industries that deal with data that is deemed to be sensitive but not top secret.
Federal Information Processing Standard (FIPS) 140-2
Gramm-Leach-Bliley Act (GLBA)
Federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
Database Encryption
File level encryption, Transparent encryption, Application-level encryption
N F P A
Fire protection
Criteria of a Kernel-based Virtual Machine
Fixed firmware, safe buffer design, push-button control, housing intrusion detection, tamper-proof circuit board, tamper-warning labels on each side of the K V M
Cloud Developer
Focuses on development for the cloud infrastructure itself. This role can vary from client tools or solutions engagements, through to systems components.
Digital Rights Management (DRM)
Focuses on security and encryption to prevent unauthorized copying limit distribution to only those who pay.
Which of the following parts of the NIST framework helps an organization align activities with business requirements, risk tolerance, and resources?
Framework profile
The risk-management process
Framing risk, Assessing risk, Responding to risk, Monitoring risk
What are the four steps in the Risk Management process?
Framing, Assessing, Monitoring and Response
Risk Management Process
Framing, assessing, reponding, monitoring
What are the three things that must be understood BEFORE you can determine the necessary controls to deploy for data protection in a cloud environment?
Function, location and actors
What are the three things that you must understand before you can determine the necessary controls to deploy for data protection in a cloud environment?
Function, location, and actors
A test against a particular component of a cloud system is:
Functional Testing
Which of the following identifies and reports on any risks that may affect the AIC of key information assets?
Gap analysis
Security Misconfiguration (OWASP top ten):
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
What type of risks are typically associated with Virtualization?
Guest breakout, snapshot and image security and sprawl
What types of risks are typically associated with virtualization?
Guest breakout, snapshot and image security, and sprawl
NISTT S P 800-43 revision 3
Guide to Enterprise Patch Management Technologies
I SO 27013
Guideline on the integrated implementation of I SO 27001 and I SO 20000-1
A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protection of log files, and more.
Hardware Security Module (HSM)
Cloud Architect
He or she will determine when and how a private cloud meets the policies and needs of an organization's strategic goals and contractual requirements (from a technical perspective).
ISO IEC 27001:2013
Help organizations to establish and maintain an ISMS. An ISMS is a set of interrelated elements that organizations use to manage and control information security risks and to protect and preserve the confidentiality, integrity, and availability of information.
Information (Data) Classification
High-level description of important and valuable information categories (e.g., highly confidential, regulated).
Vendor Lock-in
Highlights where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints.
Identity Provider
Hold all of the identities and generate a token for known users.
Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider (CSP) for processing without the requirement to decipher the data first.
Homomorphic Encryption
A protocol that uses T C P to transport small computer system interface commands, enabling the use of the existing T C P I P networking infrastructure as a storage area network
I skuzzie
Which of the following can be used for securing communications to prevent eavesdropping? Each correct answer represents a complete solution. Choose all that apply.
IPSec TLS
Which of the following offers guidelines for information security controls applicable to the provision and use of cloud services?
ISO/IEC 27017:2015
What is the first international set of privacy controls in the cloud?
ISO/IEC 27018
Simplicity
IT environment complexities are reduced
Which Category gives the customer complete control of networking settings?
IaaS
What is the process flow of digital forensics?
Identification of incident & evidence, Collection, Examination, Analysis and Presentation
IAM Capabilities
Identity Management, Access Management, Identity Repository/Directory Services
Besides facilitating the ability to deploy a continuous security monitoring capabilities what other advantages does Automation provide
Improved security visibility, enhanced policy/governance enforcement, framework for management of extended business ecosystem and organizational transition from infrastructure-centric to a data-centric security model
What is the difference between a Managed Service Provider (MSP) and a Cloud Service Provider (CSP)
In an MSP the consumer dictates the technology and operating procedures while in a CSP the service provider dictates both the technology and operational procedures
Database as a Service
In essence, a managed database service.
Privacy in United States
In this location, the processing of personal data is subject to "Opt Out" consent from the Data Subject, while the "Opt In" rule applies in special cases such as the processing of sensitive/health data.
States the activities of an organization to identify, analyze, and correct hazards to prevent a future reoccurence
Incident management
Injection (OWASP top ten):
Includes injection flaws such as SQL, OS, LDAP, and other injections occur when untrusted data is sent to an interpreter as part of a command or query. If the interpreter is successfully tricked, it will execute the unintended commands or access data without proper authorization.
Which of the following is not a part of STRIDE?
Information
I SO 27014
Information security governance
Personally Identifiable Information (PII)
Information that can be traced back to an individual user, e.g. your name, postal address, or e-mail address. Personal user preferences tracked by a Web site via a cookie is also considered personally identifiable when linked to other personally identifiable information provided by you online.
_______________ occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Injection flaws
Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Insecure Direct Object References
Redundant Array of Inexpensive Disks (RAID
Instead of using one large disk to store data, one can use many smaller disks (because they are cheaper). An approach to using many low-cost drives as a group to improve performance, yet also provides a degree of redundancy that makes the chance of data loss remote.
Redundant Array of Inexpensive Disks (RAID)
Instead of using one large disk to store data, one can use many smaller disks (because they are cheaper). An approach to using many low-cost drives as a group to improve performance, yet also provides a degree of redundancy that makes the chance of data loss remote.
All-or-Nothing-Transform with Reed-Solomon (AONT-RS)
Integrates the AONT and erasure coding. This method first encrypts and transforms the information and the encryption key into blocks in a way that the information cannot be recovered without using all the blocks, and then it uses the IDA to split the blocks into m shares that are distributed to different cloud storage services (the same as in SSMS).
Enterprise DRM
Integration plan designed by Digital Equipment Corp. to provide an operation platform for multi-vendor environment.
Which concept focuses on the trustworthiness of data?
Integrity
A protocol that uses transmission control protocol (TCP) to transport commands, enabling the use of the existing T C P I P networking infrastructure as a storage area network (SAN).
Internet small computer system interface
Which of the following defines the ease of moving and reusing application components regardless of the provider, platform, and so on?
Interoperability
Cloud Roadmap Requirements
Interoperability, Portability, Availability, Security, Privacy, Resilience, Performance, Governance,Service Level Agreements (SLA), Auditability, Regulatory
Transport Layer Security (TLS)
Is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL)
Federation
Is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
Secure Sockets Layer
Is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral
Problem Management
Is to minimize the impact of problems on the organization.
What is a key characteristic of a honeypot?
Isolated, monitored environment
Demilitarized Zone (DMZ)
Isolates network elements such as e-mail servers that, because they can be accessed from trustless networks, are exposed to external attacks.
NIST SP 800-53
Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.
Which of the following are legal risks in cloud computing? Each correct answer represents a complete solution. Choose three.
Jurisdiction Law enforcement Data protection
Classification uses this to mark the level of classification:
Labels
Which of the following pitfalls are related to cloud security? Each correct answer represents a complete solution. Choose all that apply.
Lack of documentation and guidelines Complexities of integration Not all apps are "cloud-ready"
Privacy in Asian-Pacific Economic Cooperation (APEC)
Leaders in this location have endorsed a framework recognizing the importance of the development of effective privacy protections that avoid barriers to information flows, ensure continued trade, and economic growth.
Sarbanes Oxley Act (SOX)
Legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise.
Online Backup
Leverages the Internet and cloud computing to create an attractive off-site storage solution with little hardware requirements for any business of any size.
Cloud Testing
Load and performance testing conducted on the applications and services provided via cloud computing — particularly the capability to access these services — in order to ensure optimal performance and scalability under a wide variety of conditions.
Data aggregation
Log management aggregates data from many sources, including network, security, servers, databases, and applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
Correlation
Looks for common attributes and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information.
Type of cluster which offers cost-effective building blocks that can start small and grow as applications demand. It offers performance, I/O, and storage capacity within the same node.
Loosely coupled cluster
The measure of the average time between failures of a specific component or part of a system.
Mean time to repair (MTTR)
Which threat comes as a result of an employee's (current or former) misuse of confidential data to which he has (or had) authorized access?
Malicious insider
An I T service where the customer dictates both the technology and the operational procedures, and an external party executes admin and ops support according to a contract
Managed Service Provider
Which of the following allows an administrator to manage any or all of the hosts remotely?
Management plane
NIST S P 800-39
Managing Information Security Risk
Sensitive Data Exposure (OWASP top ten):
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection, such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
Which method involves replacing values or adding additional characters to a field?
Masking
What are three analysis methods used with data discovery techniques?
Metadata, Labels and Content Analysis
Which of the following are attributes of cloud computing?
Minimal management effort and shared resources
A form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.
Mobile Cloud Storage
Host Intrusion Detection Systems (HIDS)
Monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected.
Missing Function Level Access Control (OWASP top ten):
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
The following is used to ensure non-repudiation:
Multi-Factor
Which cloud characteristic defines that more than one user can store their data by using the applications provided by SaaS?
Multitenancy
Which of the following is a concept in which many customers may be running on the same environment with no physical isolation.
Multitenancy
A guide for implementing the risk management framework, which is a methodology for handling all organizational risks in a comprehensive manner.
NIST S P 800-37
Where would the monitoring engine be deployed when using a Network based Data Loss Prevention system?
Near the organizational gateway
A network file server with a drive or group of drives, portions of which are assigned to users on that network. The user will see it as a file server and can share files to it.
Network Attached Storage
Helps to check not only the hardware and the software but the distribution facets such as SDN control planes.
Network monitoring
7 key principles of safe harbor
Notice, choice, transfer to 3rd parties, access, security, data integrity, enforcement
Used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters.
O S logging
A utility that identifies project dependencies and checks whether there are any known, publicly disclosed, vulnerabilities
O WASP Dependency-Check
Often used in authorization with mobile apps, it provides third-party applications limited access to HTTP services.
O auth
XML-based framework for communicating user authentication, entitlement, and attribute information across organizations
Security Assertion Markup Language
In IaaS the Customer has control over:
OS
The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable.
Obfuscation
Additional metadata, such as content type, redundancy required, and creation date, that is stored for a file. These objects are accessible through application programming interfaces (APIs) and potentially through a web user interface (UI).
Object Storage
Stores all data in a filesystem and also gives access to the customers to the parts of the hierarchy to which they are assigned.
Object storage
Allows a significant level of description, including the marking, labels, classification and categorization; it also enhances the opportunity for indexing capabilities.
Object-based storage
Object Storage
Objects (files) are stored with additional metadata (content type, redundancy required, creation date, etc.). These objects are accessible through APIs and potentially through a web user interface.
Which of the following should be carried out first when seeking to perform a gap analysis?
Obtain management support
Oversubscription
Occurs when more users are connected to a system than can be fully supported at the same time.
Which of the following are essential characteristics of cloud computing? (Choose two)
On-demand self service Broad network access
NIST 5 essential characteristics of cloud computing
On-demand self-service, Broad network access, Resource pooling, Rapid elasticity and measured service
What is domain A.16 of the ISO 27001:2013 standard?
Security Incident Management
An interoperable authentication protocol based on the O Auth 2 specification. It allows developers to authenticate their users across websites and applications without having to manage usernames and passwords
Open I D Connect
Processing
Operations that are performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
Converged networking model
Optimized for cloud deployments and utilizes standard perimeter protection measures. The underlying storage and IP networks are converged to maximize the benefits for a cloud workload.
A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization.
Organizational Normative Framework (ONF)
Cloud Technology Roadmap
Originally developed by NIST, it provides guidance and recommendations for enabling security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.
Which of the following statements are true of CSP (cloud service provider)? Each correct answer represents a complete solution. Choose all that apply.
Outsources activities and functions Provides services and resources for use
Which is not a benefit of Public Cloud Models?
Ownership Retention
Which is not a key feature of IaaS?
Ownership retention
Sensitive Data Exposure looks at the following except:
PCI
Logical design
Part of the design phase of the SDLC in which all functional features of the system chosen for development in analysis are described independently of any computer platform
Which of the following are common capabilities of Information Rights Management solutions?
Persistent protection, dynamic policy control, automatic expiration, continuous audit trail and support for existing authentication infrastructure
Which of the following are common capabilities of IRM solutions?
Persistent protection, dynamic policy control, automatic expiration, continuous audit trail, and support for existing authentication security infrastructure
Which of the following are the key principles of an enterprise architecture that should be followed at all times? Each correct answer represents a complete solution. Choose three.
Prepare the resilient architecture and support multilandlord platforms. Provide direction to secure information preserved by regulations. Explain protections that enable trust in the cloud.
SIEM is:
Security Information Event Management
The following are Virtualization Risks except:
Physical Compromise
Steps of the S D L C
Planning and Requirement Analysis, Defining, Designing, Developing, Testing
What are the phases of a Software Development Life Cycle process model?
Planning and requirements analysis, Define, Design, Develop, Testing and Maintenance
Software Development Lifecycle
Planning and requirements, defining, designing, developing, testing, maintenance
ISO/IEC 27001
Possibly the most widely known and accepted information security standard, ISO 27001 was originally developed and created by the British Standards Institute, under the name of BS 7799. The standard was adopted by the International Organization for Standardization (ISO) and re-branded ISO 27001. Since September 2013, ISO 27001 was updated to ISO 27001:2013 and now consists of 35 control objectives and 114 controls spread over 14 domains.
Which of the following are parts of the APEC (Asia-Pacific Economic Cooperation) privacy framework? Each correct answer represents a part of the solution. Choose all that apply.
Preamble Implementation Information privacy principles Scope
Asia-Pacific Economic Cooperation privacy framework
Preamble, Scope, Information privacy principles, Implementation
FIPS 140-2
Primary goal is to accredit and distinguish secure and well-architected cryptographic modules produced by private sector vendors who seek to have their solutions and services certified for use in regulated industries that collect, store, transfer, or share data that is deemed to be "sensitive" but not classified.
Which of the following laws is defined as the right of an individual to determine when, how, and to what extent they will release personal information?
Privacy
Which cloud deployment model is managed by an organization it serves?
Private
Used by organizations to enable their information technology (IT) infrastructures to become more capable of quickly adapting to continually evolving business needs and requirements.
Private Cloud Project
Identifies and provides solutions to errors occurred in an operation and prevents their reoccurence
Problem management
Operations that are performed upon personal data, whether or not by automatic means.
Processing
What are the four cloud deployment models?
Public, Private, Hybrid and Community
Allows to define the state of an IT infrastructure and then automatically enforces the correct state
Puppet
Which of the following statements are true of the REST (Representational State Transfer) API format? Each correct answer represents a complete solution. Choose all that apply.
REST reads can be cached Supports only SSL security Works only over HTTP on a transport layer
A software architecture style consisting of guidelines and best practices for creating scalable web services
REpresentational State Transfer
This is the amount of time it would take to recover in the event of a disaster:
RTO
A technique which allows the replacement of the data with random characters, leaving the other traits intact such as length of the string and character set.
Randomization
Cloud environments can often have services restored faster than traditional failover sites through the use of:
Rapid Elasticity
A user wants to save his documents on a cloud. He found that the available storage on the cloud is filled. Therefore, he needs additional storage for saving the document. Which characteristic of cloud computing will help him do so?
Rapid elasticity
What are the relevant cloud infrastructure characteristics that can be considered distinct advantages in realizing a BCDR plan objective with regards to Cloud computing environments?
Rapid elasticity, broad network connectivity and a pay per use model
Which of the following are the important processes of the continuous operation of audit logging? Each correct answer represents a complete solution. Choose three.
Reduction of false positives New event detection Adding new rules
Tier 2 from Uptime Institute's Data Center Site Infrastructure Tier Standard Topology
Redundant Site Infrastructure Capacity Components
Which of the following is the correct name for Tier II of the Uptime Institute Data Center Site Infrastructure Tier Standard Topology?
Redundant Site Infrastructure Capacity Components
Which of the following is the correct name for Tier II of the Uptime Institute Data Center Site Infrastructure Tier Standard Topology?
Redundant Site Infrastructure Capacity Components
eDiscovery
Refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
Quality of Service (QoS)
Refers to the capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all of these underlying technologies
Information gathering
Refers to the process of identifying, collecting, documenting, structuring, and communicating information from various sources in order to enable educated and swift decision making to occur.
Which could not be used with a password to meet multifactor authentication requirements?
Security Questions
Australian Privacy Act 1988
Regulates the handling of personal information about individuals. This includes the collection, use, storage, and disclosure of personal information, and access to and correction of that information.
Service Organization Controls 1 (SOC 1)
Reports on Controls at Service organizations relevant to user entities' Internal Control over financial reporting.
Service Organization Controls 2 (SOC 2)
Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy.
A software architecture style consisting of guidelines and best practices for creating scalable web services.
Representational State Transfer (REST)
ISO/IEC 27034-1
Represents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security
What are the objectives of Change Management? (Choose all that apply)
Respond to a customer's changing business requirements while maximizing value and reducing incidents, disruption, and re-work Ensure that changes are recorded and evaluated
Which of the following metrics reports on the time required to perform the requested operation or tasks?
Response time
What are the four elements that a data retention policy should define?
Retention periods, data formats, data security and data retrieval procedures
NIST SP 800-30
Risk Assessment guide for Information Technology Systems
I SO 31000
Risk management
Individuals in an organization who together determine the organization's overall risk profile.
Risk owner and player
Generally considered to focus on applications that possess self-protection capabilities built into their runtime environments.
Runtime application self-protection
A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
S P 800-53
Which is a standard put out by OASIS and is a XML based exchange method for authentication and authorization?
SAML
Which of the following statements about Software Defined Networking are correct? (Choose two)
SDN provides for the ability to execute the control plane software on general purpose hardware, allowing for the decoupling from specific network hardware configurations and allowing for the use of commodity servers. Further, the use of software based controllers allows for a view of the network that presents a logical switch to the applications running above, allowing for access via API's that can be used to configure, manage, and secure network resources. SDN's objective is to provide a clearly defined and separate network control plane to manage network traffic that is separated from the forwarding plane. This approach allows for network control to become directly programmable and distinct from forwarding, allowing for dynamic adjustment of traffic flows to address changing patterns of consumption.
Which is not a method of protection for data in transit?
SLA
A type of report which are for auditing the financial reporting instruments of a corporation.
SOC 1
A type of report which is intended to report audits of controls on an organization's security, availability, processing integrity, and privacy.
SOC 2
Contains no actual data about the security controls of the audit target and is also known as the "seal of approval".
SOC 3
Which report was created to replace SAS70?
SSAE
What are the three generally accepted service models of cloud computing?
SaaS, PaaS, and IaaS
This is segregating information from others within the same system:
Sandboxing
Which of the following is used to execute untrusted code without risking harm to the host machine or operating system?
Sandboxing
Which is not a step in the audit plan?
Scope Analysis
What defines what is to be covered in the audit?
Scope of audit
A secure password-based authentication and key-exchange protocol. It exchanges a cryptographically strong secret as a by-product of successful authentication, which enables the two parties to communicate securely.
Secure remote password
A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.
Security Alliance's Cloud Controls Matrix
NIST S P 800-92
Security log management
What are the five Trust Services Principles?
Security, Availability, Processing Integrity, Confidentiality and Privacy
Which of the following are examples of a trust zone? (Choose Two)
Segmentation according to department A web application with a two tiered architecture
C S A type 1 certification framework
Self-assessment
Negotiates agreements with various parties to design services with the agreed-upon service-level agents
Service-level management
In cloud computing models you purchase ______.
Services
Helps the customer to seek financial restitution for damages caused to them, that occurred because of negligence or malfeasance on the part of the provider.
Shared policy
When setting up resource sharing within a host cluster, which option would you choose to mediate resource contention?
Shares
Cloud App (Cloud Application)
Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet.
A technique which uses different entries from within the same data set to represent the data.
Shuffling
A protocol specification for exchanging structured information in the implementation of web services in computer networks
Simple Object Access Protocol
A protocol specification for exchanging structured information in the implementation of web services in computer network.
Simple object access protocol (SOAP):
Provides authentication, key establishment, data integrity, and data confidentiality in an online distributed application environment using a public-key infrastructure.
Simple public-key mechanism
Federated Single Sign-on (SSO)
Single sign-on (SSO) systems allow a single user authentication process across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability
Cloud Management
Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help to ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services.
What are the three generally accepted service models of cloud computing?
Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)
Application Virtualization
Software technology that encapsulates application software from the underlying operating system on which it is executed
A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.
Software-Defined Networking (SDN)
The five steps used to create an A S M P per I SO 27034-1
Specifying application requirements and environment, Assessing application security risks, Creating and maintaining the A N F, Provisioning and operating application, Auditing security of application
What are the five steps used to create an Application Security Management Process?
Specifying the application requirements and environment, Assessing application security risks, Creating and maintaining the Application Normative Framework, Provisioning and operating the application and Auditing the security of the application
STRIDE Threat Model
Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege
What are the six components that make up the STRIDE Threat Model?
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege
STRIDE
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
Generally considered a white-box test, where the application test performs an analysis of the application source code, byte code, and binaries without executing the application code.
Static application security testing
A group of devices connected to the network that provide storage space to users. Typically, the storage apportioned to the user is mounted to that user's machine, like an empty drive.
Storage Area Network
Which of the following statements are true of storage clusters? Each correct answer represents a complete solution. Choose all that apply.
Store and protect data through the use of AIC mechanisms. Provide ability to separate customer data in multitenant hosting environments. Meet the required service levels as specified in the SLA.
Data is organized and can easily be placed in a database:
Structured
Which of the following are data storage types used with a Platform as a Service solution?
Structured and Unstructured
A Linux toolset which performs patch management
System tap
What is a security related concern for a Platform as a Service solution?
System/Resource isolation
A methodology and a set of tools that enable security, enterprise, and risk management achitects to leverage a common set of solutions that fulfill common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities.
T C I Reference Architecture
Negotiates the secure attributes of a session and provides easy error handling
T L S handshake protocol
Encapsulates higher-level protocols and provides connection security and ensures the connection is private and reliable
T L S record protocol
Cloud Portability
The ability to move applications and its associated data between one cloud provider and another — or between public and private cloud environments.
Consider the following example: An online shopping website where the web interface asked its customers to select the purchase quantity for the products using a drop-down list. A hacker altered the entered value, and entered a quantity of "-1". The developer had only enforced the range validation at the web interface level and not at the backend application level. The price for the order was calculated to be -xUSD and the hacker actually ended up receiving a refund on his credit card. The hacker is making money by ordering a negative number of products. Imagine the damage that could have been caused if a value other than -1 was entered. Which of the following tools does the attacker use to alter the data?
Tampering
Cloud Service Manager
The Cloud Service Manager is typically responsible for policy design, business agreement, pricing model, and some elements of the SLA (not necessarily the legal components or amendments that will require contractual amendments). This role will work closely with cloud management and customers to reach agreement, and alongside the Cloud Administrator on behalf of the customers.
Common Criteria
The Common Criteria (CC) is an international set of guidelines and specifications (ISO/IEC 15408) developed for evaluating information security products, with the view to ensuring they meet an agreed-upon security standard for government entities and agencies.
When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed?
The Directive applies to data processed by automated means and data contained in paper files.
NIST SP 800-145
The NIST Definition of Cloud Computing
In a federated environment, who is the Relying Party, and what do they do?
The Relying Party is the service provider and they would consume the tokens generated by the Identity Provider.
Which of the following key benefits does IaaS provide to organizations? Each correct answer represents a complete solution. Choose three.
The ability to scale up and down infrastructure services based on actual usage. Usage metered and priced on the basis of units consumed. Reduced cost of ownership.
Forensic analysis
The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.
Authentication
The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station, or originator.
Anonymization
The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.
Non-Repudiation
The assurance that a specific author actually did create and send a specific item to a specific recipient, and that it was successfully received. With assurance of non-repudiation, the sender of the message cannot later credibly deny having sent the message, nor can the recipient credibly claim not to have received it.
Alerting
The automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third-party channels such as e-mail.
Software as a Service (SaaS)
The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure2. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Hybrid Cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Private Cloud
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Community Cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider
Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Storage Cloud
The collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.
Infrastructure as a Service (IaaS)
The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Platform as a Service (PaaS)
The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications for the application-hosting environment.
Software as a Service (SaaS)
The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Obfuscation
The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable.
Cloud Provisioning
The deployment of a company's cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain on-site behind the firewall or in the private cloud.
Identity and Access Management
The entire process of registering, provisioning, and deprovisioning identities
Elasticity
The environment transparently manages a user's resources utilization based on dynamically changing needs
Authorization
The granting of right of access to a user, program, or process.
What is the benefit derived from the high degree of automation employed by most CSPs
The high degree of automation provided by CSPs enables real-time monitoring and reporting of infrastructure security control points that easily transition into continuous security monitoring capabilities.
What is a Cloud Carrier?
The intermediary that provides connectivity and transport of cloud services between Cloud Providers and Cloud Consumers.
Cloud Carrier
The intermediary that provides connectivity and transport of cloud services between Cloud Providers and Cloud Consumers.
Privacy in European Union (EU)
The main piece of legislation is the EU directive 95/46/EC "on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
In the context of Privacy and Data Protection, what is a Controller?
The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Controller
The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Vertical Cloud Computing
The optimization of cloud computing and cloud services for a particular vertical (e.g., a specific industry) or specific-use application.
Cost
The pay-per-usage model allows an organization to pay only for the resources they need with basically no investment in the physical resources available in the cloud. There are no infrastructure maintenance or upgrade costs.
NIST SP 800-53
The primary goal and objective of the 800-53 standard is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.
Crypto-shredding
The process of deliberately destroying the encryption keys that were used to encrypt the data originally.
Data archiving
The process of identifying and moving inactive data out of current production systems and into specialized long-term archival storage systems.
Cloud Enablement
The process of making available one or more of the following services and infrastructures to create a public cloud-computing environment: cloud provider, client, and application.
Data mapping
The process of mapping all relevant data in order to understand data types (structure, unstructured), data formats, file types and data location (network drives, databases, object, or volume storage).
Tokenization
The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Dynamic Application Security Testing (DAST)
The process of testing an application or software product in an operating state
Cloud Migration
The process of transitioning all or part of a company's data, applications, and services from on-site premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.
Resource pooling
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Corporate Governanc
The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.
Corporate Governance
The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.
What does an audit scope statement provide to a cloud service customer or organization?
The required level of information for the client or organization subject to the audit to fully understand (and agree) with the scope, focus, and type of assessment being performed.
Hypervisor (2 types)
The role of the hypervisor is a simple one - to allow multiple operating systems (OS) to share a single hardware host (with each OS appearing to have the host's processor, memory, and resources to itself). Type I = Hardware, Type II = Operating System
What is a Data Custodian responsible for?
The safe custody, transport, storage of the data, and implementation of business rules
Identity and Access Management (IAM)
The security discipline that enables the right individuals to access the right resources at the right times for the right reasons
What are the issues in transferring data from Ireland within the EEA enunciated by the Data Protection Guidance? Each correct answer represents a complete solution. Choose all that apply.
The security of the data The requirement for a written contract between the CSP and any subprocessors The location of the data
Enterprise Risk Management
The set of processes and structure to systematically manage all risks to the enterprise.
Cloud Storage
The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.
Enterprise Application
The term used to describe applications — or software — that a business would use to assist the organization in solving enterprise problems.
Storage Clusters
The use of two or more storage servers working together to increase performance, capacity, or reliability. Clustering distributes workloads to each server, manages the transfer of workloads between servers, and provides access to all files from any server regardless of the physical location of the file.
Big Data
The volume of data that must be efficiently processed for discovery larger and the diversity of sources and formats presents challenges that make many traditional methods of data discovery fail.
Real-time analytics
These use cases are valuable but require data discovery tools that are faster, more automated, and more adaptive.
Agile analytics
They perform data discovery processes more often and in more diverse ways.
Hybrid cloud
This cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Private cloud
This cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on- or off-premises.
Community cloud
This cloud infrastructure is provisioned for exclusive use by a specific community of organizations with shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
Public cloud
This cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Applicable law
This determines the legal regime applicable to a certain matter.
Cloud Administrator
This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).
Ephemeral storage
This type of storage is relevant for IaaS instances and exists only as long as its instance is up. It will typically be used for swap files and other temporary storage needs and will be terminated with its instance.
Jurisdiction
This usually determines the ability of a national court to decide a case or enforce a judgment or order.
Within the realm of IT security, which of the following combinations best defines risk?
Threat coupled with a vulnerability
Type of cluster which has a physical backplane into which controllers nodes connect.
Tightly coupled cluster
When using a Platform as a Service solution, what is the capability provided to the customer?
To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment
When using an Infrastructure as a Service solution, what is the capability provided to the customer?
To provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
When using a Software as a Service solution, what is the capability provided to the customer?
To use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
When using a SaaS solution, what is the capability provided to the customer?
To use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Data Hashes ensure integrity of Data.
True
XML Gateways
Transform how services and sensitive data are exposed as APIs to developers, mobile, and cloud, can be either hardware or software, can implement security controls such as DLP, antivirus, and anti-malware services
A BCDR plan is not considered reliable until it is Tested.
True
A Type 2 Hypervisor resides on the Host Device i.e. VM Workstation.
True
Encryption is important to segregation of data in a cloud environment.
True
In a cloud environment, a change in geographic location for BCDR purposes can lead to latency and other performance issues.
True
Logging levels can be negotiated and are usually listed in the SLA.
True
OpenID is a federated identity system.
True
The level of auditing required should be detailed in the SLA.
True
XML Firewalls validate incoming XML code before sending to the application.
True
Which is not required for KVM security?
USB storage devices should be allowed over the KVM
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Unvalidated Redirects and Forwards
When using an Infrastructure as a Service solution, what is a key benefit provided to the customer?
Usage is metered and priced on the basis of units consumed.
What are the phases of cloud data lifecycle? Each correct answer represents a complete solution. Choose all that apply.
Use Store Destroy Archive
Which is not a Common Vulnerability?
XaaS
Which of the following are contractual components that the Cloud Security professional should review and understand fully when contracting with a cloud service provider? (Choose Two)
Use of subcontractors Scope of processingTraining
Collaboration/Innovation
Users are starting to see the cloud as a way to work simultaneously on common data and information
Risk Reduction
Users can use the cloud to test ideas and concepts before making major investments in technology
Scalability
Users have access to a large number of resources that scale based on user demand
Mobility
Users have the ability to access data and applications from around the globe
Degaussing
Using strong magnets for scrambling data on magnetic media such as hard drives and tapes.
Bit Splitting
Usually involves splitting up and storing encrypted information across different cloud storage services.
Which of the following are nonexhaustive risks to which BCDR is tasked to protect against? Each correct answer represents a complete solution. Choose three.
Utility service outages Damage from natural causes and disasters Wear and tear of equipment
Monitors compliance with a preconfigured baseline
V M ware Update Manager
Uses built-in tools that allows users to build custom baselines
V M ware V sphere
Highlights where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints.
Vendor Lock-In
Allows for agentless retrieval of the guest OS state, such as the list of running processes, active networking connections, and opening files.
Virtual Machine Introspection
Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocation of resources across multiple tenants and environments.
Virtualization technologies
A layer-7 firewall that can understand HTTP traffic
Web Application Firewall
Unvalidated Redirects and Forwards (OWASP top ten):
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.
Information Management Policies
What activities are allowed for different information types?
Doctrine of the Proper Law
When a conflict of laws occurs, this determines in which jurisdiction the dispute will be heard.
When does a Cross-site Scripting flaw occur?
Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping
PII - Contractual
Where an organization or entity processes, transmits, or stores PII as part of its business or services, this information is required to be adequately protected in line with relevant local state, national, regional, federal, or other laws.
Location and Jurisdictional Policies
Where can data be geographically located. What are the legal and regulatory implications or ramifications?
Authorizations
Who is allowed to access different types of information?
Custodianship
Who is responsible for managing the information at the bequest of the owner?
A method for encrypting all data associated with the operation/use of a virtual machine, such as the data stored at rest on the volume, disk input/output (I/O), all snapshots created from the volume, as well as all data in transit moving between the virtual machine and the storage volume.
Whole Instance Encryption
EU General Data Protection Regulation 2012
Will introduce many significant changes for data processors and controllers. The following may be considered as some of the more significant changes: The concept of consent, Transfers Abroad, The right to be forgotten, Establishment of the role of the "Data Protection Officer", Access Requests, Home State Regulation, Increased Sanctions
When using transparent encryption of a database, where does the encryption engine reside?
Within the database
Which of the following software vulnerabilities occurs when an application takes untrusted data and sends it to a web browser without proper validation?
XSS
Cross-site Scripting (XSS) (OWASP top ten):
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
5 key principles of ISO 27018
consent, control, transparency, communication, independent and yearly audit
I D C A
data center design
An organization will conduct a risk assessment to evaluate
threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization and the residual risk