Domain 1
In terms of greatest stringency and requirements for security validation, which is the highest merchant level in the PCI standard? 1 2 3 4
1
Which common criteria evaluation assurance level (EAL) is granted to those products that are formally verified in terms of design and tested by their manufacturer/vendor? 1 3 5 7
1
A hosted cloud environment is a great place for an organization to use as ___________. Storage of physical assets A testbed/sandbox A platform for managing unsecure production data A cost-free service for meeting all user needs
A testbed/sandbox
When should cloud providers allow PaaS customers shell access to the servers running their instances? Never Weekly Only when the contract stipulates the requirement Always
Never
Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. In order to protect her company's intellectual property. Alice might want to consider implementing all these techniques/solutions except________. Egress monitoring Encryption Turnstiles Digital Watermarking
Turnstiles
Which kind of hypervisor is the preferred target of attackers and why? Type 1, because it is more straightforward Type 1, because it has a greater attack surface Type 2, because it is less protected Type 2, because it has a greater attack surface
Type 2, because it has a greater attack surface
In terms of the amount of security functions offered, which is the highest FIPS 140-2 security level a cryptographic module can achieve in certification? 1 2 3 4
4
What is the entity that created the Statement on Standards for Attestation Engagements (SSAE) auditing standard and certifies auditors for that standard? NIST ENISA GDPR AICPA
AICPA
Which of the following would make a good provision to include in the service-level agreement (SLA) between cloud customer and provider? Location of the data center Amount of data uploaded/downloaded during a pay period Type of personnel security controls for network administrators Physical security barriers on the perimeter of the data center campus
Amount of data uploaded/downloaded during a pay period
You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether the cloud provider will be able to allow your organization to substantiate and determine with some assurance that all fo the contract terms are being met. This is a(n) _______issue. Regulatory Privacy Resiliency Auditability
Auditability
An essential element of access management, ______ is the practice of confirming than an individual is who they claim to be. Authentication Authorization Nonrepudiation Regression
Authentication
What is the usual order of an access management process? Access-authorization-authentication Authentication-authorization-access Authorization-authentication-access Authentication-access-authorization
Authentication-authorization-access
An essential element of access management, __________ is the practice of granting permissions based on validated identification. Authentication Authorization Nonrepudiation Regression
Authorization
In a PaaS implementation, each instance should have its own user-level permissions; when instances share common policies/controls, the cloud security professional should be careful to reduce the possibility of _______ and _______ over time. DoS/physical theft Authorization creep/inheritance Sprawl/hashing Instercession/side-channel attacks
Authorization creep/inheritance
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, why are DoS attacks such a significant threat to cloud operations? DoS attackers operate internationally There are no laws against DoS attacks, so they are impossible to prosecute Availability issues prevent productivity in the cloud DoS attacks that can affect cloud providers are easy to launch
Availability issues prevent productivity in the cloud
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "sensitive data exposure." Which of these is not a technique to reduce the potential for a sensitive data exposure? Destroy sensitive data as soon as possible Avoid categorizing data as sensitive User proper key management when encrypting sensitive data Disable autocomplete on forms that collect sensitive data
Avoid categorizing data as sensitive
What is usually considered the difference between BC efforts and DR efforts? BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO). BC is for events caused by humans (like arson or theft), while DR is for natural disasters. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption. BC involves protecting human assets (personnel, staff, users), while DR is about protecting property (assets, data)
BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.
Which of the following is not a factor an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment? Pooled resources in the cloud Shifting from capital expenditures to support IT investment to operational expenditures The time savings and efficiencies offered by the cloud service Branding associated with which cloud provider might be selected
Branding associated with which cloud provider might be selected
The Statement on Standards for Attestation Engagements 16 (SSAE 16) Service Organization Control (SOC) reports are audit tools promulgated by the AICPA. What kind of entities were SOC reports designed to audit? US Federal government Privately held companies Publicly traded corporations Nonprofit organizations
C - SSAE 16 was created in response to SOX which addressed shortcomings in audits of publicly traded corporations.
What element of credit cardholder information may never be stored for any length of time, according to the PCI DSS? Full credit card number CCV Cardholder's mailing address Cardholder's full name
CCV
You are setting up a cloud implementation for an online retailer who will accept credit card payments. According to the PCI DSS what can you never store for any length of time? Personal data of customers The credit card verification number The credit card number Home Address of the customer
CCV
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "insecure direct object reference." Which of these is a method to counter the risks of insecure direct object references? Performing user security training Check access each time a direct object reference is called by an untrusted source Install high-luminosity interior lighting throughout the facility Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity
Check access each time a direct object reference is called by an untrusted source
Which of the following is an aspect of IT costs that should be reduced by moving into the cloud? Number of users Cost of software licensing Number of applications Number of clientele
Cost of software licensing
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? APIs are always used for administrative access Customers perform many high-value tasks via APIs APIs are cursed It is impossible to securely code an API
Customers perform many high-value tasks via APIs
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, severe traffic highjacking can affect all of the following portions of the CIA triad except _________. Confidentiality Integrity Availability None. Service traffic highjacking can't affect any portion of the CIA triad.
D - All will be affected. Service traffic can affect all portions of the CIA triad.
All of the following are statutory regulations except __________. GLBA HIPAA FISMA PCI DSS
D - voluntary
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. What is probably the single most important way of countering the highest number of items on the OWASP Top Ten (regardless of the year)? Social engineering training Disciplined coding practices and processes White-box source code testing Physical controls at all locations at which the application is eventually used
Disciplined coding practices and processes
Which of the following is not an element of the identification component of identity and access management? Provisioning Management Discretion Deprovisioning
Discretion
In a LDAP environment, each entry in a directory server is identified by a __________. Domain name (DN) Distinguished name (DN) Directory name (DN) Default name (DN)
Distinguished name (DN)
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what do we call DoS attacks staged from multiple machines against a specific target? Invasive DoS (IDoS) Pervasive DoS (PDoS) Massive DoS (MDoS) Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS)
From an academic perspective, what is the main distinction between an event and an incident? Incidents can last for extended periods (days or weeks), while an event is momentary Incidents can happen at the network level, while events are restricted to those at system level Events are anything that can occur in the IT environment, while incidents are unscheduled events Events only occur during processing, while incidents can occur at any time
Events are anything that can occur in the IT environment, while incidents are unscheduled events
Which of the following entities in most likely to play a vital role in the identity provisioning aspect of the user's experience in an organization? The accounting department HR office Maintenance team Purchasing office
HR office
What are the two general delivery modes for the SaaS model? Ranked and free Hosted application management and software on demand Intrinsic motivation complex and undulating perspective details Framed and modular
Hosted application management and software on demand
For business continuity and disaster recovery (BCDR) purposes, the contract between cloud provider and customer should include all the following except__________. Which party will be responsible for initiating a BCDR response activity How a BCDR response will be initiated How soon the customer's data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event
How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event
Which of the following is not a method for creating logical segmentation in a cloud data center? Virtual local area networks (VLANs) Network address translation (NAT) Bridging Hubs
Hubs
A cloud data encryption situation where the cloud customer retains control of the encryption keys and the cloud provider only processes and stores the data could be considered a ________________. Threat Risk Hybrid cloud deployment model Case of infringing on the rights of the provider
Hybrid cloud deployment model
What is the international standard that dictates the creation of an organizational information security management system (ISMS)? NIST SP 800-53 PCS DSS ISO 27001 NIST SP 800-37
ISO 27001
If an organization wants to retain the most control of their assets in the cloud, which service and deployment model combination should they choose? PaaS, community IaaS, hybrid SaaS, public IaaS, private
IaaS, private
Backdoors are sometimes left in software by developers ________. In lieu of other security controls As a means to counter DoS attacks Inadvertently or on purpose As a way to distract attackers
Inadvertently or on purpose
Why might an organization choose to comply with the ISO 27001 standard? Price Ease of implementation International acceptance Speed
International acceptance
You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether your current applications in the on-prem environment will function properly with the provider's hosted system and tools. This is a(n) ________ issue. Interoperability Portability Availability Security
Interoperability
Each of the following is an element of the Identification phase of the identity and access management (IAM) process except ________. Provisioning Inversion Management Deprovisioning
Inversion
Which of the following is true about two-person integrity? It forces all employees to distrust each other It requires two different IAM matrices It forces collusion for unauthorized access It enables more thieves to gain access to the facility
It forces collusion for unauthorized access
Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, every piece of data, and transaction that takes place on the cloud, why might that not be optimum choice for an organization? Key length variance don't provide any additional security It would cause additional processing overhead and time delay It might result in vendor lockout The data subjects might be upset by this
It would cause additional processing overhead and time delay
Which of the following is an aspect of IT costs that should be reduced by moving into the cloud? Personnel training Personnel turnover Loss due to depreciation of IT assets Loss due to an internal data breach
Loss due to depreciation of IT assets
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of malicious insiders so alarming? Scalability Multitenancy Metered service Flexibility
Multitenancy
ISO 27001 favors which type of technology? Open source PC Cloud Based None
None
The cloud computing characteristic of elasticity promotes which aspect of the CIA triad? Confidentiality Integrity Availability None
None
The PCI DSS distinguishes merchants by different tiers, based on _______. Number of transactions per year Dollar value of transactions per year Geographic location Jurisdiction
Number of transactions a year
In a PaaS environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on ________. International standards Federal regulations Organizational policies Federation directives
Organizational policies
You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether the provider will have undue control over your data once it is within the provider's data center; will the provider be able to hold your organization hostage because they have your data? This is a(n)________ issue. Interoperability Portability Availability Security
Portability
_______ is an example of due care, and ______ is an example of due diligence. Privacy data security policy; auditing the controls dictated by the privacy data security policy The EU Data Directive; the GLBA Locks on doors; turnstiles Perimeter defenses; internal defenses
Privacy data security policy; auditing the controls dictated by the privacy data security policy
Privileges user accounts need to be reviewed more closely than basic user accounts. Why is this? Privileges users have more encryption keys Regular users are more trustworthy There are extra controls on privileged user accounts Privileged users can cause more damage to the organization
Privileged users can cause more damage to the organization
From a customer perspective, all of the following are benefits of IaaS cloud services except______. Reduced cost of ownership Reduced energy costs Metered usage Reduced cost of administering the OS in the cloud environment
Reduced cost of administering the OS in the cloud environment
Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. What is probably the biggest factor in her decision? Network Scalability Offsite backup capability Global accessibility Reduced overall cost due to outsourcing administration
Reduced overall cost due to outsourcing administration
Which of the following is one of the benefits of a private cloud deployment? Less cost Higher performance Retaining control of governance Reduction in the need for maintenance capability on the customer side
Retaining control of governance
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes ""using components with known vulnerabilities." Which of the following is a good way to protect against this problem? Use only standard libraries Review all updates/lists/notification for components your organization uses Be sure to HTML escape all attribute elements Increase the user training budget
Review all updates/lists/notification for components your organization uses
Which of the following is not a report used to assess the design and selection of security controls within an organization? Consensus Assessments Initiative Questionnaire (CAIQ) Cloud Security Alliance Cloud Controls Matrix (CSA CCM) SOC 1 SOC 2 Type 1
SOC 1
Which of the following is a report used to assess the implementation and effectiveness of security controls within an organization? SOC 1 SOC 2 Type 1 SOC 2 Type 2 SOC 3
SOC 2 Type 2
Which US federal law instigated the change for the SAS 70 audit standard to SSAE 16? NIST 800-53 HIPAA SOX GLBA
SOX
Alice is staging an attack against Bob's website. She is able to introduce a string of command code into a database Bob is running, simply by entering the command string into a data field. This is an example of which type of attack? Insecure direct object reference Buffer overflow SQL injection DoS
SQL injection
If an organization wants to realize the most cost savings by reducing administrative overhead, which service and deployment model combination should they choose? PaaS, community IaaS, hybrid SaaS, public IaaS, private
SaaS, public
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of abuse of cloud services so alarming, from a management perspective? Scalability Multitenancy Resiliency Broadband connections
Scalability
While cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual financial benefit the organization realizes in a cloud environment? Altitude of the cloud data center Security controls and countermeasures Loss of ownership of IT assets Costs of Internet connectivity for remote users
Security controls and countermeasures
Alice is staging an attack against Bob's website. She has discovered that Bob has been storing crytographic keys on a server with a default admin password and is able to get access to those keys and violate confidentiality and access controls. This is an example of which type of attack? SQL injection Buffer overflow Using components with known vulnerabilities Security misconfiguration
Security misconfiguration
The current AICPA standard codifies certain audit reporting mechanisms. What are these called? SOX reports SSL audits Sherwood Applied Business Structure Architecture (SABSA) System and Organization Controls (SOC) reports
System and Organization Controls (SOC) reports
What is the most significant aspect of the SLA that incentivizes the cloud provider to perform? The throughoughness with which it details all aspect of cloud processing The financial penalty for not meeting service-levels The legal liability for violating data breach notification requirements The risk exposure to the cloud provider
The financial penalty for not meeting service-levels
According to the ISC2 CBK, the lack/ambiguity of physical endpoints as individual network components in the cloud environment creates what kind of threat/concern? The lack of defined endpoints makes it difficult to uniformly define, manage, and protect IT assets Without physical endpoints, it is impossible to apply security controls to an environment Without physical endpoints, it is impossible to track user activity The lack of physical endpoints increases the opportunity for physical damage/theft.
The lack of defined endpoints makes it difficult to uniformly define, manage, and protect IT assets
Why are PaaS environments at a higher likelihood of suffering backdoor vulnerabilities? They rely on virtualization They are often used for software development They have multitenancy They are scalable
They are often used for software development
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "unvalidated redirects and forwards." Which of the following is a good way to protect against this problem? HTML escape all HTML attributes Train users to recognize unvalidated links Block all inbound resource requests Implement audit logging
Train users to recognize unvalidated links
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they've selected goes out of business. What do we call this problem? Vendor lock-in Vendor lock-out Vendor incapacity Unscaled
Vendor lock-out
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is not an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider? Ensuring that any legacy applications are not dependent on internal security controls before moving them to a cloud environment Reviewing all contractual elements to appropriately define each party's roles, responsibilities, and requirements Assessing the provider's financial standing and soundness Vetting the cloud providers administration and personnel to ensure the same level of trust as the legacy environment
Vetting the cloud providers administration and personnel to ensure the same level of trust as the legacy environment
Which of the following is a new management risk that organizations operating in the cloud will have to address? Insider threat Virtual sprawl DDoS Natural disasters
Virtual sprawl
Bob is staging an attack against Alice's website. He is able to embed a link on her site that will execute malicious code on a visitor's machine, if the visitor clicks on the link. This is an example of which type of attack? XSS (cross site scripting) Broken authentication/session management Security misconfiguration Insecure cryptographic storage
XSS (cross site scripting)
Your organization has migrated to a PaaS configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notifications in accordance with all applicable laws? The network admin is responsible The cloud provider The regulators overseeing your deployment Your organization
Your organization
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "insecure direct object reference." Which of these is an example of an insecure direct object reference? www.sybex.com/authoraccounts/benmalisow 10 ? "sybex accounts"; 20 goto 10 Mysql -u [bmalisow] -p [database1]; [email protected]
www.sybex.com/authoraccounts/benmalisow
Which common criteria evaluation assurance level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party? 1 3 5 7
7
Which of the following entities would not be covered by the PCI DSS? A bank issuing credit cards A retailer accepting credit cards as payment A business that processes credit card payments on behalf of a retailer A company that offers credit card debt repayment counseling
A company that offers credit card debt repayment counseling
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential of a security misconfiguration? Broad user training that includes initial, recurring, and refresher sessions Deeper personnel screening procedures for privileged users than is used for regular users A repeatable patching process that includes updating libraries as well as software Randomly auditing all user activity, with additional focus on privileged users
A repeatable patching process that includes updating libraries as well as software
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all the following data breach notification requirements except ____. Multiple state laws Contractual notification requirements All standards-based notification schemes Any applicable federal regulations
All standards-based notification schemes
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? Cloud customers and third parties are continually enhancing and modifying APIs APIs can have automated settings It is impossible to uninstall APIs APIs are a form of malware
Cloud customers and third parties are continually enhancing and modifying APIs
For US government agencies, what level of data sensitivity/classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria? Controlled Unclassified Information (CUI) Secret Top Secret Sensitive Compartmentalized Information
Controlled Unclassified Information (CUI)
Which of the following protocols is most applicable to the identification process aspect of IAM? SSL IPsec LDAP Amorphous ancillary data transmission (AADT)
LDAP
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that suffers a data breach might suffer all of the following negative effects except ______________. Cost of compliance with notification laws Loss of public perception/good will Loss of market share Cost of detection
Cost of detection
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "broken authentication and session management." Which of the following is a good method for reducing the risk of broken authentication and session management? Do not use custom authentication schemes Implement widespread training programs Ensure that strong input validation is in place Use X.400 protocol standards
Do not use custom authentication schemes - Only use approved, tested authentication implementations
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "unvalidated redirects and forwards." Which of the following is a good way to protect against this problem? Don't use redirects/forwards in your applications Refrain from storing credentials long term Implement SIEM/SIM/SEM solutions Implement digital rights management solutions
Don't use redirects/forwards in your applications
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site scripting (XSS)." Which of the following is not a method for reducing the risk of XSS attacks? Only put untrusted data in allowed slots of HTML documents HTML escape when including untrusted data in any HTML elements Attribute escape when including untrusted data in attribute elements Encrypting all HTML documents
Encrypting all HTML documents
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site request forgery". Which of the following is a good way to deter CSRF attacks? Have your website refuse all HTTP resource requests Ensure that all HTTP resource requests include a unique, unpredictable token Don't allow e-commerce on your website Process all user requests with only one brand of browser, and refuse all resource requests from other browsers
Ensure that all HTTP resource requests include a unique, unpredictable token
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "sensitive data exposure." Which of these is a technique to reduce the potential for a sensitive data exposure? Extensive user training on proper data handling techniques Advanced firewalls inspecting all inbound traffic, to include content based screening Ensuring the use of utility backup power supplies Roving security guards
Extensive user training on proper data handling techniques
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "broken authentication and session management." Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management? Session identification exposed in URLs Unprotected stored credentials Lack of session time-out Failure to follow HIPAA guidance
Failure to follow HIPAA guidance
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential of a security misconfiguration? Purchase only trusted devices/components Follow a published, known industry standard for baseline configurations Hire only screened, vetted candidates for all positions Update policy on a regular basis, according to a proven process
Follow a published, known industry standard for baseline configurations
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA's Notorious Nine list, data breaches can be ________. Overt or covert International or subterranean From internal or external resources Voluminous or specific
From internal or external resources
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWSAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential for a security misconfiguration? Enforce strong user access control processes Have a repeatable hardening process for all systems/software Use encryption for all remote access User encryption for all stored data
Have a repeatable hardening process for all systems/software
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is an example of a security misconfiguration? Having unpatched software in the prod environment Leaving unprotected portable media in the workplace Letting data owners determine the classifications/categorization of their data Preventing users from accessing untrusted networks
Having unpatched software in the prod environment
When reviewing IT security products that have been subjected to common criteria certification, what does the Evaluation Assurance Level (EAL) tell you? How secure the product is from an external attack How thoroughly the product has been tested The level of security the product delivers to an environment The level of trustworthiness you can have if you deploy the product
How thoroughly the product has been tested
Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework? ISO 27002 PCI DSS NIST SP 800-37 HIPPA
ISO 27002
In which of the following situations does the data owner have to administer the OS? IaaS PaaS Offsite archive SaaS
IaaS
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, all of the following activity can result in data loss except ________. Misplaced crypto keys Improper policy Ineffectual backup procedures Accidental overwrite
Improper policy
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site request forgery". Which of these is a technique to reduce the potential for a CSRF? Train users to detect forged HTTP requests Have users remove all browsers from their devices Don't allow links to or from other websites Include a CAPTCHA code as part of the user resource request process
Include a CAPTCHA code as part of the user resource request process
Who performs the review process for hardware security modules (HSM) in accordance with FIPS 140-2? NIST NSA Independent (private) labs The European Union Agency for Network and Information Security (ENISA)
Independent (private) labs
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "injection". In most cases, what is the method for reducing the risk of an injection attack? User training Hardening the OS Input validation/bounds checking Physical locks
Input validation/bounds checking - If the application has suitable input validation (that is refusing code strings and confirming that input conforms to field value types) it will block the attack
What sort of legal enforcement may the PCI Security Standards Council not bring to bear against organizations that fail to comply with the PCI DSS? Fines Jail time Suspension of credit card processing privileges Subject to increased audit frequency and scope
Jail time - PCI is not a government body and therefore cannot enforce imprisonment
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is an example of a security misconfiguration? Not providing encryption keys to untrusted users Having a public-facing website Leaving default accounts unchanged Using turnstiles instead of mantraps
Leaving default accounts unchanged
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, data loss can be suffered as a result of ______activity. Malicious or inadvertent Casual or explicit Web-based or stand-alone Managed or independent
Malicious or inadvertent
Who pays for cryptographic modules to be certified in accordance with FIPS 140-2 criteria? US government Module vendors Certification laboratories Module users
Module vendors
How often should the accounts of privileged users be reviewed? Annually Twice a year Monthly More often than regular user account reviews
More often than regular user account reviews
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing? Most of the cloud customer's interaction with resources will be performed through APIs APIs are inherently insecure Attackers have already published vulnerabilities for all known APIs APIs are known carcinogens
Most of the cloud customer's interaction with resources will be performed through APIs
Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. Which aspect of cloud computing should she be most concerned about, in terms of security issues? Multitenancy Metered service Service-level agreement (SLA) Remote access
Multitenancy
Who publishes the list of cryptographic modules validated according to the Federal Information Processing Standard (FIPS) 140-2? The US Office of Management and Budget (OMB) The International Standards Organization (ISO) ISC2 The National Institute of Standards and Technology
NIST
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that operates in the cloud environment and suffers a data breach may be required to _______. Notify affected users Reapply for cloud service Scrub all affected physical memory Change regulatory frameworks
Notify affected users
The PCI DSS merchant levels are based on _______. Dollar value of transactions over the course of a year Number of transactions over the course of a year Location of the merchant or processor Dollar value and number of transactions over the year
Number of transactions over the course of a year
Why is the deprovisioning element of the identification component of IAM so important? Extra accounts cost so much extra money Open by unassigned accounts are vulns User tracking is essential to performance Encryption has to be maintained
Open by unassigned accounts are vulns
Alice is the CEO for a software company; she is considering migrating the operation from the current on-premises legacy environment into the cloud. Which cloud services model should she most likely consider for her company's purpose? PaaS SaaS Baas IaaS
PaaS will allow her developers to create and design their software on a variety of different Oss, increasing the breadth if the market she can sell to. Also, she can use geographically dispersed programmers to work on projects concurrently, and the provider with be responsible for maintain and updating the Oss as necessary.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWAP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "using components with known vulnerabilities." Why would an organization ever use components with known vulnerabilities to create software? Org is insured Particular vulns only exist in a context not being used by the developers Some vulns only exist in foreign countries A component might have a hidden vulnerability
Particular vulns only exist in a context not being used by the developers
The additional review activities that might be performed for privileged user accounts could include all of the following except______. Deeper personnel background checks Review of personal financial accounts for privileged users More frequent reviews of the necessity for access Pat-down checks of privileged users to deter against physical theft
Pat-down checks of privileged users to deter against physical theft
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "security misconfiguration." Which of these is a technique to reduce the potential of a security misconfiguration? Get regulatory approval for major configuration modifications Update the BCDR plan on a timely basis Train all users on proper security procedures Perform periodic scans and audits of the environment
Perform periodic scans and audits of the environment
Why might an organization choose to comply with NIST SP 800-series standards? Price Ease of implementation International acceptance Speed
Price - they are free
You are the SME for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether the cloud provider will be able to comply with the existing legislative and contractual frameworks your organization is required to follow. This is a(n)____________ issue. Resiliency Privacy Performance Regulatory
Regulatory
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which aspect of cloud computing makes it particulary suspectible to account/service traffic highjacking? Scalability Metered service Remote access Pooled resources
Remote access
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "missing function level access control." Which of these is a technique to reduce the potential for a missing function level access control? Run a process as both user and privileged user, and determine similarity Run automated monitoring and audit scripts Include browser buttons/navigation elements to secure functions Enhance user training to include management personnel
Run a process as both user and privileged user, and determine similarity
The SSAE 16 SOC reports are audit tools promulgated by the AICPA. As an investor, when reviewing SOC reports for a cloud provider, which report would you most like to see? SOC 1 SOC 2, Type 1 SOC 2, Type 2 SOC 3
SOC 1
The SSAE 16 SOC reports are audit tools promulgated by the AICPA. As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you most like to see? SOC 1 SOC 2, Type 1 SOC 2, Type 2 SOC 3
SOC 2, Type 2
The SSAE 16 SOC reports are audit tools promulgated by the AICPA. You are an IT Security progessional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 16 audits and some haven't, which SOC report might be best for your intial review of several different cloud providers, in order to narrow down the field of potential services in a fast, easy way? SOC 1 SOC 2, Type 1 SOC 2, Type 2 SOC 3
SOC 3
The Statement on Auditing Standards (SAS) 70, published by the American Institute of Certified Public Accountants (AICPA), was, for a long time, the definitive audit standard for data center customers. It was replaced in 2011 by the ______. SABSA SSAE 16 Biba NIST SP 800-53
SSAE 16
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "missing function level access control." Which of these is a technique to reduce the potential for a missing function level access control? Set default to deny all access to functions, and require authentication/authorization for each access request HTML escape all HTML attributed Restrict permissions based on an access control list (ACL) Refrain from including direct access information in URLs
Set default to deny all access to functions, and require authentication/authorization for each access request
The Cloud Security Alliance (CSA) published the Notorious Nine, a list of common threats to organizations participating in cloud computing. The CSA recommends the prohibition of ______ in order to diminish the likliehood of account/service traffic highjacking. All user activity Sharing account credentials between users and services Multifactor authentication Interstate commerce
Sharing account credentials between users and services
The PCI DSS requires __________security requirements for entities involved in credit card payments and processing. Technical Nontechnical Technical and nontechnical Neither technical nor nontechnical
Technical and nontechnical
Privileged user account access should be _______. Temporary Pervasive Thorough Granular
Temporary
Who published the list of cryptographic modules validated according to the FIPS 140-2? The US Office of Management and Budget (OMB) The International Standards Organization (ISO) ISC2 The National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST)
What distinguishes the FIPS 140-2 security levels for cryptographic modules? The level of sensitivity of data they can be used to protect The amount of physical protection provided by the product, in terms of tamper resistance The size of the IT environment the product can be used to protect The geographic locations in which the product is permitted to be used
The amount of physical protection provided by the product, in terms of tamper resistance
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site request forgery". A CSRF attack might be used for all the following malicious actions except_________. The attacker could have the user log in to one of the user's online accounts The attacker could collect the user's online account login credentials, to be used by the attacker later The attacker could have the user perform an action in one of the user's online accounts The attacker could trick the user into calling a fraudulent customer services number hosted by the attacker and talk the user into disclosing personal information
The attacker could trick the user into calling a fraudulent customer services number hosted by the attacker and talk the user into disclosing personal information
If personal financial account reviews are performed as an additional security control for privileged users, which of the following characteristics is least likely to be a useful indicator for review purpose? Too much money in the bank Too little money in the account The bank branch being used Specific sender/recipients
The bank branch being used
Which of the following is the least important factor to an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment? Depreciation of IT assets Shift in focus from IT dependences to business process opportunities The cloud provider's proximity to the organization's employees Costs associated with utility consumption
The cloud provider's proximity to the organization's employees
When the cloud customer requests modifications to the current contract or service-level agreement (SLA) between the cloud customer and provider for BD/DR purposes, who should absorb the cost of modifications? The customer absorbs the cost The provider absorbs the cost The cost should be split equally Modifications don't cost anything
The customer absorbs the cost
Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, every piece of data, and transaction that takes place on the cloud, why might that not be optimum choice for an organization? It could increase the possibility of physical theft Encryption won't work throughout the environment The protection might be disproportionate to the value of the assets Users will be able to see everything within an organization
The protection might be disproportionate to the value of the assets
Who pays for the Common Criteria certification of an IT product? NIST The vendor/manufacturer The Cloud customer The end user
The vendor/manufacturer
All of the following are reasons to perform review and maintenance actions on user accounts except________. To determine whether the user still needs the same access To determine whether the user is still with the organization To determine whether the data set is still applicable to the user's role To determine whether the user is still performing well
To determine whether the user is still performing well
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "injection". In most cases, what is the attacker trying to do with an injection attack? Get the user to allow access for the attacker Insert malware onto the system Trick the application into running commands Penetrate the facility hosting the software
Trick the application into running commands - Injection attack is adding a string line of commands into the code
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "using components with known vulnerabilities." Which of the following is a good way to protect against this problem? Use only components your organization has written Update to current versions of component libraries asap Never use anyone else's component library Apply patched to old component libraries
Update to current versions of component libraries asap
Who should be involved in review and maintenance of user accounts/access? User's manager Security manager Accounting department Incident response team
User's manager
Which of the following is an aspect of IT costs that should be reduced by moving into the cloud? Utilities costs Security costs Landscaping costs Travel costs
Utilities costs
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "broken authentication and session management." Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management? Failure to rotate session IDs after a successful login Easily guessed authentication credentials Weak physical entry points in the data center Credentials sent over unencrypted lines
Weak physical entry points in the data center
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-drive OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "cross-site scripting (XSS)." Which of the following is not a method for reducing the risk of XSS attacks? Use an auto-escaping template system XML escape all identity assertations Sanitize HTML markup with a library designed for the purpose HTML escape JSON values in an HTML context and read the data with JSON.parse
XML escape all identity assertations