C838 - MANAGING CLOUD SECURITY FINAL EXAM REVISION
Typology: Exams
_____ drive security decisions. - ANSWERS-business requirements

All of these are reasons because of which an organization may want to consider cloud migration, except: - ANSWERS-Elimination of risks

The generally accepted definition of cloud computing includes all of the following characteristics except: - ANSWERS-negating the need for backups

When a cloud customer uploads PII to a cloud provider, who becomes ultimately responsible for the security of that PII? - ANSWERS-cloud customer

We use which of the following to determine the critical paths, processes, and assets of an organization? - ANSWERS-BIA

If a service or solution does not meet all of the specified key characteristics listed below, it is said to be not true cloud computing. Please select the valid cloud computing characteristics out of the terms identified below. Each correct answer represents a complete solution. Choose all that apply. - ANSWERS-On-demand self-service, Broad network access, Resource pooling, Measured service

All of these technologies have made cloud service viable except: - ANSWERS-smart hubs

The cloud deployment model that features organizational ownership of the hardware and infrastructure, and usage only by members of that organization, is known as: - ANSWERS-private

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as: - ANSWERS-Public

The cloud deployment model that features joint ownership of assets among an affinity group is known as: - ANSWERS-Community

If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best? - ANSWERS-PaaS

If a cloud customer wants a fully-operational environment with very little maintenance or administration necessary, which cloud service model would probably be best? - ANSWERS-SaaS

If a cloud customer wants a bare-bones environment in which to replicate their own enterprise for BC/DR purposes, which cloud service model would probably be best? - ANSWERS-IaaS

Which of the following is not a common cloud service model? - ANSWERS-Programming as a Service

Cloud Access Security Brokers (CASBs) might offer all the following services EXCEPT: - ANSWERS-BC / DR / COOP

If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad? - ANSWERS-Availability

All of the following can result in vendor lock-in except: - ANSWERS-Statutory compliance

The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as: - ANSWERS-vendor lock-out

practitioner should convince senior management to include security controls of which type? - ANSWERS-All of These (Technological, Physical, Administrative)

Which of the following is considered an administrative control? - ANSWERS-Access control process

Which of the following is considered a technological control? - ANSWERS-Firewall Software

Which of the following is considered a physical control? - ANSWERS-Fences

In a cloud environment, encryption should be used for all the following, except: - ANSWERS-Profile formatting

The process of hardening a device should include all of the following, except: - ANSWERS-Improve default accounts

The process of hardening a device should include which of the following? - ANSWERS-updating and patching the system

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first? - ANSWERS-Homomorphic

To protect data on user devices in a BYOD environment, the organization should consider requiring all of the following, except:

Data labels could include all the following, except: - ANSWERS-delivery vendor

Data labels could include all the following, except: - ANSWERS-Multifactor authentication

All the following are data analytics modes, except: - ANSWERS-Refractory iteration

In the cloud motif, the data owner is usually: - ANSWERS-the cloud customer

In the cloud motif, the data processor is usually: - ANSWERS-cloud provider

All of the following regions have at least one country with an overarching, federal privacy law protecting personal data of its citizens, except: - ANSWERS-The United States

What is the intellectual property protection for the tangible expression of a creative idea? - ANSWERS-copyright

What is the intellectual property protection for a useful manufacturing innovation? - ANSWERS-patent

What is the intellectual property protection for a very valuable set of sales leads? - ANSWERS-trade secret

What is the intellectual property protection for a confidential recipe for muffins? - ANSWERS-trade secret

What is the intellectual property protection for the logo of a new video game? - ANSWERS-Trademark

What is the aspect of the DMCA that has often been abused and places the burden of proof on the accused? - ANSWERS-Takedown notice

What is the federal agency that accepts applications for new patents? - ANSWERS-USPTO

caches of copied content close to locations of high demand? - ANSWERS-CDN

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except: - ANSWERS-data discovery

The goals of SIEM solution implementation include all of the following, except: - ANSWERS-performance enhancement

DLP solutions can aid in deterring loss due to which of the following? - ANSWERS-inadvertent disclosure

DLP solutions can aid in deterring loss due to which of the following? - ANSWERS-malicious disclosure

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? - ANSWERS-homomorphic encryption

Proper implementation of DLP solutions for successful function requires which of the following? - ANSWERS-accurate data categorization

Tokenization requires two distinct ______________. - ANSWERS-databases

Data masking can be used to provide all of the following functionality, except: - ANSWERS-authentication of privileged users

DLP can be combined with what other security technology to enhance data controls? - ANSWERS-DRM

Best practices for key management include all of the following, except: - ANSWERS-ensure multifactor authentication

What are third-party providers of IAM functions for the cloud environment? - ANSWERS-CASBs

The goals of DLP solution implementation include all of the following, except: - ANSWERS-Elasticity

What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud? - ANSWERS-portability

All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in, except: - ANSWERS-Use DRM and DLP solutions widely throughout the cloud operation

The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement? - ANSWERS-IaaS

Because of multitenancy, specific risks in the public cloud that don't exist in the other cloud service models include all the following except: - ANSWERS-DoS/DDoS

What is the term used to describe loss of access to data because the cloud provider has ceased operation? - ANSWERS-vendor lock-out

Because PaaS implementations are so often used for software development, what is one of the vulnerabilities that should always be kept in mind? - ANSWERS-backdoors

Which hypervisor would malicious attackers prefer to attack? - ANSWERS-Type 2

Countermeasures for protecting cloud operations against external attackers include all of the following except: - ANSWERS-Detailed and extensive background checks

Which of the following is a technique used to attenuate risks to

the following? - ANSWERS-the cost-benefit analysis the organization conducted when deciding on cloud migration

Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except: - ANSWERS-the cloud provider's resellers

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is: - ANSWERS-Legal liability can't be transferred to the cloud provider

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties? - ANSWERS-the contract

In all cloud models, security controls are driven by which of the following? - ANSWERS-business requirements

A firewall can use all of the following techniques for controlling traffic except: - ANSWERS-randomization

A honeypot should contain _________ data. - ANSWERS-useless

Vulnerability assessments cannot detect which of the following? - ANSWERS-zero-day exploits

What is the cloud service model in which the customer is responsible for administration of the OS? - ANSWERS-IaaS

Hardening the operating system refers to all of the following except: - ANSWERS-Removing antimalware agents

Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives? - ANSWERS-open source software

In all cloud models, the customer will be given access and ability to modify which of the following? - ANSWERS-data

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except: - ANSWERS-security control administration

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider? - ANSWERS-SOC 3

Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it? - ANSWERS-SOC 2 Type 2

As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphia, Congress passed legislation known as: - ANSWERS-SOX

The cloud customer's trust in the cloud provider can be enhanced by all of the following except: - ANSWERS-Real-time video surveillance

User access to the cloud environment can be administered in all of the following ways except: - ANSWERS-customer provides administration on behalf of the provider

Which kind of SSAE audit reviews controls dealing with the organization's controls for assuring the confidentiality, integrity, and availability of data? - ANSWERS-SOC 2

Which kind of SSAE report comes with a seal of approval from a certified auditor? - ANSWERS-SOC 3

Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer's trust in the provider? - ANSWERS-Audit and performance log data

In all cloud models, the _________ will retain ultimate liability and responsibility for any data loss or disclosure. - ANSWERS-customer

Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like: - ANSWERS-XSS and SQL Injection

Multifactor authentication consists of at least two items. Which of the following best represents this concept? - ANSWERS-Something you know and something you have

Which of the following best represents the definition of REST? - ANSWERS-Lightweight and scalable

Which of the following best describes a sandbox? - ANSWERS-An isolated space where untested code and experimentation can safely occur separate from the production environment

APIs are defined as which of the following? - ANSWERS-A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool

SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP? - ANSWERS-Extremely fast

Sandboxing provides which of the following? - ANSWERS-A test environment that isolates untrusted code changes for testing in a nonproduction environment.

Which of the following is not a component of the STRIDE model? - ANSWERS-External pen testing

Which of the following best describes SAST? - ANSWERS-A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability

Which of the following best describes data masking? - ANSWERS-A method for creating similar but inauthentic datasets used for software testing and user training.

Which of the following best describes data masking? - ANSWERS-Data masking is used to create a similar, inauthentic dataset used for training and software testing.

Dynamic application security testing (DAST) is best described as which of the following? - ANSWERS-Test performed on an application or software product while it is being executed in memory in an operating system

What is the lowest tier of datacenter redundancy, according to the Uptime Institute? - ANSWERS-

What is the amount of fuel that should be on hand to power generators for backup datacenter power, in all tiers, according to the Uptime Institute? - ANSWERS-12 hours

Which of the following is not a feature of a secure KVM component? - ANSWERS-Keystroke logging

What type of redundancy can we expect to find in a datacenter of any tier? - ANSWERS-Emergency egress

What should be the primary focus of datacenter redundancy and contingency planning? - ANSWERS-Health and Human Safety

Which of the following techniques for ensuring cloud datacenter storage resiliency uses parity bits and disk striping? - ANSWERS-RAID

Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations? - ANSWERS-Cross-training

Which of the following has not been attributed as the cause of lost capabilities due to DoS? - ANSWERS-Changing regulatory motif

What is often a major challenge to getting both redundant power

Which characteristic of automated patching makes it attractive? - ANSWERS-speed

For performance purposes, OS monitoring should include all of the following except: - ANSWERS-print spooling

Maintenance mode requires all of these actions except: - ANSWERS-initiate enhanced security controls

When deciding whether to apply specific updates, it is best to follow ________, in order to demonstrate due care. - ANSWERS-vendor guidance

How often should the CMB meet? - ANSWERS-Often enough to address organizational needs and attenuate frustration with delay

The CMB should include representations from all of the following offices except: - ANSWERS-Regulators

What is one of the reasons a baseline might be changed? - ANSWERS-numerous change requests

Deviations from the baseline should be investigated and ________ - ANSWERS-documented

The baseline should cover which of the following? - ANSWERS-as many systems throughout the organization as possible

Which form of BC/DR testing has the most impact on operations? - ANSWERS-full test

Which form of BC/DR testing has the least impact on operations? - ANSWERS-tabletop

Which characteristic of liquid propane increases its desirability as a fuel for backup generators? - ANSWERS-does not spoil

A UPS should have enough power to last how long? - ANSWERS-long enough for graceful shutdown

A generator transfer switch should bring backup power online within what time frame? - ANSWERS-before the UPS duration is exceeded

Which tool can reduce confusion and misunderstanding during a BC/DR response? - ANSWERS-checklist

In addition to battery backup, a UPS can offer which capability? - ANSWERS-line conditioning

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following? - ANSWERS-joint operating agreements

Generator fuel storage for a cloud datacenter should last for how long, at a minimum? - ANSWERS-12 hours

The BC/DR kit should include all of the following except: - ANSWERS-hard drives

Legal controls refer to which of the following? - ANSWERS-Controls designed to comply with laws and regulations related to the cloud environment

Which of the following is not associated with security? - ANSWERS-Quality

Which of the following laws resulted from a lack of independence in audit practices? - ANSWERS-SOX

Which statute addresses security and privacy matters in the financial industry? - ANSWERS-GLBA

Which of the following is not an example of a highly regulated environment? - ANSWERS-Wholesale or distribution

SOX was enacted because of which of the following? - ANSWERS-"ALL OF THESE" Poor BOD oversight

Which of the following reports is no longer used? - ANSWERS-SAS 70

Which of the following reports is most aligned with financial control audits? - ANSWERS-SOC 1

Which of the following is the primary purpose of an SOC 3 report?

coupled with a vulnerability

Which of the following is not a part of the ENISA Top 8 Security Risks of cloud computing? - ANSWERS-availability

Which of the following is a risk management option that halts a business function? - ANSWERS-Avoidance

Which of the following methods of addressing risk is most associated with insurance? - ANSWERS-Transference

Which of the following is not a way to manage risk? - ANSWERS-Enveloping

Which of the following is not a risk management framework? - ANSWERS-Hex GBL

Which of the following is not appropriate to include in an SLA? - ANSWERS-Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status

Which of the following is not one of the types of controls? - ANSWERS-Transitional

Which of the following is not an example of an essential internal stakeholder? - ANSWERS-IT analyst

Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider? - ANSWERS-Use of subcontractors

Which is the lowest level of the CSA STAR program? - ANSWERS-Self-Assessment

The CSA STAR program consists of three levels. Which of the following is not one of those levels? - ANSWERS-SOC 2 audit certification

Which ISO standard refers to addressing security risks in a supply