(ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests - Sean Murphy, Ben Malisow
CHAPTER 1 Domain 1: Cloud Concepts, Architecture, and Design
Domain 1 of the Certified Cloud Security Professional (CCSP) Exam Outline is an introductory section that touches on almost every other element of the exam outline, so you’ll find a wide breadth of content and subject matter ranging over many topics. The questions in this chapter reflect that broad scope but also go into some level of detail on certain aspects you’ll find pertinent to the exam.
1. Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which cloud service model should she most likely consider for her company’s purposes?
   A. Platform as a service (PaaS)
   B. Software as a service (SaaS)
   C. Backup as a service (BaaS)
   D. Infrastructure as a service (IaaS)

2. Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which aspect of cloud computing should she be most concerned about, in terms of security issues?
   A. Multitenancy
   B. Metered service
   C. Service-level agreement (SLA)
   D. Remote access

3. Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. In order to protect her company’s intellectual property, Alice might want to consider implementing all these techniques/solutions except ____________.
   A. Egress monitoring
   B. Encryption
   C. Turnstiles
   D. Digital watermarking

4. Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. What is probably the biggest factor in her decision?
   A. Network scalability
   B. Off-site backup capability
   C. Global accessibility
   D. Reduced overall cost due to outsourcing administration

5. In which of the following situations does the data owner have to administer the OS?
   A. IaaS
   B. PaaS
   C. Off-site archive
   D. SaaS

6. You are setting up a cloud implementation for an online retailer who will accept credit card payments. According to the Payment Card Industry Data Security Standard (PCI DSS), what can you never store for any length of time?
   A. Personal data of consumers
   B. The credit card verification (CCV) number
   C. The credit card number
   D. Home address of the customer

7. The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on ____________.
   A. Number of transactions per year
   B. Dollar value of transactions per year
   C. Geographic location
   D. Jurisdiction

8. What is usually considered the difference between business continuity (BC) efforts and disaster recovery (DR) efforts?
   A. BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO).
   B. BC is for events caused by humans (like arson or theft), whereas DR is for natural disasters.
   C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.
   D. BC involves protecting human assets (personnel, staff, users), whereas DR is about protecting property (assets, data).

9. For business continuity and disaster recovery (BC/DR) purposes, the contract between the primary cloud provider and customer should include all of the following except _______________.
   A. Which party will be responsible for initiating a BC/DR response activity
   B. How a BC/DR response will be initiated
   C. How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service
   D. How much a new cloud provider will charge the customer if data has to be ported from the current cloud provider because of a disruptive event

10. When the cloud customer requests modifications to the current contract or service-level agreement (SLA) for business continuity/disaster recovery (BC/DR) purposes, who should absorb the cost of modification?
   A. The customer absorbs the cost.
   B. The provider absorbs the cost.
   C. The cost should be split equally.
   D. Modifications don’t cost anything.

11. Which of the following is not a factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
   A. Pooled resources in the cloud
   B. Shifting from IT investment as capital expenditures to operational expenditures
   C. The time savings and efficiencies offered by the cloud service
   D. Branding associated with which cloud provider might be selected

12. Which of the following is the least important factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
   A. Depreciation of IT assets
   B. Shift in focus from IT dependencies to business process opportunities
   C. Whether the provider bills on a monthly or weekly basis
   D. Costs associated with utility consumption

13. Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment into the cloud?
   A. Number of users
   B. Cost of software licensing
   C. Number of applications
   D. Number of clientele

14. Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment to the cloud?
   A. Utilities costs
   B. Security costs
   C. Landscaping costs
   D. Travel costs

15. Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment to the cloud?
   A. Personnel training
   B. Personnel turnover
   C. Capital expenses for IT assets
   D. Loss due to an internal data breach

16. Although cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual financial benefit the organization realizes in a cloud environment?
   A. Altitude of the cloud data center
   B. Security controls and countermeasures
   C. Loss of ownership of IT assets
   D. Costs of Internet connectivity for remote users
17. What is the international standard that dictates creation of an organizational information security management system (ISMS)?
   A. NIST SP 800-53
   B. PCI DSS
   C. ISO 27001
   D. NIST SP 800-37

18. ISO 27001 favors which type of technology?
   A. Open source
   B. PC
   C. Cloud-based
   D. None

19. Why might an organization choose to comply with the ISO 27001 standard?
   A. Price
   B. Ease of implementation
   C. International acceptance
   D. Speed

20. Why might an organization choose to comply with NIST SP 800-series standards?
   A. Price
   B. Ease of implementation
   C. International acceptance
   D. Speed

21. Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?
   A. ISO 27002
   B. Payment Card Industry Data Security Standard (PCI DSS)
   C. NIST SP 800-37
   D. Health Insurance Portability and Accountability Act (HIPAA)

22. The current American Institute of Certified Public Accountants (AICPA) publishes the _______________ standard, from which the Service Organization Control (SOC) reports are derived.
   A. Sherwood Applied Business Security Architecture (SABSA)
   B. Statement on Standards for Attestation Engagements (SSAE) 18
   C. Biba
   D. NIST SP 800-53

23. Which U.S. federal law affects banking and insurance companies?
   A. NIST 800-53
   B. HIPAA
   C. Sarbanes-Oxley Act (SOX)
   D. Gramm-Leach-Bliley Act (GLBA)

24. The Statement on Standards for Attestation Engagements 18 (SSAE 18) Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). What kind of entities were SOC reports designed to audit?
   A. U.S. federal government
   B. Privately held companies
   C. Companies that provide services
   D. Nonprofit organizations

25. The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you most like to see?
   A. SOC 1
   B. SOC 2, Type 1
   C. SOC 2, Type 2
   D. SOC 3

26. The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an investor, when reviewing SOC reports for a cloud provider, which report would you most like to see?
   A. SOC 1
   B. SOC 2, Type 1
   C. SOC 2, Type 2
   D. SOC 3

27. The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). You are an IT security professional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 18 audits and some haven’t, which SOC report might be best to use for your initial review of several different cloud providers in order to narrow down the field of potential services in a fast, easy way?
   A. SOC 1
   B. SOC 2, Type 1
   C. SOC 2, Type 2
   D. SOC 3

28. Which of the following entities would not be covered by the Payment Card Industry Data Security Standard (PCI DSS)?
   A. A bank issuing credit cards
   B. A retailer accepting credit cards as payment
   C. A business that processes credit card payments on behalf of a retailer
   D. A company that offers credit card debt repayment counseling

29. What sort of legal enforcement may the Payment Card Industry (PCI) Security Standards Council not bring to bear against organizations that fail to comply with the Payment Card Industry Data Security Standard (PCI DSS)?
   A. Fines
   B. Jail time
   C. Suspension of credit card processing privileges
   D. Subject to increased audit frequency and scope

30. The Payment Card Industry Data Security Standard (PCI DSS) merchant levels are based on _______________.
   A. Dollar value of transactions over the course of a year
   B. Number of transactions over the course of a year
   C. Location of the merchant or processor
   D. Dollar value and number of transactions over the course of a year

31. In terms of greatest stringency and requirements for security validation, which is the highest merchant level in the Payment Card Industry (PCI) standard?
   A. 1
   B. 2
   C. 3
   D. 4

32. The Payment Card Industry Data Security Standard (PCI DSS) requires _______________ security requirements for entities involved in credit card payments and processing.
   A. Technical
   B. Nontechnical
   C. Technical and nontechnical
   D. Neither technical nor nontechnical

33. According to the Payment Card Industry Data Security Standard (PCI DSS), if a merchant is going to store credit cardholder information for any length of time, what type of security protection must be used?
   A. Tokenization or masking
   B. Obfuscation or tokenization
   C. Masking or obfuscation
   D. Tokenization or encryption

34. What element of credit cardholder information may never be stored for any length of time, according to the Payment Card Industry Data Security Standard (PCI DSS)?
   A. The full credit card number
   B. The card verification value (CVV)
   C. The cardholder’s mailing address
   D. The cardholder’s full name

35. When reviewing IT security products that have been subjected to Common Criteria certification, what does the Evaluation Assurance Level (EAL) tell you?
   A. How secure the product is from an external attack
   B. How thoroughly the product has been tested
   C. The level of security the product delivers to an environment
   D. The level of trustworthiness you can have if you deploy the product

36. Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are functionally tested by their manufacturer/vendor?
   A. 1
   B. 3
   C. 5
   D. 7

37. Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party?
   A. 1
   B. 3
   C. 5
   D. 7

38. Who pays for the Common Criteria certification of an IT product?
   A. National Institute of Standards and Technology (NIST)
   B. The vendor/manufacturer
   C. The cloud customer
   D. The end user

39. Who publishes the list of cryptographic modules validated according to the Federal Information Processing Standard (FIPS) 140-2?
   A. The U.S. Office of Management and Budget (OMB)
   B. The International Standards Organization (ISO)
   C. International Information System Security Certification Consortium, or (ISC)2
   D. The National Institute of Standards and Technology (NIST)

40. Who performs the review process for hardware security modules (HSMs) in accordance with the Federal Information Processing Standard (FIPS) 140-2?
   A. The National Institute of Standards and Technology (NIST)
   B. The National Security Agency (NSA)
   C. Independent (private) laboratories
   D. The European Union Agency for Network and Information Security (ENISA)

41. In terms of the number of security functions offered, which is the highest Federal Information Processing Standard (FIPS) 140-2 security level a cryptographic module can achieve in certification?
   A. 1
   B. 2
   C. 3
   D. 4

42. What distinguishes the Federal Information Processing Standard (FIPS) 140-2 security levels for cryptographic modules?
   A. The level of sensitivity of data they can be used to protect
   B. The amount of physical protection provided by the product, in terms of tamper resistance
   C. The size of the IT environment the product can be used to protect
   D. The geographic locations in which the product is allowed

43. For U.S. government agencies, what level of data sensitivity/classification may be processed by cryptographic modules certified according to the Federal Information Processing Standard (FIPS) 140-2 criteria?
   A. Sensitive but unclassified (SBU)
   B. Secret
   C. Top Secret
   D. Sensitive Compartmentalized Information (SCI)

44. Who pays for cryptographic modules to be certified in accordance with Federal Information Processing Standard (FIPS) 140-2 criteria?
   A. The U.S. government
   B. Module vendors
   C. Certification laboratories
   D. Module users
45. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. What is probably the single most important way of countering the highest number of items on the OWASP Top Ten (regardless of year)?
   A. Social engineering training
   B. Disciplined coding practices and processes
   C. White-box source code testing
   D. Physical controls at all locations at which the application is eventually used

46. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “injection.” In most cases, what is the attacker trying to do with an injection attack?
   A. Get the user to allow access for the attacker.
   B. Insert malware onto the system.
   C. Trick the application into running commands.
   D. Penetrate the facility hosting the software.

47. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “injection.” In most cases, what is the method for reducing the risk of an injection attack?
   A. User training
   B. Hardening the OS
   C. Input validation/bounds checking
   D. Physical locks

48. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is a good method for reducing the risk of broken authentication and session management?
   A. Do not use custom authentication schemes.
   B. Implement widespread training programs.
   C. Ensure that strong input validation is in place.
   D. Use X.400 protocol standards.

49. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?
   A. Session identification exposed in URLs
   B. Unprotected stored credentials
   C. Lack of session timeout
   D. Failure to follow Health Insurance Portability and Accountability Act (HIPAA) guidance

50. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?
   A. Failure to rotate session IDs after a successful login
   B. Easily guessed authentication credentials
   C. Weak physical entry points in the data center
   D. Credentials sent over unencrypted lines

51. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “cross-site scripting (XSS).” Which of the following is not a method for reducing the risk of XSS attacks?
   A. Put untrusted data in only allowed slots of HTML documents.
   B. HTML escape when including untrusted data in any HTML elements.
   C. Use the attribute escape when including untrusted data in attribute elements.
   D. Encrypt all HTML documents.

52. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “cross-site scripting (XSS).” Which of the following is not a method for reducing the risk of XSS attacks?
   A. Use an auto-escaping template system.
   B. Use XML escape for all identity assertions.
   C. Sanitize HTML markup with a library designed for the purpose.
   D. HTML escape JSON values in an HTML context and read the data with JSON.parse.

53. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “insecure direct object references.” Which of these is an example of an insecure direct object reference?
   A. www.sybex.com/authoraccounts/benmalisow
   B. 10 ? "sybex accounts"; 20 goto 10
   C. mysql -u [bmalisow] -p [database1];
   D. bmalisow@sybex.com

54. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “insecure direct object references.” Which of these is a method to counter the risks of insecure direct object references?
   A. Perform user security training.
   B. Check access each time a direct object reference is called by an untrusted source.
   C. Install high-luminosity interior lighting throughout the facility.
   D. Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity.

55. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is an example of a security misconfiguration?
   A. Not providing encryption keys to untrusted users
   B. Having a public-facing website
   C. Leaving default accounts unchanged
   D. Using turnstiles instead of mantraps

56. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is an example of a security misconfiguration?
   A. Having unpatched software in the production environment
   B. Leaving unprotected portable media in the workplace
   C. Letting data owners determine the classifications/categorizations of their data
   D. Preventing users from accessing untrusted networks

57. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?
   A. Enforce strong user access control processes.
   B. Have a repeatable hardening process for all systems/software.
   C. Use encryption for all remote access.
   D. Use encryption for all stored data.

58. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?
   A. Broad user training that includes initial, recurring, and refresher sessions
   B. Deeper personnel screening procedures for privileged users than is used for regular users
   C. A repeatable patching process that includes updating libraries as well as software
   D. Randomly auditing all user activity, with additional focus on privileged users

59. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?
   A. Purchase only trusted devices/components.
   B. Follow a published, known industry standard for baseline configurations.
   C. Hire only screened, vetted candidates for all positions.
   D. Update policy on a regular basis, according to a proven process.

60. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?
   A. Get regulatory approval for major configuration modifications.
   B. Update the business continuity and disaster recovery (BC/DR) plan on a timely basis.
   C. Train all users on proper security procedures.
   D. Perform periodic scans and audits of the environment.

61. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “sensitive data exposure.” Which of these is a technique to reduce the potential for a sensitive data exposure?
   A. Extensive user training on proper data handling techniques
   B. Advanced firewalls inspecting all inbound traffic, to include content-based screening
   C. Ensuring the use of utility backup power supplies
   D. Roving security guards

62. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “sensitive data exposure.” All of the following are techniques for reducing the possibility of exposing sensitive data, except ____________.
   A. Destroying sensitive data as soon as possible
   B. Avoiding categorizing data as sensitive
   C. Using proper key management when encrypting sensitive data
   D. Disabling autocomplete on forms that collect sensitive data

63. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list sometimes includes “missing function level access control.” Which of these is a technique to reduce the potential for a missing function-level access control?
   A. Set the default to deny all access to functions, and require authentication/authorization for each access request.
   B. HTML escape all HTML attributes.
   C. Restrict permissions based on an access control list (ACL).
   D. Refrain from including direct access information in URLs.

64. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list sometimes includes “missing function level access control.” Which of these is a technique to reduce the potential for a missing function-level access control?
   A. Run a process as both user and privileged user, compare results, and determine similarity.
   B. Run automated monitoring and audit scripts.
   C. Include browser buttons/navigation elements to secure functions.
   D. Enhance user training to include management personnel.

65. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “cross-site request forgery” (CSRF). Which of these is a technique to reduce the potential for a CSRF?
   A. Train users to detect forged HTTP requests.
   B. Have users remove all browsers from their devices.
   C. Don’t allow links to or from other websites.
   D. Include a CAPTCHA code as part of the user resource request process.

66. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “cross-site request forgery” (CSRF). A CSRF attack might be used for all the following malicious actions except _______________.
   A. The attacker could have the user log into one of the user’s online accounts.
   B. The attacker could collect the user’s online account login credentials, to be used by the attacker later.
   C. The attacker could have the user perform an action in one of the user’s online accounts.
   D. The attacker could trick the user into calling a fraudulent customer service number hosted by the attacker and talk the user into disclosing personal information.

67. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “cross-site request forgery” (CSRF). Which of the following is a good way to deter CSRF attacks?
   A. Have your website refuse all HTTP resource requests.
   B. Ensure that all HTTP resource requests include a unique, unpredictable token.
   C. Don’t allow e-commerce on your website.
   D. Process all user requests with only one brand of browser, and refuse all resource requests from other browsers.

68. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “using components with known vulnerabilities.” Which of the following is a good way to protect against this problem?
   A. Use only components your organization has written.
   B. Update to current versions of component libraries as soon as possible.
   C. Never use anyone else’s component library.
   D. Apply patches to old component libraries.

69. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “using components with known vulnerabilities.” Why would an organization ever use components with known vulnerabilities to create software?
   A. The organization is insured.
   B. The particular vulnerabilities exist only in a context not being used by developers.
   C. Some vulnerabilities exist only in foreign countries.
   D. A component might have a hidden vulnerability.

70. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “using components with known vulnerabilities.” Which of the following is a good way to protect against this problem?
   A. Use only standard libraries.
   B. Review all updates/lists/notifications for components your organization uses.
   C. Be sure to HTML escape all attribute elements.
   D. Increase the user training budget.

71. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list sometimes includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?
   A. HTML escape all HTML attributes.
   B. Train users to recognize invalidated links.
   C. Block all inbound resource requests.
   D. Implement audit logging.

72. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?
   A. Don’t use redirects/forwards in your applications.
   B. Refrain from storing credentials long term.
   C. Implement security incident/event monitoring (security information and event management [SIEM]/security information management [SIM]/security event management [SEM]) solutions.
   D. Implement digital rights management (DRM) solutions.
73. You are the security subject matter expert (SME) for an organization considering a transition from a traditional IT enterprise environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether your current applications in the on-premises environment will function properly with the provider’s hosted systems and tools. This is a(n) _______________ issue.
   A. Interoperability
   B. Portability
   C. Stability
   D. Security

74. You are the security subject matter expert (SME) for an organization considering a transition from a traditional IT enterprise environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether the provider will have undue control over your data once it is within the provider’s data center; will the provider be able to hold your organization hostage because they have your data? This is a(n) _______________ issue.
   A. Interoperability
   B. Portability
   C. Stability
   D. Security

75. You are the security subject matter expert (SME) for an organization considering a transition from a traditional IT enterprise environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether the cloud provider will be able to comply with the existing legislative and contractual frameworks your organization is required to follow. This is a _______________ issue.
   A. Resiliency
   B. Privacy
   C. Performance
   D. Regulatory

76. You are the security subject matter expert (SME) for an organization considering a transition from a traditional IT enterprise environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether the cloud provider will be able to allow your organization to substantiate and determine with some assurance that all of the contract terms are being met. This is a(n) _______________ issue.
   A. Regulatory
   B. Privacy
   C. Resiliency
   D. Auditability

77. Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, piece of data, and transaction that takes place on the cloud, why might that not be the optimum choice for an organization?
   A. Key length variances don’t provide any actual additional security.
   B. It would cause additional processing overhead and time delay.
   C. It might result in vendor lockout.
   D. The data subjects might be upset by this.

78. Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, piece of data, and transaction that takes place on the cloud, why might that not be the optimum choice for an organization?
   A. It could increase the possibility of physical theft.
   B. Encryption won’t work throughout the environment.
   C. The protection might be disproportionate to the value of the asset(s).
   D. Users will be able to see everything within the organization.

79. Which of the following is not an element of the identification component of identity and access management (IAM)?
   A. Provisioning
   B. Management
   C. Discretion
   D. Deprovisioning

80. Which of the following entities is most likely to play a vital role in the identity provisioning aspect of a user’s experience in an organization?
   A. The accounting department
   B. The human resources (HR) office
   C. The maintenance team
   D. The purchasing office

81. Why is the deprovisioning element of the identification component of identity and access management (IAM) so important?
   A. Extra accounts cost so much extra money.
   B. Open but unassigned accounts are vulnerabilities.
   C. User tracking is essential to performance.
   D. Encryption has to be maintained.
82 All of the following are reasons to perform review and maintenance actions on user accounts except _______________.To determine whether the user still needs the same accessTo determine whether the user is still with the organizationTo determine whether the data set is still applicable to the user’s roleTo determine whether the user is still performing well
83 Who should be involved in review and maintenance of user accounts/access?The user’s managerThe security managerThe accounting departmentThe incident response team
84 Which of the following protocols is most applicable to the identification process aspect of identity and access management (IAM)?Secure Sockets Layer (SSL)Internet Protocol Security (IPSec)Lightweight Directory Access Protocol (LDAP)Amorphous ancillary data transmission (AADT)
85 Privileged user (administrators, managers, and so forth) accounts need to be reviewed more closely than basic user accounts. Why is this?Privileged users have more encryption keys.Regular users are more trustworthy.There are extra controls on privileged user accounts.Privileged users can cause more damage to the organization.
86 The additional review activities that might be performed for privileged user accounts could include all of the following except _______________.Deeper personnel background checksReview of personal financial accounts for privileged usersMore frequent reviews of the necessity for accessPat-down checks of privileged users to deter against physical theft
87 If personal financial account reviews are performed as an additional review control for privileged users, which of the following characteristics is least likely to be a useful indicator for review purposes?Too much money in the accountToo little money in the accountThe bank branch being used by the privileged userSpecific senders/recipients
88 How often should the accounts of privileged users be reviewed?AnnuallyTwice a yearMonthlyMore often than regular user account reviews
89 Privileged user account access should be _______________.TemporaryPervasiveThoroughGranular
90 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA’s Notorious Nine list, data breaches can be _______________.
A. Overt or covert
B. International or subterranean
C. From internal or external sources
D. Voluminous or specific

91 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that operates in the cloud environment and suffers a data breach may be required to _______________.
A. Notify affected users
B. Reapply for cloud service
C. Scrub all affected physical memory
D. Change regulatory frameworks

92 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, an organization that suffers a data breach might suffer all of the following negative effects except _______________.
A. Cost of compliance with notification laws
B. Loss of public perception/goodwill
C. Loss of market share
D. Cost of detection

93 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all the following data breach notification requirements except _______________.
A. Multiple state laws
B. Contractual notification requirements
C. All standards-based notification schemes
D. Any applicable federal regulations

94 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, data loss can be suffered as a result of _______________ activity.
A. Malicious or inadvertent
B. Casual or explicit
C. Web-based or stand-alone
D. Managed or independent

95 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, all of the following activity can result in data loss except _______________.
A. Misplaced crypto keys
B. Improper policy
C. Ineffectual backup procedures
D. Accidental overwrite

96 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, service traffic hijacking can affect which portion of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. All of the triad

97 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. The CSA recommends the prohibition of _______________ in order to diminish the likelihood of account/service traffic hijacking.
A. All user activity
B. Sharing account credentials between users and services
C. Multifactor authentication
D. Interstate commerce

98 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which aspect of cloud computing makes it particularly susceptible to account/service traffic hijacking?
A. Scalability
B. Metered service
C. Remote access
D. Pooled resources

99 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing?
A. Most of the cloud customer’s interaction with resources will be performed through APIs.
B. APIs are inherently insecure.
C. Attackers have already published vulnerabilities for all known APIs.
D. APIs are known carcinogens.

100 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing?
A. Cloud customers and third parties are continually enhancing and modifying APIs.
B. APIs can have automated settings.
C. It is impossible to uninstall APIs.
D. APIs are a form of malware.

101 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing?
A. APIs are always used for administrative access.
B. Customers perform many high-value tasks via APIs.
C. APIs are cursed.
D. It is impossible to securely code APIs.

102 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, why are denial of service (DoS) attacks such a significant threat to cloud operations?
A. DoS attackers operate internationally.
B. There are no laws against DoS attacks, so they are impossible to prosecute.
C. Availability issues prevent productivity in the cloud.
D. DoS attacks that can affect cloud providers are easy to launch.

103 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what do we call denial of service (DoS) attacks staged from multiple machines against a specific target?
A. Invasive denial of service (IDoS)
B. Pervasive denial of service (PDoS)
C. Massive denial of service (MDoS)
D. Distributed denial of service (DDoS)

104 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of malicious insiders so alarming?
A. Scalability
B. Multitenancy
C. Metered service
D. Flexibility

105 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, what aspect of managed cloud services makes the threat of abuse of cloud services so alarming from a management perspective?
A. Scalability
B. Multitenancy
C. Resiliency
D. Broadband connections

106 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is not an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider?
A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment
B. Reviewing all contractual elements to appropriately define each party’s roles, responsibilities, and requirements
C. Assessing the provider’s financial standing and soundness
D. Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as the legacy environment

107 The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they’ve selected goes out of business. What do we call this problem?
A. Vendor lock-in
B. Vendor lockout
C. Vendor incapacity
D. Unscaled
108 Which of the following is not a method for creating logical segmentation in a cloud data center?
A. Virtual local area networks (VLANs)
B. Network address translation (NAT)
C. Bridging
D. Hubs

109 According to (ISC)2, the lack/ambiguity of physical endpoints as individual network components in the cloud environment creates what kind of threat/concern?
A. The lack of defined endpoints makes it difficult to uniformly define, manage, and protect IT assets.
B. Without physical endpoints, it is impossible to apply security controls to an environment.
C. Without physical endpoints, it is impossible to track user activity.
D. The lack of physical endpoints increases the opportunity for physical theft/damage.

110 When should cloud providers allow platform as a service (PaaS) customers shell access to the servers running their instances?
A. Never
B. Weekly
C. Only when the contract stipulates that requirement
D. Always

111 In a PaaS implementation, each instance should have its own user-level permissions; when instances share common policies/controls, the cloud security professional should be careful to reduce the possibility of _______________ and _______________ over time.
A. Denial of service (DoS)/physical theft
B. Authorization creep/inheritance
C. Sprawl/hashing
D. Intercession/side-channel attacks

112 In a platform as a service (PaaS) environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on _______________.
A. International standards
B. Federal regulations
C. Organizational policies
D. Federation directives

113 An essential element of access management, _______________ is the practice of confirming that an individual is who they claim to be.
A. Authentication
B. Authorization
C. Nonrepudiation
D. Regression

114 An essential element of access management, _______________ is the practice of granting permissions based on validated identification.
A. Authentication
B. Authorization
C. Nonrepudiation
D. Regression

115 What is the usual order of an access management process?
A. Access-authorization-authentication
B. Authentication-authorization-access
C. Authorization-authentication-access
D. Authentication-access-authorization

116 Why are platform as a service (PaaS) environments at a higher likelihood of suffering backdoor vulnerabilities?
A. They rely on virtualization.
B. They are often used for software development.
C. They have multitenancy.
D. They are scalable.

117 Backdoors are sometimes left in software by developers _______________.
A. In lieu of other security controls
B. As a means to counter denial of service (DoS) attacks
C. Inadvertently or on purpose
D. As a way to distract attackers

118 Alice is staging an attack against Bob’s website. She is able to introduce a string of command code into a database Bob is running, simply by entering the command string into a data field. This is an example of which type of attack?
A. Insecure direct object reference
B. Buffer overflow
C. SQL injection
D. Denial of service

119 Bob is staging an attack against Alice’s website. He is able to embed a link on her site that will execute malicious code on a visitor’s machine if the visitor clicks on the link. This is an example of which type of attack?
A. Cross-site scripting
B. Broken authentication/session management
C. Security misconfiguration
D. Insecure cryptographic storage

120 Alice is staging an attack against Bob’s website. She has discovered that Bob has been storing cryptographic keys on a server with a default admin password and is able to get access to those keys and violate confidentiality and access controls. This is an example of which type of attack?
A. SQL injection
B. Buffer overflow
C. Using components with known vulnerabilities
D. Security misconfiguration

121 Which of the following is a management risk that organizations migrating to the cloud will have to address?
A. Insider threat
B. Virtual sprawl
C. Distributed denial of service (DDoS) attacks
D. Natural disasters

122 Which kind of hypervisor is the preferred target of attackers, and why?
A. Type 1, because it is more straightforward
B. Type 1, because it has a greater attack surface
C. Type 2, because it is less protected
D. Type 2, because it has a greater attack surface

123 Which of the following would make a good provision to include in the service-level agreement (SLA) between cloud customer and provider?
A. Location of the data center
B. Amount of data uploaded/downloaded during a pay period
C. Type of personnel security controls for network administrators
D. Physical security barriers on the perimeter of the data center campus

124 What is the most significant aspect of the service-level agreement (SLA) that incentivizes the cloud provider to perform?
A. The thoroughness with which it details all aspects of cloud processing
B. The financial penalty for not meeting service levels
C. The legal liability for violating data breach notification requirements
D. The risk exposure to the cloud provider

125 From a customer perspective, all of the following are benefits of infrastructure as a service (IaaS) cloud services except _______________.
A. Reduced cost of ownership
B. Reduced energy costs
C. Metered usage
D. Reduced cost of administering the operating system (OS) in the cloud environment
126 From an academic perspective, what is the main distinction between an event and an incident?
A. Incidents can last for extended periods (days or weeks), whereas an event is momentary.
B. Incidents can happen at the network level, whereas events are restricted to the system level.
C. Events are anything that can occur in the IT environment, whereas incidents are unscheduled events.
D. Events occur only during processing, whereas incidents can occur at any time.

127 The cloud computing characteristic of elasticity promotes which aspect of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. None

128 A hosted cloud environment is great for an organization to use as _______________.
A. Storage of physical assets
B. A testbed/sandbox
C. A platform for managing unsecured production data
D. A cost-free service for meeting all user needs

129 What is the entity that created the Statement on Standards for Attestation Engagements (SSAE) auditing standard and certifies auditors for that standard?
A. National Institute of Standards and Technology (NIST)
B. European Network and Information Security Agency (ENISA)
C. General Data Protection Regulation (GDPR)
D. American Institute of Certified Public Accountants (AICPA)

130 The current American Institute of Certified Public Accountants (AICPA) standard codifies certain audit reporting mechanisms. What are these called?
A. Sarbanes-Oxley Act (SOX) reports
B. Secure Sockets Layer (SSL) audits
C. Sherwood Applied Business Structure Architecture (SABSA)
D. System and Organization Controls (SOC) reports

131 Which of the following is not a report used to assess the design and selection of security controls within an organization?
A. Consensus Assessments Initiative Questionnaire (CAIQ)
B. Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
C. SOC 1
D. SOC 2 Type 1

132 Which of the following is a report used to assess the implementation and effectiveness of security controls within an organization?
A. SOC 1
B. SOC 2 Type 1
C. SOC 2 Type 2
D. SOC 3

133 _______________ is an example of due care, and _______________ is an example of due diligence.
A. Privacy data security policy; auditing the controls dictated by the privacy data security policy
B. The European Union General Data Protection Regulation (GDPR); the Gramm-Leach-Bliley Act (GLBA)
C. Locks on doors; turnstiles
D. Perimeter defenses; internal defenses

134 In a Lightweight Directory Access Protocol (LDAP) environment, each entry in a directory server is identified by a _______________.
A. Domain name (DN)
B. Distinguished name (DN)
C. Directory name (DN)
D. Default name (DN)

135 Each of the following is an element of the Identification phase of the identity and access management (IAM) process except _______________.
A. Provisioning
B. Inversion
C. Management
D. Deprovisioning

136 Which of the following is true about two-person integrity?
A. It forces all employees to distrust one another.
B. It requires two different identity and access management matrices (IAM).
C. It forces collusion for unauthorized access.
D. It enables more thieves to gain access to the facility.

137 All of the following are statutory regulations except the _______________.
A. Gramm-Leach-Bliley Act (GLBA)
B. Health Information Portability and Accountability Act (HIPAA)
C. Federal Information Systems Management Act (FISMA)
D. Payment Card Industry Data Security Standard (PCI DSS)

138 A cloud data encryption situation where the cloud customer retains control of the encryption keys and the cloud provider only processes and stores the data could be considered a _______________.
A. Threat
B. Risk
C. Hybrid cloud deployment model
D. Case of infringing on the rights of the provider

139 Which of the following is one of the benefits of a private cloud deployment?
A. Less cost
B. Higher performance
C. Retaining control of governance
D. Reduction in need for maintenance capability on the customer side

140 What are the two general delivery modes for the software as a service (SaaS) model?
A. Ranked and free
B. Hosted application management and software on demand
C. Intrinsic motivation complex and undulating perspective details
D. Framed and modular

141 Your organization has migrated into a platform as a service (PaaS) configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notifications in accordance with all applicable laws?
A. The network admin responsible
B. The cloud provider
C. The regulators overseeing your deployment
D. Your organization

142 If an organization wants to retain the most control of their assets in the cloud, which service and deployment model combination should they choose?
A. Platform as a service (PaaS), community
B. Infrastructure as a service (IaaS), hybrid
C. Software as a service (SaaS), public
D. Infrastructure as a service (IaaS), private

143 If an organization wants to realize the most cost savings by reducing administrative overhead, which service and deployment model combination should they choose?
A. Platform as a service (PaaS), community
B. Infrastructure as a service (IaaS), hybrid
C. Software as a service (SaaS), public
D. Infrastructure as a service (IaaS), private