110 When should cloud providers allow platform as a service (PaaS) customers shell access to the servers running their instances?
  Never
  Weekly
  Only when the contract stipulates that requirement
  Always

111 In a PaaS implementation, each instance should have its own user-level permissions; when instances share common policies/controls, the cloud security professional should be careful to reduce the possibility of _______________ and _______________ over time.
  Denial of service (DoS) / physical theft
  Authorization creep / inheritance
  Sprawl / hashing
  Intercession / side-channel attacks

112 In a platform as a service (PaaS) environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on _______________.
  International standards
  Federal regulations
  Organizational policies
  Federation directives

113 An essential element of access management, _______________ is the practice of confirming that an individual is who they claim to be.
  Authentication
  Authorization
  Nonrepudiation
  Regression

114 An essential element of access management, _______________ is the practice of granting permissions based on validated identification.
  Authentication
  Authorization
  Nonrepudiation
  Regression

115 What is the usual order of an access management process?
  Access-authorization-authentication
  Authentication-authorization-access
  Authorization-authentication-access
  Authentication-access-authorization

116 Why are platform as a service (PaaS) environments at a higher likelihood of suffering backdoor vulnerabilities?
  They rely on virtualization.
  They are often used for software development.
  They have multitenancy.
  They are scalable.

117 Backdoors are sometimes left in software by developers _______________.
  In lieu of other security controls
  As a means to counter denial of service (DoS) attacks
  Inadvertently or on purpose
  As a way to distract attackers

118 Alice is staging an attack against Bob's website. She is able to introduce a string of command code into a database Bob is running, simply by entering the command string into a data field. This is an example of which type of attack?
  Insecure direct object reference
  Buffer overflow
  SQL injection
  Denial of service

119 Bob is staging an attack against Alice's website. He is able to embed a link on her site that will execute malicious code on a visitor's machine if the visitor clicks on the link. This is an example of which type of attack?
  Cross-site scripting
  Broken authentication/session management
  Security misconfiguration
  Insecure cryptographic storage

120 Alice is staging an attack against Bob's website. She has discovered that Bob has been storing cryptographic keys on a server with a default admin password and is able to get access to those keys and violate confidentiality and access controls. This is an example of which type of attack?
  SQL injection
  Buffer overflow
  Using components with known vulnerabilities
  Security misconfiguration

121 Which of the following is a management risk that organizations migrating to the cloud will have to address?
  Insider threat
  Virtual sprawl
  Distributed denial of service (DDoS) attacks
  Natural disasters

122 Which kind of hypervisor is the preferred target of attackers, and why?
  Type 1, because it is more straightforward
  Type 1, because it has a greater attack surface
  Type 2, because it is less protected
  Type 2, because it has a greater attack surface

123 Which of the following would make a good provision to include in the service-level agreement (SLA) between cloud customer and provider?
  Location of the data center
  Amount of data uploaded/downloaded during a pay period
  Type of personnel security controls for network administrators
  Physical security barriers on the perimeter of the data center campus

124 What is the most significant aspect of the service-level agreement (SLA) that incentivizes the cloud provider to perform?
  The thoroughness with which it details all aspects of cloud processing
  The financial penalty for not meeting service levels
  The legal liability for violating data breach notification requirements
  The risk exposure to the cloud provider

125 From a customer perspective, all of the following are benefits of infrastructure as a service (IaaS) cloud services except _______________.
  Reduced cost of ownership
  Reduced energy costs
  Metered usage
  Reduced cost of administering the operating system (OS) in the cloud environment

126 From an academic perspective, what is the main distinction between an event and an incident?
  Incidents can last for extended periods (days or weeks), whereas an event is momentary.
  Incidents can happen at the network level, whereas events are restricted to the system level.
  Events are anything that can occur in the IT environment, whereas incidents are unscheduled events.
  Events occur only during processing, whereas incidents can occur at any time.

127 The cloud computing characteristic of elasticity promotes which aspect of the CIA triad?
  Confidentiality
  Integrity
  Availability
  None

128 A hosted cloud environment is great for an organization to use as _______________.
  Storage of physical assets
  A testbed/sandbox
  A platform for managing unsecured production data
  A cost-free service for meeting all user needs

129 What is the entity that created the Statement on Standards for Attestation Engagements (SSAE) auditing standard and certifies auditors for that standard?
  National Institute of Standards and Technology (NIST)
  European Network and Information Security Agency (ENISA)
  General Data Protection Regulation (GDPR)
  American Institute of Certified Public Accountants (AICPA)
130 The current American Institute of Certified Public Accountants (AICPA) standard codifies certain audit reporting mechanisms. What are these called?
  Sarbanes-Oxley Act (SOX) reports
  Secure Sockets Layer (SSL) audits
  Sherwood Applied Business Security Architecture (SABSA)
  System and Organization Controls (SOC) reports
131 Which of the following is not a report used to assess the design and selection of security controls within an organization?
  Consensus Assessments Initiative Questionnaire (CAIQ)
  Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
  SOC 1
  SOC 2 Type 1

132 Which of the following is a report used to assess the implementation and effectiveness of security controls within an organization?
  SOC 1
  SOC 2 Type 1
  SOC 2 Type 2
  SOC 3

133 _______________ is an example of due care, and _______________ is an example of due diligence.
  Privacy data security policy; auditing the controls dictated by the privacy data security policy
  The European Union General Data Protection Regulation (GDPR); the Gramm-Leach-Bliley Act (GLBA)
  Locks on doors; turnstiles
  Perimeter defenses; internal defenses

134 In a Lightweight Directory Access Protocol (LDAP) environment, each entry in a directory server is identified by a _______________.
  Domain name (DN)
  Distinguished name (DN)
  Directory name (DN)
  Default name (DN)

135 Each of the following is an element of the Identification phase of the identity and access management (IAM) process except _______________.
  Provisioning
  Inversion
  Management
  Deprovisioning

136 Which of the following is true about two-person integrity?
  It forces all employees to distrust one another.
  It requires two different identity and access management (IAM) matrices.
  It forces collusion for unauthorized access.
  It enables more thieves to gain access to the facility.
137 All of the following are statutory regulations except the _______________.
  Gramm-Leach-Bliley Act (GLBA)
  Health Insurance Portability and Accountability Act (HIPAA)
  Federal Information Security Management Act (FISMA)
  Payment Card Industry Data Security Standard (PCI DSS)
138 A cloud data encryption situation where the cloud customer retains control of the encryption keys and the cloud provider only processes and stores the data could be considered a _______________.
  Threat
  Risk
  Hybrid cloud deployment model
  Case of infringing on the rights of the provider

139 Which of the following is one of the benefits of a private cloud deployment?
  Less cost
  Higher performance
  Retaining control of governance
  Reduction in need for maintenance capability on the customer side

140 What are the two general delivery modes for the software as a service (SaaS) model?
  Ranked and free
  Hosted application management and software on demand
  Intrinsic motivation complex and undulating perspective details
  Framed and modular
141 Your organization has migrated