CHAPTER 3
Domain 3: Cloud Platform and Infrastructure Security

The third domain of the Certified Cloud Security Professional (CCSP) Exam Outline concerns the underlying infrastructure of the cloud, including both hardware and software, the concept of pooled resources, and a detailed discussion of identity and access management (IAM).

  1. You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. Your organization has its production environment hosted in a cloud environment. You are considering using cloud backup services for your BC/DR purposes as well. What would probably be the best strategy for this approach, in terms of redundancy and resiliency?

    1. Have your cloud provider also provide BC/DR backup.
    2. Keep a BC/DR backup on the premises of your corporate headquarters.
    3. Use another cloud provider for the BC/DR backup.
    4. Move your production environment back into your corporate premises, and use your cloud provider to host your BC/DR backup.
  2. You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. You decide to have a tabletop test of the BC/DR activity. Which of the following will offer the best value during the test?

    1. Have all participants conduct their individual activities via remote meeting technology.
    2. Task a moderator well versed in BC/DR actions to supervise and present scenarios to the participants, including randomized special events.
    3. Provide copies of the BC/DR policy to all participants.
    4. Allow all users in your organization to participate.
  3. You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. Your organization has its production environment hosted by a cloud provider, and you have appropriate protections in place. Which of the following is a significant consideration for your BC/DR backup?

    1. Enough personnel at the BC/DR recovery site to ensure proper operations
    2. Good cryptographic key management
    3. Access to the servers where the BC/DR backup is stored
    4. Forensic analysis capabilities
  4. You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. You are going to conduct a full test of the BC/DR plan. Which of the following strategies is an optimum technique to avoid major issues?

    1. Have another full backup of the production environment stored prior to the test.
    2. Assign all personnel tasks to perform during the test.
    3. Have the cloud provider implement a simulated disaster at a random moment in order to maximize realistic testing.
    4. Have your regulators present at the test so they can monitor performance.
  5. A Security Assertion Markup Language (SAML) identity assertion token uses the ___________________ protocol.

    1. Extensible Markup Language (XML)
    2. Hypertext Transfer Protocol (HTTP)
    3. Hypertext Markup Language (HTML)
    4. American Standard Code for Information Interchange (ASCII)
  6. The minimum essential characteristics of a cloud data center are often referred to as “ping, power, pipe.” What does this term mean?

    1. Remote access for customer to racked devices in the data center; electrical utilities; connectivity to an Internet service provider (ISP)/the Internet
    2. Application suitability; availability; connectivity
    3. Infrastructure as a service (IaaS); software as a service (SaaS); platform as a service (PaaS)
    4. Anti-malware tools; controls against distributed denial-of-service (DDoS) attacks; physical/environmental security controls, including fire suppression
  7. To support all aspects of the CIA triad (confidentiality, integrity, availability), all of the following aspects of a cloud data center need to be engineered with redundancies except ___________________.

    1. Power supply
    2. HVAC
    3. Administrative offices
    4. Internet service provider (ISP)/connectivity lines
  8. Who is the cloud carrier?

    1. The cloud customer
    2. The cloud provider
    3. The regulator overseeing the cloud customer’s industry
    4. The ISP between the cloud customer and provider
  9. Which of the following terms describes a means to centralize logical control of all networked nodes in the environment, abstracted from the physical connections to each?

    1. Virtual private network (VPN)
    2. Software-defined network (SDN)
    3. Access control lists (ACLs)
    4. Role-based access control (RBAC)
  10. In software-defined networking (SDN), the northbound interface (NBI) usually handles traffic between the ___________________ and the ___________________.

    1. Cloud customer; ISP
    2. SDN controllers; SDN applications
    3. Cloud provider; ISP
    4. Router; host
  11. Software-defined networking (SDN) allows network administrators and architects to perform all the following functions except ___________________.

    1. Reroute traffic based on current customer demand
    2. Create logical subnets without having to change any actual physical connections
    3. Filter access to resources based on specific rules or settings
    4. Deliver streaming media content in an efficient manner by placing it closer to the end user
  12. Which of the following is a device specially purposed to handle the issuance, distribution, and storage of cryptographic keys?

    1. Key management box (KMB)
    2. Hardware security module (HSM)
    3. Ticket-granting ticket (TGT)
    4. Trusted computing base (TCB)
  13. When discussing the cloud, we often segregate the data center into the terms compute, storage, and networking. Compute is made up of ___________________ and ___________________.

    1. Routers; hosts
    2. Application programming interface (APIs); northbound interface (NBIs)
    3. Central processing unit (CPU); random-access memory (RAM)
    4. Virtualized; actual hardware devices
  14. All of the following can be used to properly apportion cloud resources except ___________________.

    1. Reservations
    2. Shares
    3. Cancellations
    4. Limits
  15. Which of the following is a method for apportioning resources that involves setting guaranteed minimums for all tenants/customers within the environment?

    1. Reservations
    2. Shares
    3. Cancellations
    4. Limits
  16. Which of the following is a method for apportioning resources that involves setting maximum usage amounts for all tenants/customers within the environment?

    1. Reservations
    2. Shares
    3. Cancellations
    4. Limits
  17. Which of the following is a method for apportioning resources that involves prioritizing resource requests to resolve contention situations?

    1. Reservations
    2. Shares
    3. Cancellations
    4. Limits
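The three mechanisms named in questions 15 through 17 are easier to keep apart when you watch them act on one pool of capacity. The following allocator is an added example, not code from the original text, written in the style of a hypervisor resource pool: a reservation is a guaranteed minimum (paid out only up to what the tenant actually asks for), a limit is a hard maximum that holds even when capacity sits idle, and shares are relative weights that matter only once tenants contend for what is left. The tenant names and all figures are constructed, and the admission check at the top is the part that makes a reservation a real guarantee rather than a hope.

```python
"""Apportioning a shared resource with reservations, limits and shares.

Added illustration, not code from the original text. Models the three
mechanisms the way hypervisor resource pools do: reservation = guaranteed
minimum, limit = hard maximum, shares = weight used only under contention.
All tenant names and figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class Tenant:
    name: str
    demand: float       # what the tenant is currently asking for
    reservation: float  # guaranteed minimum (granted only up to demand)
    limit: float        # hard maximum, regardless of spare capacity
    shares: int         # relative weight used only under contention


def admit(tenants, capacity):
    """Admission control: a reservation that cannot be honoured is not a guarantee."""
    total = sum(t.reservation for t in tenants)
    if total > capacity:
        raise ValueError(f"reservations ({total}) exceed capacity ({capacity})")
    for t in tenants:
        if t.reservation > t.limit:
            raise ValueError(f"{t.name}: reservation exceeds limit")
        if t.shares <= 0:
            raise ValueError(f"{t.name}: shares must be positive")


def allocate(tenants, capacity):
    """Return (allocation per tenant name, unallocated capacity)."""
    admit(tenants, capacity)
    alloc = {}
    for t in tenants:
        # Step 1: every tenant first gets its reservation, but only as much
        # of it as it actually wants; the unused part returns to the pool.
        alloc[t.name] = min(t.demand, t.reservation)
    remaining = capacity - sum(alloc.values())

    # Step 2: water-filling. Spare capacity is handed out in proportion to
    # shares among tenants that still want more and are below their limit.
    # A tenant that reaches its limit (or its demand) drops out of the next round.
    eps = 1e-9
    while remaining > eps:
        hungry = [t for t in tenants
                  if alloc[t.name] + eps < min(t.demand, t.limit)]
        if not hungry:
            break  # nobody may take more; the leftover stays idle
        total_shares = sum(t.shares for t in hungry)
        given = 0.0
        for t in hungry:
            want = min(t.demand, t.limit) - alloc[t.name]
            grant = min(want, remaining * t.shares / total_shares)
            alloc[t.name] += grant
            given += grant
        remaining -= given
    return alloc, remaining


if __name__ == "__main__":
    pool = [
        Tenant("A", demand=60, reservation=20, limit=50, shares=2),
        Tenant("B", demand=60, reservation=10, limit=100, shares=1),
        Tenant("C", demand=10, reservation=30, limit=40, shares=1),
    ]
    result, idle = allocate(pool, capacity=100)
    for name, amount in result.items():
        print(f"{name}: {amount:.1f}")
    print(f"idle: {idle:.1f}")
```

With the constructed pool above, C's 30-unit reservation yields only the 10 units it asked for, the remaining 60 units are split 2:1 between A and B until A's limit of 50 stops it, and B then absorbs the rest; a second tenant with a larger reservation than the pool can carry is refused before anything is handed out.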
  18. A bare-metal hypervisor is Type ___________________.

    1. 1
    2. 2
    3. 3
    4. 4
  19. A hypervisor that runs inside another operating system (OS) is a Type ___________________ hypervisor.

    1. 1
    2. 2
    3. 3
    4. 4
  20. A Type ___________________ hypervisor is probably more difficult to defend than other hypervisors.

    1. 1
    2. 2
    3. 3
    4. 4
  21. One of the security challenges of operating in the cloud is that additional controls must be placed on file storage systems because ___________________.

    1. File stores are always kept in plain text in the cloud
    2. There is no way to sanitize file storage space in the cloud
    3. Virtualization necessarily prevents the use of application-based security controls
    4. Virtual machines are stored as snapshotted files when not in use
  22. What is the main reason virtualization is used in the cloud?

    1. Virtual machines (VMs) are easier to administer.
    2. If a VM is infected with malware, it can be easily replaced.
    3. With VMs, the cloud provider does not have to deploy an entire hardware device for every new user.
    4. VMs are easier to operate than actual devices.
  23. Orchestrating resource calls is the job of the ___________________.

    1. Administrator
    2. Router
    3. VM
    4. Hypervisor
  24. Which of the following terms describes a cloud storage area that uses a filesystem/hierarchy?

    1. Volume storage
    2. Object storage
    3. Logical unit number (LUN)
    4. Block storage
  25. Typically, which form of cloud storage is used in the near term for snapshotted virtual machine (VM) images?

    1. Volume storage
    2. Object storage
    3. Logical unit number (LUN)
    4. Block storage
  26. Who operates the management plane?

    1. Regulators
    2. End consumers
    3. Privileged users
    4. Privacy data subjects
  27. What is probably the optimum way to avoid vendor lock-in?

    1. Use nonproprietary data formats.
    2. Use industry-standard media.
    3. Use strong cryptography.
    4. Use favorable contract language.
  28. Who will determine whether your organization’s cloud migration is satisfactory from a compliance perspective?

    1. The cloud provider
    2. The cloud customer
    3. The regulator(s)
    4. The Internet service provider (ISP)
  29. What is probably the best way to avoid problems associated with vendor lock-out?

    1. Use strong contract language.
    2. Use nonproprietary data and media formats.
    3. Use strong cryptography.
    4. Use another provider for backup purposes.
  30. In a public cloud services arrangement, who creates governance that will determine which controls are selected for the data center and how they are deployed?

    1. The cloud provider
    2. The cloud customer
    3. The regulator(s)
    4. The end user
  31. What is the term that describes the situation when a malicious user or attacker can exit the restrictions of a virtual machine (VM) and access another VM residing on the same host?

    1. Host escape
    2. Guest escape
    3. Provider exit
    4. Escalation of privileges
  32. What is the term that describes the situation when a malicious user or attacker can exit the restrictions of a single host and access other nodes on the network?

    1. Host escape
    2. Guest escape
    3. Provider exit
    4. Escalation of privileges
  33. ___________________ is/are probably the main cause of virtualization sprawl.

    1. Malicious attackers
    2. Lack of provider controls
    3. Lack of customer controls
    4. Ease of use
  34. Sprawl is mainly a(n) ___________________ problem.

    1. Technical
    2. External
    3. Management
    4. Logical
  35. Which of the following risks exists in the traditional environment but is dramatically increased by moving into the cloud?

    1. Physical security breaches
    2. Loss of utility power
    3. Financial upheaval
    4. Man-in-the-middle attacks
  36. A fundamental aspect of security principles, ___________________ should be implemented in the cloud as well as in traditional environments.

    1. Continual uptime
    2. Defense in depth
    3. Multifactor authentication
    4. Separation of duties
  37. From a security perspective, automation of configuration aids in ___________________.

    1. Enhancing performance
    2. Reducing potential attack vectors
    3. Increasing ease of use of the systems
    4. Reducing need for administrative personnel
  38. ___________________ is the most prevalent protocol used in identity federation.

    1. Hypertext Transfer Protocol (HTTP)
    2. Security Assertion Markup Language (SAML)
    3. File Transfer Protocol (FTP)
    4. WS-Federation
  39. A user signs on to a cloud-based social media platform. In another browser tab, the user finds an article worth posting to the social media platform. The user clicks on the platform’s icon listed on the article’s website, and the article is automatically posted to the user’s account on the social media platform. This is an example of what?

    1. Single sign-on
    2. Insecure direct identifiers
    3. Identity federation
    4. Cross-site scripting
  40. A group of clinics decides to create an identity federation for their users (medical providers and clinicians). If they opt to review each other, for compliance with security governance and standards they all find acceptable, what is this federation model called?

    1. Cross-certification
    2. Proxy
    3. Single sign-on
    4. Regulated
  41. A group of clinics decides to create an identity federation for their users (medical providers and clinicians). If they opt to hire a third party to review each organization, for compliance with security governance and standards they all find acceptable, what is this federation model called?

    1. Cross-certification
    2. Proxy
    3. Single sign-on
    4. Regulated
  42. A group of clinics decides to create an identity federation for their users (medical providers and clinicians). If they opt to use the web of trust model for federation, who is/are the identity provider(s)?

    1. Each organization
    2. A trusted third party
    3. The regulator overseeing their industry
    4. All of their patients
  43. A group of clinics decides to create an identity federation for their users (medical providers and clinicians). If they opt to use the web of trust model for federation, who is/are the service providers?

    1. Each organization
    2. A trusted third party
    3. The regulator overseeing their industry
    4. All of their patients
  44. A group of clinics decides to create an identity federation for their users (medical providers and clinicians). In this federation, all of the participating organizations would need to be in compliance with what U.S. federal regulation?

    1. Gramm-Leach-Bliley Act (GLBA)
    2. Family and Medical Leave Act (FMLA)
    3. Payment Card Industry Data Security Standard (PCI DSS)
    4. Health Insurance Portability and Accountability Act (HIPAA)
  45. What is the process of granting access to resources?

    1. Identification
    2. Authentication
    3. Authorization
    4. Federation
  46. The process of identity management includes all the following elements except ___________________.

    1. Provisioning
    2. Maintenance
    3. Deprovisioning
    4. Redaction
  47. Which organizational entity usually performs the verification part of the provisioning element of the identification process?

    1. Information technology (IT)
    2. Security
    3. Human resources (HR)
    4. Sales
  48. Of the following options, which is a reason cloud data center audits are often less easy to verify than traditional audits?

    1. Data in the cloud can’t be audited.
    2. Controls in the cloud can’t be audited.
    3. Getting physical access can be difficult.
    4. There are no regulators for cloud operations.
  49. Of the following options, which is a reason cloud data center audits are often less easy to verify than traditional audits?

    1. Cryptography is present.
    2. Auditors don’t like the cloud.
    3. Cloud equipment is resistant to audit.
    4. They often rely on data the provider chooses to disclose.
  50. Of the following options, which is a reason cloud data center audits are often less easy to verify than audits in standard data centers?

    1. They frequently rely on third parties.
    2. The standards are too difficult to follow.
    3. The paperwork is cumbersome.
    4. There aren’t enough auditors.
  51. The cloud customer will usually not have physical access to the cloud data center. This enhances security by ___________________.

    1. Reducing the need for qualified personnel
    2. Limiting access to sensitive information
    3. Reducing jurisdictional exposure
    4. Ensuring statutory compliance
  52. Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment?

    1. GPS tracking/locator
    2. Automated vulnerability scan on system startup
    3. Access control list (ACL) of authorized personnel
    4. Write protection
  53. Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment?

    1. Automatic registration with the configuration management system
    2. Enhanced user training and awareness media
    3. Mechanisms that prevent the file from being copied
    4. Keystroke loggers
  54. Virtual machine (VM) configuration management (CM) tools should probably include ___________________.

    1. Biometric recognition
    2. Anti-tampering mechanisms
    3. Log file generation
    4. Hackback capabilities
  55. Using a virtual machine baseline image could be very useful for which of the following options?

    1. Physical security
    2. Auditing
    3. Training
    4. Customization
  56. What can be revealed by an audit of a baseline virtual image, used in a cloud environment?

    1. Adequate physical protections in the data center
    2. Potential criminal activity before it occurs
    3. Whether necessary security controls are in place and functioning properly
    4. Lack of user training and awareness
  57. Using one cloud provider for your operational environment and another for your BC/DR backup will also give you the additional benefit of ___________________.

    1. Allowing any custom VM builds you use to be instantly ported to another environment
    2. Avoiding vendor lock-in/lock-out
    3. Increased performance
    4. Lower cost
  58. Having your BC/DR backup stored with the same cloud provider as your production environment can help you ___________________.

    1. Maintain regulatory compliance
    2. Spend less of your budget on traveling
    3. Train your users about security awareness
    4. Recover quickly from minor incidents
  59. If you use the cloud for BC/DR purposes, even if you don’t operate your production environment in the cloud, you can cut costs by eliminating your ___________________.

    1. Security personnel
    2. BC/DR policy
    3. Old access credentials
    4. Need for a physical hot site/warm site
  60. If the cloud is used for BC/DR purposes, the loss of ___________________ could gravely affect your organization’s RTO.

    1. Any cloud administrator
    2. A specific VM
    3. Your policy and contract documentation
    4. ISP connectivity
  61. What is the most important asset to protect in cloud BC/DR activities?

    1. Intellectual property
    2. Hardware at the cloud data center
    3. Personnel
    4. Data on portable media
  62. When considering cloud data replication strategies (i.e., whether you are making backups at the block, file, or database level), which element of your organization’s BC/DR plan will be most affected by your choice?

    1. Recovery time objective
    2. Recovery point objective
    3. Maximum allowable downtime
    4. Mean time to failure
  63. In addition to BC/DR, what other benefit can your data archive/backup provide?

    1. Physical security enforcement
    2. Access control methodology
    3. Security control against data breach
    4. Availability for data lost accidentally
  64. Which of the following risks is probably most significant when choosing to use one cloud provider for your operational environment and another for BC/DR backup/archive?

    1. Physical intrusion
    2. Proprietary formats/lack of interoperability
    3. Vendor lock-in/lock-out
    4. Natural disasters
  65. Return to normal operations is a phase in BC/DR activity when the emergency is over and regular production can resume. Which of the following can sometimes be the result when the organization uses two different cloud providers for the production and BC/DR environments?

    1. Both providers are affected by the emergency, extending the time before return to normal can occur.
    2. The BC/DR provider becomes the new normal production environment.
    3. Regulators will find the organization in violation of compliance guidance.
    4. All data is lost irretrievably.
  66. Which of these determines the critical assets, recovery time objective (RTO), and recovery point objective (RPO) for BC/DR purposes?

    1. Business drivers
    2. User input
    3. Regulator mandate
    4. Industry standards
  67. What artifact—which should already exist within the organization—can be used to determine the critical assets necessary to protect in the BC/DR activity?

    1. Quantitative risk analysis
    2. Qualitative risk analysis
    3. Business impact analysis
    4. Risk appetite
  68. Which of the following is probably the most important element to address if your organization is using two different cloud providers for the production and BC/DR environments?

    1. Do they cost the same?
    2. Do they have similar facility protections in place?
    3. What level of end-user support do they each offer?
    4. Can the backup provider meet the same SLA requirements as the primary?
  69. In a managed cloud services arrangement, who invokes a BC/DR action?

    1. The cloud provider
    2. The cloud customer
    3. Depends on the contract
    4. Any user
  70. What do you need to do in order to fully ensure that a BC/DR action will function during a contingency?

    1. Audit all performance functions.
    2. Audit all security functions.
    3. Perform a full-scale test.
    4. Mandate this capability in the contract.
  71. Which of the following is probably the most important activity, of those listed?

    1. Regularly update the BC/DR plan/process.
    2. Have contact information for all personnel in the organization.
    3. Have contact information for essential BC/DR personnel.
    4. Have contact information for local law enforcement.
  72. The BC/DR plan/policy should include all of the following except ___________________.

    1. Tasking for the office responsible for maintaining/enforcing the plan
    2. Contact information for essential entities, including BC/DR personnel and emergency services agencies
    3. Copies of the laws/regulations/standards governing specific elements of the plan
    4. Checklists for BC/DR personnel to follow
  73. The BC/DR plan/process should be written and documented in such a way that it can be used by ___________________.

    1. Users
    2. Essential BC/DR team members
    3. Regulators
    4. Someone with the requisite skills
  74. Which of the following probably poses the most significant risk to the organization?

    1. Not having essential BC/DR personnel available during a contingency
    2. Not including all BC/DR elements in the cloud contract
    3. Returning to normal operations too soon
    4. Telecommunications outages
  75. Which of the following probably poses the most significant risk to the organization?

    1. Lack of data confidentiality during a contingency
    2. Lack of regulatory compliance during a contingency
    3. Returning to normal operations too late
    4. Lack of encrypted communications during a contingency
  76. Why does the physical location of your data backup and/or BC/DR failover environment matter?

    1. It may affect regulatory compliance.
    2. Lack of physical security.
    3. Environmental factors such as humidity.
    4. It doesn’t matter. Data can be saved anywhere without consequence.
  77. According to the European Union Agency for Network and Information Security (ENISA), a cloud risk assessment should provide a means for customers to accomplish all these assurance tasks except ___________________.

    1. Assess risks associated with cloud migration
    2. Compare offerings from different cloud providers
    3. Reduce the risk of regulatory noncompliance
    4. Reduce the assurance burden on cloud providers
  78. The European Union Agency for Network and Information Security’s (ENISA’s) definition of cloud computing differs slightly from the definition offered by (ISC)² (and, for instance, NIST). What is one of the characteristics listed by ENISA but not included in the (ISC)² definition?

    1. Metered service
    2. Shared resources
    3. Scalability
    4. Programmatic management
  79. Risk should always be considered from a business perspective. Risk is often balanced by corresponding ___________________.

    1. Profit
    2. Performance
    3. Cost
    4. Opportunity
  80. When considering the option to migrate from an on-premises environment to a hosted cloud service, an organization should weigh the risks of allowing external entities to access the cloud data for collaborative purposes against ___________________.

    1. Not securing the data in the traditional environment
    2. Disclosing the data publicly
    3. Inviting external personnel into the traditional workspace in order to enhance collaboration
    4. Sending the data outside the traditional environment for collaborative purposes
  81. There are many ways to handle risk. However, the usual methods for addressing risk are not all possible in the cloud because ___________________.

    1. Cloud data risks cannot be mitigated
    2. Migrating into a cloud environment necessarily means you are accepting all risks
    3. Some risks cannot be transferred to a cloud provider
    4. Cloud providers cannot avoid risk
  82. In which cloud service model does the customer lose the most control over governance?

    1. Infrastructure as a service (IaaS)
    2. Platform as a service (PaaS)
    3. Software as a service (SaaS)
    4. Private cloud
  83. Which of the following poses a new risk in the cloud, not affecting the traditional, on-premises IT environment?

    1. Internal threats
    2. Multitenancy
    3. Natural disasters
    4. Distributed denial-of-service (DDoS) attacks
  84. In addition to the security offered by the cloud provider, a cloud customer must consider the security offered by ___________________.

    1. The respective regulator
    2. The end user(s)
    3. Any vendor the cloud customer previously used in the on-premises environment
    4. Any third parties the provider depends on
  85. Which of the following poses a new risk in the cloud, not affecting the traditional, on-premises IT environment?

    1. User carelessness
    2. Inadvertent breach
    3. Device failure
    4. Resource exhaustion
  86. Where is isolation failure probably least likely to pose a significant risk?

    1. Public cloud
    2. Private cloud
    3. PaaS environment
    4. SaaS environment
  87. Which of the following poses a new risk in the cloud, not affecting the traditional, on-premises environment?

    1. Fire
    2. Legal seizure of another firm’s assets
    3. Mandatory privacy data breach notifications
    4. Flooding
  88. Which of these does the cloud customer need to ensure protection of intellectual property created in the cloud?

    1. Digital rights management (DRM) solutions
    2. Identity and access management (IAM) solutions
    3. Strong contractual clauses
    4. Crypto-shredding
  89. What could be the result of failure of the cloud provider to secure the hypervisor in such a way that one user on a virtual machine can see the resource calls of another user’s virtual machine?

    1. Unauthorized data disclosure
    2. Inference attacks
    3. Social engineering
    4. Physical intrusion
  90. Key generation in a cloud environment might have less entropy than the traditional environment for all the following reasons except ___________________.

    1. Lack of direct input devices
    2. No social factors
    3. Uniform build
    4. Virtualization
  91. Lack of industry-wide standards for cloud computing creates a potential for ___________________.

    1. Privacy data breach
    2. Privacy data disclosure
    3. Vendor lock-in
    4. Vendor lock-out
  92. What can hamper the ability of a cloud customer to protect their assets in a managed services arrangement?

    1. Prohibitions on port scanning and penetration testing
    2. Geographical dispersion
    3. Rules against training users
    4. Laws that prevent them from doing so
  93. Cloud administration almost necessarily violates the principles of the ___________________ security model.

    1. Brewer-Nash (Chinese Wall)
    2. Graham-Denning
    3. Bell-LaPadula
    4. Biba
  94. The physical layout of a cloud data center campus should include redundancies of all the following except ___________________.

    1. Physical perimeter security controls (fences, lights, walls, etc.)
    2. The administration/support staff building
    3. Electrical utility lines
    4. Communications connectivity lines
  95. Best practice for planning the physical resiliency for a cloud data center facility includes ___________________.

    1. Having one point of egress for personnel
    2. Ensuring that any cabling/connectivity enters the facility from different sides of the building/property
    3. Ensuring that all parking areas are near generators so that personnel in high-traffic areas are always illuminated by emergency lighting, even when utility power is not available
    4. Ensuring that the foundation of the facility is rated to withstand earthquake tremors
  96. The physical layout of a cloud data center campus should include redundancies of all the following except ___________________.

    1. Generators
    2. HVAC units
    3. Generator fuel storage
    4. Points of personnel ingress
  97. There are two reasons to conduct a test of the organization’s recovery from backup in an environment other than the primary production environment. Which of the following is one of them?

    1. It costs more to conduct a test at the same location as the primary workplace.
    2. You don’t want to waste travel budget on what is only a test.
    3. The risk of negative impact to both production and backup is too high.
    4. There won’t be enough room for everyone to sit in the primary facility.
  98. There are two reasons to conduct a test of the organization’s recovery from backup in an environment other than the primary production environment. Which of the following is one of them?

    1. It is good to invest in more than one community.
    2. You want to approximate contingency conditions, which includes not operating in the primary location.
    3. It is good for your personnel to see other places occasionally.
    4. Your regulators won’t follow you off-site, so you’ll be unobserved during your test.
  99. In an IaaS arrangement, who accepts responsibility for securing cloud-based applications?

    1. The cloud provider
    2. The cloud customer
    3. The regulator
    4. The end user/client
  100. Industry best practices dictate that cloud customers do not ___________________.

    1. Create their own identity and access management (IAM) solutions
    2. Create contract language that favors them over the provider
    3. Retrain personnel for cloud operations
    4. Encrypt data before it reaches the cloud
  101. It is possible for the cloud customer to transfer ___________________ risk to the provider, but the cloud customer always retains ultimate legal risk.

    1. Market
    2. Perception
    3. Data
    4. Financial
  102. A process for ___________________ can aid in protecting against data disclosure due to lost devices.

    1. User punishment
    2. Credential revocation
    3. Law enforcement notification
    4. Device tracking
  103. All of the following can be used in the process of anomaly detection except ___________________.

    1. The ratio of failed to successful logins
    2. Transactions completed successfully
    3. Event time of day
    4. Multiple concurrent logins
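Three of the four options in question 103 are genuine detection signals, and it is worth seeing them computed rather than just named. The script below is an added example, not code from the original text: it parses a constructed authentication log in a hypothetical key=value format (no real system emits exactly this), then reports per user the failed-to-successful login ratio, the number of login attempts outside a working-hours window, and any successful login that arrives while a session from a different source address is still open. The thresholds in `flagged` are arbitrary starting points and would be tuned against a real baseline.

```python
"""Anomaly indicators from authentication logs.

Added illustration, not code from the original text. Computes the three
indicators named in question 103 (failed-to-successful login ratio, event
time of day, concurrent logins from different sources) over a constructed
log excerpt in a hypothetical key=value format. Nothing here is captured
from a real system, and the thresholds are arbitrary starting points.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (timestamps are UTC).
SAMPLE_LOG = """\
2024-03-04T09:01:10Z user=alice src=10.0.0.5 event=login result=ok
2024-03-04T09:40:00Z user=alice src=10.0.0.5 event=logout result=ok
2024-03-04T02:13:55Z user=bob src=198.51.100.7 event=login result=fail
2024-03-04T02:14:02Z user=bob src=198.51.100.7 event=login result=fail
2024-03-04T02:14:09Z user=bob src=198.51.100.7 event=login result=fail
2024-03-04T02:14:20Z user=bob src=198.51.100.7 event=login result=ok
2024-03-04T10:05:00Z user=bob src=10.0.0.9 event=login result=ok
2024-03-04T11:00:00Z user=carol src=10.0.0.12 event=login result=ok
2024-03-04T11:30:00Z user=carol src=10.0.0.12 event=logout result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>login|logout) result=(?P<result>ok|fail)$"
)


def parse(text):
    """Parse lines into dicts with a timezone-aware ts; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # in production, count and alert on these rather than silently skip
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    events.sort(key=lambda e: e["ts"])  # log sources rarely arrive in order
    return events


def analyze(events, work_start=8, work_end=18):
    """Per-user indicators: fail_ratio, off_hours login attempts, concurrent source pairs."""
    counters = defaultdict(lambda: {"fails": 0, "successes": 0, "off_hours": 0, "concurrent": []})
    active = defaultdict(dict)  # user -> {src: login time} for sessions not yet logged out
    for e in events:
        user, src, c = e["user"], e["src"], counters[e["user"]]
        if e["event"] == "logout":
            active[user].pop(src, None)
            continue
        # Time of day: any attempt outside the working window counts, pass or fail.
        if not (work_start <= e["ts"].hour < work_end):
            c["off_hours"] += 1
        if e["result"] == "fail":
            c["fails"] += 1
            continue
        c["successes"] += 1
        # Concurrent logins: a new session opened while another source is still active.
        for other in active[user]:
            if other != src:
                c["concurrent"].append((other, src))
        active[user][src] = e["ts"]

    report = {}
    for user, c in counters.items():
        if c["successes"]:
            ratio = c["fails"] / c["successes"]
        else:
            ratio = float("inf") if c["fails"] else 0.0  # only failures is the worst case
        report[user] = {"fail_ratio": ratio, "off_hours": c["off_hours"], "concurrent": c["concurrent"]}
    return report


def flagged(report, max_fail_ratio=1.0):
    """Users tripping any indicator; thresholds are constructed, tune them to your baseline."""
    return sorted(u for u, r in report.items()
                  if r["fail_ratio"] > max_fail_ratio or r["off_hours"] or r["concurrent"])


if __name__ == "__main__":
    rep = analyze(parse(SAMPLE_LOG))
    for u in flagged(rep):
        print(u, rep[u])
```

On the constructed excerpt only bob trips the indicators: three failures before a success at 02:14 UTC, every attempt outside the 08:00 to 18:00 window, and a second session from 10.0.0.9 opened while the 198.51.100.7 session was never logged out. The fourth option in the question, transactions completed successfully, is deliberately absent: on its own it describes normal operation and separates nothing.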
  104. Critical components should be protected with ___________________.

    1. Strong passwords
    2. Chain-link fences
    3. Homomorphic encryption
    4. Multifactor authentication
  105. It’s important to maintain a current asset inventory list, including surveying your environment on a regular basis, in order to ___________________.

    1. Prevent unknown, unpatched assets from being used as back doors to the environment
    2. Ensure that any lost devices are automatically entered into the acquisition system for repurchasing and replacement
    3. Maintain user morale by having their devices properly catalogued and annotated
    4. Ensure that billing for all devices is handled by the appropriate departments
  106. Which of the following can enhance data portability?

    1. Interoperable export formats
    2. Egress monitoring solutions
    3. Strong physical protections
    4. Agile business intelligence
  107. Which of the following can enhance application portability?

    1. Using the same cloud provider for the production environment and archiving
    2. Conducting service trials in an alternate cloud provider environment
    3. Providing cloud-usage training for all users
    4. Tuning web application firewalls (WAFs) to detect anomalous activity in inbound communications
  108. What should the cloud customer do to ensure that disaster recovery activities don’t exceed the maximum allowable downtime (MAD)?

    1. Make sure any alternate provider can support the application needs of the organization.
    2. Ensure that contact information for all first responder agencies is correct and up-to-date at all times.
    3. Select an appropriate recovery time objective (RTO).
    4. Regularly review all regulatory directives for disaster response.
  109. Which of the following would probably best aid an organization in deciding whether to migrate from a traditional environment to a particular cloud provider?

    1. Rate sheets comparing a cloud provider to other cloud providers
    2. Cloud provider offers to provide engineering assistance during the migration
    3. The cost/benefit measure of closing the organization’s relocation site (hot site/warm site) and using the cloud for disaster recovery instead
    4. SLA satisfaction surveys from other (current and past) cloud customers
  110. A cloud provider will probably require all of the following except ___________________ before a customer conducts a penetration test.

    1. Notice
    2. Description of scope of the test
    3. Physical location of the launch point
    4. Knowledge of time frame/duration
  111. Cloud providers will probably not allow ___________________ as part of a customer’s penetration test.

    1. Network mapping
    2. Vulnerability scanning
    3. Reconnaissance
    4. Social engineering
  112. A cloud customer performing a penetration test without the provider’s permission is risking ___________________.

    1. Malware contamination
    2. Excessive fees for SLA violations
    3. Loss of market share
    4. Prosecution
  113. When a customer performs a penetration test in the cloud, why isn’t the test an optimum simulation of attack conditions?

    1. Attackers don’t use remote access for cloud activity.
    2. Advanced notice removes the element of surprise.
    3. When cloud customers use malware, it’s not the same as when attackers use malware.
    4. Regulator involvement changes the attack surface.
  114. Managed cloud services exist because the service is less expensive for each customer than creating the same services for themselves in a traditional environment. What is the technology that creates most of the cost savings in the cloud environment?

    1. Emulation
    2. Secure remote access
    3. Crypto-shredding
    4. Virtualization
  115. Managed cloud services exist because the service is less expensive for each customer than creating the same services for themselves in a traditional environment. From the customer perspective, most of the cost differential created between the traditional environment and the cloud through virtualization is achieved by removing ___________________.

    1. External risks
    2. Internal risks
    3. Regulatory compliance
    4. Sunk capital investment
  116. Managed cloud services exist because the service is less expensive for each customer than creating the same services for themselves in a traditional environment. Using a managed service allows the customer to realize significant cost savings through the reduction of ___________________.

    1. Risk
    2. Security controls
    3. Personnel
    4. Data
  117. Which of the following is a risk posed by the use of virtualization?

    1. Internal threats interrupting service through physical accidents (spilling drinks, tripping over cables, etc.)
    2. The ease of transporting stolen virtual machine images
    3. Increased susceptibility of virtual systems to malware
    4. Electromagnetic pulse
  118. The tasks performed by the hypervisor in the virtual environment can be most likened to the tasks of the ___________________ in the traditional environment.

    1. Central processing unit (CPU)
    2. Security team
    3. Operating system (OS)
    4. Pretty Good Privacy (PGP)
  119. Mass storage in the cloud will most likely currently involve ___________________.

    1. Spinning platters
    2. Tape drives
    3. Magnetic disks
    4. Solid-state drives (SSDs)
  120. What is the type of cloud storage arrangement that involves the use of associating metadata with the saved data?

    1. Volume
    2. Block
    3. Object
    4. Redundant
  121. According to the NIST Cloud Computing Reference Architecture, which of the following is most likely a cloud carrier?

    1. Amazon Web Services
    2. Netflix
    3. Verizon
    4. Nessus
  122. Resolving resource contentions in the cloud will most likely be the job of the ___________________.

    1. Router
    2. Emulator
    3. Regulator
    4. Hypervisor
  123. Security controls installed on a guest virtual machine operating system (VM OS) will not function when ___________________.

    1. The user is accessing the VM remotely
    2. The OS is not scanned for vulnerabilities
    3. The OS is not subject to version control
    4. The VM is not active while in storage
  124. Typically, SSDs are ___________________.

    1. More expensive than spinning platters
    2. Larger than tape backup
    3. Heavier than tape libraries
    4. More subject to malware than legacy drives
  125. Typically, SSDs are ___________________.

    1. Harder to install than magnetic memory
    2. Faster than magnetic drives
    3. Harder to administer than tape libraries
    4. More likely to fail than spinning platters
  126. Typically, SSDs are ___________________.

    1. Impossible to destroy physically
    2. Not vulnerable to degaussing
    3. Subject to a longer warranty
    4. Protected by international trade laws
  127. Of the following control techniques/solutions, which can be combined to enhance the protections offered by each?

    1. Fences/firewalls
    2. Asset inventories/personnel training
    3. Data dispersion/encryption
    4. Intrusion prevention solutions/intrusion detection solutions
  128. Of the following control techniques/solutions, which can be combined to enhance the protections offered by each?

    1. Razor tape/background checks
    2. Least privilege/generators
    3. DLP/DRM
    4. Personnel badging/secure baselines
  129. Risk assessment is the responsibility of ___________________.

    1. Companies offering managed cloud services
    2. Regulatory bodies
    3. Every organization
    4. Legislative entities
  130. Which entity can best aid the organization in avoiding vendor lock-in?

    1. Senior management
    2. The IT security office
    3. General counsel
    4. The cloud security representative
  131. Perhaps the best method for avoiding vendor lock-out is also a means for enhancing BC/DR capabilities. This is ___________________.

    1. Having a warm site within 250 miles of the primary production environment
    2. Using one cloud provider for primary production and another for backup purposes
    3. Building a data center above the flood plain
    4. Cross-training all personnel
  132. ___________________ can often be the result of inadvertent activity.

    1. DDoS
    2. Phishing
    3. Sprawl
    4. Disasters
  133. Of the following, which is probably the most significant risk in a managed cloud environment?

    1. DDoS
    2. Management plane breach
    3. Guest escape
    4. Physical attack on the utility service lines
  134. What is the optimal number of entrances to the cloud data center campus?

    1. One
    2. Two
    3. Three
    4. Four
  135. The cloud data center campus physical access point should include all of the following except ___________________.

    1. Reception area
    2. Video surveillance
    3. Badging procedure
    4. Mantrap structures
  136. Where should multiple egress points be included?

    1. At the power distribution substation
    2. Within the data center
    3. In every building on the campus
    4. In the security operations center
  137. Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment?

    1. DDoS
    2. Isolation failure
    3. External attack
    4. Internal attack
  138. All security controls necessarily ___________________.

    1. Are expensive
    2. Degrade performance
    3. Require senior management approval
    4. Will work in the cloud environment as well as they worked in the traditional environment
  139. Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment?

    1. Legal liability in multiple jurisdictions
    2. Loss of productivity due to DDoS
    3. Ability of users to gain access to their physical workplace
    4. Fire
  140. Which of the following is a risk in the cloud environment that does not exist or is not as prevalent in the traditional environment?

    1. Loss of availability due to DDoS
    2. Loss of value due to DDoS
    3. Loss of confidentiality due to DDoS
    4. Loss of liability due to DDoS
  141. DDoS attacks do not affect ___________________ for cloud customers.

    1. Productivity
    2. Availability
    3. Connectivity
    4. Integrity
  142. Sprawl in the cloud can lead to significant additional costs to the organization because of ___________________.

    1. Larger necessary physical footprint
    2. Much larger utility consumption
    3. Software licensing
    4. Requisite additional training
  143. It is best to use variables in ___________________.

    1. Baseline configurations
    2. Security control implementations
    3. Contract language
    4. BC/DR tests