Question 111: Why would an organization need to periodically test disaster recovery and business continuity plans if they’ve already been shown to work?
A. Environmental changes may render them ineffective over time.
B. It has low confidence in the abilities of the testers.
C. To appease senior leadership.
D. Resources may not be available in the future to test again.
Correct Answer: A. Environmental changes may render them ineffective over time.
Explanation: The best reason to periodically test DRPs and BCPs is to assess the effects of internal or external environmental changes on them. Changes to these plans are inevitable and often frequent, which puts an organization at risk of unacceptably long system outages if it doesn’t periodically test its DRPs/BCPs.
Question 112: Which of the following is not true about continuous monitoring?
A. It involves ad hoc processes that provide agility in responding to novel attacks.
B. Its main goal is to support organizational risk management.
C. It helps determine whether security controls remain effective.
D. It relies on carefully chosen metrics and measurements.
Correct Answer: A. It involves ad hoc processes that provide agility in responding to novel attacks.
Explanation: Continuous monitoring is a deliberate, data-driven process supporting organizational risk management. One of the key questions it answers is: are controls still effective at mitigating risks? Continuous monitoring could lead to a decision to implement specific ad hoc processes, but those processes would not themselves be part of continuous monitoring.
Question 113: Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air-conditioning, and raised floors
D. A mobile site that can be brought to the company’s parking lot
Correct Answer: B. A site that has all necessary PCs, servers, and telecommunications
Explanation: A hot site is a facility that is fully equipped and properly configured so that it can be up and running within hours to get a company back into production. “A site that has all necessary PCs, servers, and telecommunications” gives the best definition of a fully functional environment.
Question 114: What is the purpose of polyinstantiation?
A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritable attributes from their class
Correct Answer: B. To make a copy of an object and modify the attributes of the second copy
Explanation: Instantiation is what happens when an object is created from a class. Polyinstantiation is when more than one object is made and the other copy is modified to have different attributes. This can be done for several reasons. The example given in the chapter was a way to use polyinstantiation for security purposes to ensure that a lower-level subject could not access an object at a higher level.
Question 115: Which of the following attack types best describes what commonly takes place when you insert specially crafted and excessively long data into an input field?
A. Traversal attack
B. Unicode encoding attack
C. URL encoding attack
D. Buffer overflow attack
Correct Answer: D. Buffer overflow attack
Explanation: The buffer overflow is probably the most notorious of input validation mistakes. A buffer is an area of memory reserved by an application to store something, such as user input. After the application receives the input, an instruction pointer directs the application to do something with the data that has been placed in the buffer. A buffer overflow occurs when an application erroneously allows more input than the buffer can hold to be written into it, overwriting the instruction pointer that tells the program what to do next. Once the instruction pointer is overwritten, whatever code has been placed in the buffer can then be executed, all under the security context of the application.
Question 116: Fundamentally, iPaaS was designed to create individual management capabilities, with separate dashboards, to provide more granular control for software and servers.
A. True
B. False
Correct Answer: B. False
Explanation: Platform providers designed iPaaS to instill centralized management and coordinate various software and servers, including cross-environment migrations. The tools provide management views via a single dashboard that can monitor app performance and control resource consumption.
Question 117: What is the most important function of an iPaaS tool?
A. API-driven integration
B. Integration with legacy middleware
C. Authentication and access controls
D. All of the above
Correct Answer: D. All of the above
Explanation: When choosing between iPaaS tools, there are certain must-haves. Prebuilt connectors for APIs simplify the data integration process, integration with legacy middleware is crucial, and enterprises need to ensure that data is safe with authentication and access controls.
Question 118: The capabilities of iPaaS only support workloads in the cloud.
A. True
B. False
Correct Answer: B. False
Explanation: While iPaaS tools are based in cloud services, they aren’t just for cloud applications. These tools can handle both cloud-to-cloud integrations and hybrid integration between on-premises software and cloud applications.
Question 119: Most iPaaS tools require a separate monitoring tool to track and secure integrations.
A. True
B. False
Correct Answer: B. False
Explanation: Many iPaaS tools feature built-in monitoring capabilities that can observe application availability and performance. These include alerts for application failures, enforcement of governance and compliance rules, and detailed logging for audits.
Question 120: Enterprise service buses (ESBs) and iPaaS provide two approaches to a similar goal.
A. True
B. False
Correct Answer: A. True
Explanation: ESBs and iPaaS both connect systems and applications in order to share information. However, ESBs are typically aimed at on-premises integration rather than cloud integration. iPaaS is built on public and private clouds, reducing the need to connect systems through on-premises software and hardware.