CCSP : Certified Cloud Security Professional (CCSP) : Part 03
-
Which of the cloud deployment models is used by popular services such as iCloud, Dropbox, and OneDrive?
- Hybrid
- Public
- Private
- Community
Explanation:
Popular services such as iCloud, Dropbox, and OneDrive are all publicly available and are open to any user for free, with possible add-on services offered for a cost. -
Why does a Type 2 hypervisor typically offer less security control than a Type 1 hypervisor?
- A Type 2 hypervisor runs on top of another operating system and is dependent on the security of the OS for its own security.
- A Type 2 hypervisor allows users to directly perform some functions with their own access.
- A Type 2 hypervisor allows users to directly perform some functions with their own access.
- A Type 2 hypervisor is open source, so attackers can more easily find exploitable vulnerabilities with that access.
Explanation:
A Type 2 hypervisor differs from a Type 1 hypervisor in that it runs on top of another operating system rather than directly tied into the underlying hardware of the virtual host servers. With this type of implementation, additional security and architecture concerns come into play because the interaction between the operating system and the hypervisor becomes a critical link. The hypervisor no longer has direct interaction and control over the underlying hardware, which means that some performance will be lost due to the operating system in the middle needing its own resources, patching requirements, and operational oversight. -
Which is the appropriate phase of the cloud data lifecycle for determining the data’s classification?
- Create
- Use
- Share
- Store
Explanation:
Any time data is created, modified, or imported, the classification needs to be evaluated and set from the earliest phase to ensure security is always properly maintained for the duration of its lifecycle. -
Which of the following is the optimal temperature for a data center, per the guidelines established by the America Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE)?
- 69.8-86.0degF (21-30degC)
- 64.4-80.6degF(18-27degC)
- 51.8-66.2degF(11-19degC)
- 44.6-60-8degF(7-16degC)
Explanation:
The guidelines from ASHRAE establish 64.4-80.6degF (18-27degC) as the optimal temperature for a data center. -
Which of the following is not a risk management framework?
- COBIT
- Hex GBL
- ISO 31000:2009
- NIST SP 800-37
Explanation:
Hex GBL is a reference to a computer part in Terry Pratchett’s fictional Discworld universe. The rest are not. -
Which of the following threat types involves the sending of untrusted data to a user’s browser to be executed with their own credentials and access?
- Missing function level access control
- Cross-site scripting
- Cross-site request forgery
- Injection
Explanation:
Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user’s browser without going through any validation or sanitization processes, or where the code is not properly escaped from processing by the browser. The code is then executed on the user’s browser with the user’s own access and permissions, allowing an attacker to redirect their web traffic, steal data from their session, or potentially access information on the user’s own computer that their browser has the ability to access. -
How is an object stored within an object storage system?
- Key value
- Database
- LDAP
- Tree structure
Explanation:
Object storage uses a flat structure with key values to store and access objects. -
Which of the following is NOT a regulatory system from the United States federal government?
- PCI DSS
- FISMA
- SOX
- HIPAA
Explanation:
The payment card industry data security standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry regulatory standard, not a governmental one. -
Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority?
- European Union
- Germany
- Russia
- United States
Explanation:
The United States lacks a single comprehensive law at the federal level addressing data security and privacy, but there are multiple federal laws that deal with different industries. -
Which United States law is focused on PII as it relates to the financial industry?
- HIPAA
- SOX
- Safe Harbor
- GLBA
Explanation:
The GLBA, as it is commonly called based on the lead sponsors and authors of the act, is officially known as “The Financial Modernization Act of 1999.” It is specifically focused on PII as it relates to financial institutions. There are three specific components of it, covering various areas and use, on top of a general requirement that all financial institutions must provide all users and customers with a written copy of their privacy policies and practices, including with whom and for what reasons their information may be shared with other entities. -
Which of the following threat types can occur when encryption is not properly applied or insecure transport mechanisms are used?
- Security misconfiguration
- Insecure direct object references
- Sensitive data exposure
- Unvalidated redirects and forwards
Explanation:
Sensitive data exposure occurs when information is not properly secured through encryption and secure transport mechanisms; it can quickly become an easy and broad method for attackers to compromise information. Web applications must enforce strong encryption and security controls on the application side, but secure methods of communications with browsers or other clients used to access the information are also required. Security misconfiguration occurs when applications and systems are not properly configured for security, often a result of misapplied or inadequate baselines. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, thus allowing spoofing for malware or phishing attacks. -
What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function?
- Remove
- Monitor
- Disable
- Stop
Explanation:
The best practice is to totally remove any unneeded services and utilities on a system to prevent any chance of compromise or use. If they are just disabled, it is possible for them to be inadvertently started again at any point, or another exploit could be used to start them again. Removing also negates the need to patch and maintain them going forward. -
Which of the following actions will NOT make data part of the “create” phase of the cloud data lifecycle?
- Modifying metadata
- Importing data
- Modifying data
- Constructing new data
Explanation:
Although the initial phase is called “create,” it can also refer to modification. In essence, any time data is considered “new,” it is in the create phase. This can come from data that is newly created, data that is imported into a system and is new to that system, or data that is already present and modified into a new form or value. Modifying the metadata does not change the actual data. -
What are the two protocols that TLS uses?
- Handshake and record
- Transport and initiate
- Handshake and transport
- Record and transmit
Explanation:
TLS uses the handshake protocol to establish and negotiate the TLS connection, and it uses the record protocol for the secure transmission of data. -
Which type of cloud model typically presents the most challenges to a cloud customer during the “destroy” phase of the cloud data lifecycle?
- IaaS
- DaaS
- SaaS
- PaaS
Explanation:
With many SaaS implementations, data is not isolated to a particular customer but rather is part of the overall application. When it comes to data destruction, a particular challenge is ensuring that all of a customer’s data is completely destroyed while not impacting the data of other customers. -
Which of the following may unilaterally deem a cloud hosting model inappropriate for a system or application?
- Multitenancy
- Certification
- Regulation
- Virtualization
Explanation:
Some regulations may require specific security controls or certifications be used for hosting certain types of data or functions, and in some circumstances they may be requirements that are unable to be met by any cloud provider. -
Which of the following is considered an internal redundancy for a data center?
- Power distribution units
- Network circuits
- Power substations
- Generators
Explanation:
Power distribution units are internal to a data center and supply power to internal components such as racks, appliances, and cooling systems. As such, they are considered an internal redundancy. -
Which of the following represents a control on the maximum amount of resources that a single customer, virtual machine, or application can consume within a cloud environment?
- Share
- Reservation
- Provision
- Limit
Explanation:
Limits are put in place to enforce a maximum on the amount of memory or processing a cloud customer can use. This can be done either on a virtual machine or as a comprehensive whole for a customer, and is meant to ensure that enormous cloud resources cannot be allocated or consumed by a single host or customer to the detriment of other hosts and customers. -
Which of the following roles is responsible for peering with other cloud services and providers?
- Cloud auditor
- Inter-cloud provider
- Cloud service broker
- Cloud service developer
Explanation:
The inter-cloud provider is responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services. -
Which of the following does NOT relate to the hiding of sensitive data from data sets?
- Obfuscation
- Federation
- Masking
- Anonymization
Explanation:
Federation pertains to authenticating systems between different organizations.
Subscribe
0 Comments
Newest