CCSP : Certified Cloud Security Professional (CCSP) : Part 08

  1. Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance?

    • Virtualization
    • Multitenancy
    • Resource pooling
    • Dynamic optimization

    Explanation:
    Cloud environments will regularly change virtual machines as patching and versions are changed. Unlike a physical environment, there is little continuity from one period of time to another. It is very unlikely that the same virtual machines would be in use during a repeat audit.

  2. Which security concept would business continuity and disaster recovery fall under?

    • Confidentiality
    • Availability
    • Fault tolerance
    • Integrity

    Explanation:
    Disaster recovery and business continuity are vital concerns with availability. If data is destroyed or compromised, having regular backup systems in place, as well as being able to perform disaster recovery in the event of a major or widespread problem, allows operations to continue with a loss of time and data that management considers acceptable. This also ensures that sensitive data is protected and persisted in the event of the loss or corruption of data systems or physical storage systems.

  3. Which of the following is NOT an application or utility to apply and enforce baselines on a system?

    • Chef
    • GitHub
    • Puppet
    • Active Directory

    Explanation:
    GitHub is an application for code collaboration, including versioning and branching of code trees. It is not used for applying or maintaining system configurations.

  4. Which of the cloud cross-cutting aspects relates to the ability for a cloud customer to easily remove their applications and data from a cloud environment?

    • Reversibility
    • Availability
    • Portability
    • Interoperability

    Explanation:
    Reversibility is the ability for a cloud customer to easily remove their applications or data from a cloud environment, as well as to ensure that all traces of their applications or data have been securely removed per a predefined agreement with the cloud provider.

  5. Which of the following is NOT a function performed by the record protocol of TLS?

    • Encryption
    • Acceleration
    • Authentication
    • Compression

    Explanation:
    The record protocol of TLS performs the authentication and encryption of data packets, and in some cases compression as well. It does not perform any acceleration functions.

  6. What concept does the “R” represent with the DREAD model?

    • Reproducibility
    • Repudiation
    • Risk
    • Residual

    Explanation:
    Reproducibility is the measure of how easy it is to reproduce and successfully use an exploit. Scoring within the DREAD model ranges from 0, signifying a nearly impossible exploit, up to 10, which signifies something that anyone could exploit from a simple function call, such as a URL.

  7. The SOC Type 2 reports are divided into five principles.

    Which of the five principles must also be included when auditing any of the other four principles?

    • Confidentiality
    • Privacy
    • Security
    • Availability

    Explanation:
    Under the SOC guidelines, when any of the four principles other than security (availability, confidentiality, processing integrity, and privacy) is audited, the security principle must also be included in the audit.

  8. How many additional DNS queries are needed when DNSSEC integrity checks are added?

    • Three
    • Zero
    • One
    • Two

    Explanation:
    DNSSEC does not require any additional DNS queries to be performed. The DNSSEC integrity checks and validations are all performed as part of the single DNS lookup resolution.

  9. Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used?

    • Platform
    • Infrastructure
    • Governance
    • Application

    Explanation:
    Regardless of which cloud-hosting model is used, the cloud customer always has sole responsibility for the governance of systems and data.

  10. Which of the following service categories entails the least amount of support needed on the part of the cloud customer?

    • SaaS
    • IaaS
    • DaaS
    • PaaS

    Explanation:
    With SaaS providing a fully functioning application that is managed and maintained by the cloud provider, cloud customers incur the least amount of support responsibilities themselves of any service category.

  11. Which of the following would NOT be a reason to activate a BCDR strategy?

    • Staffing loss
    • Terrorism attack
    • Utility disruptions
    • Natural disaster

    Explanation:
    The loss of staffing would not be a reason to declare a BCDR situation because it does not impact production operations or equipment, and the same staff would be needed for a BCDR situation.

  12. Which of the cloud cross-cutting aspects relates to the oversight of processes and systems, as well as to ensuring their compliance with specific policies and regulations?

    • Governance
    • Regulatory requirements
    • Service-level agreements
    • Auditability

    Explanation:
    Auditing involves reports and evidence that show user activity, compliance with controls and regulations, the systems and processes that run and what they do, as well as information and data access and modification records. A cloud environment adds additional complexity to traditional audits because the cloud customer will not have the same level of access to systems and data as they would in a traditional data center.

  13. Which of the cloud cross-cutting aspects relates to the ability to reuse or move components of an application or service?

    • Availability
    • Interoperability
    • Reversibility
    • Portability

    Explanation:
    Interoperability is the ease with which one can move or reuse components of an application or service. This is maximized when services are designed without specific dependencies on underlying platforms, operating systems, locations, or cloud providers.

  14. Which of the following is a restriction that can be enforced by information rights management (IRM) that is not possible for traditional file system controls?

    • Delete
    • Modify
    • Read
    • Print

    Explanation:
    IRM allows an organization to control who can print a set of information. This is not possible under traditional file system controls, where if a user can read a file, they are able to print it as well.

  15. What strategy involves hiding data in a data set to prevent someone from identifying specific individuals based on other data fields present?

    • Anonymization
    • Tokenization
    • Masking
    • Obfuscation

    Explanation:
    With data anonymization, data is manipulated in such a way as to prevent the identification of an individual through various data objects, and it is often used in conjunction with other concepts such as masking.

  16. What type of security threat is DNSSEC designed to prevent?

    • Account hijacking
    • Snooping
    • Spoofing
    • Injection

    Explanation:
    DNSSEC is designed to prevent the spoofing and redirection of DNS resolutions to rogue sites.

  17. Which European Union directive pertains to personal data privacy and an individual’s control over their personal data?

    • 99/9/EC
    • 95/46/EC
    • 2000/1/EC
    • 2013/27001/EC

    Explanation:
    Directive 95/46/EC is titled “On the protection of individuals with regard to the processing of personal data and on the free movement of such data.”

  18. Which of the cloud cross-cutting aspects relates to the requirements placed on a system or application by law, policy, or requirements from standards?

    • Regulatory requirements
    • Auditability
    • Service-level agreements
    • Governance

    Explanation:
    Regulatory requirements are those imposed upon businesses and their operations either by law, regulation, policy, or standards and guidelines. These requirements are specific either to the locality in which the company or application is based or to the specific nature of the data and transactions conducted.

  19. Which data point that auditors always desire is very difficult to provide within a cloud environment?

    • Access policy
    • Systems architecture
    • Baselines
    • Privacy statement

    Explanation:
    Cloud environments are constantly changing and often span multiple physical locations. A cloud customer is also very unlikely to have knowledge and insight into the underlying systems architecture in a cloud environment. Both of these realities make it very difficult, if not impossible, for an organization to provide a comprehensive systems design document.

  20. What type of host is exposed to the public Internet for a specific reason and hardened to perform only that function for authorized users?

    • Proxy
    • Bastion
    • Honeypot
    • WAF

    Explanation:
    A bastion host is a server that is fully exposed to the public Internet, but is extremely hardened to prevent attacks and is usually dedicated to a specific application or usage; it is not something that will serve multiple purposes. This singular focus allows for much more stringent security hardening and monitoring.