CCSP : Certified Cloud Security Professional (CCSP) : Part 10

  1. Which aspect of security is DNSSEC designed to ensure?

    • Integrity
    • Authentication
    • Availability
    • Confidentiality

    Explanation:
    DNSSEC is a security extension to the regular DNS protocol and services that allows for the validation of the integrity of DNS lookups. It does not address confidentiality or availability at all. It allows for a DNS client to perform DNS lookups and validate both their origin and authority via the cryptographic signature that accompanies the DNS response.

  2. Which process serves to prove the identity and credentials of a user requesting access to an application or data?

    • Repudiation
    • Authentication
    • Identification
    • Authorization
    Explanation:
    Authentication is the process of proving whether the identity presented by a user is true and valid. This can be done through common mechanisms such as user ID and password combinations or with more secure methods such as multifactor authentication.

  3. Who would be responsible for implementing IPsec to secure communications for an application?

    • Developers
    • Systems staff
    • Auditors
    • Cloud customer
    Explanation:
    Because IPsec is implemented at the system or network level, it is the responsibility of the systems staff. IPsec removes the responsibility from developers, whereas other technologies such as TLS would be implemented by developers.

  4. What is the minimum regularity for testing a BCDR plan to meet best practices?

    • Once a year
    • Once a month
    • Every six months
    • When the budget allows it
    Explanation:
    Best practices and industry standards dictate that a BCDR solution should be tested at least once a year, though specific regulatory requirements may dictate more regular testing. The BCDR plan should also be tested whenever a major modification to a system occurs.

  5. Other than cost savings realized due to measured service, what is another facet of cloud computing that will typically save substantial costs in time and money for an organization in the event of a disaster?

    • Broad network access
    • Interoperability
    • Resource pooling
    • Portability
    Explanation:
    With a typical BCDR solution, an organization would need some number of staff to quickly travel to the location of the BCDR site to configure systems and applications for recovery. With a cloud environment, everything is done over broad network access, with no need (or even possibility) to travel to a remote site at any time.

  6. Which of the following is NOT part of a retention policy?

    • Format
    • Costs
    • Accessibility
    • Duration
    Explanation:
    The data retention policy covers the duration, format, technologies, protection, and accessibility of archives, but does not address the specific costs of its implementation and maintenance.

  7. Which aspect of cloud computing would make the use of a cloud the most attractive as a BCDR solution?

    • Interoperability
    • Resource pooling
    • Portability
    • Measured service
    Explanation:
    Measured service means that costs are only incurred when a cloud customer is actually using cloud services. This is ideal for a business continuity and disaster recovery (BCDR) solution because it negates the need to keep hardware or resources on standby in case of a disaster. Services can be initiated when needed and without costs unless needed.

  8. Which of the cloud deployment models offers the easiest initial setup and access for the cloud customer?

    • Hybrid
    • Community
    • Private
    • Public
    Explanation:
    Because the public cloud model is available to everyone, in most instances all a customer will need to do to gain access is set up an account and provide a credit card number through the service’s web portal. No additional contract negotiations, agreements, or specific group memberships are typically needed to get started.

  9. Which of the following is NOT something that an HIDS will monitor?

    • Configurations
    • User logins
    • Critical system files
    • Network traffic
    Explanation:
    A host intrusion detection system (HIDS) monitors network traffic as well as critical system files and configurations.

  10. Which of the following technologies is used to monitor network traffic and notify if any potential threats or attacks are noticed?

    • IPS
    • WAF
    • Firewall
    • IDS
    Explanation:
    An intrusion detection system (IDS) is designed to analyze network packets, compare their contents or characteristics against a set of configurations or signatures, and alert personnel if anything is detected that could constitute a threat or is otherwise designated for alerting.

  11. What concept does the “A” represent in the DREAD model?

    • Affected users
    • Authentication
    • Affinity
    • Authorization
    Explanation:
    Affected users refers to the percentage of users who would be impacted by a successful exploit. Scoring ranges from 0, which means no users are impacted, to 10, which means all users are impacted.

  12. Which attribute of data poses the biggest challenge for data discovery?

    • Labels
    • Quality
    • Volume
    • Format
    Explanation:
    The main problem when it comes to data discovery is the quality of the data that analysis is being performed against. Data that is malformed, incorrectly stored or labeled, or incomplete makes it very difficult to use analytical tools against.

  13. What does static application security testing (SAST) offer as a tool to the testers?

    • Production system scanning
    • Injection attempts
    • Source code access
    • Live testing
    Explanation:
    Static application security testing (SAST) is conducted with knowledge of the system, including source code, and is done against offline systems.

  14. Which of the following service capabilities gives the cloud customer an established and maintained framework to deploy code and applications?

    • Software
    • Desktop
    • Platform
    • Infrastructure
    Explanation:
    The platform service capability provides programming languages and libraries from the cloud provider, where the customer can deploy their own code and applications into a managed and controlled framework.

  15. What process is used within a cloud environment to maintain resource balancing and ensure that resources are available where and when needed?

    • Dynamic clustering
    • Dynamic balancing
    • Dynamic resource scheduling
    • Dynamic optimization
    Explanation:
    Dynamic optimization is the process through which the cloud environment is constantly maintained to ensure resources are available when and where needed, and that physical nodes do not become overloaded or near capacity while others are underutilized.

  16. Which value refers to the percentage of production level restoration needed to meet BCDR objectives?

    • RPO
    • RTO
    • RSL
    • SRE
    Explanation:
    The recovery service level (RSL) is a percentage measure of the total typical production service level that needs to be restored to meet BCDR objectives in the case of a failure.

  17. Over time, what is a primary concern for data archiving?

    • Size of archives
    • Format of archives
    • Recoverability
    • Regulatory changes
    Explanation:
    Over time, maintaining the ability to restore and read archives is a primary concern for data archiving. As technologies change and new systems are brought in, it is imperative for an organization to ensure they are still able to restore and access archives for the duration of the required retention period.

  18. What is an often overlooked concept that is essential to protecting the confidentiality of data?

    • Strong password
    • Training
    • Security controls
    • Policies
    Explanation:
    While the main focus of confidentiality revolves around technological requirements or particular security methods, an important and often overlooked aspect of safeguarding data confidentiality is appropriate and comprehensive training for those with access to it. Training should be focused on the safe handling of sensitive information overall, including best practices for network activities as well as physical security of the devices or workstations used to access the application.

  19. Which of the cloud deployment models offers the most control and input to the cloud customer as to how the overall cloud environment is implemented and configured?

    • Public
    • Community
    • Hybrid
    • Private
    Explanation:
    A private cloud model, and the specific contractual relationships involved, will give a cloud customer the greatest level of input and control over how the overall cloud environment is designed and implemented. This is even more so in cases where the private cloud is owned and operated by the same organization that is hosting services within it.

  20. What concept does the “D” represent with the STRIDE threat model?

    • Data loss
    • Denial of service
    • Data breach
    • Distributed
    Explanation:
    Any application can be a possible target of denial-of-service (DoS) attacks. From the application side, the developers should minimize how many operations are performed for non-authenticated users. This will keep the application running as quickly as possible and using the least amount of system resources to help minimize the impact of any such attacks.