CCSP : Certified Cloud Security Professional (CCSP) : Part 16

  1. On large distributed systems with pooled resources, cloud computing relies on extensive orchestration to maintain the environment and the constant provisioning of resources.

    Which of the following is crucial to the orchestration and automation of networking resources within a cloud?

    • DNSSEC
    • DNS
    • DCOM
    • DHCP

    Explanation:
    The Dynamic Host Configuration Protocol (DHCP) automatically configures network settings for a host so that these settings do not need to be configured on the host statically. Given the rapid and programmatic provisioning of resources within a cloud environment, this capability is crucial to cloud operations. Both DNS and its security-integrity extension DNSSEC provide name resolution to IP addresses, but neither is used for the configuration of network settings on a host. DCOM refers to the Distributed Component Object Model, which was developed by Microsoft as a means to request services across a network, and is not used for network configurations at all.

  2. BCDR strategies do not typically involve the entire operations of an organization, but only those deemed critical to their business.

    Which concept pertains to the amount of services that need to be recovered to meet BCDR objectives?

    • RSL
    • RTO
    • RPO
    • SRE
    Explanation:
    The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the determined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. SRE is provided as an erroneous response.
  3. During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis?

    • Contractual requirements
    • Regulations
    • Vendor recommendations
    • Corporate policy
    Explanation:
    Vendor recommendations would not be pertinent to the gap analysis after an audit. Although vendor recommendations will typically play a role in the development of corporate policies or contractual requirements, they are not required. Regulations, corporate policy, and contractual requirements all determine the expected or mandated controls in place on a system.
  4. The GAPP framework was developed through a joint effort between the major Canadian and American professional accounting associations in order to assist their members with managing and preventing risks to the privacy of their data and customers.

    Which of the following is the meaning of GAPP?

    • General accounting personal privacy
    • Generally accepted privacy practices
    • Generally accepted privacy principles
    • General accounting privacy policies
  5. Which protocol operates at the network layer and provides for full point-to-point encryption of all communications and transmissions?

    • IPSec
    • VPN
    • SSL
    • TLS
    Explanation:
    IPSec is a protocol for encrypting and authenticating packets during transmission between two parties and can involve any type of device, application, or service. The protocol performs both the authentication and negotiation of security policies between the two parties at the start of the connection and then maintains these policies throughout the lifetime of the connection. TLS operates at the application layer, not the network layer, and is widely used to secure communications between two parties. SSL is similar to TLS but has been deprecated. Although a VPN allows a secure channel for communications into a private network from an outside location, it’s not a protocol.
  6. When data discovery is undertaken, three main approaches or strategies are commonly used to determine the type of data, its format, and its composition for the purposes of classification.

    Which of the following is NOT one of the three main approaches to data discovery?

    • Content analysis
    • Hashing
    • Labels
    • Metadata
    Explanation:
    Hashing involves taking a block of data and, through the use of a one-way operation, producing a fixed-size value that can be used for comparison with other data. It is used primarily for protecting data and allowing for rapid comparison when matching data values such as passwords. Labels involve looking for header information or other categorizations of data to determine its type and possible classifications. Metadata involves looking at information attributes of the data, such as creator, application, type, and so on, in determining classification. Content analysis involves examining the actual data itself for its composition and classification level.
  7. There are many situations when testing a BCDR plan is appropriate or mandated.

    Which of the following would not be a necessary time to test a BCDR plan?

    • After software updates
    • After regulatory changes
    • After major configuration changes
    • Annually
    Explanation:
    Regulatory changes by themselves would not trigger a need for new testing of a BCDR plan. Any changes necessary for regulatory compliance would be accomplished through configuration changes or software updates, which in turn would then trigger the necessary new testing. Annual testing is crucial to any BCDR plan. Also, any time major configuration changes or software updates are done, the plan should be evaluated and tested to ensure it is still valid and complete.
  8. Key maintenance and security are paramount within a cloud environment due to the widespread use of encryption for both data and transmissions.

    Which of the following key-management systems would provide the most robust control over and ownership of the key-management processes for the cloud customer?

    • Remote key management service
    • Local key management service
    • Client key management service
    • Internal key management service
    Explanation:
    A remote key management system resides away from the cloud environment and is owned and controlled by the cloud customer. With the use of a remote service, the cloud customer can avoid being locked into a proprietary system from the cloud provider, but also must ensure that service is compatible with the services offered by the cloud provider. A local key management system resides on the actual servers using the keys, which does not provide optimal security or control over them. Both the terms internal key management service and client key management service are provided as distractors.
  9. Security is a critical yet often overlooked consideration for BCDR planning.

    At which stage of the planning process should security be involved?

    • Scope definition
    • Requirements gathering
    • Analysis
    • Risk assessment
    Explanation:
    Defining the scope of the plan is the very first step in the overall process. Security should be included from the very earliest stages and throughout the entire process. Bringing in security at a later stage can lead to additional costs and time delays to compensate for gaps in planning. Risk assessment, requirements gathering, and analysis are all later steps in the process, and adding in security at any of those points can potentially cause increased costs and time delays.
  10. Which type of testing uses the same strategies and toolsets that hackers would use?

    • Static
    • Malicious
    • Penetration
    • Dynamic
    Explanation:
    Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discover potential vulnerabilities. Although the term malicious captures much of the intent of penetration testing from the perspective of an attacker, it is not the best answer. Static and dynamic are two types of system testing, where static is done offline and with knowledge of the system, and dynamic is done on a live system without any previous knowledge, but neither describes the type of testing being asked for in the question.
  11. Which of the following statements about Type 1 hypervisors is true?

    • The hardware vendor and software vendor are different.
    • The hardware vendor and software vendor are the same.
    • The hardware vendor provides an open platform for software vendors.
    • The hardware vendor and software vendor should always be different for the sake of security.
    Explanation:
    With a Type 1 hypervisor, the management software and hardware are tightly tied together and provided by the same vendor on a closed platform. This allows for optimal security, performance, and support. The other answers are all incorrect descriptions of a Type 1 hypervisor.
  12. Which format is the most commonly used standard for exchanging information within a federated identity system?

    • XML
    • HTML
    • SAML
    • JSON
    Explanation:
    Security Assertion Markup Language (SAML) is the most common data format for information exchange within a federated identity system. It is used to transmit and exchange authentication and authorization data. XML is similar to SAML, but it’s used for general-purpose data encoding and labeling and is not used for the exchange of authentication and authorization data in the way that SAML is for federated systems. JSON is used similarly to XML, as a text-based data exchange format that typically uses attribute-value pairings, but it’s not used for authentication and authorization exchange. HTML is used only for encoding web pages for web browsers and is not used for data exchange, and certainly not in a federated system.
  13. Which ITIL component is focused on anticipating predictable problems and ensuring that configurations and operations are in place to prevent these problems from ever occurring?

    • Availability management
    • Continuity management
    • Configuration management
    • Problem management
    Explanation:
    Problem management is focused on identifying and mitigating known problems and deficiencies before they are able to occur, as well as on minimizing the impact of incidents that cannot be prevented. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Configuration management tracks and maintains detailed information about all IT components within an organization.
  14. Which of the following areas of responsibility would be shared between the cloud customer and cloud provider within the Software as a Service (SaaS) category?

    • Data
    • Governance
    • Application
    • Physical
    Explanation:
    With SaaS, the application is a shared responsibility between the cloud provider and cloud customer. Although the cloud provider is responsible for deploying, maintaining, and securing the application, the cloud customer does carry some responsibility for the configuration of users and options. Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. With all cloud service categories, the data and governance are always the sole responsibility of the cloud customer.
  15. When a system needs to be exposed to the public Internet, what type of secure system would be used to perform only the desired operations?

    • Firewall
    • Proxy
    • Honeypot
    • Bastion
    Explanation:
    A bastion is a system that is exposed to the public Internet to perform a specific function, but it is highly restricted and secured to just that function. Any nonessential services and access are removed from the bastion so that security countermeasures and monitoring can be focused just on the bastion’s specific duties. A honeypot is a system designed to look like a production system to entice attackers, but it does not contain any real data. It is used for learning about types of attacks and enabling countermeasures for them. A firewall is used within a network to limit access between IP addresses and ports. A proxy server provides additional security to and rulesets for network traffic that is allowed to pass through it to a service destination.
  16. With the rapid emergence of cloud computing, very few regulations were in place that pertained to it specifically, and organizations often had to resort to using a collection of regulations that were not specific to cloud in order to drive audits and policies.

    Which standard from the ISO/IEC was designed specifically for cloud computing?

    • ISO/IEC 27001
    • ISO/IEC 19889
    • ISO/IEC 27001:2015
    • ISO/IEC 27018
    Explanation:
    ISO/IEC 27018 was implemented to address the protection of personal and sensitive information within a cloud environment. ISO/IEC 27001 and its later 27001:2015 revision are both general-purpose data security standards. ISO/IEC 19889 is an erroneous answer.
  17. Which of the following is NOT considered a type of data loss?

    • Data corruption
    • Stolen by hackers
    • Accidental deletion
    • Lost or destroyed encryption keys
    Explanation:
    The exposure of data by hackers is considered a data breach. Data loss focuses on the data availability rather than security. Data loss occurs when data becomes lost, unavailable, or destroyed, when it should not have been.
  18. Which of the following jurisdictions lacks a comprehensive national policy on data privacy and the protection of personally identifiable information (PII)?

    • European Union
    • Asian-Pacific Economic Cooperation
    • United States
    • Russia
    Explanation:
    The United States has a myriad of regulations focused on specific types of data, such as healthcare and financial, but lacks an overall comprehensive privacy law on the national level. The European Union, the Asian-Pacific Economic Cooperation, and Russia all have national privacy protections and regulations for handling the PII data of their citizens.
  19. Which component of ITIL involves planning for the restoration of services after an unexpected outage or incident?

    • Continuity management
    • Problem management
    • Configuration management
    • Availability management
    Explanation:
    Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Configuration management tracks and maintains detailed information about all IT components within an organization.
  20. Which component of ITIL pertains to planning, coordinating, executing, and validating changes and rollouts to production environments?

    • Release management
    • Availability management
    • Problem management
    • Change management
    Explanation:
    Release management involves planning, coordinating, executing, and validating changes and rollouts to the production environment. Change management is a higher-level component than release management and also involves stakeholder and management approval, rather than specifically focusing on the actual release itself. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.