CCSP : Certified Cloud Security Professional (CCSP) : Part 24

  1. Each of the following is a dependency that must be considered when reviewing the BIA after cloud migration except:

    • The cloud provider’s utilities
    • The cloud provider’s suppliers
    • The cloud provider’s resellers
    • The cloud provider’s vendors

    Explanation: 
    The cloud provider’s resellers are a marketing and sales mechanism, not an operational dependency that could affect the security of a cloud customer.

  2. Because of multitenancy, specific risks in the public cloud that don’t exist in the other cloud deployment models include all the following except:

    • DoS/DDoS
    • Information bleed
    • Risk of loss/disclosure due to legal seizures
    • Escalation of privilege
    Explanation: 
    DoS/DDoS threats and risks are not unique to the public cloud model.
  3. What is the cloud service model in which the customer is responsible for administration of the OS?

    • QaaS
    • SaaS
    • PaaS
    • IaaS
    Explanation: 
    In IaaS, the cloud provider only owns the hardware and supplies the utilities. The customer is responsible for the OS, programs, and data. In PaaS and SaaS, the provider also owns the OS. There is no QaaS. That is a red herring.
  4. All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except:

    • Ensure there are no physical limitations to moving
    • Use DRM and DLP solutions widely throughout the cloud operation
    • Ensure favorable contract terms to support portability
    • Avoid proprietary data formats
    Explanation: 
    DRM and DLP are used for increased authentication/access control and egress monitoring, respectively, and would actually decrease portability instead of enhancing it.
  5. Hardening the operating system refers to all of the following except:

    • Limiting administrator access
    • Closing unused ports
    • Removing antimalware agents
    • Removing unnecessary services and libraries
    Explanation: 
    Removing antimalware agents. Hardening the operating system means making it more secure. Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure. But removing antimalware agents would actually make the system less secure. If anything, antimalware agents should be added, not removed.
  6. Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?

    • SOC 1 Type 1
    • SOC 2 Type 2
    • SOC 3
    • SOC 1 Type 2
    Explanation: 
    The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting, and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.
  7. The cloud customer’s trust in the cloud provider can be enhanced by all of the following except:

    • SLAs
    • Shared administration
    • Audits
    • Real-time video surveillance
    Explanation:
    Video surveillance will not provide meaningful information to the customer and will not enhance trust. All the others do.
  8. As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphia, Congress passed legislation known as:

    • SOX
    • HIPAA
    • FERPA
    • GLBA
    Explanation: 
    Sarbanes-Oxley was a direct response to corporate scandals. FERPA is related to education. GLBA is about the financial industry. HIPAA is about health care.
  9. In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?

    • HIPAA
    • The contract
    • Statutes
    • Security control matrix
    Explanation: 
    The contract between the provider and customer enhances the customer’s trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures). Statutes, however, largely leave customers liable. The security control matrix is a tool for ensuring compliance with regulations. HIPAA is a statute.
  10. The application normative framework is best described as which of the following?

    • A superset of the ONF
    • A stand-alone framework for storing security practices for the ONF
    • The complete ONF
    • A subset of the ONF
    Explanation: 
    Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization). Therefore, the ANF is a subset of the ONF.
  11. Deviations from the baseline should be investigated and __________________.

    • Revealed
    • Documented
    • Encouraged
    • Enforced
    Explanation: 
    All deviations from the baseline should be documented, including details of the investigation and outcome. We do not enforce or encourage deviations. Presumably, we would already be aware of the deviation, so “revealing” is not a reasonable answer.
  12. Which of the following best describes the Organizational Normative Framework (ONF)?

    • A set of application security, and best practices, catalogued and leveraged by the organization
    • A container for components of an application’s security, best practices catalogued and leveraged by the organization
    • A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization
    • A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization.
    Explanation: 
    Option B is incorrect because it refers to a specific application’s security elements, meaning it describes an ANF, not the ONF. Option C is true but not as complete as D, making D the better choice: C suggests that the framework contains only “some” of the components, whereas D (which describes “all” components) is correct.
  13. A UPS should have enough power to last how long?

    • One day
    • 12 hours
    • Long enough for graceful shutdown
    • 10 minutes
  14. Which of the following best describes the purpose and scope of ISO/IEC 27034-1?

    • Describes international privacy standards for cloud computing
    • Serves as a newer replacement for NIST 800-52 r4
    • Provides an overview of network and infrastructure security designed to secure cloud applications.
    • Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security.
  15. Which of the following best describes SAML?

    • A standard used for directory synchronization
    • A standard for developing secure application management logistics
    • A standard for exchanging usernames and passwords across devices.
    • A standard for exchanging authentication and authorization data between security domains.
  16. Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like:

    • Ransomware
    • SYN floods
    • XSS and SQL injection
    • Password cracking
    Explanation: 
    WAFs inspect HTTP requests and responses at the application layer, so they are well placed to detect and block things like SQL injection and XSS. Password cracking, SYN floods, and ransomware do not arrive as crafted HTTP request content in the way injection and XSS do, and they are better addressed with controls at the router and through the use of HIDS, NIDS, and antimalware tools.
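    The following Python script is an added example, not code from the original page, that models the application-layer inspection a WAF performs. The two rule patterns and the sample requests are constructed for illustration and are far simpler than a real ruleset; the point is that injection and XSS payloads are visible in the decoded request parameters, while a SYN flood never produces an HTTP request for such rules to see.

```python
"""Application-layer request inspection in the style of a WAF.

Added example, not code from the original page. A WAF sees each HTTP
request (path, query string, body) and can therefore spot injection and
XSS payloads; a SYN flood is exhausted at the TCP layer before any HTTP
request exists, so no request-level rule can observe it. The rules and
the sample requests below are constructed for illustration and are far
simpler than a production ruleset such as the OWASP Core Rule Set.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed signatures: deliberately small, and easy to bypass in practice.
RULES = {
    "sqli": re.compile(
        r"(?i)(\bunion\b.{0,20}\bselect\b"      # UNION ... SELECT
        r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"         # ' OR '1'='1  /  ' OR 1=1
        r"|--\s*$"                               # trailing SQL comment
        r"|;\s*drop\s+table\b)"                  # stacked DROP TABLE
    ),
    "xss": re.compile(
        r"(?i)(<\s*script\b"                     # <script ...>
        r"|\bon\w+\s*="                          # onerror=, onload=, ...
        r"|javascript\s*:)"                      # javascript: URLs
    ),
}


def _normalize(value):
    """parse_qs already URL-decodes once; decode again so a double-encoded
    payload (%2527 -> %27 -> ') is matched in its final form."""
    return unquote_plus(value)


def inspect_request(method, path, body=""):
    """Return a list of (rule_name, parameter, decoded_value) findings."""
    findings = []
    _, _, query = path.partition("?")
    params = {k: list(v) for k, v in parse_qs(query, keep_blank_values=True).items()}
    if method.upper() == "POST" and body:
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault("body:" + k, []).extend(v)
    for name, values in params.items():
        for raw in values:
            value = _normalize(raw)
            for rule_name, pattern in RULES.items():
                if pattern.search(value):
                    findings.append((rule_name, name, value))
    return findings


def decide(method, path, body=""):
    """Blocking decision for one request: ('block', findings) or ('allow', [])."""
    findings = inspect_request(method, path, body)
    return ("block", findings) if findings else ("allow", findings)


# Constructed sample traffic, including one double-encoded payload.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=cloud+security", ""),
    ("GET", "/login?user=admin%27+OR+%271%27%3D%271", ""),
    ("GET", "/comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("GET", "/item?id=1%2527%2520OR%25201%253D1--", ""),
    ("POST", "/profile", "bio=hello&site=javascript%3Aalert(document.cookie)"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        verdict, hits = decide(method, path, body)
        print(f"{verdict:5} {method} {path} {[h[0] for h in hits]}")
```

    Note the decoding step: a WAF that matched only the raw query string would miss the double-encoded request, which is one of the standard bypass techniques against signature-based inspection. Equally, nothing in this script could react to a SYN flood, because that traffic never becomes an HTTP request.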
  17. APIs are defined as which of the following?

    • A set of protocols, and tools for building software applications to access a web-based software application or tool
    • A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool
    • A set of standards for building software applications to access a web-based software application or tool
    • A set of routines and tools for building software applications to access web-based software applications
    Explanation: 
    All the answers are true, but B is the most complete.
  18. Which of the following best describes data masking?

    • A method for creating similar but inauthentic datasets used for software testing and user training.
    • A method used to protect prying eyes from data such as social security numbers and credit card data.
    • A method where the last few numbers in a dataset are not obscured. These are often used for authentication.
    • Data masking involves stripping out all digits in a string of numbers so as to obscure the original number.
    Explanation: 
    All of these answers are actually correct, but A is the best answer, because it is the most general, includes the others, and is therefore the optimum choice. This is a good example of the type of question that can appear on the actual exam.
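    The following Python script is an added example, not code from the original page, that implements the three masking styles the options above describe: partial masking that keeps the last four digits, full redaction of every digit, and generation of a similar but inauthentic dataset for testing or training. The sample records are constructed and the synthetic values come from a seeded PRNG, so nothing here is a real identifier.

```python
"""Data-masking styles described in the question above.

Added example, not code from the original page. It shows partial masking
that keeps the last four digits, full redaction of every digit, and
generation of a similar-looking but inauthentic dataset for testing or
training. The sample records are constructed, and the synthetic values
come from a seeded PRNG so the output is deterministic and contains no
real identifiers.
"""
import random

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()


def mask_keep_last(value, keep=4, mask_char="*"):
    """Mask every digit except the last `keep`, preserving separators, so a
    card or SSN is still recognisable for display ('**** **** **** 1111')."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    to_mask = set(digit_positions[:-keep]) if keep else set(digit_positions)
    return "".join(mask_char if i in to_mask else ch for i, ch in enumerate(value))


def redact_digits(value, mask_char="X"):
    """Replace every digit; nothing about the original number survives."""
    return "".join(mask_char if ch.isdigit() else ch for ch in value)


def synthetic_like(value, rng):
    """Keep the shape of the value (digit/letter/separator positions) but
    replace the content, so test data looks real without being real."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(str(rng.randrange(10)))
        elif ch.isalpha():
            out.append(rng.choice(UPPER if ch.isupper() else LOWER))
        else:
            out.append(ch)
    return "".join(out)


# Which fields get which treatment when a record is shown to a support user.
DISPLAY_POLICY = {"ssn": redact_digits, "card": mask_keep_last}


def mask_record(record, policy=DISPLAY_POLICY):
    """Apply the display policy; fields not in the policy pass through."""
    return {k: policy[k](v) if k in policy else v for k, v in record.items()}


def build_test_dataset(records, seed=1):
    """Inauthentic copy of a dataset for software testing or user training."""
    rng = random.Random(seed)
    return [{k: synthetic_like(v, rng) for k, v in r.items()} for r in records]


# Constructed sample records; these are not real people or real numbers.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"name": "Bob Sample", "ssn": "987-65-4321", "card": "5500 0000 0000 0004"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(mask_record(r))
    print(build_test_dataset(SAMPLE_RECORDS))
```

    The display policy treats the two fields differently on purpose. Leaving the last four digits visible is convenient for a help-desk screen, but those same digits are often used as a weak authenticator, so every viewer of a partially masked value learns them; where they are not needed, full redaction or a synthetic copy gives away nothing.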
  19. Which of the following best describes a sandbox?

    • An isolated space where untested code and experimentation can safely occur separate from the production environment.
    • A space where you can safely execute malicious code to see what it does.
    • An isolated space where transactions are protected from malicious software
    • An isolated space where untested code and experimentation can safely occur within the production environment.
    Explanation:
    Options B and C are also correct, but A is more general and incorporates them both. D is incorrect, because sandboxing does not take place in the production environment.
  20. A localized incident or disaster can be addressed in a cost-effective manner by using which of the following?

    • UPS
    • Generators
    • Joint operating agreements
    • Strict adherence to applicable regulations
    Explanation: 
    Joint operating agreements can provide nearby relocation sites so that a disruption limited to the organization’s own facility and campus can be addressed at a different facility and campus. UPS and generators are not limited to serving needs for localized causes. Regulations do not promote cost savings and are not often the immediate concern during BC/DR activities.