AIO QA Comprehensive Flashcards
Your organization has just been served with an eDiscovery order. Because the organization has moved to a cloud environment, what is the biggest challenge when it comes to full compliance with an eDiscovery order?
A. Virtualization
B. Data discovery
C. Multitenancy
D. Resource pooling
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 344). McGraw Hill LLC. Kindle Edition.
B. Data discovery
Explanation:
Data discovery in a cloud environment encounters significant challenges due to the distributed nature of cloud computing. A primary concern with eDiscovery is determining all of the applicable data and locating it for collection and preservation. Within a cloud environment, locating the data and ensuring that all locations have been found can be a difficult process and will require the cooperation of both the cloud provider and the cloud customer, with procedures outlined in the contract and SLAs. A is incorrect because while virtualization forms the backbone of a cloud environment, the actual use of virtual machines does not increase the difficulty of data discovery, even if it does mean that assistance may be needed from the cloud provider for the actual data collection. With physical hardware, it is very easy to fully isolate and gather information because support staff will have full control of and access to the systems at all levels. C is incorrect because multitenancy involves hosting different systems and applications, from different organizations, within the same cloud environment and sharing resources between them. Although this can pose an additional challenge, depending on the scope of the eDiscovery order and the data it pertains to, data discovery as a broad topic is the more appropriate answer. D is incorrect because resource pooling is the sharing of resources between many different customers and systems, allowing for the aggregation of resources and the sharing of load across them. This will not have any impact on data-discovery processes.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 344). McGraw Hill LLC. Kindle Edition.
DHCP is heavily used within cloud environments to maintain network configurations in a centralized manner. Which of the following is not a network configuration that plays a role with DHCP?
A. IP address
B. Host name
C. MAC address
D. Gateway
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 344). McGraw Hill LLC. Kindle Edition.
B. Host name
Explanation:
Host name resolution is provided via the domain name service (DNS) and not provided as part of the network configuration for a specific server. A is incorrect because the IP address is one of the core network configuration items provided via DHCP to a server. C is incorrect because the MAC address is what the DHCP servers use to track and maintain network configuration settings for a host. D is incorrect because a gateway address would be assigned by a DHCP server as part of the network configuration given to the host.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 345). McGraw Hill LLC. Kindle Edition.
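The network configuration the card is talking about travels in two places in a DHCP message: the offered IP and the client MAC sit in the fixed header (yiaddr and chaddr), while subnet mask, gateway, DNS servers and lease time are TLV options. The parser below is an added example written for these flashcards, not code from the exam guide; the DHCPOFFER it decodes is constructed, not a capture. One caveat for practitioners: RFC 2132 does define a Host Name option (code 12), which the parser also decodes, so the card's distinction is about where name resolution happens (DNS), not about whether a host name can appear in a DHCP exchange.

```python
import ipaddress
import struct

# Option codes from RFC 2132 that this example decodes.
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_HOST_NAME, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 12, 51, 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def _ipv4_list(value):
    return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]


def parse_dhcp_options(data):
    """Walk the TLV option field and return a dict keyed by option name.
    A truncated option raises ValueError instead of reading past the buffer."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        i += 2 + length
        if code == OPT_SUBNET_MASK:
            out["subnet_mask"] = str(ipaddress.IPv4Address(value))
        elif code == OPT_ROUTER:
            out["routers"] = _ipv4_list(value)          # default gateway(s)
        elif code == OPT_DNS:
            out["dns_servers"] = _ipv4_list(value)
        elif code == OPT_HOST_NAME:
            out["host_name"] = value.decode("ascii", "replace")
        elif code == OPT_LEASE_TIME:
            out["lease_seconds"] = struct.unpack("!I", value)[0]
        elif code == OPT_MSG_TYPE:
            out["message_type"] = MSG_TYPES.get(value[0], value[0])
        else:
            out.setdefault("unknown", {})[code] = value.hex()
    return out


def parse_dhcp(message):
    """Parse a whole DHCP message: fixed header (client MAC, offered IP)
    plus the options field that follows the magic cookie."""
    if len(message) < 240 or message[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hdr = struct.unpack(HEADER_FMT, message[:236])
    chaddr = hdr[11][:hdr[2]]          # hlen says how many chaddr bytes are used
    return {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(hdr[0], hdr[0]),
        "xid": hdr[4],
        "your_ip": str(ipaddress.IPv4Address(hdr[8])),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "options": parse_dhcp_options(message[240:]),
    }


def build_sample_offer():
    """Constructed DHCPOFFER for the example (not a real capture)."""
    header = struct.pack(
        HEADER_FMT, 2, 1, 6, 0, 0x3903F326, 0, 0,
        bytes(4), ipaddress.IPv4Address("10.0.0.42").packed,
        ipaddress.IPv4Address("10.0.0.1").packed, bytes(4),
        bytes.fromhex("001122334455") + bytes(10), bytes(64), bytes(128))
    options = bytes([
        OPT_MSG_TYPE, 1, 2,                          # OFFER
        OPT_SUBNET_MASK, 4, 255, 255, 255, 0,
        OPT_ROUTER, 4, 10, 0, 0, 1,                  # gateway 10.0.0.1
        OPT_DNS, 8, 10, 0, 0, 53, 10, 0, 0, 54,
        OPT_LEASE_TIME, 4, 0, 0, 0x0E, 0x10,         # 3600 seconds
        OPT_HOST_NAME, 5, *b"web01",
        OPT_END,
    ])
    return header + MAGIC_COOKIE + options
```

The server identifies the lease by the chaddr field, which is why the MAC is the key the card says DHCP tracks hosts by; everything the client actually configures comes out of the options dict.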
Your organization is considering a move to a cloud environment and is looking for certifications or audit reports from cloud providers to ensure adequate security controls and processes. Which of the following is not a security certification or audit report that would be pertinent?
A. FedRAMP
B. PCI DSS
C. FIPS 140-2
D. SOC Type 2
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 345). McGraw Hill LLC. Kindle Edition.
C. FIPS 140-2
Explanation:
FIPS 140-2 is a security standard from the United States federal government that pertains to the accreditation of cryptographic modules. While this is important to security processes and controls, it is not a certification or audit report that is responsive to overall security controls, policies, or operations. A is incorrect because the Federal Risk and Authorization Management Program (FedRAMP) is a program under the U.S. government for ensuring adequate security policies, practices, and configurations when using cloud-based resources and services. It offers certifications at different classification levels for federal agencies to use in their security monitoring and auditing and ensures they comply with specific, established security standards. B is incorrect because the Payment Card Industry Data Security Standard (PCI DSS) is an industry security standard for organizations that process and handle credit card transactions from the major credit card vendors and platforms. PCI DSS certification can be obtained, or required, by complying with and verifying security standards and policies. D is incorrect because the Service Organization Control (SOC) Type 2 reports focus on the nonfinancial aspects of an organization’s systems, specifically related to security, privacy, availability, processing integrity, and confidentiality. They are produced after thorough audits and reviews, and they can be used to assure clients of security controls and policies meeting specific standards and requirements.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 345). McGraw Hill LLC. Kindle Edition.
You are tasked with creating a system for ensuring that new systems meet security standards and policies as they are brought online. What is your best option to accomplish this?
A. Images
B. Baselines
C. Patching
D. Virtualization
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 346). McGraw Hill LLC. Kindle Edition.
B. Baselines
Explanation:
Baselines are a set of standards and settings that are applied to systems when they are first built. They are essentially templates and images that are built to security policies and are applied to any systems based on their purpose. A is incorrect because images can be used for consistency within an environment, but, ultimately, when they are first built, it will be the reliance on baselines that ensures they are built to security and policy standards. C is incorrect because patching will serve to maintain security updates going forward, but it will not be useful for ensuring newly built systems conform to policies. D is incorrect because virtualization will be a powerful tool for the use of images that have baselines applied, but overall it is not something that will automatically apply security controls and policies.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 346). McGraw Hill LLC. Kindle Edition.
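A baseline only does what the card describes if something actually compares a newly built host against it before the host goes live. The check below is an added example written for these flashcards, not code from the exam guide; the baseline rules, the sshd_config snippet and the host settings are constructed, and the rule set is an assumption rather than any published benchmark.

```python
# Constructed baseline (an assumption for this example, not a published
# benchmark): setting name -> (comparison rule, required value).
BASELINE = {
    "ssh.PermitRootLogin": ("eq", "no"),
    "ssh.PasswordAuthentication": ("eq", "no"),
    "ssh.X11Forwarding": ("eq", "no"),
    "password.minlen": ("ge", 14),
    "audit.enabled": ("eq", True),
}


def parse_kv_config(text, prefix):
    """Parse 'Key value' lines such as sshd_config into {prefix.Key: value}.
    Comments and blank lines are skipped; the first occurrence of a key wins,
    which is how sshd itself resolves duplicate directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(f"{prefix}.{key}", value.strip())
    return settings


def check_baseline(actual, baseline=BASELINE):
    """Compare collected settings to the baseline. Returns a list of
    (setting, rule, expected, actual) findings; an empty list means the
    host conforms and may be brought online."""
    findings = []
    for key, (rule, expected) in baseline.items():
        if key not in actual:
            findings.append((key, "missing", expected, None))
            continue
        value = actual[key]
        if rule == "eq":
            ok = value == expected
        elif rule == "ge":
            ok = value >= expected
        else:
            raise ValueError(f"unknown rule {rule!r} for {key}")
        if not ok:
            findings.append((key, rule, expected, value))
    return findings


# Constructed settings as they might be collected from a freshly built host.
NEW_HOST_SSHD_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
"""
NEW_HOST_OTHER = {"password.minlen": 8, "audit.enabled": True}


def audit_new_host():
    """Run the baseline check over the constructed host and return its findings."""
    actual = dict(NEW_HOST_OTHER)
    actual.update(parse_kv_config(NEW_HOST_SSHD_CONFIG, "ssh"))
    return check_baseline(actual)
```

A setting that is absent is reported as "missing" rather than silently passed, since an image that never applied the control at all is the case the baseline exists to catch.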
You are developing a new process for data discovery for your organization and are charged with ensuring that all applicable data is included. Which of the following is not one of the three methods of data discovery?
A. Metadata
B. Content analysis
C. Labels
D. Classification
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 346). McGraw Hill LLC. Kindle Edition.
D. Classification
Explanation:
Classification is the overall process of using certain attributes about data and then applying appropriate security controls to that data. Classification is applied after data discovery has been completed, and it pertains only to the application of security controls, not the actual process of discovering or determining data. A is incorrect because metadata is essentially information about data, such as its type, how it is stored, how it is organized, how it was created, or how it is used. Metadata can also include headers and organizational markings, such as column or field names in a database or a spreadsheet. B is incorrect because content analysis involves looking at the data itself to make decisions based on what it is. This can include a person actually looking at it manually or using tools like checksums, heuristics, or statistical analysis to determine its content and data discovery. C is incorrect because labels are groupings or categorizations that have been applied to data either by personnel or automated means. They are typically done based on the characteristics or content of the data and then matched against criteria to be included under such a label. Unlike metadata, labels are only as good as how standardized they are and how thoroughly they are used throughout an environment. If they are not used in a standardized way or done comprehensively across all data sets, their usefulness to data discovery will be greatly diminished.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 346-347). McGraw Hill LLC. Kindle Edition.
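The three discovery methods the card lists find different things, and the gap between them is the point: a column that was never labelled still has to be found by content. The code below is an added example written for these flashcards, not code from the exam guide. The dataset, the column-name rule table and the labels are constructed; the Luhn check is the standard card-number checksum and the regular expressions are assumptions good enough for the sample.

```python
import re

# Constructed sample dataset (not from the exam guide): column names,
# rows, and the labels a data steward applied. 'notes' was never labelled.
SAMPLE_COLUMNS = ["customer_id", "email", "card_number", "notes"]
SAMPLE_ROWS = [
    {"customer_id": "1001", "email": "a.jones@example.com",
     "card_number": "4111 1111 1111 1111", "notes": "VIP"},
    {"customer_id": "1002", "email": "n/a",
     "card_number": "1234 5678 9012 3456",
     "notes": "SSN 078-05-1120 on file"},
]
SAMPLE_LABELS = {"card_number": "PCI"}

# Method 1: metadata. Field names are information about the data; this
# rule table is an assumption for the example.
METADATA_RULES = {
    "PCI": ("card", "pan", "ccnum"),
    "PII": ("ssn", "email", "dob", "phone"),
}


def discover_by_metadata(columns):
    hits = {}
    for col in columns:
        name = col.lower()
        for category, needles in METADATA_RULES.items():
            if any(n in name for n in needles):
                hits[col] = category
    return hits


# Method 2: content analysis. Look at the values themselves; the Luhn
# checksum separates real card numbers from 16-digit noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover_by_content(rows):
    hits = {}
    for row in rows:
        for col, value in row.items():
            for m in CARD_RE.finditer(value):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    hits[col] = "PCI"
            if SSN_RE.search(value) or EMAIL_RE.search(value):
                hits.setdefault(col, "PII")
    return hits


# Method 3: labels. Only as good as their coverage, as the card notes.
def discover_by_labels(labels):
    return {col: cat for col, cat in labels.items() if cat}


def discover(columns, rows, labels):
    """Union of the three methods, recording which method found each column."""
    found = {}
    for method, hits in (("metadata", discover_by_metadata(columns)),
                         ("content", discover_by_content(rows)),
                         ("labels", discover_by_labels(labels))):
        for col, category in hits.items():
            entry = found.setdefault(col, {"category": category, "methods": set()})
            entry["methods"].add(method)
    return found
```

Run over the sample, card_number is found by all three methods, email by metadata and content, and the SSN hiding in the free-text notes column only by content analysis; a discovery process that relied on labels alone would miss it.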
Management has requested that security testing be done against their live cloud-based applications, with the testers not having internal knowledge of the system. Not attempting to actually breach systems or inject data is also a top requirement. Which of the following would be the appropriate approach to take?
A. Static application security testing
B. Penetration testing
C. Runtime application self-protection
D. Dynamic application security testing
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 347). McGraw Hill LLC. Kindle Edition.
D. Dynamic application security testing
Explanation:
Dynamic application security testing is done against a system or application in its actual runtime state, and the testers do not have specific knowledge about the configurations or technologies employed on it. Unlike static application security testing, dynamic testing must discover all interfaces and paths to test, but unlike penetration testing, it does not attempt to actively exploit vulnerabilities that could cause system outages, impact to users, or damage to the system or data. A is incorrect because static application security testing is done against offline systems, and the testers have knowledge ahead of time about the application and its configuration. This can include documentation about system design and the specific technologies used as well as access to the source code and programming libraries that the application was built upon. Because the testing is done against offline systems, it does not have the ability to impact production systems or users while the testing is being completed. B is incorrect because penetration testing is done against an application where the testers do not have any particular knowledge of the system or application. They would not know the specific technologies or toolsets used in the development of the application, and they would not have information about the runtime environment and the technologies it is built upon. Penetration testing is done using the same toolsets and tactics that hackers would use to attack the system in a real situation, and it is intended to determine security vulnerabilities in a proactive manner, allowing for patching or mitigation before hackers are able to discover the same exploits and successfully use them. C is incorrect because runtime application self-protection is the ability of a system or application to detect and respond to security threats and attacks in an automated manner. It is intended for applications to be able to respond to real-world attacks and scenarios in real time and apply mitigation tactics to stop the attacks immediately, allowing administrative or security personnel to review actions taken later when available and to provide further tuning or to investigate further.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 347-348). McGraw Hill LLC. Kindle Edition.
Which of the following cloud categories would allow for the least amount of customization by the cloud customer?
A. IaaS
B. SaaS
C. PaaS
D. DaaS
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 348). McGraw Hill LLC. Kindle Edition.
B. SaaS
Explanation:
Software as a Service allows the least amount of customization by the cloud customer. With the entire system and application under control of the cloud provider, the cloud customer will only have minimal options for customization, typically limited to branding or the selection of default options or settings. A is incorrect because Infrastructure as a Service allows the most customization by the cloud customer. While the cloud provider is solely responsible for the physical infrastructure and appliances of a cloud environment, the cloud customer has enormous control over storage, network settings, virtual machines, and identity and access control systems. With this level of control, the cloud customer can choose which technologies and configurations to use, typically without any involvement from the cloud provider. C is incorrect because Platform as a Service, although it does not allow full control at the operating system level like IaaS, allows tremendous control over application environments and configurations, and it allows sole control over the code that is deployed and configured for the applications. PaaS allows the cloud customer to choose the underlying operating system, application frameworks, and programming libraries and interfaces used within the environment. D is incorrect because Desktop as a Service works as a virtual desktop where configurations and installations are stored remotely and accessed over the network. It offers substantial security and recoverability features because the device is no longer the holder of data or software. Although it is centrally maintained, it offers more flexibility for configuration, software packages deployed, and customization than a SaaS solution offers to users.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 348). McGraw Hill LLC. Kindle Edition.
What concept that pertains to cloud computing involves the allocation of resources when needed, followed by the immediate destruction of them once that need has been fulfilled?
A. Ephemeral computing
B. Serverless technology
C. Virtualization
D. DevOps
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 348-349). McGraw Hill LLC. Kindle Edition.
A. Ephemeral computing
Explanation:
Ephemeral computing is a fancy term that basically encapsulates the main purpose and benefits of cloud computing. Overall, it refers to the paradigm of creating a virtual environment when needed, performing the computing that is required within that environment, and then discarding and destroying the environment once it has served its needs. This directly relates to the concepts of measured service and on-demand self-service, as these environments can be programmatically provisioned at any time, and costs will only be incurred for the period of time during which the environments are being used. B is incorrect because serverless technology refers to the ability to execute code and use compute resources without the need to provision servers, but it does not relate to the specific question. C is incorrect because virtualization refers to the underlying structure of resources within a cloud environment and is what enables ephemeral computing to work, but it is not the best answer to the question. D is incorrect because while DevOps very often makes heavy use of ephemeral computing, it is not the best answer to the question.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 349). McGraw Hill LLC. Kindle Edition.
Which phase of the risk management process involves an organization deciding how to mitigate risk discovered during the course of an audit?
A. Assessing
B. Framing
C. Responding
D. Monitoring
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 349). McGraw Hill LLC. Kindle Edition.
C. Responding
Explanation:
Responding is the stage of the risk management process where an organization will determine, based on the exact nature of the risk finding, as well as the potential costs and efforts involved with mitigation, which direction is appropriate to take. The organization may decide to accept the risk “as is,” which is typically an option when the finding is of a low or possibly moderate classification. It can opt to avoid the risk by employing countermeasures or changes in operations so that the risk is never realized, which is typically accomplished by disabling or blocking access to certain functions or interfaces. It can also opt to transfer the risk to another entity, which, although not always possible, will typically be in the form of insurance. Lastly, the organization can decide to mitigate the risk through the use of applicable technologies, configuration changes, or code changes to remove or lessen the vulnerability or exposure. A is incorrect because the process of assessing risk involves evaluating potential vulnerabilities, coupled with the likeliness of occurrence and the possible damage from a successful exploit, and then assigning a risk classification value (ranging from minimal to critical). In some instances, the assigning of a risk level will be automatically dictated by regulatory requirements, depending on the type of data and application involved. This value and rating will then be used in the responding phase to determine the appropriate course of action based on the risk exposure, the risk appetite of the organization, and the costs associated with mitigation. B is incorrect because the framing stage of the risk management process is where the overall risk assessment is defined and scoped. The organization will determine during framing what risk and levels it wants to evaluate, based on specific threats, regulation, or the type of data that is used. This will guide the overall risk assessment process from start to finish. D is incorrect because the main purpose of the monitoring phase is to track risks and evaluations of them over time to determine if they are still applicable and if the same level of risk classification still applies. This will also incorporate changes from the regulatory perspective and ongoing threats, and it can serve as a continual risk management and assessment process for the organization.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 349-350). McGraw Hill LLC. Kindle Edition.
During the testing phase of the SDLC, which of the following is not included as a core activity of testing?
A. User testing
B. Stakeholder testing
C. Vulnerability scanning
D. Auditing
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 350). McGraw Hill LLC. Kindle Edition.
D. Auditing
Explanation:
Although many different types of testing are done at this phase, auditing is not one of them. Testing, as part of the SDLC process, is highly focused on functional and operational readiness, both from a stability perspective and a meeting functional requirements perspective. The testing phase does include security scanning as part of it, but not to the extent of formal audits and evaluations. A is incorrect because user testing involves having actual users test the application to see if it performs as expected and desired. This is very important overall because it will be a similar experience for all users of the application, and any features that are difficult to use or any aspects that are confusing to users will come to light, and possible fixes can be explored before the application is released to all users. With most testing, application developers and stakeholders are so involved in the application and how it is supposed to work that it is difficult for them to do proper testing and see things from the perspective of actual users, especially those who are new to the application or are encountering the new features being deployed. This will also bring out any user actions and behaviors that cause error conditions or incorrect data inputs that were not considered when the application and error checking were defined and coded. B is incorrect because stakeholder testing involves management, strategic partners, internal experts, and possibly customers if done as part of a contract for development. These groups are the core investors and administrators of the system or application as well as those who have a vested interest in it and an intimate knowledge of it and how it should operate. Testing by this group should be thorough, using scripted regression testing that evaluates all aspects of the application, including specific targeted testing for new and updated features as part of the code release. C is incorrect because while much of the testing phase is focused on functional and usability testing by populations of users and stakeholders, vulnerability scanning is also crucial at this stage. Although not a comprehensive audit, scanning should be done using standard tools with full signature sets to detect any common vulnerabilities, especially any code or functions that are vulnerable to XSS or injection attacks.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 350-351). McGraw Hill LLC. Kindle Edition.
You have decided to use SOAP as the protocol for exchanging information between services for your application. Which of the following is the only data format that can be used with SOAP?
A. SAML
B. OAuth
C. XML
D. HTML
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 351). McGraw Hill LLC. Kindle Edition.
C. XML
Explanation:
The SOAP protocol only uses XML as a data format for exchanging information. XML is a free, open standard for encoding documents and data in a format that is both machine and human readable. XML is designed to be extremely flexible and to handle any type of data formatting, which makes it ideal for web services. XML is widely used across all platforms and many different application frameworks and programming languages. A is incorrect because SAML is a free, open standard that is built on XML and is intended to be used for authentication and authorization data exchange between identity and service providers. While it is similar to and built on top of XML, it is used for the specific purposes of authentication and authorization and is not appropriate to use for general web services, specifically within the SOAP protocol, which requires XML. B is incorrect because OAuth is an authentication mechanism that allows users to authenticate to many different applications or web services using commonly used credentials, such as Google, Facebook, Twitter, and so on. It enables users to use credentials they already have, without having to create an account on each system or application, and without their credentials ever being exposed. It is an open standard that any system or application is free to use and leverage. D is incorrect because HTML forms the backbone of web pages and web design, and it is used as markup language to enable web browsers to render and display content. Although it is widely used and will be crucial to any web-based application, it is not used to encode information to be used by web services or protocols such as SOAP.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 351-352). McGraw Hill LLC. Kindle Edition.
A cloud provider is looking to provide a higher level of assurance to current and potential cloud customers about the design and effectiveness of its security controls. Which of the following audit reports would the cloud provider choose as the most appropriate to accomplish this goal?
A. SAS 70
B. SOC 1
C. SOC 2
D. SOC 3
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 352). McGraw Hill LLC. Kindle Edition.
D. SOC 3
Explanation:
SOC reports are done to test controls in place within an organization for financial or other systems. SOC 3 reports specifically are intended for general use and exposure, so they would be appropriate to use for potential cloud customers or put out for public consumption and review. A is incorrect because SAS 70 reports have largely been phased out and replaced by SOC 1 reports. When they were in routine use, SAS 70 reports were considered “restricted audience,” and as such would not be appropriate for potential customers or current customers. They were intended for internal audit or regulatory compliance review. B is incorrect because SOC 1 reports are considered restricted-use reports, much the same as their predecessor, the SAS 70 reports. They would not be appropriate for use with potential customers because they are restricted for internal use only and are also focused only on financial controls. C is incorrect because SOC 2 reports are very similar to SOC 3 reports, in that they cover security controls and go beyond the financial control limitation of SOC 1 reports. However, SOC 2 reports are not meant for general use and, in this particular example, potential customers.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 352). McGraw Hill LLC. Kindle Edition.
At which stage of the software development lifecycle is the most appropriate place to begin the involvement of security?
A. Requirements gathering
B. Design
C. Testing
D. Development
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 352). McGraw Hill LLC. Kindle Edition.
A. Requirements gathering
Explanation:
Security should be involved at all times in the SDLC process, including from the very initial stages of requirements gathering. Security can provide guidance on requirements from the regulatory perspective and the necessary security controls they dictate. By not involving security from the earliest stages, an organization can incur substantial risk for software development because security controls and requirements may be missed or inadequate, requiring later revisions or fixes. This can add additional costs and time to software development projects that are largely avoidable by including security from the onset. It also serves to foster better cooperation and to limit the perception prevalent in many organizations that security is a hindrance or roadblock in development and operations. B is incorrect because at the design stage, specific decisions are made as to which technologies and programming languages will be used with development. At this point, requirements have already been gathered and scoped, and it is very possible that security requirements have been missed or misunderstood. Although this is still early in the process, and changes are much easier to make at this stage than at later stages, it still adds additional time and costs that could have largely been avoided. C is incorrect because by the testing stage, development has been either mostly or completely finished, and it is far too late to start the involvement of security. Although security will play a role in the testing phase as far as vulnerability scanning and evaluation of security controls and their implementations go, many security concerns or requirements will likely have been missed throughout the overall development. Because this stage occurs as a final approval before release to production is approved, any changes in design or code based on discovered security concerns will likely incur substantial costs and delays, and depending on the release and any publicity that may have been done, or requirements to meet required deadlines, these delays can carry significant risk to an organization. D is incorrect because during the development stage, actual coding and implementations are done, based on requirements and decisions made during the design phase. At this stage, the lack of security could lead to a return to the design phase to mitigate concerns or deficiencies, which will in turn delay the project and will likely add additional costs to the overall project.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 353). McGraw Hill LLC. Kindle Edition.
Which of the following is not one of the main considerations with data archiving?
A. Format
B. Regulatory requirements
C. Testing
D. Encryption
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 353). McGraw Hill LLC. Kindle Edition.
D. Encryption
Explanation:
Although encryption will be used in many archiving solutions and implementations, it is not always a requirement and will be largely subjective, based on the type of data and the archiving method chosen. It is not considered, by itself, to be a major consideration with archiving. A is incorrect because the format of archives is very important to consider, both at the time of archiving and for the long-term considerations involved. The format chosen will have to be one that properly ensures archiving and readability. Failure to pick a format that is recoverable for the duration of the required archiving term will expose an organization to substantial risk for noncompliance with data-retention requirements. B is incorrect because in most instances, requirements for data retention, and possibly even archiving methods, will come from regulatory requirements. Depending on the type of data and its use, regulations will typically require minimum periods of archiving and data retention. In some instances, regulatory requirements will also dictate the time of recovery, in which case regulations will play a large role in the exact methods and technologies chosen for archiving. Also, an organization needs to ensure that it can recover data for the duration of the retention requirements. It serves no purpose and doesn’t satisfy compliance requirements if the data being archived for a period of time cannot be recovered. C is incorrect because in order for an archiving system to be considered valid and sound, it must be tested to ensure restoration and access are functional. Without this level of assurance, there is no point in having the archives in the first place. Testing should be done at regular intervals and follow the same procedures as those used for actual recoveries and restorations.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 353-354). McGraw Hill LLC. Kindle Edition.
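Two of the considerations the card names, format and testing, come together in a restore test: record the archive format and a per-file hash when the archive is written, then restore into a clean location and compare. The code below is an added example written for these flashcards, not code from the exam guide; the files it archives are constructed in a temporary directory and the manifest layout is an assumption for the example.

```python
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_archive(src_dir, archive_path):
    """Archive src_dir as tar+gzip and return a manifest recording the format
    and the SHA-256 of every file, so a later restore can be verified."""
    manifest = {"format": "tar+gzip", "files": {}}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest["files"][rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore into restore_dir and return the files that are missing or whose
    hash differs from the manifest. An empty list means the restore test passed."""
    if manifest.get("format") != "tar+gzip":
        raise ValueError(f"unsupported archive format {manifest.get('format')!r}")
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")   # rejects path traversal (3.12+)
        except TypeError:                                # older Python: no filter kwarg
            tar.extractall(restore_dir)
    problems = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(restore_dir, *rel.split("/"))
        if not os.path.isfile(path) or sha256_file(path) != expected:
            problems.append(rel)
    return problems


def restore_test():
    """Constructed end-to-end check: a clean restore passes, and a manifest
    entry that no longer matches (standing in for a damaged archive) is caught.
    Returns (problems_from_good_restore, problems_from_damaged_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "ledger"))
        with open(os.path.join(src, "ledger", "2019.csv"), "w") as f:
            f.write("id,amount\n1,10\n")
        with open(os.path.join(src, "README.txt"), "w") as f:
            f.write("constructed sample archive\n")

        archive = os.path.join(tmp, "archive.tar.gz")
        manifest = create_archive(src, archive)
        with open(os.path.join(tmp, "manifest.json"), "w") as f:
            json.dump(manifest, f)                       # kept beside the archive

        good = verify_restore(archive, manifest, os.path.join(tmp, "restore1"))
        damaged = dict(manifest, files=dict(manifest["files"]))
        damaged["files"]["ledger/2019.csv"] = "0" * 64
        bad = verify_restore(archive, damaged, os.path.join(tmp, "restore2"))
        return good, bad
```

Recording the format in the manifest is what lets a restore years later fail loudly on an archive type nobody can read any more, instead of failing silently; the hash comparison is the assurance the card says an untested archive lacks.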
While an audit is being conducted, which of the following could cause management and the auditors to change the original plan in order to continue with the audit?
A. Cost overruns
B. Impact on systems
C. Regulatory changes
D. Software version changes
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 354). McGraw Hill LLC. Kindle Edition.
B. Impact on systems
Explanation:
During an audit, even after extensive planning and scoping, there may end up being negative impacts on the environment and the performance of systems. Although testing should ideally be done against offline systems, that is not always possible in all environments, and it may cause potential service interruptions or slowdowns with the systems being tested. If this were to occur, it will be a decision by management as to whether to continue with the audit or to modify the scope or approach. A is incorrect because cost issues and budgeting would be completed before the audit begins. Once the audit has begun and the original scope and process are followed, costs should not be a dynamic value and should have no impact on the audit proceeding as planned. C is incorrect because regulatory changes during an actual audit would have no impact on the current audit. Since the audit scope and requirements are done before the audit begins, any changes after that would be captured by future audits. Also, regulatory changes happen over time, and even if new regulations were released during an audit, they would almost certainly have a future implementation and enforcement date. D is incorrect because software changes or releases would be suspended during auditing periods within any organization. Organizations almost always use an audit period as a freeze for configuration and version changes so that the environment is consistent and static while undergoing testing. The exception to this would be limited changes to mitigate auditing findings during the actual audit so that they can be closed before becoming official, but those changes would be very specific and limited in scope.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 354-355). McGraw Hill LLC. Kindle Edition.
Which of the following threat models has elevation of privilege as one of its key components and concerns?
A. DREAD
B. STRIDE
C. HIPAA
D. SOX
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 355). McGraw Hill LLC. Kindle Edition.
B. STRIDE
Explanation:
The E in STRIDE stands for “elevation of privilege.” Elevation of privilege is a threat to applications and systems that use a common login for all users and then expose functions or data based on each user’s role, so that administrative users start from the same interface as regular users. If the application does not enforce an authorization check inside each function (relying instead on hidden menu items or on a role value that the client itself supplies), an authenticated user can reach functions above their access level and potentially gain administrative access. The mitigation is to derive the caller’s role from server-side state and check it on every privileged operation, not only at login. A is incorrect because the DREAD model does not include elevation of privilege. While the DREAD acronym also contains an E, there it represents “exploitability,” a quantitative measure of the skill and resources needed for someone to successfully exploit a weakness. The value falls within a range of 0 to 10, with 0 representing extensive knowledge and resources required to exploit and 10 representing no specific knowledge or skill required. C is incorrect because HIPAA refers to the U.S. Health Insurance Portability and Accountability Act of 1996, which covers the privacy and security of patient medical information. D is incorrect because SOX refers to the U.S. Sarbanes-Oxley Act of 2002. SOX is intended to protect the public and shareholders from fraudulent accounting practices by corporations, and it requires that certain information be disclosed to the public.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 355). McGraw Hill LLC. Kindle Edition.
What type of risk assessment is based on a documentation review and making informed judgment calls about risk from operational procedures and system designs?
A. Computational
B. Quantitative
C. Qualitative
D. Cursory
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 356). McGraw Hill LLC. Kindle Edition.
C. Qualitative
Explanation:
C. Qualitative risk assessments are based on documentation and other data about systems and applications that are not easily converted into numerical values for comparison. These assessments are often done in situations where an organization does not have the time or money to complete a more exhaustive quantitative assessment. After a thorough review of documentation, system design, policies, and operational practices, risk ratings (such as low, medium, or high) can be assigned for management review based on the likelihood of a threat materializing and the potential damage if it does. A is incorrect because computational is not a type of risk assessment. B is incorrect because quantitative risk assessments are based on numerical data and metrics. With quantified data and risks, real calculations can be performed: the single loss expectancy (SLE), the annualized rate of occurrence (ARO), and the derived annualized loss expectancy (ALE = SLE × ARO). These values give management hard data and cost figures with which to make informed risk mitigation or acceptance decisions. D is incorrect because cursory is not a type of risk assessment.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 356). McGraw Hill LLC. Kindle Edition.
Which of the following principles must always be included in a SOC 2 auditing report?
A. Security
B. Processing integrity
C. Privacy
D. Availability
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 356). McGraw Hill LLC. Kindle Edition.
A. Security
Explanation:
A. The SOC 2 auditing reports are built on a set of five principles: security, processing integrity, privacy, availability, and confidentiality. A SOC 2 audit can include any number of these principles, but under the official guidelines, the security principle must always be included. Within the security principle are seven categories: change management, communications, logical and physical access controls, monitoring of controls, organization and management, risk management and design and implementation of controls, and system operations. B is incorrect because while processing integrity is one of the five principles of the SOC 2 audits, it is not required to be included with any of the other principles. The processing integrity principle is focused on ensuring that data is in its correct format, accurate, and verified and that it has not been altered or modified by unauthorized parties or means. C is incorrect because while privacy is one of the five principles of the SOC 2 audits, it is not required to be included with any others during audits. The privacy principle is focused on personal and private information and ensuring that it is handled per the organization’s policies, as well as per any applicable regulations or laws, during all times—whether it is created, stored, processed, or disposed of by a system or application. D is incorrect because like processing integrity and privacy, availability is one of the five principles of the SOC 2 auditing reports, but it is not a required principle to be included while auditing any others. The availability principle evaluates whether data or functions are available to authorized parties when needed and in such a manner that meets requirements and policies. These requirements and policies can come from either business needs and expectations or in some instances legal or regulatory mandates.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 356-357). McGraw Hill LLC. Kindle Edition.
Which of the following would be used to isolate test systems from production systems within a cloud environment for testing or development purposes?
A. Sandboxing
B. Application virtualization
C. Firewalling
D. Puppet
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 357). McGraw Hill LLC. Kindle Edition.
A. Sandboxing
Explanation:
Sandboxing involves isolating systems and applications from others within the same environment. This is typically done to keep data segregated and inaccessible from other systems, such as keeping production and nonproduction data segregated from each other. This can also be done within environments to keep production data isolated, such as keeping employee data and customer data completely segregated from each other, or in an academic setting, keeping student data and faculty/staff data isolated from each other. The need for isolation can sometimes come from organizational security policies, but in many instances it will be required by regulation. B is incorrect because while application virtualization will keep applications isolated away from operating systems and other applications, it is restricted to the application layer and cannot be used for overall systems. Also, application virtualization will typically be within the same host systems, so any potential compromise of the host system could expose data between the two virtualization containers. C is incorrect because firewalling is used to limit or restrict specific network traffic from making successful inbound or outbound connections, usually with specific ports as well. Although a firewall is a security tool for protecting and isolating traffic, it is not used for segregating and isolating systems or applications as an overall concept like sandboxing is. D is incorrect because Puppet is a tool for maintaining configurations and deployments across systems and applications as well as for enforcing rules and requirements for the configurations. It is not a concept for segregating and isolating systems or applications within an environment.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 357-358). McGraw Hill LLC. Kindle Edition.
Which of the following is not an aspect of static application security testing (SAST)?
A. Access to source code
B. Offline system
C. Knowledge of system configurations
D. Live system
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 358). McGraw Hill LLC. Kindle Edition.
D. Live system
Explanation:
SAST analyzes an application’s source code (or its compiled bytecode or binaries) without executing it, so it is never run against a live, operational system; the “system” under test is the code base itself. SAST is done by testers with full knowledge of the code and how it was built, which lets it find whole classes of coding defects early in the SDLC, although it cannot see runtime configuration or deployment issues and its findings must be triaged for false positives. Dynamic application security testing (DAST), by contrast, exercises a running instance and must discover how the system is put together through scanning. A is incorrect because the testers performing SAST have access to the source code and in many instances full knowledge of the SDLC process the application went through. It is intended to expose programming errors and typical security deficiencies related to coding, such as cross-site scripting (XSS) and injection. B is incorrect because SAST is always done against nonproduction systems; these systems will not have production data or users interacting with them. This enables testers to do more invasive and deeper testing than can be done against live systems, because the risk of data corruption or of negatively impacting users does not exist with SAST. C is incorrect because one of the key aspects of SAST is the testers’ knowledge of the systems’ configurations and the technologies used. With other types of testing, where this inside knowledge is not present, the testers are limited to the information they can glean from scanning and other discovery tools. Relying on scanning and discovery will always pose significant challenges because other layers of security and complementary systems will likely limit the success of those tools.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 358). McGraw Hill LLC. Kindle Edition.
Which of the following are the four cloud deployment models?
A. Public, private, hybrid, and community
B. Public, private, internal, and hybrid
C. Internal, external, hybrid, and community
D. Public, private, hybrid, and organizational
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 358-359). McGraw Hill LLC. Kindle Edition.
A. Public, private, hybrid, and community
Explanation:
A. The four cloud deployment models are public, private, hybrid, and community. Public cloud deployments are operated and maintained by companies that offer services to the public as a whole, without needing to be part of a special group or population. Many of these offerings are free or mostly free, and many are very commonly known to the public and in widespread use. Someone wanting to leverage a public cloud just needs network access and typically a credit card to purchase services or add-ons. Private clouds are run either by cloud service providers or by the organizations using them. They are not available to the general public and will necessitate a contractual or partnership relationship with the cloud customer. Hybrid clouds are a mixture of two or more of the other cloud models, typically public and private cloud offerings used together. The community cloud model is where cloud services are maintained and offered by an organization or company, which may or may not be a member of the specific community, but services are restricted to a certain population or type of cloud customer, such as universities or members of professional organizations. B is incorrect because while public, private, and hybrid are correct cloud deployment models, there is no “internal” model for cloud deployments. Instead, the correct cloud deployment model is community. C is incorrect because while hybrid and community are correct cloud deployment models, there are no “internal” and “external” cloud models. The other two correct cloud deployment models are public and private. D is incorrect because while public, private, and hybrid are correct cloud deployment models, there is no “organizational” cloud deployment model. Instead, the correct cloud deployment model is community.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 359). McGraw Hill LLC. Kindle Edition.
Which of the following is a commonly used tool for maintaining software versioning and code collaboration?
A. GitHub
B. Chef
C. Puppet
D. Nessus
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 359). McGraw Hill LLC. Kindle Edition.
A. GitHub
Explanation:
GitHub is a hosted service for Git repositories, usable from the Git command line and from a web interface. Git itself provides the versioning, branching, and merging; GitHub adds access control and collaboration tooling on top of it, including pull requests with code review, issue and bug tracking, project management tools, and wikis, and it is in widespread use throughout the IT industry. B is incorrect because Chef is a software tool for handling infrastructure configurations. It is often used in conjunction with GitHub, where its configuration code is versioned, to form a comprehensive management solution for systems and applications, but by itself Chef does not handle code versioning and collaboration. C is incorrect because Puppet is also a software application for handling infrastructure configurations. It works much in the same way as Chef and is used to manage configurations and standards for systems, not to handle code versioning and collaboration. D is incorrect because Nessus is a tool for conducting vulnerability scans, and it has nothing to do with code collaboration and versioning. Nessus works by taking a large set of known vulnerabilities and scanning systems to determine whether they are vulnerable to them. With the results, application developers and security teams can proactively discover and mitigate security vulnerabilities before a malicious actor is able to exploit them.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 359-360). McGraw Hill LLC. Kindle Edition.
Which of the following is not a core component of an SIEM solution?
A. Correlation
B. Aggregation
C. Compliance
D. Escalation
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 360). McGraw Hill LLC. Kindle Edition.
D. Escalation
Explanation:
D. Escalation is the process of moving issues or alerts along a predefined path to others responsible for remediation and action if those prior to them in the chain do not respond. This is done to bring the issues to the attention of management. While SIEM solutions can trigger alerts based on predefined conditions, the full workflow of escalation is handled by an external tool or application, and the role of the SIEM solution would be the initial identification and alert. A is incorrect because correlation is a key component and use of SIEM solutions. An SIEM solution has as a primary function the collecting of logs from many systems throughout an infrastructure. With having data from many different systems, an SIEM solution can easily detect the same pattern or other details across those systems, whereas relying on log files from particular servers would require each server to be analyzed independently. The SIEM solution also allows for the identification of the same types of issues, traffic, or events across a heterogeneous environment. For example, if an IP address is suspected of attempting to attack a system or application, an SIEM solution can correlate the traffic and events across networking devices, servers, firewalls, IPSs, and so on, which otherwise would require different teams and substantial resources to search and would typically take much longer than the rapid nature of a security incident. B is incorrect because a core component of an SIEM solution is the aggregation of events and data from many disparate systems into a single searching and reporting platform. Without an SIEM solution, log data would be held through a data center environment on many different devices, and likely in many different formats. An SIEM solution will collect and aggregate all of that data into a single system that can be searched in a uniform and consolidated manner. 
This allows an organization to see the same particular traffic or details across the enterprise, without having to search many different systems, as well as being able to search logs (which are likely in many different formats) from a single interface using the same commands. Aggregation in this way allows an organization to analyze data in a much more rapid and efficient manner than would be possible without aggregation. C is incorrect because an SIEM solution is a crucial tool in many organizations for compliance activities. Almost all regulatory systems require activities such as periodic review of log data for specific types of activities. This could include invalid login attempts, account creations, access control changes, and many other types of data points. With an SIEM solution, this reporting is easy to do using the robust search and reporting features as well as leveraging correlation and aggregation to allow a single reporting tool to generate reports across the enterprise and many diverse and disparate systems.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 360-361). McGraw Hill LLC. Kindle Edition.
Which of the following threat types is the most difficult for an organization to defend against and detect?
A. Data loss
B. Malicious insiders
C. Insecure APIs
D. Account hijacking
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 361). McGraw Hill LLC. Kindle Edition.
B. Malicious insiders
Explanation:
A malicious insider is any user of a system, though typically someone with elevated access, who uses their otherwise authorized access for unauthorized ends. Because a malicious insider uses authorized access, it is very difficult for an organization or a monitoring tool to detect such activity: nothing is violated in the access-control sense, and the behavior often only stands out when compared with the user’s normal pattern. Typically such an attack only becomes obvious after it has been completed and the damage is done. In addition to authorized access, a malicious insider in most instances has extensive knowledge of the system or application and of the data it holds, and knows what has the most value and the best ways to compromise it. A is incorrect because data loss can typically be prevented by redundant systems together with appropriate business continuity and disaster recovery plans. Redundancy helps prevent data loss from happening at all, and robust, comprehensive backups, with the means to restore them quickly, will largely mitigate or minimize the effects of any loss that does occur. C is incorrect because proper validation, certification, and testing of APIs will largely mitigate vulnerabilities and prevent successful exploits. Because the APIs of a system are known and selected prior to use, secure requirements and standards can be applied in their selection and implementation. Appropriate monitoring will also go a long way toward preventing insecure APIs from being exploited and toward limiting the damage should exploitation occur. D is incorrect because many methods and tools are available to minimize or prevent account hijacking. With multifactor authentication (MFA), a stolen password alone is not enough to access data: even if user IDs and passwords are obtained by a malicious actor, they will not possess the second factor. MFA is not absolute (one-time codes can be phished and push prompts can be approved by a fatigued user, so phishing-resistant factors such as FIDO2 security keys are preferable), but it raises the cost of hijacking substantially. Other approaches, such as alerting on users attempting to access systems from unknown or unusual locations, can make such an attack much more difficult. For example, systems can monitor the origin of login attempts, and any attempt made from outside a user’s typical geographic region (especially from a foreign location) can cause logins for that user to be disabled until they can be validated, even where multifactor authentication is not in use.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 361-362). McGraw Hill LLC. Kindle Edition.
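The following Python is an added example, not from the exam guide, that serves both the SIEM card (aggregation and correlation) and the login-origin alerting described in the account-hijacking discussion just above. It normalizes three differently formatted log sources into one event schema, then runs two correlation rules over the combined events: one that notices a single source IP failing against several distinct systems, and one that flags a successful login for a known user from a country outside that user’s baseline. All log lines, the `GEO` prefix table (standing in for a GeoIP lookup) and the `BASELINE` dictionary are constructed for the example.

```python
"""Aggregate three log formats into one schema, then correlate across sources."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample logs (not from any real system); each source has its own format.
FIREWALL_LOG = """\
2024-03-01T09:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T09:00:04Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=3389
2024-03-01T09:02:00Z fw01 ALLOW src=198.51.100.20 dst=10.0.0.8 dport=443
"""
SSH_LOG = """\
Mar  1 09:00:10 srv01 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  1 09:00:12 srv01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Mar  1 09:05:30 srv02 sshd[3301]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
"""
WEB_LOG = """\
203.0.113.7 - - [01/Mar/2024:09:00:20 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Mar/2024:09:00:21 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - bob [01/Mar/2024:09:10:00 +0000] "POST /login HTTP/1.1" 200 1024
"""

# Constructed stand-in for a GeoIP lookup, keyed by /24 prefix (hypothetical values).
GEO = {"203.0.113": "XX", "198.51.100": "US", "192.0.2": "BR"}
# Constructed per-user baseline of countries each user normally logs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}}

FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) ")
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) ")
WEB_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "POST /login [^"]+" (\d{3}) ')


def normalize(fw: str, ssh: str, web: str) -> List[Dict]:
    """Aggregation: parse each format into {source, ip, user, ok} events."""
    events: List[Dict] = []
    for line in fw.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"source": "firewall", "ip": m.group(3), "user": None,
                           "ok": m.group(2) == "ALLOW"})
    for line in ssh.splitlines():
        m = SSH_RE.search(line)
        if m:
            events.append({"source": "sshd", "ip": m.group(3), "user": m.group(2),
                           "ok": m.group(1) == "Accepted"})
    for line in web.splitlines():
        m = WEB_RE.match(line)
        if m:
            user = None if m.group(2) == "-" else m.group(2)
            events.append({"source": "web", "ip": m.group(1), "user": user,
                           "ok": m.group(4) == "200"})
    return events


def correlate_failures(events: List[Dict], min_sources: int = 2) -> Dict[str, List[str]]:
    """Correlation rule 1: one source IP failing against several distinct systems."""
    by_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].add(e["source"])
    return {ip: sorted(srcs) for ip, srcs in by_ip.items() if len(srcs) >= min_sources}


def unusual_login_origin(events: List[Dict]) -> List[str]:
    """Correlation rule 2: successful login for a known user from outside their baseline."""
    hits = []
    for e in events:
        if e["ok"] and e["user"] in BASELINE:
            country = GEO.get(e["ip"].rsplit(".", 1)[0], "??")
            if country not in BASELINE[e["user"]]:
                hits.append(f'{e["user"]} from {e["ip"]} ({country})')
    return hits


if __name__ == "__main__":
    evts = normalize(FIREWALL_LOG, SSH_LOG, WEB_LOG)
    print("multi-system failures:", correlate_failures(evts))
    print("unusual login origins:", unusual_login_origin(evts))
```

Looked at per source, the firewall sees two denies, sshd two failed passwords and the web tier two 401s, none of which would trip a per-system threshold; only the aggregated view shows one address probing three systems. A production rule would add a time window to both checks and feed the unusual-origin hit into the step-up or lockout flow described above.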
Which of the following storage types are used with Infrastructure as a Service (IaaS)?
A. Structured and unstructured
B. File and database
C. Object and volume
D. Block and striped
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 362). McGraw Hill LLC. Kindle Edition.
C. Object and volume
Explanation:
C. IaaS uses object and volume storage types. With volume storage, a logical storage unit will be allocated to the virtual machine, and it will appear to the system, applications, or users as part of the file system. It can then be used as normal storage would in a physical server model, complete with file system organization, permissions, data structures, and any other aspects of a file system. With object storage, data is kept in a flat structure and accessed through the use of opaque tokens, rather than a filename or through a directory structure. This type of storage is often used for media objects such as images, videos, and audio files and is where cloud providers store system images and virtual machine files. A is incorrect because structured and unstructured storage types belong to PaaS, not IaaS. Structured storage is done typically through systems such as databases, which have a set, defined data-organization scheme and are maintained by the cloud provider, with data inserted or created by the cloud customer. Unstructured data does not follow platform-defined structures and is open to the data structures defined by the cloud customer. This will typically be used for web-based systems within a PaaS environment, where the web objects, media files, and components are stored and accessed via the application framework. B is incorrect because while file and database are two common storage methods or concepts, they are higher-level concepts that many other data structures fit within, and they are not part of the formal data structures that IaaS uses. D is incorrect because while block and striped are concepts in computing that relate to data storage and structure, they are not data types themselves, nor are they used and defined within IaaS or other cloud models.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 362-363). McGraw Hill LLC. Kindle Edition.
Which of the following data-sanitation approaches is always available within a cloud environment?
A. Physical destruction
B. Shredding
C. Overwriting
D. Cryptographic erasure
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 363). McGraw Hill LLC. Kindle Edition.
D. Cryptographic erasure
Explanation:
D. Cryptographic erasure is a means of ensuring data is no longer accessible, and it can always be used within a cloud environment because it is purely a software approach and not dependent on the underlying infrastructure. Rather than overwriting or destroying physical media, cryptographic erasure renders data inaccessible and unreadable by destroying the keys that were used to encrypt it (NIST SP 800-88 recognizes this technique as “cryptographic erase”). Where data is already encrypted, this is extremely fast and efficient: deleting large volumes or large numbers of files can take substantial time, in addition to the time required for overwriting or verifying deletion, whereas keys can be deleted instantaneously from wherever they are housed, sometimes without even accessing the systems holding the data. Two conditions must hold for the erasure to be meaningful: the data must have been encrypted with strong encryption before it was ever written (plaintext copies, snapshots, or logs made before encryption are untouched by key destruction), and every copy of the key must be destroyed, including key backups, escrow copies, KMS or HSM replicas, and any wrapping key that could be used to recover it. If those conditions are met, the chances of the data ever being accessed again are extremely low; for practical purposes it is impossible. A is incorrect because physical destruction of media is virtually impossible within a cloud environment. With multitenancy and resource pooling, every physical device houses more than one cloud customer, so having the cloud provider destroy the physical media housing the data is not an option. Also, with how much data is constantly moving and being balanced within a cloud environment, it is almost impossible to determine all the physical locations of data at any one point so that such destruction could even be requested. B is incorrect because shredding is a form of physical destruction of media and, as explained for answer A, would not be possible within a cloud environment. C is incorrect because the realities of a cloud environment, with virtualization and constant balancing and migrating of data, make it impossible to perform overwriting in a manner that ensures all copies of the data are overwritten. It would also be virtually impossible to isolate a particular customer’s data, even if all its locations could be determined, and overwrite it without impacting other tenants in the same environment.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 363). McGraw Hill LLC. Kindle Edition.
Which of the following technologies will often make elasticity a bigger challenge in a cloud environment?
A. IPS
B. XML accelerator
C. Vulnerability scanner
D. Web application firewall
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 364). McGraw Hill LLC. Kindle Edition.
A. IPS
Explanation:
A. The use of intrusion prevention systems (IPSs) can be complicated with elasticity and auto-scaling; as systems are expanded programmatically, it is difficult to ensure that traffic is accurately routed through IPSs and that the correct signatures, policies, and rules are applied. Within a traditional data center, network pathways are known, and routing as well as physical network connections will ensure that the correct paths are always taken. In cloud environments, where the infrastructure is in a constant state of flux, this is far more difficult to achieve. The primary means to implement intrusion prevention to get around the shortcomings of virtual network-based IPSs is through the use of host-based IPSs in a cloud environment. B is incorrect because XML accelerators will be placed around load balancers and will automatically be added as systems are expanded programmatically. This differs from IPSs because it relates to where in the network flow XML accelerators are placed and how the network is routed. XML accelerators also are used in conjunction with established web services, which, regardless of the number of virtual machines accessing them, will remain the same. C is incorrect because elasticity will have no impact on vulnerability scanners, other than changing the number of systems that must be scanned. However, through auto-scaling and elasticity, the server type and purpose will be known, and it is easy to ensure that these systems are added to the lists for vulnerability scanning. D is incorrect because web application firewalls (WAFs) are used based on the purpose of the server, which will be known through auto-scaling. Also, they are often placed in front of servers at the load balancer level, so the number of servers behind the load balancer will not have any direct impact on the use of WAFs.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 364). McGraw Hill LLC. Kindle Edition.
Which of the following concepts involves the ability of cloud customers to easily move services from one cloud provider to another?
A. Interoperability
B. Portability
C. Multitenancy
D. Measured service
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 364). McGraw Hill LLC. Kindle Edition.
B. Portability
Explanation:
B. Portability is the characteristic that allows a system or workload to be moved easily between cloud providers. It is achieved by relying on standardized toolsets and platforms and avoiding proprietary APIs or other toolsets that bind an organization to a particular cloud provider, making the cost of moving to another substantial in both time and money. A is incorrect because interoperability is the ability of components and services to work together and exchange data, including across providers; it is related to portability but does not describe moving a service from one provider to another. C is incorrect because multitenancy is the sharing of the same physical infrastructure and resources among many customers and is unrelated to moving between providers. D is incorrect because measured service is the cloud characteristic of metering resource use for monitoring, control, and billing.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 365). McGraw Hill LLC. Kindle Edition.
What does the S stand for in the STRIDE threat model?
A. Secure
B. Structured
C. Standard
D. Spoofing
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 365). McGraw Hill LLC. Kindle Edition.
D. Spoofing
Explanation:
D. The S in the STRIDE threat model stands for “spoofing,” or more specifically, “spoofing identity.” A common instance involves applications that authenticate individual users and administrators but then use a shared service account or common credentials to communicate with databases, APIs, or other services. Once authenticated, a user may be able to assume the identity of another within the application (for example, by supplying a different user identifier in a request) and make it appear as if that user is accessing resources through the application. To mitigate this threat, the system should bind identity to the authenticated session and continually check the user’s access as they move between interfaces or functions, ensuring both that they have the proper level of access and that the identity the application acts under matches the identity they used to initially authenticate, never an identifier supplied by the client. A is incorrect because the S stands for “spoofing identity” and not for “secure.” While security is obviously the overarching concern of the STRIDE threat model, it is not the term used here. B is incorrect because the S stands for “spoofing identity” and not for “structured.” The term structured typically applies to data types, especially in PaaS implementations, where structured and unstructured are the two official data types. C is incorrect because the S stands for “spoofing identity” and not for “standard.” While standard is a term used frequently within security and IT in general, especially as it relates to certifications and best practices, it does not apply here as part of the STRIDE threat model.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 365-366). McGraw Hill LLC. Kindle Edition.
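As an added example, not from the exam guide, the Python below pairs the two STRIDE threats discussed on this page, spoofing identity (this card) and elevation of privilege (the earlier STRIDE card): a vulnerable pair of request handlers that take the user name and role from the request body, beside a hardened pair that derive both from a server-side session lookup and re-check the role inside each privileged function. `USERS`, `SESSIONS`, `RECORDS`, the token strings and the handler names are all constructed for the example.

```python
"""Identity and role from client input (spoofable, elevatable) versus from the session."""
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed users, sessions and data; a real application backs these with a store.
USERS = {"alice": "user", "carol": "admin"}            # name -> role
SESSIONS = {"tok-alice-1": "alice", "tok-carol-9": "carol"}  # session token -> name
RECORDS = {"alice": "alice's data", "carol": "carol's data"}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or lacks the required role."""


# --- Vulnerable: trusts whatever the client claims about who it is and what it may do.
def view_record_vulnerable(request: Dict) -> str:
    # Spoofing (STRIDE "S"): the caller names any user and gets that user's record.
    return RECORDS[request["user"]]


def delete_user_vulnerable(request: Dict, target: str) -> str:
    # Elevation of privilege (STRIDE "E"): the role check reads a client-supplied field.
    if request["role"] != "admin":
        raise Forbidden("admin only")
    return f"deleted {target}"


# --- Hardened: identity comes only from the session token; the role is looked up
# server-side and checked again inside every privileged function.
@dataclass(frozen=True)
class Principal:
    name: str
    role: str


def authenticate(request: Dict) -> Principal:
    """Resolve the session token to a principal; client-supplied 'user'/'role' are ignored."""
    user = SESSIONS.get(request.get("token"))
    if user is None:
        raise Forbidden("not authenticated")
    return Principal(user, USERS[user])


def view_record_hardened(request: Dict) -> str:
    p = authenticate(request)
    return RECORDS[p.name]            # acts only under the authenticated identity


def delete_user_hardened(request: Dict, target: str) -> str:
    p = authenticate(request)
    if p.role != "admin":             # authorization decided per function, from server state
        raise Forbidden("admin only")
    return f"deleted {target}"


def is_forbidden(fn: Callable, *args) -> bool:
    """True if the call is rejected with Forbidden (helper for the checks below)."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    # Alice holds a valid session but claims to be the admin Carol in the request body.
    forged = {"token": "tok-alice-1", "user": "carol", "role": "admin"}
    print("vulnerable view  :", view_record_vulnerable(forged))
    print("vulnerable delete:", delete_user_vulnerable(forged, "bob"))
    print("hardened view    :", view_record_hardened(forged))
    print("hardened delete  :", "rejected" if is_forbidden(delete_user_hardened, forged, "bob") else "allowed")
```

The hardened handlers still accept the same request shape; they simply never read the `user` and `role` fields, which is the whole fix. Hiding the delete button in the UI for non-admins would change nothing about either vulnerable handler.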
Which of the following is not a major concern with encryption systems?
A. Integrity
B. Confidentiality
C. Efficiency
D. Key management
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 366). McGraw Hill LLC. Kindle Edition.
A. Integrity
Explanation:
A. Encryption is intended to protect the confidentiality of data first and foremost, so integrity is not one of its design concerns. Note that encryption by itself does not guarantee integrity: with an unauthenticated mode such as CBC or CTR, an attacker who cannot read the data can still flip bits in the ciphertext and cause controlled changes in the decrypted plaintext. Where integrity is required, it is provided by a separate mechanism, a message authentication code (MAC) or digital signature, or by an authenticated encryption mode such as AES-GCM that combines the two; the integrity concern is then addressed by that mechanism rather than by the cipher. B is incorrect because confidentiality is the main concern and focus of encryption. It is intended to prevent the unauthorized exposure or leakage of data to parties that are not authorized to have it; to read encrypted data, a party would need access to the keys used to encrypt it. Encryption is focused solely on the ability to read data, so it is not used to prevent encrypted volumes from being intercepted, only the reading of the data contained within them. C is incorrect because for an encryption system to be usable in a real environment and within applications, it must be efficient. That is one of the main benefits of modern ciphers: a properly implemented algorithm such as AES with an adequate key length is computationally infeasible to break with current technology, yet decrypting with the correct key adds very little overhead. For applications open to the public with large user bases, this speed and efficiency are crucial. D is incorrect because key management is one of the central challenges and components of any encryption system. The keys are central to encrypting and then decrypting data, and the corruption, loss, or exposure of the keys will either render the protection useless or make the data unrecoverable. Each organization must carefully analyze the systems and applications where encryption is used and, based on the particulars of each (where it is hosted, how it is accessed, and many other factors), decide how keys will be secured and managed.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 366). McGraw Hill LLC. Kindle Edition.
Which of the following types of data is the United States’ HIPAA regulations concerned with?
A. Financial
B. Historical
C. Healthcare
D. Hybrid cloud
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 367). McGraw Hill LLC. Kindle Edition.
C. Healthcare
Explanation:
C. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States is concerned with the protection of patient privacy and the security involved with the protection of medical records. While a major part of the law protects workers and their families from losing health insurance when they change or lose their jobs, the other major parts of the law that are important in this context are the protection of patient data, the requirements to establish electronic healthcare transactions, and the attempt to standardize identifiers with healthcare institutions. A is incorrect because HIPAA is concerned with healthcare data, not financial data. Other major regulatory and standards systems are concerned with financial data, such as SOX and PCI DSS. B is incorrect because HIPAA has nothing to do with historical data beyond how it relates to healthcare data. As with most regulatory systems, there are requirements for data retention that establish minimum periods of time to maintain data, but the overall focus of the regulations is not “historical” in any sense. D is incorrect because HIPAA was established long before cloud computing came into existence, and it is not focused on specific technologies, but rather on the overall handling of records and security requirements. While HIPAA will certainly apply to any healthcare systems hosted in a hybrid cloud environment, that is not the purpose or focus of the law.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 367). McGraw Hill LLC. Kindle Edition.
32. In a federated environment, which of the following is responsible for consuming authentication tokens?
A. Relying party
B. Identity provider
C. Cloud services broker
D. Authentication provider
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 367). McGraw Hill LLC. Kindle Edition.
A. Relying party
Explanation:
A. The relying party in a federated environment is the actual service provider that gives access to secure systems or data. The relying party consumes authentication tokens that are generated by an acceptable identity provider and then grants authorization to access the systems or data based on the successful authentication, and possibly based on specific attributes about the user or entity that are provided by the identity provider, enabling the relying party to make decisions about roles based on predefined configurations. B is incorrect because the identity provider is the generator of authentication tokens in a federated system, not the component that will consume and process them. The role of the identity provider is to perform authentication on users who are known to it, and in many instances to provide additional attributes and information about those users to the relying party so that it can make authorization decisions that are appropriate for the user and the data access they are attempting to use. C is incorrect because a cloud services broker does not play any role in a federated system or environment. The role of a cloud services broker is to take the cloud services offered by public or private cloud providers and then extend or add value to them through integration, aggregation, or by providing customized interfaces or data fields. D is incorrect because authentication provider could be another term for identity provider. Thus, the authentication provider would not be a consumer of authentication tokens, but rather a generator or provider of them.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 367-368). McGraw Hill LLC. Kindle Edition.
Which phase of the cloud data lifecycle involves processing by a user or application?
A. Create
B. Share
C. Store
D. Use
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 368). McGraw Hill LLC. Kindle Edition.
D. Use
Explanation:
D. The Use phase of the cloud data lifecycle is where the data is actually processed or consumed by an application or user. During the Use phase, data will transition between the data-at-rest and data-in-use states and will require additional security as it is exposed to and accessed by systems, since it must be presented in an unencrypted state. This also extends the data security concerns from the server or storage aspect to the client aspect and the security of the specific device or client being used to access the data. Compared to some other phases, the Use phase is considered read-only because any modification or creation would fall under a different phase. A is incorrect because the Create phase is when data is first entered into a system, or modified from a previous form, and thus new data has been created. At the Create phase, the important initial decisions as to data classification are made so that security controls can be immediately placed on the data from the point of conception. These decisions will impact all later phases for the data and will govern much of its use and processing for its lifetime. B is incorrect because the Share phase is where data is made available for systems or applications outside of the original intended ones for the data. Because the data will be leaving the original system and its security enclave, security becomes an important aspect, as it is incumbent on the receiving party to secure it from that point onward. This is typically accomplished through auditing reports and operating agreements that establish security standards and requirements for all parties that will consume and accept the data. C is incorrect because the Store phase is where the data is officially recorded and entered upon its creation. This is usually a simultaneous process, or one that happens immediately after the creation of the data. Data can be entered in many different types of storage, including databases and file systems. Storage must be done with respect to the classification of the data, ensuring that appropriate security controls are in place immediately upon the data being entered. This is also the phase where concepts such as redundancy and backup methods are used on the data.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 368-369). McGraw Hill LLC. Kindle Edition.
Which of the following is not a state of data that is important for security and encryption?
A. Data in use
B. Data in transit
C. Data at rest
D. Data in archive
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 369). McGraw Hill LLC. Kindle Edition.
D. Data in archive
Explanation:
Data in archive is not one of the official states of data as it applies to security and encryption. Although the other three states of data in use, data at rest, and data in transit will have implications and applicability to archiving, the concept of archiving is found within them and is not considered a state in and of itself. A is incorrect because data in use is an official state of data. During this state, data is actually consumed and processed by a system or application. As such, additional security controls need to be applied compared to when the data is in static storage. This also exposes the security from the client side because it will be what is viewing the data and in some instances processing the data as well. B is incorrect because data in transit is also an official state of data. During this phase, data will traverse networks and systems, typically between storage and processing entities. During this phase, particular security concerns arise because the data will usually cross systems and networks that are not under the control or security perimeter of the originating organization. This will often be mitigated by the use of encryption, where the entities on both sides are knowledgeable of the keys. This prevents any systems in the middle, or anyone who manages to capture the data, from being able to read or modify it. C is incorrect because data at rest is an official state of data. With this state, the data is contained within storage systems and is not actively being processed or consumed. This is typically the easiest state in which to secure data because technologies such as encryption and isolation can be used to prevent the access or exposure of data.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 369). McGraw Hill LLC. Kindle Edition.
Which of the following is a standard and certification for cryptographic modules?
A. FIPS 199
B. FIPS 140
C. FIPS 201
D. FIPS 153
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 370). McGraw Hill LLC. Kindle Edition.
B. FIPS 140
Explanation:
B. FIPS 140 (specifically the current revision, FIPS 140-2) is a processing standard published by the United States government pertaining to the certification of cryptographic modules used within systems. Following this standard, which is contained in four levels, will ensure varying degrees of confidence in the security of cryptographic modules used to encrypt and decrypt data on systems. A is incorrect because FIPS 199 is a U.S. government standard that defines security categories of systems that are used by the government and are not specifically related to cryptographic modules. The FIPS 199 standard establishes low, moderate, and high categories for information systems, and it requires all agencies of the government to evaluate and rate their systems into one of the categories for confidentiality, integrity, and availability security concerns. The highest rating from any of these three areas becomes the overall rating of the system. For example, if a system is rated moderate for confidentiality and availability but high for integrity, then the system as a whole will be considered a high system. C is incorrect because FIPS 201 is a U.S. government standard that establishes guidelines for personal identity verification (PIV) for any employees or contractors of the federal government. The requirements apply to all federal government information systems and applications, with the exception of national security systems, which are covered under their own separate regulations and policies. The PIV standard advocates for the use of smartcard technology as a requirement for any identification systems, extending beyond the typical password requirements into the multifactor realm. D is incorrect because FIPS 153 is a standard relating to 3D graphics and has no impact on or role in cryptographic modules.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 370). McGraw Hill LLC. Kindle Edition.
The use of which of the following technologies will not require the security dependency of an operating system other than its own?
A. Management plane
B. Type 1 hypervisor
C. Type 2 hypervisor
D. Virtual machine
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 370). McGraw Hill LLC. Kindle Edition.
B. Type 1 hypervisor
Explanation:
B. Type 1 hypervisors run directly attached to the underlying hardware of the host and do not have any software between them or dependencies on external operating systems. With configuration, the Type 1 hypervisor is highly optimized for its intended functions, and all code is removed by the vendor, with the exception of the code explicitly required for it. This removes the complexity and flexibility of operating systems, which even with all unnecessary services and functions disabled or removed will still contain large amounts of code or components that are not needed to operate the hypervisor. The direct tie between the hypervisor and hardware allows the vendors to lock down and patch specifically against threats and exploits in their own software, without the need to rely on other libraries or components from operating systems, and without being at the mercy of the operating system vendors to appropriately patch their own systems within a reasonable timeframe. A is incorrect because the management plane is a web portal or utility for managing hypervisors that runs within its own systems and software. This creates dependencies on operating systems and application frameworks that will run the portal or utilities, potentially introducing many security vulnerabilities and requiring reliance on those vendors for timely and comprehensive patching. Because the management plane is used to manage and control hypervisors throughout the environment, any security exploit of it will potentially expose an entire infrastructure or data center to threats and exposure. C is incorrect because Type 2 hypervisors are software-based applications that reside on a host system and then launch virtual machines within them. With this type of configuration, the hypervisor is dependent on the operating system of the host, rather than running directly on top of the hardware as with a Type 1 hypervisor. Due to this dependency, the hypervisor is potentially vulnerable to any security exploits that occur with the underlying operating system. Operating systems are also designed to support a wide range of applications and uses. Therefore, they will have large amounts of code and components that are not necessary for the use of the hypervisor, potentially exposing far more possible vulnerabilities to protect and monitor than if the hypervisor was dedicated and running on the hardware directly. D is incorrect because, as part of their nature, virtual machines run under host systems and therefore are dependent on them and are largely at their mercy from a security perspective. Any compromise of the host system can potentially render any virtual machines hosted by it vulnerable as well.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 371). McGraw Hill LLC. Kindle Edition.
Which of the following threats involves sending untrusted data to a user’s browser in an attempt to have it executed using the user’s permissions and access?
A. Cross-site scripting
B. Injection
C. Unvalidated redirects
D. Man in the middle
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 371). McGraw Hill LLC. Kindle Edition.
A. Cross-site scripting
Explanation:
A. Cross-site scripting involves injecting scripts into web pages that are then executed on the client side by the browser. This allows an attacker to run scripts using the permissions of the browser and any authenticated sessions. This can expose web applications to potential attacks by allowing the bypassing of some security controls such as same-origin policies as well as by utilizing the credentials of a valid user to execute. B is incorrect because injection attempts involve sending segments of code through input fields in order to have the code executed by the system or application. This is done to attempt to access information and bypass security controls when the input fields are not properly validated or sanitized when submitted by the user. For example, a field may call for the user’s e-mail address, but an attacker may send SQL code in the input field. If the application does not properly validate the input fields, the application may either directly run the code or insert it into the database and then execute it later when a SQL command is run against that field. This can be used by an attacker to expose other database areas beyond those intended, or even to dump entire database fields or file system information back to the malicious actor. C is incorrect because unvalidated redirects occur when an application does not properly validate input and sets up a situation where users can be redirected through this untrusted input to external sites. Through this kind of attack, it is possible for the attacker to steal user credentials and attempt phishing attacks against users as well. Because the user went through a trusted application and was redirected by it, they may not be aware they are no longer sending input to the trusted application and are thus exposing their private data or privileged access. D is incorrect because a man-in-the-middle attack involves the interception of communications between two parties. The attacker attempts to read, alter, or redirect the data flows in such a manner that the parties are unaware it is happening and continue to use the transmissions as they normally would.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 372). McGraw Hill LLC. Kindle Edition.
38. Which of the following involves assigning an opaque value to sensitive data fields to protect confidentiality?
A. Obfuscation
B. Masking
C. Tokenization
D. Anonymization
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 372). McGraw Hill LLC. Kindle Edition.
C. Tokenization
Explanation:
C. Tokenization is the process of replacing sensitive data with an opaque or random value, with the ability to map the value back to the original real value. This allows an application to operate in the same manner in which it was coded and to use the same values as keys, but without using the actual real values, which may contain PII or other sensitive data. This can allow an application to conform to confidentiality or privacy requirements without the need for other, more expensive and intensive implementations such as encryption. With the ability to map tokenized values back to the original sensitive values, the system that contains the original mappings or is responsible for generating them must be protected and secured to prevent exposure. A is incorrect because obfuscation involves replacing sensitive or protected data fields with random information, typically for generating data sets for testing in nonproduction systems or other purposes similar in nature. The difference between tokenization and obfuscation is that, with obfuscation, the original mappings to the protected data are not maintained, nor are they important. Although this will be more secure than tokenization because the original mappings are not preserved anywhere, it also means that the data cannot be used in any meaningful way beyond functional testing or development purposes. B is incorrect because masking is another term for obfuscation. D is incorrect because anonymization involves replacing data so that it cannot be successfully mapped back to an individual. It is built on the concept of direct and indirect identifiers. Indirect identifiers are those attributes that by themselves cannot map to a single individual, but a combination of many indirect identifiers could lead to the identification of a specific individual. Anonymization is often used in conjunction with the obfuscation or tokenization of sensitive fields as a way of removing the indirect identifiers to ensure the data sets cannot be mapped back successfully through any means.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 373). McGraw Hill LLC. Kindle Edition.
Which of the following is not one of the security domains presented within the Cloud Controls Matrix?
A. Financial security
B. Mobile security
C. Data center security
D. Interface security
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 373). McGraw Hill LLC. Kindle Edition.
A. Financial security
Explanation:
Financial security is not one of the specific security domains presented as part of the Cloud Controls Matrix (CCM). While many other domains will play into the protection of financial information, there is not a domain that is specifically related to it. The same applies to cost as a factor in security, because only security controls and policies are part of the CCM. B is incorrect because mobile security is one of the specific domains outlined in the Cloud Controls Matrix. C is incorrect because data center security is one of the specific domains outlined in the Cloud Controls Matrix. D is incorrect because interface security is one of the specific domains outlined in the Cloud Controls Matrix, specifically labeled as application and interface security.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 373-374). McGraw Hill LLC. Kindle Edition.
Which ISO/IEC set of standards documents the cloud definitions for staffing and official roles?
A. ISO/IEC 27001
B. ISO/IEC 17788
C. ISO/IEC 17789
D. ISO/IEC 27040
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 374). McGraw Hill LLC. Kindle Edition.
B. ISO/IEC 17788
Explanation:
B. ISO/IEC 17788 (specifically the latest revision, ISO/IEC 17788:2014) provides an overview and vocabulary for cloud computing. It defines much of the commonly used cloud terminology, such as service categories and cloud deployment models. A is incorrect because ISO/IEC 27001 is a general security standard that can apply to any type of system in any type of hosting environment. C is incorrect because ISO/IEC 17789 is focused on cloud computing and the reference architecture, including the common features that define cloud computing, such as measured service, broad network access, multitenancy, on-demand self-service, rapid elasticity and scalability, and resource pooling. D is incorrect because ISO/IEC 27040 is focused on security techniques as they relate to storage security.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 374). McGraw Hill LLC. Kindle Edition.
Which of the following pieces of information is not included as part of PII as a direct identifier?
A. Address
B. ZIP Code
C. Biometric records
D. Phone number
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 374). McGraw Hill LLC. Kindle Edition.
B. ZIP Code
Explanation:
B. As they relate to PII, ZIP Codes would not be considered a protected piece of information. A ZIP Code, being a broad geographic area, would not meet the definition required for PII because it cannot by itself be used to identify an individual. However, combined with other various pieces of information, a ZIP Code could be used to narrow down information and possibly identify or distinguish an individual from others with similar attributes. A is incorrect because an address relates to a specific resident or location and, as such, can directly identify an individual. C is incorrect because biometrics can immediately and directly identify an individual, and most biometric markers will be unique to a single individual. D is incorrect because a personal phone number, and in many instances even a business phone number, can be directly tied to a specific individual and, as such, is definitely considered PII.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 374-375). McGraw Hill LLC. Kindle Edition.
42. Which concept pertains to the risk an organization entails in regard to the ability to move between cloud providers at a later date?
A. Interoperability
B. Reversibility
C. Portability
D. Broad network access
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 375). McGraw Hill LLC. Kindle Edition.
C. Portability
Explanation:
Portability is the concept that allows a cloud customer to easily move between cloud providers at a later date. Portability takes into account the characteristics and features of a system or application that can lead to vendor lock-in and therefore are aspects that should be avoided. For example, if a cloud customer builds their systems or applications around specific APIs or features that are proprietary to a specific cloud provider, it will be almost impossible for the cloud customer to later move to a different cloud provider without incurring substantial costs in both time and money to change their applications, which would also expose them to significant risk for such an undertaking. A is incorrect because interoperability refers to the ability of a system or application to reuse components from previous versions or other applications in new ways. With this ability, developers can save time and money building applications and components through the use of code that not only is already written but also tested and verified by both users and security scanning. B is incorrect because reversibility refers to the ability of a cloud customer to remove all systems, applications, and data from a cloud environment as well as to ensure that all traces of them have been securely deleted. This is governed by contract terms for the level of assistance that the cloud provider must provide as well as the timeliness of having all tasks completed and verified. D is incorrect because broad network access is one of the core components of cloud computing, but it does not relate at all to moving between cloud providers. Broad network access refers to the ability to access cloud resources and systems from anywhere and over the public Internet, rather than through restricted network tunnels or specific physical networks.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 375). McGraw Hill LLC. Kindle Edition.
Which cloud computing offering enables a company to offer the lowest possible latency for users to access data from their systems?
A. XML accelerator
B. Edge computing
C. DLP
D. IDS
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 376). McGraw Hill LLC. Kindle Edition.
B. Edge computing
Explanation:
B. Edge computing is a computing paradigm that is based on putting the processing of data and computing resources as close to the source of that data as possible. The main purpose of edge computing is to reduce latency by removing the need for data and computing resources to be accessed over remote networks. A is incorrect because an XML accelerator can be used to improve performance of the processing of XML data, but it is not a better answer than edge computing to deliver the lowest latency to customers. C is incorrect because data loss prevention (DLP) is used to prevent the accidental disclosure or leakage of data, but it is not used to lower latency for data access. D is incorrect because an intrusion detection system (IDS) will monitor for possible breaches and attempted breaches, but it will not improve latency for data access.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 376). McGraw Hill LLC. Kindle Edition.
44. Which of the following is not one of the core building blocks of cloud computing?
A. CPU
B. Memory
C. Storage
D. Hardware
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 376). McGraw Hill LLC. Kindle Edition.
D. Hardware
Explanation:
D. Hardware is not considered one of the core building blocks of cloud computing. With cloud computing specifically, hardware should not be a concern at all for cloud customers, because they will never interact with it or even have a need to really know what it is. All cloud services are segregated from the hardware layer, and cloud customers are only buying computing resources that are consumable in nature and specific to their computing needs. A is incorrect because CPU is a core building block of cloud computing. When new virtual machines or virtual appliances are provisioned in a cloud environment, one of the main selections made is in regard to their CPU resources. The measured service costs associated with each virtual machine and the aggregate total of CPU resources will tie directly into the costs of hosting with the cloud environment. With the cloud built entirely on virtual and logical infrastructure from the perspective of the cloud customer, CPU allocations per virtual machine can easily be changed by stopping and starting a virtual machine after configuration changes have been made through the service portal. CPU is part of the resource pooling and is shared between the tenants of the cloud environment. B is incorrect because memory is a core building block of cloud computing. Much like CPU resources, memory is configured per virtual machine, and the individual or aggregate totals will tie into the cost structure for the cloud customer. Memory can also be changed after the provisioning configurations have been updated by a simple stopping and starting of the virtual machine instance. Memory is part of the resource pooling and is shared among the tenants of the cloud environment. C is incorrect because storage is also part of the pooled resources of a cloud infrastructure, and it shares similar qualities to memory and CPU as far as ease of changes and modifications after initial builds. Depending on the cloud service category, storage will come in different formats, and billing may differ as a unit cost based on the type of storage selected.
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 376-377). McGraw Hill LLC. Kindle Edition.