CCSK Practice Exam 2 (WhizLabs) Flashcards
In which phase of the application design and development process, the focus in on architecture?
A.Training B.Define C.Design D.Develop E.Test
C.Design
Explanation:
Design
During the application design process, especially when PaaS is involved, the focus for security in cloud is on architecture, the cloud providers baseline capabilities, cloud provider features and automating and managing security for deployment and operations.
There are often significant security benefits to integrating security into the application architecture since there are opportunities to leverage the providers own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attack paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific
Which of the following governance domain focuses on proper and adequate incident detection, response, notification and remediation?
A.Infrastructure Security B.Information Governance and Enterprise Risk Management C.Compliance and Audit Management D.Incident Response E.Information Governance
D.Incident Response
Explanation:
The Incident Response Lifecycle as defined in the NIST-800 document includes the following phases and major activities:
Detection and Analysis:
Alerts
Endpoint protection, network security monitoring, host monitoring, account creation, privilege escalation, other IoCs, SIEM, security analytics (baseline and anomaly detection), end user behavior analytics
-Validate Alerts (reducing false positives) and escalation
-Estimate the scope of the incident
-Assign an Incident Manager who will coordinate further actions
-Designate a person who will communicate the incident containment and recovery status to senior management
-Build a timeline of the attack
-Determine the extent of the potential data loss
-Notification and coordination activities
-Containment, eradication and recovery
Containment
Taking systems offline. Considerations for data loss versus service availability. Ensuring systems dont destroy themselves upon detection
Eradication and Recovery
Clean up compromised devices and restore systems to normal operations. Confirm systems are functioning properly. Deploy controls to prevent similar incidents
Documenting the incident and gathering evidence (chain of custody)
The main difference between traditional virtualization and cloud computing is abstraction
A. True
B. False
B. False
Explanation:
Virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes
The key techniques to create a cloud are abstraction and orchestration.
We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers.
As you will see, these two techniques create all the essential characteristics we use to define something as a cloud
The difference between cloud computing and traditional virtualization; virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes
Which of the following is a cloud infrastructure that is shared by several organizations and supports a specific group that has shared concerns?
A.Public Cloud B.Private Cloud C.Community Cloud D.Hybrid Cloud E.Common Cloud
C.Community Cloud
Explanation:
Community Cloud is the cloud infrastructure that is shared by several organizations and supports a specific community that has shared concerns (ie mission, security requirements, policy, or compliance considerations)
Community Cloud
It may be managed by the organizations or by a third party and may be located on-premises or off-premises
Which of the following describes the cloud management plane?
A. APIs that are remotely accessible and those wrapped into a web-based user interface
B. Is a layer in which all types of devices and resources from different vendors and interconnected
C. Is a layer where the data center is the component element
D. Is a layer consisting of plenty of vendors and third party applications
A. APIs that are remotely accessible and those wrapped into a web-based user interface
Explanation:
APIs are both remotely accessible and wrapped into a web based user interface.
This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuration virtual networks
Option B is infrastructure
Option C is Cloud Control plane
Option D is application plane
If an attacker gets into your management plane, they have full remote access to your entire cloud environment
A. True
B. False
A. True
Explanation:
If an attacker gets into your management plane, they potentially have full remote access to your entire cloud
The data and information like content in database or file storage are part of which layer of Logical Model?
A.Infrastructure
B. Metastructure
C.Infostructure
D.Applistructure
C.Infostructure
Explanation:
The data and information.
Content in a database, file storage, etc is part of Infostructure
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.
This is useful to illustrate the differences between the different computing models themselves:
Infrastructure
The core components of a computing system; compute, network and storage.
The foundation that everything is built on. The moving parts
Metastructure
The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enable management and configuration
Infostructure
The data and information. Content in a database, file storage, etc.
Applistructure
The application deployed in the cloud and the underlying application services used to build them.
For example, PaaS features like message queues, artificial intelligence analysis, or notification services.
Which of the following is the most commonly used application programming interface?
A. REST
B.SOAP
C. HTTP
D. JSON
A. REST
Explanation:
Most cloud APIs these days use REST (Representational State Transfer), which runs over the HTTP protocol, making it extremely well suited for Internet services.
APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud user to manage their resources and configurations.
Which of the following tools lists cloud security controls and maps them to multiple security and compliance standards?
A.Consensus Assessments Initiative Questionnaire B.Cloud Controls Matrix C.Cloud Provider Controls D. Supplier (Cloud Provider) Assessments E.Cloud Security Alliance STAR Registry
B.Cloud Controls Matrix
Explanation:
The Cloud Controls Matrix (CCM) lists cloud security controls and maps them to multiple security and compliance standards. The CCM can also be used to document security responsibilities
The Consensus Assessments Initiative Questionnaire (CAIQ) is a standard template for cloud providers to document their security and compliance controls
Both documents will need tuning for specific organizational and project requirements, but provider comprehensive starting template and can be especially useful for ensuring compliance requirements are met
Contracts are the primary tool of governance between a cloud provider and a cloud customer (this is true for public and private cloud). The contracts is your only guarantee of any level or service or commitment - assuming there is no breach of contract, which tosses everything into a legal scenario. Contracts are the primary tool to extend governance into business partners and providers
Supplier (Cloud Provider) Assessments
These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research.
They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers and so on
The Cloud Security Alliance STAR Registry
This is an an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments initiative questionnaire.
Some providers also disclose documentation for additional certifications and assessments (including self-assessments)
The following list of controls belongs to which domain of the CCM?
GRM 04 - Management Program
GRM 05 - Support / Involvement
GRM 06 - Policy
GRM 07 - Policy Enforcement
A.Data Center Security
B.Encryption and Key Management
C.Governance and Risk Management
D.Change Control & Configuration Management
C.Governance and Risk Management
Explanation:
The following list of controls belong to Governance and Risk Management domain of CCD
GRM -01 Baseline Requirements GRM - 02 Data Focus Risk Assessments GRM - 03 Management Oversight GRM - 04 Management Program GRM - 05 Management Support/Involvement GRM - 06 Management Policy GRM - 07 Policy Enforcement GRM - 08 Policy Impact on Risk Assessment GRM - 09 Policy Reviews GRM - 10 Risk Assessments GRM - 11 Risk Management Framework
Cloud service providers leverage which of the following to manage costs and enable capabilities?
A.On-demand self-service B.Broad Network Access C.Economies of Scale D.Measured Service E.Resource Pooling
C.Economies of Scale
Explanation:
Cloud service providers try to leverage economies of scale to manage costs and enable capabilities
This means creating extremely standardized services (including contracts and server level agreements) that are consistent across all customers.
Governance models can necessarily treat cloud providers the same way they would treat dedicated external service providers, which typically customize their offerings, including legal agreements, for each client.
In which of the five main phases of secure application design and development, would you perform Threat Modeling?
A.Training B.Define C.Design D.Develop E.Test
C.Design
Explanation:
During the application design process, especially when PaaS is involved, the focus for security in cloud is on architecture, the cloud providers baseline capabilities, cloud provider features, and automating and managing security for deployment and operations.
We find that there are often significant security benefits to integrating security into the application architecture since there are opportunities to leverage the providers own security capabilities.
For example, inserting a serverless load balancer or message queue could completely block certain network attacks paths.
This is also where you perform threat modeling, which must also be cloud and provider/platform specific
All services from a particular provider meet the same audit/assessment standards
A.True
B.False
B.False
Explanation:
All services from a particular provider may not meet the same audit/assessment standards.
They can vary
In the United States, a party is obligated to take reasonable steps to prevent the destruction or modification of data in its possession that it knows is relevant to pending litigation or government investigation
A.True
B.False
A.True
Explanation:
In the United States, a party is generally obligated to undertake reasonable steps to prevent the destruction or modification of data in its possession, custody or control that it knows, or reasonably should know, is relevant either to pending or reasonably anticipated litigation or a government investigation
The nature of contracts with cloud providers will often preclude things like on-premises audits.
What options does the customer have in this situation?
A.Remote Audit of Provider Services B.Service Level Agreement C.Non Disclosure Agreement D.Third Party Certification E.Third Party Attestation
E.Third Party Attestation
Explanation:
Some cloud customers may be used to auditing the third party provides, but the nature of cloud computing and contracts with cloud providers will often preclude things like on-premises audits.
Customers should understand that providers can (and often should) consider on premises audits a security risk when proving multitenant services
Multiple on-premises audits from large numbers of customers present clear logistical and security challenges, especially when the provider relies on shared assets to create the resource pools
Customers working with these providers will have to rely more on third-party attestations rather than audits they perform themselves.
Depending on the audit standard, actual results may only be releasable under a NDA, which means customers will need to enter into a basic legal agreement before access to attestations for risk assessments or other evaluative purposes.
This is often due to legal or contractual requirements with the audit firm, not due to any attempts and obfuscation by the cloud provider
Cloud user does not require special permission to perform vulnerability assessment on its environment in cloud
A.True
B.False
B.False
Explanation:
Certain types of customer technical assessments and audits (such as vulnerability assessment) may be limited in the providers terms of service and may require permission.
This is often to help the provider distinguish between a legitimate assessment and an attack
All assets in the cloud require some business continuity
A.True
B.False
B.False
Explanation:
Overall, a risk based approach is key:
Not all assets need equal continuity
Dont drive yourself crazy by planning for full provider outages just because of the perceived loss of control.
Look at historical performance
Strive to design for RTOs and RPOs equivalent to those on traditional infrastructure
Which of the following is a key tool in enabling and enforcing separation and isolation in multi-tenancy?
A.Infrastructure
B.Infostructure
C.Applistructure
D.Metastructure
D.Metastructure
Explanation:
The management plane is a key tool for enabling and enforicing separation and isolation in multitenancy.
Limiting who can do what with the APIs is one important means for segregating out customers, or different users within a single tenant.
Resources are in the pool, out of the pool and where they are allocated
Which of the following statement regarding service administrator account is not true?
A.Service administrators account are more suited for common daily user
B.Service administrators help compartmentalize individual sessions
C.Service administrator accounts can expose the entire deployment
D.Service administrators accounts manage parts of the service
C.Service administrator accounts can expose the entire deployment
Explanation:
Service administrator accounts dont necessarily expose the entire deployment if they are abused or compromised and thus are better for common daily usage
Your platform or provider may support low level admin accounts that can only manage parts of the service
We sometimes call these service admins or day to day admins.
These accounts dont necessarily expose the entire deployment if they are abused or compromised, and thus are better for common daily usage.
They also help compartmentalize individual sessions, so it isnt unusual to allow a single human admin access to multiple service admin accounts (or roles) so they can log in with the privileges they need for that particular action instead of having to expose a much wider range of entitlements
Business Continuity and Disaster Recovery is not a shared responsibility and the cloud user is completely responsible for it
A.True
B. False
B. False
Explanation:
Like security and compliance, BC/DR is a shared responsibility
There are aspects that the cloud provider has to manage, but the cloud customer is also ultimately responsible fhor how they use and manage the cloud service.
This is especially true when planning for outages of the cloud provider (or parts of the cloud providers service)
Which of the following statements regarding SDN (Software Defined networking) is not true?
A. SDN firewalls apply more flexible criteria than hardware-based firewalls
B. SDN fireewalls apply to single assets or group of assets
C.SDN firewall rules can be applied to any asset or groups of assets with a particular tag
D.SDN firewalls define rules can apply to a specific network location only (within a given virtual network)
E.SDN firewalls can define both ingress and egress rules
D.SDN firewalls define rules can apply to a specific network location only (within a given virtual network)
Explanation:
SDN firewalls (ie security groups) can apply to assets based on more flexible criteria than hardware-based firewalls, since they are not lmimited based on physical topology
SDN firewalls are typically policy sets that define ingress and egress rules that can apply to single assets or groups of assets, regardless of network location (within a given virtual network)
For example, you can create a set of firewall rules that apply to any asset with a particular tag
Which of the following WAN virtualization technology is used to create networks which span multiple base networks?
A.Cloud overlay networks
B.Virtual private networks
C.Virtual private cloud
D.Network peering
A.Cloud overlay networks
Explanation:
Cloud overlay networks are a special kind of WAN virtualization technology for created networks that span multiple base networks.
For example, an overlay network could span physical and cloud locations or multiple cloud networks, perhaps even on different providers.
Who manages the web console which is one of the ways the management plane is delivered?m
A.Super Admin User
B.Cloud Access Security Broker
C.Cloud Provider
D.Cloud User
C.Cloud Provider
Explanation:
Web consoles are managed by the provider.
They can be organization-specific (typically using DNS redirection tied to federation identity)
For example, when you connect to your cloud file sharing application you are redirected to your own version of the application after you login.
This version will have its own domain name associated with it, which allows you to integrate more easily with federated identity.
Logs, documentation and other materials that are needed for audits and compliance and are used as evidence to support compliance activities are called as-
A.Audit Proof B.Audit Evidence C.Audit Trail D.Artifacts E.Log Trail
D.Artifacts
Explanation:
Artifacts are the logs, documentation and other materials needed for audits and compliance; they are the evidence to support compliance activities
Both providers and customers have responsibilities for producing and managing their respective artifacts