CCSP Domain 3: Cloud Platform and Infrastructure Security Flashcards
Barry is the CIO of an organization that recently suffered a serious operational issue that required activation of the disaster recovery plan. He would like to conduct a lessons learned session to review the incident. Who would be the best facilitator for this session?
A. Barry, as chief information officer
B. Chief information security officer
C. Disaster recovery team leader
D. External consultant
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.
D. External consultant
Explanation:
Barry should recruit an independent moderator to facilitate the session. Having a moderator who was not directly involved in the effort encourages honest and open feedback. While it is not necessary to use an external consultant, they may easily fill this role.
If the cloud is used for BC/DR purposes, the loss of ___________________ could gravely affect your organization’s RTO.
A. Any cloud administrator
B. A specific VM
C. Your policy and contract documentation
D. ISP connectivity
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.
D. ISP connectivity
Explanation:
Without ISP connectivity, nobody will be able to use the internet, and thus the cloud.
Brent is reviewing the controls that will protect his organization in the event of a sustained period of power loss at his on-premises datacenter. Which one of the following solutions would best meet his needs?
A. Redundant servers
B. Uninterruptible power supply (UPS)
C. Generator
D. RAID
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.
C. Generator
Explanation:
Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. A UPS provides immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss.
Carolyn is concerned that users on her network may be storing sensitive information, such as Social Security numbers, on their hard drives without proper authorization or security controls. What third-party security service can she implement to best detect this activity?
A. IDS
B. IPS
C. DLP
D. TLS
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.
C. DLP
Explanation:
DLP systems may identify sensitive information stored on endpoint systems or in transit over a network. This is their primary purpose. DLP systems are commonly available as a third-party managed service offering.
What individuals should have access to the management plane of a cloud datacenter?
A. Service provider engineers
B. Customer engineers
C. End users
D. Both A and B
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.
A. Service provider engineers
Explanation:
The management plane of a cloud service provider's datacenter should be reserved for use by that provider's own engineers.
Traffic on the management plane controls the operations of the infrastructure itself, and granting customers (even highly trained engineers) access to that network could jeopardize the security of other customers.
Roland is a physical security specialist in an organization that has a large amount of expensive lab equipment that often moves around the facility. Which one of the following technologies would provide the most automation of an inventory control process in a cost-effective manner?
A. IPS
B. Wi-Fi
C. RFID
D. Ethernet
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.
C. RFID
Explanation:
Radio frequency identification (RFID) technology is a cost-effective way to track items in a facility.
Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.
A. Cold site
Explanation:
A cold site includes the basic capabilities required for datacenter operations (space, power, HVAC, and communications), but it does not include any of the hardware required to restore operations.
Your organization has its production environment hosted in a cloud environment. You are considering using cloud backup services for your BC/DR purposes as well. What would probably be the best strategy for this approach, in terms of redundancy and resiliency?
A. Have your cloud provider also provide BC/DR backup.
B. Keep a BC/DR backup on the premises of your corporate headquarters.
C. Use another cloud provider for the BC/DR backup.
D. Move your production environment back into your corporate premises, and use your cloud provider to host your BC/DR backup.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.
C. Use another cloud provider for the BC/DR backup.
Explanation:
It's best to have your backup at another cloud provider in case whatever causes an interruption in service occurs throughout your primary provider's environment; this will be more complicated and expensive, but it provides the best redundancy and resiliency. Using the same provider for production and backup is not a bad option, but it entails the risk of the same contingency affecting both copies of your data.
Philip is developing a new security tool that will be used by individuals in many different subsidiaries of his organization. He chooses to use Docker to deploy the tool to simplify configuration. What term best describes this approach?
A. Virtualization
B. Abstraction
C. Simplification
D. Containerization
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.
D. Containerization
Explanation:
All of these terms accurately describe this use of technology. However, the use of Docker is best described as containerization technology, so this is the best possible answer choice.
What is the most important asset to protect in cloud BC/DR activities?
A. Intellectual property
B. Hardware at the cloud datacenter
C. Personnel
D. Data on portable media
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.
C. Personnel
Explanation:
Health and human safety is always paramount in all security activity. All of these assets require some type of protection; however, human safety must always be the highest priority.
Carla is developing the design of a cloud infrastructure service offering that she will be reselling to a number of customers. What component of her stack is most directly responsible for performing tenant partitioning of the virtual machines belonging to different customers?
A. Access control lists
B. Network security group
C. Firewall
D. Hypervisor
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.
D. Hypervisor
Explanation:
All of these technologies play some role in tenant partitioning. However, this question asked specifically about the partitioning of virtual machines belonging to different tenants. This is the responsibility of the hypervisor on a virtualization platform.
Carlos is planning a design for a datacenter that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the datacenter?
A. Basement
B. First floor
C. Second floor
D. Third floor
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.
C. Second floor
Explanation:
Datacenters should be located in the core of a building. Locating it in the basement makes it susceptible to flooding. The first floor is the normal point of entry to a building, making it more susceptible to physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.
Chris is an information security professional for a major corporation and, as he is walking into the building, he notices that the door to a secure area has been left ajar. Physical security does not fall under his responsibility, but he takes immediate action by closing the door and informing the physical security team of his action. What principle is Chris demonstrating?
A. Due care
B. Due diligence
C. Separation of duties
D. Informed consent
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.
A. Due care
Explanation:
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is more of a specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger’s firm?
A. Configuring the network firewall
B. Applying hypervisor updates
C. Patching operating systems
D. Wiping drives prior to disposal
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.
C. Patching operating systems
Explanation:
In an IaaS environment, the vendor is responsible for hardware-related and network-related responsibilities. These include configuring network firewalls, maintaining the hypervisor, and managing physical equipment. The customer retains responsibility for patching the operating systems on its virtual machines. The customer is responsible for managing network ingress and egress but does so by manipulating network security groups, rather than directly configuring the network firewall.
Candace is designing a backup strategy for her organization’s file server. She would like to perform a backup every weekday that has the smallest possible storage footprint. What type of backup should she perform?
A. Incremental backup
B. Full backup
C. Differential backup
D. Transaction log backup
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.
A. Incremental backup
Explanation:
Incremental backups provide the option that includes the smallest amount of data. In this case, that would be only the data modified since the most recent backup. A differential would back up all data modified since the last full backup, which would be a substantial amount.
Alyssa’s team recently implemented a new system that gathers information from a variety of log sources, analyzes that information, and then triggers automated playbooks in response to security events. What term best describes this technology?
A. SIEM
B. Log repositories
C. IPS
D. SOAR
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 48-49). Wiley. Kindle Edition.
D. SOAR
Explanation:
SIEM systems do correlate information from multiple sources and perform analysis, but they stop short of providing automated playbook responses. That is the realm of security orchestration, automation, and response (SOAR) platforms.
Nick is evaluating options for his organization’s future datacenters. Which one of the following options normally incurs the largest up-front cost?
A. Colocation facilities
B. Cloud datacenters
C. On-premises datacenters
D. SaaS offerings
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.
C. On-premises datacenters
Explanation:
This is a classic example of the buy vs. build decision. Any time an organization chooses to build out capital resources, such as an on-premises datacenter, it involves very high up-front investments.
Ben is an IT auditor and would like to ensure that the organization has mechanisms in place to create an appropriate audit trail for systems and applications. Which one of the following technologies aggregates and correlates log entries?
A. SIEM
B. IPS
C. EDR
D. CASB
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.
A. SIEM
Explanation:
SIEM solutions aggregate log entries from many different sources and correlate them to create an interpretable audit trail.
In addition to the security controls implemented by the cloud provider, a cloud customer must consider the security controls implemented by ___________________.
A. The respective regulator
B. The end user(s)
C. Any vendor the cloud customer previously used in the on-premises environment
D. Any third parties the provider depends on
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.
D. Any third parties the provider depends on
Explanation:
Because supply chain dependencies can affect service, the cloud customer will need assurance that any third-party reliance is secure.
Brittney is reviewing her organization’s disaster recovery process data and notes that the MTD for the business’s database server is 30 minutes. What does she know about the RTO for the server?
A. It needs to be less than 30 minutes.
B. It needs to be at least 30 minutes.
C. The MTD is too short and needs to be longer.
D. The RTO is too short and needs to be longer.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.
A. It needs to be less than 30 minutes.
Explanation:
When Brittney reviews the recovery time objective (RTO) data, she needs to ensure that the organization can recover from an outage in less than 30 minutes, based on the maximum tolerable downtime (MTD) of 30 minutes.
Cameron is worried about distributed denial-of-service (DDoS) attacks against his company’s primary web application. Which of the following options will provide the most resilience against large-scale DDoS attacks?
A. Implement a CDN.
B. Increase the number of servers in the web application server cluster.
C. Contract for DDoS mitigation services via the company’s ISP.
D. Increase the amount of bandwidth available from one or more ISPs.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.
A. Implement a CDN.
Explanation:
A content delivery network run by a major provider can handle large-scale DDoS attacks more easily than any of the other solutions. Using DDoS mitigation techniques via an ISP is the next most useful capability, followed by both increases in bandwidth and increases in the number of servers in the web application cluster.
John’s network begins to experience symptoms of slowness. He launches a packet capture tool and realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?
A. Availability
B. Integrity
C. Confidentiality
D. Denial
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.
A. Availability
Explanation:
A DDoS attack is designed to overwhelm a system until it is unable to process legitimate requests. The purpose of this attack is to deny legitimate users access to the system, which is a violation of the principle of availability.
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.
C. Risk mitigation
Explanation:
Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring.
You are trying to determine the critical assets that your organization must protect in your BC/DR activities. Which one of the following artifacts would be most useful in your work?
A. Quantitative risk analysis
B. Qualitative risk analysis
C. Business impact analysis
D. Risk appetite
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.
C. Business impact analysis
Explanation:
The business impact analysis is designed for this purpose: to determine the critical path of assets, resources, and data within the organization.
A component failure in the primary HVAC system leads to a high temperature alarm in the datacenter that Kim manages. After resolving the issue, what should Kim consider to prevent future issues like this?
A. A closed loop chiller
B. Redundant cooling systems
C. Swamp coolers
D. Relocating the datacenter to a colder climate
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.
B. Redundant cooling systems
Explanation:
A well-designed datacenter should have redundant systems and capabilities for each critical part of its infrastructure. That means that power, cooling, and network connectivity should all be redundant.
Joe is the security administrator for a cloud-based ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
A. Read only
B. Editor
C. Administrator
D. No access
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.
D. No access
Explanation:
The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based on business need and not by default.
Jason operates a cloud datacenter and would like to improve the ability of administrators to interact programmatically with backend solutions on the management plane. What technology can he use to best allow this type of automation?
A. CASB
B. API
C. Hypervisor
D. Python
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.
B. API
Explanation:
APIs allow for programmatic interaction with services and platforms. Jason can use APIs to tie together different technologies and interact with them programmatically. Python scripts may play a role in that automation, but they do not, on their own, allow the automation to occur, because the script must use the API to interact with services.
Which of the following is a device specially designed to handle the management of cryptographic keys?
A. Key management box (KMB)
B. Hardware security module (HSM)
C. Ticket-granting ticket (TGT)
D. Trusted computing base (TCB)
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.
B. Hardware security module (HSM)
Explanation:
The question describes an HSM.
What individual in an organization bears ultimate responsibility for the success of the disaster recovery plan?
A. End users
B. BC/DR team leader
C. CISO
D. CEO
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.
D. CEO
Explanation:
The key to successfully answering this question is noticing that it asks who bears ultimate responsibility. The CEO bears ultimate responsibility for the success of the organization and therefore will be the one held accountable if the business fails.
Michael is responsible for forensic investigations and is investigating a security incident that involved the defacement of a corporate website. The web server in question ran on a virtualization platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take?
A. Keep the website offline until the investigation is complete.
B. Take the virtualization platform offline as evidence.
C. Take a snapshot of the compromised system and use that for the investigation.
D. Ignore the incident and focus on quickly restoring the website.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.
C. Take a snapshot of the compromised system and use that for the investigation.
Explanation:
Michael should conduct his investigation, but there is a pressing business need to bring the website back online.
In a virtualized computing environment, what component is responsible for enforcing separation between guest machines?
A. Guest operating system
B. Hypervisor
C. Kernel
D. Protection manager
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.
B. Hypervisor
Explanation:
The hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between different virtual machines running on the same platform.
Best practice for planning the physical resiliency for a cloud datacenter facility includes ___________________.
A. Having one point of egress for personnel
B. Ensuring that redundant cabling/connectivity enters the facility from different sides of the building/property
C. Ensuring that all parking areas are near generators so that personnel in high-traffic areas are always illuminated by emergency lighting, even when utility power is not available
D. Ensuring that the foundation of the facility is rated to withstand earthquake tremors
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.
B. Ensuring that redundant cabling/connectivity enters the facility from different sides of the building/property
Explanation:
To avoid a situation where severing a given physical connection (for example, during construction or landscaping) also severs its backups, have redundant lines enter on different sides of the building.
Jen is designing a datacenter that will be used to offer cloud services to her organization’s customers. She is concerned about separating systems that process information that belongs to different customers from each other. What networking technology would best allow her to enforce this separation?
A. BGP
B. LAN
C. VLAN
D. VPN
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.
C. VLAN
Explanation:
VLANs are used to create logical separation between systems in a datacenter and are the most cost-effective way to provide network segmentation. Creating separate physical LANs would require redundant equipment and unnecessary expense.
Risk should always be considered from a business perspective. When a risk is accepted, it should be balanced by a corresponding ___________________.
A. Profit
B. Performance
C. Cost
D. Opportunity
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.
D. Opportunity
Explanation:
The only reason organizations accept any level of risk is because of the potential benefit also afforded by a risk activity.
Profit is not the hallmark of every opportunity (or every organization; many organizations are nonprofit or government-based), so option A is incorrect.
Likewise, not all risky activities offer a chance to enhance performance, so option B is incorrect.
Cost is not a benefit, so option C does not make sense here.
You are designing a cloud datacenter that is expected to meet Tier 2 status according to the Uptime Institute standards. What level of availability must you achieve to meet this standard?
A. 99.422%
B. 99.671%
C. 99.741%
D. 99.995%
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.
C. 99.741%
Explanation:
Tier 2 datacenters are expected to achieve 99.741% availability.
Tier 1 datacenters are expected to achieve 99.671% availability.
Tier 3 datacenters are expected to achieve 99.982% availability.
Tier 4 datacenters are expected to achieve 99.995% availability.
Ursula is examining several virtual servers that her organization runs in an IaaS service. She discovers that the servers are all running a scheduling service that is no longer used by the organization. What action should she take?
A. Ensure the service is fully patched.
B. Remove the service.
C. Leave the service alone unless it is causing issues.
D. Contact the vendor for instructions.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.
B. Remove the service.
Explanation:
Running unnecessary services on a server increases the attack surface and exposes an organization to unnecessary risk. Therefore, Ursula should work through the organization's normal change management processes to remove the service.
When discussing the cloud, we often segregate the datacenter into the terms compute, storage, and networking. Compute is made up of ___________________ and ___________________.
A. Routers; hosts
B. Application programming interfaces (APIs); northbound interfaces (NBIs)
C. Central processing units (CPUs); random access memory (RAM)
D. Virtualized; actual hardware devices
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.
C. Central processing units (CPUs); random access memory (RAM)
Explanation:
The compute nodes of a cloud datacenter can be measured in terms of how many central processing units and how much RAM are available within the datacenter.
What type of IaaS storage is typically used to provide disk volumes that are mountable on virtual server instances?
A. Dedicated disks
B. Block
C. Encrypted
D. Object
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.
B. Block
Explanation:
Block storage, also known as volume storage, provides disk volumes for use by servers. Cloud environments generally do not provide dedicated disks because that approach would be highly inefficient.
Which one of the following statements about file storage security in the cloud is correct?
A. File stores are always kept in plaintext in the cloud.
B. There is no way to sanitize file storage space in the cloud.
C. Virtualization prevents the use of application-based security controls.
D. Virtual machines are stored as snapshotted files when not in use.
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.
D. Virtual machines are stored as snapshotted files when not in use.
Explanation:
VMs are snapshotted and simply stored as files when they are not being used; an attacker who gains access to those file stores could ostensibly steal entire machines in highly portable, easily copied formats. Therefore, these cloud storage spaces must include a significant amount of controls.
Javier is assisting with the implementation of a cloud-based SaaS solution. He is concerned about the ability of remote users to interact directly with the database supporting the application by exploiting a web application vulnerability. What type of vulnerability would permit this access?
A. SQL injection
B. Cross-site scripting
C. Cross-site request forgery
D. Server-side request forgery
Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.
A. SQL injection
Explanation:
SQL injection vulnerabilities allow an attacker to send commands through a web application to the database supporting that application.