CCSP Domain 3: Cloud Platform and Infrastructure Security Flashcards

1
Q

Barry is the CIO of an organization that recently suffered a serious operational issue that required activation of the disaster recovery plan. He would like to conduct a lessons learned session to review the incident. Who would be the best facilitator for this session?

A. Barry, as chief information officer
B. Chief information security officer
C. Disaster recovery team leader
D. External consultant

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.

A

D. External consultant

Explanation:
Barry should recruit an independent moderator to facilitate the session. Having a moderator who was not directly involved in the effort encourages honest and open feedback. While it is not necessary to use an external consultant, they may easily fill this role.

2
Q

If the cloud is used for BC/DR purposes, the loss of ___________________ could gravely affect your organization’s RTO.

A. Any cloud administrator
B. A specific VM
C. Your policy and contract documentation
D. ISP connectivity

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.

A

D. ISP connectivity

Explanation:
Without ISP connectivity, nobody can reach the internet, and therefore nobody can reach the cloud-hosted recovery environment. The loss of a single administrator or a single VM can be worked around, but a connectivity outage stalls recovery until the link is restored, which directly extends the RTO.

3
Q

Brent is reviewing the controls that will protect his organization in the event of a sustained period of power loss at his on-premises datacenter. Which one of the following solutions would best meet his needs?

A. Redundant servers
B. Uninterruptible power supply (UPS)
C. Generator
D. RAID

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.

A

C. Generator

Explanation:
Generators can provide backup power for a sustained period in the event of a power loss, but they take time to start. A UPS provides immediate, battery-driven power for a short period to bridge momentary losses (and the gap until a generator comes online), so it would not cover a sustained outage on its own.

4
Q

Carolyn is concerned that users on her network may be storing sensitive information, such as Social Security numbers, on their hard drives without proper authorization or security controls. What third-party security service can she implement to best detect this activity?

A. IDS
B. IPS
C. DLP
D. TLS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.

A

C. DLP

Explanation:
DLP systems identify sensitive information stored on endpoint systems or in transit over a network; this is their primary purpose. DLP is commonly available as a third-party managed service offering.
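An added example (not from the practice-test book) of the endpoint-scanning logic a DLP agent applies to Carolyn's problem: it pattern-matches US Social Security numbers in constructed sample files, applies the SSA's structural rules (area not 000, 666 or 900-999; group and serial non-zero) to cut false positives, and raises confidence when a nearby keyword supports the match. The sample file contents, the keyword window and the confidence labels are assumptions for illustration.

```python
import re

# Constructed sample "files" an endpoint DLP agent might scan; not real data.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire: Jane Roe, SSN 123-45-6789, start date 2024-03-01",
    "finance/q3.csv": "invoice,amount\n1001,250.00\n1002,980.00",
    "notes/todo.txt": "call vendor re: ticket 000-12-3456 and 666-01-2345",  # structurally invalid
    "eng/build.log": "build 987654321 finished; artifact id 219-09-9999",  # looks like an SSN
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Keyword near the match raises confidence; an assumed, minimal keyword list.
KEYWORD_RE = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and neither group 00 nor serial 0000 is valid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(ssn: str) -> str:
    """Never write the full value into the alert; keep only the last four digits."""
    return "***-**-" + ssn[-4:]


def scan_text(path: str, text: str, window: int = 40) -> list:
    """Return one finding per plausible SSN, with a confidence derived from context."""
    findings = []
    for m in SSN_RE.finditer(text):
        if not is_plausible_ssn(*m.groups()):
            continue
        context = text[max(0, m.start() - window): m.end() + window]
        confidence = "high" if KEYWORD_RE.search(context) else "low"
        findings.append({
            "path": path,
            "offset": m.start(),
            "masked": mask(m.group(0)),
            "confidence": confidence,
        })
    return findings


def scan_files(files: dict) -> list:
    """Scan every file; a real agent would walk the disk instead of a dict."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f)
```

Running it flags the HR file at high confidence and the build log at low confidence, while the structurally invalid numbers in the to-do file are dropped. The low-confidence hit on the build log is the point of the confidence field: pure pattern matching produces false positives, which is why commercial DLP combines regex with validation, context and (for data at rest) fingerprinting before it blocks or quarantines.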

5
Q

What individuals should have access to the management plane of a cloud datacenter?

A. Service provider engineers
B. Customer engineers
C. End users
D. Both A and B

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 46). Wiley. Kindle Edition.

A

A. Service provider engineers

Explanation:
The management plane of a cloud service provider's datacenter should be reserved for use by that provider's own engineers.
Traffic on the management plane controls the operation of the infrastructure itself, and granting customers (even highly trained engineers) access to that network could jeopardize the security of other customers.

6
Q

Roland is a physical security specialist in an organization that has a large amount of expensive lab equipment that often moves around the facility. Which one of the following technologies would provide the most automation of an inventory control process in a cost-effective manner?

A. IPS
B. Wi-Fi
C. RFID
D. Ethernet

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.

A

C. RFID

Explanation:
Radio frequency identification (RFID) tags are a cost-effective way to track items automatically as they move around a facility.

7
Q

Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?

A. Cold site
B. Warm site
C. Hot site
D. Mobile site

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.

A

A. Cold site

Explanation:
A cold site includes the basic capabilities required for datacenter operations (space, power, HVAC and communications) but does not include any of the hardware required to restore operations.

8
Q

Your organization has its production environment hosted in a cloud environment. You are considering using cloud backup services for your BC/DR purposes as well. What would probably be the best strategy for this approach, in terms of redundancy and resiliency?

A. Have your cloud provider also provide BC/DR backup.
B. Keep a BC/DR backup on the premises of your corporate headquarters.
C. Use another cloud provider for the BC/DR backup.
D. Move your production environment back into your corporate premises, and use your cloud provider to host your BC/DR backup.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.

A

C. Use another cloud provider for the BC/DR backup.

Explanation:
It's best to keep your backup at another cloud provider in case whatever causes the interruption in service affects your primary provider's entire environment. This is more complicated and expensive, but it provides the best redundancy and resiliency. Using the same provider for production and backup is not a bad option, but it carries the risk of the same contingency affecting both copies of your data.

9
Q

Philip is developing a new security tool that will be used by individuals in many different subsidiaries of his organization. He chooses to use Docker to deploy the tool to simplify configuration. What term best describes this approach?

A. Virtualization
B. Abstraction
C. Simplification
D. Containerization

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.

A

D. Containerization

Explanation:
All of these terms describe this use of technology to some degree. However, Docker is specifically a containerization technology, so this is the best answer choice.

10
Q

What is the most important asset to protect in cloud BC/DR activities?

A. Intellectual property
B. Hardware at the cloud datacenter
C. Personnel
D. Data on portable media

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 47). Wiley. Kindle Edition.

A

C. Personnel

Explanation:
Health and human safety is always paramount in any security activity. All of these assets require some type of protection; however, human safety must always be the highest priority.

11
Q

Carla is developing the design of a cloud infrastructure service offering that she will be reselling to a number of customers. What component of her stack is most directly responsible for performing tenant partitioning of the virtual machines belonging to different customers?

A. Access control lists
B. Network security group
C. Firewall
D. Hypervisor

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.

A

D. Hypervisor

Explanation:
All of these technologies play some role in tenant partitioning. However, the question asks specifically about partitioning virtual machines belonging to different tenants, and that is the responsibility of the hypervisor on a virtualization platform.

12
Q

Carlos is planning a design for a datacenter that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the datacenter?

A. Basement
B. First floor
C. Second floor
D. Third floor

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.

A

C. Second floor

Explanation:
Datacenters should be located in the core of a building. Locating one in the basement makes it susceptible to flooding. The first floor is the normal point of entry to a building, making it more susceptible to physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.

13
Q

Chris is an information security professional for a major corporation and, as he is walking into the building, he notices that the door to a secure area has been left ajar. Physical security does not fall under his responsibility, but he takes immediate action by closing the door and informing the physical security team of his action. What principle is Chris demonstrating?

A. Due care
B. Due diligence
C. Separation of duties
D. Informed consent

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.

A

A. Due care

Explanation:
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care: it states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

14
Q

Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger’s firm?

A. Configuring the network firewall
B. Applying hypervisor updates
C. Patching operating systems
D. Wiping drives prior to disposal

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.

A

C. Patching operating systems

Explanation:
In an IaaS environment, the vendor is responsible for hardware-related and network-related duties. These include configuring network firewalls, maintaining the hypervisor and managing physical equipment, including wiping drives before disposal. The customer retains responsibility for patching the operating systems on its virtual machines. The customer also manages network ingress and egress, but does so by configuring network security groups rather than the provider's network firewall directly.

15
Q

Candace is designing a backup strategy for her organization’s file server. She would like to perform a backup every weekday that has the smallest possible storage footprint. What type of backup should she perform?

A. Incremental backup
B. Full backup
C. Differential backup
D. Transaction log backup

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 48). Wiley. Kindle Edition.

A

A. Incremental backup

Explanation:
Incremental backups capture the least data: only what has changed since the most recent backup of any type. A differential backup captures everything modified since the last full backup, so its size grows through the week and can be substantial. The trade-off is at restore time: an incremental chain needs the full backup plus every incremental since it, while a differential restore needs only the full backup and the latest differential.
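An added example (not from the practice-test book) that works Candace's trade-off through with numbers: it simulates a Sunday full backup followed by a constructed week of file changes, computes the per-day size of incremental versus differential backups, and lists the backups that must be read to restore a given day. The file names, sizes and the assumption that a differential stores each changed file once at its latest size are illustrative assumptions.

```python
# Constructed week of file-server activity (sizes in MB). Sunday's full backup
# is 5000 MB; each weekday maps the files modified that day to their new size.
FULL_BACKUP_MB = 5000
DAILY_CHANGES = {
    "Mon": {"payroll.xlsx": 20, "handbook.docx": 5},
    "Tue": {"payroll.xlsx": 20, "plan.pptx": 60},
    "Wed": {"db_export.bak": 400},
    "Thu": {"payroll.xlsx": 20},
    "Fri": {"plan.pptx": 60, "db_export.bak": 400, "logo.png": 2},
}


def incremental_sizes(changes: dict) -> dict:
    """Each run captures only the files modified since the previous backup of any type."""
    return {day: sum(files.values()) for day, files in changes.items()}


def differential_sizes(changes: dict) -> dict:
    """Each run captures every file modified since the last full backup, so the
    set only grows through the week. Assumption: a file changed on several days
    is stored once, at its latest size."""
    sizes = {}
    changed_since_full = {}
    for day, files in changes.items():
        changed_since_full.update(files)
        sizes[day] = sum(changed_since_full.values())
    return sizes


def restore_chain(strategy: str, changes: dict, day: str) -> list:
    """Backups that must be read, in order, to restore the server to the end of `day`."""
    days = list(changes)
    idx = days.index(day)
    if strategy == "incremental":
        return ["full"] + days[: idx + 1]
    if strategy == "differential":
        return ["full", day]
    raise ValueError(f"unknown strategy: {strategy}")


def weekly_footprint(strategy: str, changes: dict) -> int:
    """Total MB held at the end of the week: the full backup plus all weekday backups."""
    if strategy == "incremental":
        sizes = incremental_sizes(changes)
    elif strategy == "differential":
        sizes = differential_sizes(changes)
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return FULL_BACKUP_MB + sum(sizes.values())


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, weekly_footprint(strategy, DAILY_CHANGES), "MB,",
              "Friday restore reads", restore_chain(strategy, DAILY_CHANGES, "Fri"))
```

With these inputs the incremental week stores 987 MB of weekday backups against 1567 MB for differentials, which is why the question's answer is incremental. The same run shows the cost: restoring Friday from incrementals reads six backups, and losing any one of them breaks the chain, whereas the differential restore reads two.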

16
Q

Alyssa’s team recently implemented a new system that gathers information from a variety of log sources, analyzes that information, and then triggers automated playbooks in response to security events. What term best describes this technology?

A. SIEM
B. Log repositories
C. IPS
D. SOAR

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 48-49). Wiley. Kindle Edition.

A

D. SOAR

Explanation:
SIEM systems correlate information from multiple sources and perform analysis, but they stop short of providing automated playbook responses. That is the realm of security orchestration, automation and response (SOAR) platforms.

17
Q

Nick is evaluating options for his organization’s future datacenters. Which one of the following options normally incurs the largest up-front cost?

A. Colocation facilities
B. Cloud datacenters
C. On-premises datacenters
D. SaaS offerings

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.

A

C. On-premises datacenters

Explanation:
This is a classic build-versus-buy decision. Any time an organization chooses to build out capital resources, such as an on-premises datacenter, it involves a very high up-front investment.

18
Q

Ben is an IT auditor and would like to ensure that the organization has mechanisms in place to create an appropriate audit trail for systems and applications. Which one of the following technologies aggregates and correlates log entries?

A. SIEM
B. IPS
C. EDR
D. CASB

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.

A

A. SIEM

Explanation:
SIEM solutions aggregate log entries from many different sources and correlate them to create an interpretable audit trail.
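An added example (not from the practice-test book) covering both the SIEM question above and the SOAR question before it: it normalizes constructed log lines from two sources (an SSH auth log and a firewall log) into one event schema, correlates them into an alert when several failures from one IP are followed by a success, and then hands the alert to a playbook that maps it to an ordered response. The log lines, the rule thresholds and the playbook actions are assumptions; the actions are recorded rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines from two sources; the addresses are documentation ranges, not real traffic.
AUTH_LOG = [
    "2024-05-01T10:00:01 sshd[201]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "2024-05-01T10:00:04 sshd[201]: Failed password for root from 203.0.113.9 port 51123 ssh2",
    "2024-05-01T10:00:07 sshd[201]: Failed password for admin from 203.0.113.9 port 51124 ssh2",
    "2024-05-01T10:00:09 sshd[201]: Failed password for admin from 203.0.113.9 port 51125 ssh2",
    "2024-05-01T10:00:12 sshd[201]: Accepted password for admin from 203.0.113.9 port 51126 ssh2",
    "2024-05-01T10:30:00 sshd[202]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
]
FW_LOG = [
    "2024-05-01T09:59:50 fw: DENY TCP 203.0.113.9:51100 -> 10.0.0.5:22",
    "2024-05-01T10:00:00 fw: ALLOW TCP 203.0.113.9:51122 -> 10.0.0.5:22",
]

AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) fw: (DENY|ALLOW) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\S+)")


def normalize(auth_lines: list, fw_lines: list) -> list:
    """SIEM aggregation: parse heterogeneous sources into one event schema, time-ordered."""
    events = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": "sshd",
                           "type": "auth_fail" if outcome == "Failed" else "auth_ok",
                           "user": user, "ip": ip})
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts, action, ip, dst = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": "fw",
                           "type": "fw_" + action.lower(), "ip": ip, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list, threshold: int = 4, window: timedelta = timedelta(minutes=5)) -> list:
    """SIEM correlation rule (assumed): at least `threshold` failed logins from one IP
    inside `window`, followed by a successful login from the same IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["type"] == "auth_fail"]
        for e in evs:
            if e["type"] != "auth_ok":
                continue
            recent = [f for f in fails if e["ts"] - window <= f["ts"] < e["ts"]]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "ip": ip,
                               "user": e["user"], "failures": len(recent),
                               "sources": sorted({x["src"] for x in evs})})
    return alerts


# SOAR playbook (assumed): ordered actions and which alert field each one targets.
PLAYBOOKS = {
    "brute_force_then_success": [
        ("block_ip_at_firewall", "ip"),
        ("disable_account", "user"),
        ("open_ticket", "rule"),
    ],
}


def run_playbook(alert: dict) -> list:
    """SOAR response: map the alert to its playbook. Actions are returned, not performed."""
    return [(action, alert[field]) for action, field in PLAYBOOKS.get(alert["rule"], [])]


def detect_and_respond(auth_lines: list, fw_lines: list) -> tuple:
    alerts = correlate(normalize(auth_lines, fw_lines))
    return alerts, [run_playbook(a) for a in alerts]


if __name__ == "__main__":
    for alert, actions in zip(*detect_and_respond(AUTH_LOG, FW_LOG)):
        print(alert)
        print(actions)
```

Everything up to `correlate` is what a SIEM does for Ben's audit trail: one schema, one timeline, one alert that cites both sources. `run_playbook` is the step that separates Alyssa's SOAR platform from a SIEM; in production it would call the firewall and identity-provider APIs, and the block-then-disable ordering matters because disabling the account first tips off an attacker who still has the session.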

19
Q

In addition to the security controls implemented by the cloud provider, a cloud customer must consider the security controls implemented by ___________________.

A. The respective regulator
B. The end user(s)
C. Any vendor the cloud customer previously used in the on-premises environment
D. Any third parties the provider depends on

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.

A

D. Any third parties the provider depends on

Explanation:
Because supply chain dependencies can affect service, the cloud customer needs assurance that any third party the provider relies on is secure.

20
Q

Brittney is reviewing her organization’s disaster recovery process data and notes that the MTD for the business’s database server is 30 minutes. What does she know about the RTO for the server?

A. It needs to be less than 30 minutes.
B. It needs to be at least 30 minutes.
C. The MTD is too short and needs to be longer.
D. The RTO is too short and needs to be longer.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 49). Wiley. Kindle Edition.

A

A. It needs to be less than 30 minutes.

Explanation:
When Brittney reviews the recovery time objective (RTO), she needs to ensure that the organization can recover from an outage in less than 30 minutes, because the maximum tolerable downtime (MTD) of 30 minutes is the ceiling the RTO must fit under.

21
Q

Cameron is worried about distributed denial-of-service (DDoS) attacks against his company’s primary web application. Which of the following options will provide the most resilience against large-scale DDoS attacks?

A. Implement a CDN.
B. Increase the number of servers in the web application server cluster.
C. Contract for DDoS mitigation services via the company’s ISP.
D. Increase the amount of bandwidth available from one or more ISPs.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.

A

A. Implement a CDN.

Explanation:
A content delivery network run by a major provider can absorb large-scale DDoS attacks more easily than any of the other solutions. DDoS mitigation via an ISP is the next most useful capability, followed by increases in bandwidth and increases in the number of servers in the web application cluster.

22
Q

John’s network begins to experience symptoms of slowness. He launches a packet capture tool and realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?

A. Availability
B. Integrity
C. Confidentiality
D. Denial

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.

A

A. Availability

Explanation:
A denial-of-service attack is designed to overwhelm a system until it is unable to process legitimate requests. The purpose of the attack is to deny legitimate users access to the system, which is a violation of the principle of availability.

23
Q

Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.

A

C. Risk mitigation

Explanation:
Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring.

24
Q

You are trying to determine the critical assets that your organization must protect in your BC/DR activities. Which one of the following artifacts would be most useful in your work?

A. Quantitative risk analysis
B. Qualitative risk analysis
C. Business impact analysis
D. Risk appetite

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.

A

C. Business impact analysis

Explanation:
The business impact analysis is designed for this purpose: to identify the critical assets, resources and data within the organization and the impact of losing them.

25
Q

A component failure in the primary HVAC system leads to a high temperature alarm in the datacenter that Kim manages. After resolving the issue, what should Kim consider to prevent future issues like this?

A. A closed loop chiller
B. Redundant cooling systems
C. Swamp coolers
D. Relocating the datacenter to a colder climate

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 50). Wiley. Kindle Edition.

A

B. Redundant cooling systems

Explanation:
A well-designed datacenter should have redundant systems and capabilities for each critical part of its infrastructure. That means that power, cooling and network connectivity should all be redundant.

26
Q

Joe is the security administrator for a cloud-based ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?

A. Read only
B. Editor
C. Administrator
D. No access

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.

A

D. No access

Explanation:
The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then grant each user the permissions necessary to perform their job responsibilities. Read-only, editor and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based on business need and not by default.

27
Q

Jason operates a cloud datacenter and would like to improve the ability of administrators to interact programmatically with backend solutions on the management plane. What technology can he use to best allow this type of automation?

A. CASB
B. API
C. Hypervisor
D. Python

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.

A

B. API

Explanation:
APIs allow programmatic interaction with services and platforms. Jason can use APIs to tie different technologies together and interact with them programmatically. Python scripts may play a role in that automation, but they do not enable it on their own, because the script must still use the API to interact with the services.

28
Q

Which of the following is a device specially designed to handle the management of cryptographic keys?

A. Key management box (KMB)
B. Hardware security module (HSM)
C. Ticket-granting ticket (TGT)
D. Trusted computing base (TCB)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.

A

B. Hardware security module (HSM)

Explanation:
The question describes a hardware security module: a tamper-resistant device purpose-built to generate, store and use cryptographic keys. The other options are not devices. A ticket-granting ticket is a Kerberos credential, the trusted computing base is the set of components that enforce a system's security policy, and "key management box" is not a standard term.

29
Q

What individual in an organization bears ultimate responsibility for the success of the disaster recovery plan?

A. End users
B. BC/DR team leader
C. CISO
D. CEO

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.

A

D. CEO

Explanation:
The key to answering this question is noticing that it asks who bears ultimate responsibility. The CEO bears ultimate responsibility for the success of the organization and therefore is the one held accountable if the business fails.

30
Q

Michael is responsible for forensic investigations and is investigating a security incident that involved the defacement of a corporate website. The web server in question ran on a virtualization platform, and the marketing team would like to get the website up and running as quickly as possible. What would be the most reasonable next step for Michael to take?

A. Keep the website offline until the investigation is complete.
B. Take the virtualization platform offline as evidence.
C. Take a snapshot of the compromised system and use that for the investigation.
D. Ignore the incident and focus on quickly restoring the website.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 51). Wiley. Kindle Edition.

A

C. Take a snapshot of the compromised system and use that for the investigation.

Explanation:
Michael should still conduct his investigation, but there is a pressing business need to bring the website back online. Snapshotting the compromised VM preserves its disk (and, if the snapshot includes memory, its running state) as evidence for analysis, while the website is restored on a clean instance rather than on the compromised one.

31
Q

In a virtualized computing environment, what component is responsible for enforcing separation between guest machines?

A. Guest operating system
B. Hypervisor
C. Kernel
D. Protection manager

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.

A

B. Hypervisor

Explanation:
The hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between the different virtual machines running on the same platform.

32
Q

Best practice for planning the physical resiliency for a cloud datacenter facility includes ___________________.

A. Having one point of egress for personnel
B. Ensuring that redundant cabling/connectivity enters the facility from different sides of the building/property
C. Ensuring that all parking areas are near generators so that personnel in high-traffic areas are always illuminated by emergency lighting, even when utility power is not available
D. Ensuring that the foundation of the facility is rated to withstand earthquake tremors

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.

A

B. Ensuring that redundant cabling/connectivity enters the facility from different sides of the building/property

Explanation:
To avoid a situation where severing one physical connection (for example, during construction or landscaping) also severs its backups, have the redundant lines enter the facility on different sides of the building.

33
Q

Jen is designing a datacenter that will be used to offer cloud services to her organization’s customers. She is concerned about separating systems that process information that belongs to different customers from each other. What networking technology would best allow her to enforce this separation?

A. BGP
B. LAN
C. VLAN
D. VPN

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.

A

C. VLAN

Explanation:
VLANs create logical separation between systems in a datacenter and are the most cost-effective way to provide network segmentation. Building separate physical LANs would require redundant equipment and unnecessary expense.

34
Q

Risk should always be considered from a business perspective. When a risk is accepted, it should be balanced by a corresponding ___________________.

A. Profit
B. Performance
C. Cost
D. Opportunity

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.

A

D. Opportunity

Explanation:
The only reason organizations accept any level of risk is the potential benefit afforded by the risky activity.

Profit is not the hallmark of every opportunity, or of every organization; many organizations are nonprofit or government-based, so option A is incorrect.

Likewise, not all risky activities offer a chance to enhance performance, so option B is incorrect.

Cost is not a benefit, so option C does not make sense here.

35
Q

You are designing a cloud datacenter that is expected to meet Tier 2 status according to the Uptime Institute standards. What level of availability must you achieve to meet this standard?

A. 99.422%
B. 99.671%
C. 99.741%
D. 99.995%

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.

A

C. 99.741%

Explanation:
Tier 2 datacenters are expected to achieve 99.741% availability
Tier 1 datacenters are expected to achieve 99.671% availability
Tier 3 datacenters are expected to achieve 99.982% availability
Tier 4 datacenters are expected to achieve 99.995% availability

36
Q

Ursula is examining several virtual servers that her organization runs in an IaaS service. She discovers that the servers are all running a scheduling service that is no longer used by the organization. What action should she take?

A. Ensure the service is fully patched.
B. Remove the service.
C. Leave the service alone unless it is causing issues.
D. Contact the vendor for instructions.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 52). Wiley. Kindle Edition.

A

B. Remove the service.

Explanation:
Running unnecessary services on a server increases its attack surface and exposes the organization to unnecessary risk. Ursula should therefore work through the organization's normal change management process to remove the service.

37
Q

When discussing the cloud, we often segregate the datacenter into the terms compute, storage, and networking. Compute is made up of ___________________ and ___________________.

A. Routers; hosts
B. Application programming interfaces (APIs); northbound interfaces (NBIs)
C. Central processing units (CPUs); random access memory (RAM)
D. Virtualized; actual hardware devices

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.

A

C. Central processing units (CPUs); random access memory (RAM)

Explanation:
The compute capacity of a cloud datacenter is measured in terms of how many central processing units (CPUs) and how much RAM are available within the datacenter.

38
Q

What type of IaaS storage is typically used to provide disk volumes that are mountable on virtual server instances?

A. Dedicated disks
B. Block
C. Encrypted
D. Object

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.

A

B. Block

Explanation:
Block storage, also known as volume storage, provides disk volumes for use by servers. Cloud environments generally do not provide dedicated physical disks, because that approach would be highly inefficient.

39
Q

Which one of the following statements about file storage security in the cloud is correct?

A. File stores are always kept in plaintext in the cloud.
B. There is no way to sanitize file storage space in the cloud.
C. Virtualization prevents the use of application-based security controls.
D. Virtual machines are stored as snapshotted files when not in use.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.

A

D. Virtual machines are stored as snapshotted files when not in use.

Explanation:
VMs are snapshotted and stored as files when they are not in use; an attacker who gains access to those file stores could steal entire machines in a highly portable, easily copied format. These cloud storage spaces must therefore carry significant controls.

40
Q

Javier is assisting with the implementation of a cloud-based SaaS solution. He is concerned about the ability of remote users to interact directly with the database supporting the application by exploiting a web application vulnerability. What type of vulnerability would permit this access?

A. SQL injection
B. Cross-site scripting
C. Cross-site request forgery
D. Server-side request forgery

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.

A

A. SQL injection

Explanation:
SQL injection vulnerabilities allow an attacker to send commands through a web application to the database supporting that application, because user input is concatenated into the query text instead of being passed as a parameter.

41
Q

When considering cloud data backup strategies (i.e., whether you are making backups at the block, file, or database level), which element of your organization’s BC/DR plan will be most affected by your choice?

A. Recovery time objective
B. Recovery point objective
C. Maximum allowable downtime
D. Mean time to failure

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.

A

B. Recovery point objective

Explanation:
The recovery point objective (RPO) is a measure of the data that can be lost in an outage without irreparably damaging the organization. Data replication strategies will most affect this metric, as the choice of strategy will determine how much recent data is available for recovery purposes.

Recovery time objective (RTO) is a measure of how long an organization can endure an outage without irreparable harm. This may be affected by the replication strategy, but not as much as the RPO. Option A is incorrect.

42
Q

Which of the following technologies is commonly implemented by websites to encrypt data being sent between the web server and an end user?

A. VPN
B. TLS
C. VLANs
D. IPsec

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 53). Wiley. Kindle Edition.

A

B. TLS

Explanation:
TLS is the primary protocol used to implement the HTTPS standard for secure communication between servers and users.

43
Q

“Return to normal operations” is a phase in BC/DR activity when the emergency is over and regular production can resume. Which of the following can sometimes be the result when the organization uses two different cloud providers for the production and BC/DR environments?

A. Both providers are affected by the emergency, extending the time before return to normal can occur.
B. The BC/DR provider becomes the new normal production environment.
C. Regulators will find the organization in violation of compliance guidance.
D. All data is lost irretrievably.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 53-54). Wiley. Kindle Edition.

A

B. The BC/DR provider becomes the new normal production environment.

Explanation:
Theoretically, all the options are possibly true. However, option B is the most likely to occur; the cost and risk of moving operations from one environment/provider to another is sizable, so staying with the secondary provider (making them the new primary) is a good way to reduce some of the risk involved in returning to normal.

44
Q

Gary was recently hired as the first chief information security officer (CISO) for a local government agency that makes heavy use of cloud computing resources. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?

A. Separation of duties
B. Least privilege
C. Aggregation
D. Separation of privileges

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 54). Wiley. Kindle Edition.

A

B. Least privilege

Explanation:
Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities.

Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.

45
Q

As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?

A. Separation of duties
B. Aggregation
C. Two-person control
D. Defense in depth

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 54-55). Wiley. Kindle Edition.

A

A. Separation of duties

Explanation:
The matrix shown in the figure is known as a separation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict.

46
Q

Gary is preparing to create an account for a new user in a federal government agency. He is working to assign privileges to the HR database. What two elements of information must Gary verify before granting this access?

A. Credentials and need to know
B. Clearance and need to know
C. Password and clearance
D. Password and biometric scan

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 56). Wiley. Kindle Edition.

A

B. Clearance and need to know

Explanation:
Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not have to verify the user's credentials, such as a password or biometric scan.

47
Q

Gary is preparing to develop controls around access to root encryption keys and would like to apply a principle of security designed specifically for very sensitive operations. Which principle should he apply?

A. Least privilege
B. Defense in depth
C. Security through obscurity
D. Two-person control

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 56). Wiley. Kindle Edition.

A

D. Two-person control

Explanation:
Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations.

48
Q

How often should Gary and his team conduct a review of the privileged access that a user has to sensitive systems?

A. On a periodic basis
B. When a user leaves the organization
C. When a user changes roles
D. On a daily basis

A

A. On a periodic basis
B. When a user leaves the organization
C. When a user changes roles

Explanation:
Privileged access reviews are one of the most critical components of an organization's security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles, as well as on a regular, recurring basis. However, it is not reasonable to expect that these time-consuming reviews would take place on a daily basis.

49
Q

Which one of the following hypervisor types is generally considered to offer the greatest level of security?

A. Type 1
B. Type 2
C. Type 3
D. Type 4

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 56). Wiley. Kindle Edition.

A

A. Type 1

Explanation:
Type 1, or bare metal, hypervisors run directly on top of hardware and provide a greater degree of security than Type 2 hypervisors. This is because Type 2 hypervisors must run on top of another OS, increasing the total attack surface. Type 3 and Type 4 hypervisors do not exist.

50
Q

Yolanda is helping her organization decide whether to build their own datacenters or lease space from a colocation provider. What would be the major benefit of using a colocation provider?

A. Reduced cost
B. Increased security
C. Reduced complexity
D. Increased capability

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 56). Wiley. Kindle Edition.

A

A. Reduced cost

Explanation:
The major factor driving organizations to lease space in a colocation facility is the reduction in cost achieved through economies of scale. Leased facilities are not necessarily more or less secure than custom-built facilities, and they do not necessarily have greater capability.

51
Q

Which one of the following components is not necessary in a Tier 1 datacenter?

A. Uninterruptible power supplies
B. Dual-power supplies in systems
C. Backup generator
D. Cooling

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 57). Wiley. Kindle Edition.

A

B. Dual-power supplies in systems

Explanation:
Tier 1 datacenters require dedicated space for IT systems, an uninterruptible power supply system for line conditioning and backup purposes, sufficient cooling systems to service all critical equipment, and a power generator for extended electrical outages with at least 12 hours of fuel to run the generator at sufficient load to power the IT systems.

52
Q

Fred is working to design security controls for a cloud environment where remote systems will need to gain command-line access to Linux servers in an automated fashion. Which one of the following authentication approaches will provide the strongest security in this scenario?

A. Multifactor authentication
B. Digital certificates
C. Biometric authentication
D. Strong passwords

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 57). Wiley. Kindle Edition.

A

B. Digital certificates

Explanation:
The most important detail in this question is that the access must be automated. This means that systems will connect to each other without any human intervention. Because of this requirement, biometric controls are not useful because they require that a person be involved in the authentication process. Using passwords would require storing that password on the remote server. This is possible but not ideal from a security perspective.

53
Q

A user signs on to a cloud-based social media platform. In another browser tab, the user finds an article worth posting to the social media platform. The user clicks on the platform’s icon listed on the article’s website, and the article is automatically posted to the user’s account on the social media platform. This is an example of what?

A. Single sign-on
B. Insecure direct identifiers
C. Identity federation
D. Cross-site scripting

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 57). Wiley. Kindle Edition.

A

C. Identity federation

Explanation:
This is a very popular function of federated identity.

SSO is similar to federation, but it is limited to a single organization; federation is basically SSO across multiple organizations. Option A is incorrect.

54
Q

In software-defined networking (SDN), the northbound interface (NBI) usually handles traffic between the ___________________ and the ___________________.

A. Cloud customer; ISP
B. SDN controllers; SDN applications
C. Cloud provider;
D. ISP Router; host

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 57). Wiley. Kindle Edition.

A

B. SDN controllers; SDN applications

Explanation:
The NBI usually handles traffic between the SDN controller and SDN applications.

55
Q

Which of the following is a device specially purposed to handle the issuance, distribution, and storage of cryptographic keys?

A. Key management box (KMB)
B. Hardware security module (HSM)
C. Ticket-granting ticket (TGT)
D. Trusted computing base (TCB)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 57). Wiley. Kindle Edition.

A

B. Hardware security module (HSM)

Explanation:
HSMs are security solutions designed to manage the processes surrounding cryptographic keys. Key management boxes provide for the management of physical keys.

56
Q

Sprawl is mainly a(n) ___________________ problem.

A. Technical
B. External
C. Management
D. Logical

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 57). Wiley. Kindle Edition.

A

C. Management

Explanation:
Sprawl needs to be addressed from a managerial perspective because it is caused by allowed user actions (usually in a completely authorized capacity).

57
Q

You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. You decide to have a tabletop test of the BC/DR activity. Which of the following will offer the best value during the test?

A. Have all participants conduct their individual activities via remote meeting technology.
B. Task a moderator well versed in BC/DR actions to supervise and present scenarios to the participants, including randomized special events.
C. Provide copies of the BC/DR policy to all participants.
D. Allow all users in your organization to participate.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 58). Wiley. Kindle Edition.

A

A. Have all participants conduct their individual activities via remote meeting technology.

Explanation:
A trained and experienced moderator can guide the participants through the activity, enhancing their training and noting pitfalls and areas for improvement.

58
Q

What can be revealed by an audit of a baseline virtual image, used in a cloud environment?

A. Adequate physical protections in the datacenter
B. Potential criminal activity before it occurs
C. Whether necessary security controls are in place and functioning properly
D. Lack of user training and awareness

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 58). Wiley. Kindle Edition.

A

C. Whether necessary security controls are in place and functioning properly

Explanation:
The baseline will contain the suite of security controls applied uniformly throughout the environment.

59
Q

You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. Your organization has its production environment hosted by a cloud provider, and you have appropriate protections in place. Which of the following is a significant consideration for your BC/DR backup?

A. Enough personnel at the BC/DR recovery site to ensure proper operations
B. Good cryptographic key management
C. Access to the servers where the BC/DR backup is stored
D. Forensic analysis capabilities

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 58). Wiley. Kindle Edition.

A

B. Good cryptographic key management

Explanation:
Option B is correct because appropriate cloud data security practices require encrypting a great deal of data, and having the keys will be necessary during contingency operations in order to access the backup; without the keys you won't be able to access your data.

60
Q

The minimum essential characteristics of a cloud datacenter are often referred to as “ping, power, pipe.” What does this term mean?

A. Remote access for a customer to racked devices in the datacenter; electrical utilities; connectivity to an internet service provider (ISP)/the internet
B. Application suitability; availability; connectivity
C. Infrastructure as a service (IaaS); software as a service (SaaS); platform as a service (PaaS)
D. Antimalware tools; controls against distributed denial-of-service (DDoS) attacks; physical/environmental security controls, including fire suppression

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 58). Wiley. Kindle Edition.

A

A. Remote access for a customer to racked devices in the datacenter; electrical utilities; connectivity to an internet service provider (ISP)/the internet

Explanation:
Ping is a term used to describe the ability of customers to access their systems remotely. Power is shorthand for electrical power to the systems. Pipe refers to the network connectivity that supports the servers' connections to the internet.

61
Q

Which of the following poses a new risk in the cloud, not affecting the traditional, on-premises IT environment?

A. Internal threats
B. Multitenancy
C. Natural disasters
D. Distributed denial-of-service (DDoS) attacks

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 58). Wiley. Kindle Edition.

A

B. Multitenancy

Explanation:
Sharing resources with other, unknown customers (some of whom may be competitors of, or even hostile to, the organization) is a risk not faced by organizations that maintain their own on-premises datacenters.

62
Q

Software-defined networking (SDN) allows network administrators and architects to perform all the following functions except ___________________.

A. Reroute traffic based on current customer demand
B. Create logical subnets without having to change any actual physical connections
C. Filter access to resources based on specific rules or settings
D. Deliver streaming media content in an efficient manner by placing it closer to the end user

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

D. Deliver streaming media content in an efficient manner by placing it closer to the end user

Explanation:
Software-defined networks allow admins to perform a variety of automated functions. These include rerouting traffic based on current customer demand, creating logical subnets without having to change any physical

63
Q

Mary is reviewing the availability controls for the system architecture shown here. What technology is shown that provides fault tolerance for the database servers?

A. Failover cluster
B. UPS
C. Tape backup
D. Cold site

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

A. Failover cluster

Explanation:
The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails.

64
Q

Using one cloud provider for your operational environment and another for your BC/DR backup will give you the additional benefit of ___________________.

A. Allowing any custom VM builds you use to be instantly ported to another environment
B. Avoiding vendor lock-in/lockout
C. Increased performance
D. Lower cost

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

B. Avoiding vendor lock-in/lockout

Explanation:
Having an additional backup with a different provider means that if your primary provider becomes unusable for any reason, including bankruptcy or unfavorable contract terms, your data is not held hostage or lost.

65
Q

The cloud customer will usually not have physical access to the cloud datacenter. This enhances security by ___________________.

A. Reducing the need for qualified personnel
B. Limiting access to sensitive information
C. Reducing jurisdictional exposure
D. Ensuring statutory compliance

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

B. Limiting access to sensitive information

Explanation:
The sensitive information in this case is whatever knowledge of the datacenter's security controls and processes might be gathered by physically visiting the datacenter. Even though a customer cannot get access to the facility, this also means that other cloud customers (some of whom may be hostile to another customer's interests) also will not have access, so none has an advantage over the others.

66
Q

Which one of the following services would be least likely described as providing computing capability?

A. Virtual server instances
B. FaaS
C. Object storage
D. Containers

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

C. Object storage

Explanation:
Virtual server instances and containers provide direct computing resources to cloud service users. Function as a service provides a platform upon which computing may be performed. Object storage does not provide any compute capability, as it is solely a storage service.

67
Q

What is the main reason virtualization is used in the cloud?

A. Virtual machines (VMs) are easier to administer.
B. If a VM is infected with malware, it can be easily replaced.
C. With VMs, the cloud provider does not have to deploy an entire hardware device for every new customer.
D. VMs are easier to operate than actual devices.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

C. With VMs, the cloud provider does not have to deploy an entire hardware device for every new customer.

Explanation:
While options A and B are both also true, C is the most significant reason cloud datacenters use VMs. If the cloud provider had to purchase a new box for every user, the cost of cloud services would be as much as running a traditional environment (or likely cost even more), and there would be no reason for any organization to migrate to the cloud, especially considering the risks associated with disclosing data to a third party.

68
Q

Which one of the following test types is most likely to have an impact on production operations?

A. Full test
B. Parallel test
C. Walkthrough test
D. Simulation test

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

A. Full test

Explanation:
Full tests, also known as full interruption tests, shut down the primary operating facility and shift operations to the backup facility. These tests are very likely to have a serious impact on production operations. The parallel test activates the backup facility but does not move production responsibility to it.

69
Q

Questions 69 and 70 refer to the following scenario: Brendan is analyzing the symptoms of a cloud attack that took place in his organization’s IaaS offering. In this attack, one customer was able to access resources on a virtual machine belonging to another customer by launching an attack from their own virtual machine. What term best describes this attack?

A. Escape
B. Overflow
C. Injection
D. Scripting

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

A. Escape

Explanation:
This is an example of an escape attack because the attacker was able to leave the confines of their own virtual machine and access resources belonging to another customer. There is no indication in the scenario that the attack used any specific overflow, injection, or scripting vulnerability.

70
Q

What component of Brendan’s service offering was most directly responsible for allowing this attack?

A. Compute
B. Hypervisor
C. Management plane
D. Storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 59). Wiley. Kindle Edition.

A

B. Hypervisor

Explanation:
Escape attacks always occur as the result of a vulnerability or malfunction in the hypervisor, because the hypervisor is responsible for performing the separation that prevents one customer from accessing resources belonging to another customer.

71
Q

Melissa uses the snapshot capabilities of her cloud service provider to make backup copies of the disk volumes that support her virtual machines. What type of storage is most likely used to store these backups?

A. Dedicated disks
B. Block
C. Encrypted
D. Object

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 60). Wiley. Kindle Edition.

A

D. Object

Explanation:
Disk volumes used to support virtual machines are typically stored on block storage. However, when snapshotting is used to create backups of those disks, the backups are commonly stored in less expensive object storage. Dedicated disks are generally used in cloud environments. The backups may be encrypted while in object storage, but this is not a technical requirement.

72
Q

If you use the cloud for BC/DR purposes, even if you don’t operate your production environment in the cloud, you can cut costs by eliminating your ___________________.

A. Security personnel
B. BC/DR policy
C. Old access credentials
D. Need for a physical hot site/warm site

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 60). Wiley. Kindle Edition.

A

D. Need for a physical hot site/warm site

Explanation:
Having your data backed up and accessible in the cloud eliminates any need for having a distinct hot site/warm site separate from your primary operating environment; instead, your personnel can recover operations from anywhere with a good broadband connection.

73
Q

Using a virtual machine baseline image could be very useful for which of the following options?

A. Physical security
B. Auditing
C. Training
D. Customization

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 60). Wiley. Kindle Edition.

A

B. Auditing

Explanation:
A specified configuration built to defined standards and with a controlled process can be used to demonstrate that all VMs within an environment include certain controls; this can greatly enhance the efficiency of an audit process.

74
Q

Which one of the following audit mechanisms would be able to provide the most accurate reconstruction of user activity?

A. Application logs
B. Security logs
C. Netflow records
D. Packet capture

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 60). Wiley. Kindle Edition.

A

D. Packet capture

Explanation:
Log entries do provide some insight into user activity, but they generally do not provide the full context of user communication. Netflow records only provide the "telephone bill" level of detail about communications and not the content. While those sources would be useful, full packet capture provides the most accurate reconstruction of user activity, but it is costly to implement due to data storage requirements.

75
Q

You are in charge of creating the business continuity and disaster recovery (BC/DR) plan and procedures for your organization. Your organization has its production environment hosted in a cloud environment and no longer operates secure on-premises datacenters. You are considering using cloud backup services for your BC/DR purposes as well. What would probably be the best strategy for this approach, in terms of redundancy and resiliency?

A. Have your cloud provider also provide BC/DR backup.
B. Keep a BC/DR backup on the premises of your corporate headquarters.
C. Use another cloud provider for the BC/DR backup.
D. Move your production environment back into your corporate premises, and use your cloud provider to host your BC/DR backup.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 60). Wiley. Kindle Edition.

A

C. Use another cloud provider for the BC/DR backup.

Explanation:
It's best to have your backup at another cloud provider in case whatever causes an interruption in service occurs throughout your primary provider's environment; this will be more complicated and expensive, but it provides the best redundancy and resiliency.

76
Q

The BC/DR plan/policy should include all of the following except ___________________.

A. Tasking for the office responsible for maintaining/enforcing the plan
B. Contact information for essential entities, including BC/DR personnel and emergency services agencies
C. Copies of the laws/regulations/standards governing specific elements of the plan
D. Checklists for BC/DR personnel to follow

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 60). Wiley. Kindle Edition.

A

C. Copies of the laws/regulations/standards governing specific elements of the plan

Explanation:
Every plan/policy should include mention of the governance documents that drive the formation of the plan/policy; however, these can be included by reference only, so you don't need to include full copies of these governance documents. All the other options should be included in the BC/DR plan/policy.

77
Q

A Security Assertion Markup Language (SAML) identity assertion token uses the ___________________ protocol.

A. Extensible Markup Language (XML)
B. Hypertext Transfer Protocol (HTTP)
C. Hypertext Markup Language (HTML)
D. American Standard Code for Information Interchange (ASCII)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 61). Wiley. Kindle Edition.

A

A. Extensible Markup Language (XML)

Explanation:
SAML is based on XML. HTTP is used for port 80 web traffic; HTML is used to present web pages. ASCII is the universal alphanumeric character set.

78
Q

Anita’s IaaS provider allows her to choose the region of the world where she will operate her primary server instances and a different region where she will operate her backup instances. Which one of the following is the most important concern that Anita should consider?

A. Regulatory compliance.
B. Physical security.
C. Environmental factors such as humidity.
D. It doesn’t matter. Data can be saved anywhere without consequence.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 61). Wiley. Kindle Edition.

A

A. Regulatory compliance.

Explanation:
Depending on your industry and the nature of your data, moving information into another jurisdiction may affect or invalidate your regulatory compliance.

79
Q

There are many ways to handle risk. However, the usual methods for addressing risk are not all possible in the cloud because ___________________.

A. Cloud data risks cannot be mitigated
B. Migrating into a cloud environment necessarily means you are accepting all risks
C. Some risks cannot be transferred to a cloud provider
D. Cloud providers cannot avoid risk

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 61). Wiley. Kindle Edition.

A

C. Some risks cannot be transferred to a cloud provider

Explanation:
Under current legal frameworks, some risks (such as legal liability for privacy data breaches) cannot be transferred to a contracted party, so the data owners (that is, cloud customers) will still retain those risks. It is important to note that customers are always responsible for managing risk in some way, even if risk is transferred to a cloud provider.

80
Q

To support all aspects of the CIA triad (confidentiality, integrity, availability), all of the following aspects of a cloud datacenter need to be engineered with redundancies except ___________________.

A. Power supply
B. HVAC
C. Administrative offices
D. Internet service provider (ISP)/connectivity lines

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 61). Wiley. Kindle Edition.

A

C. Administrative offices

Explanation:
The administrative offices of a cloud datacenter are rarely part of the critical functions of the operation; a datacenter could likely endure the loss of the admin offices for a considerable length of time, so redundancy here is probably not cost-effective.

81
Q

You are reviewing the requirements for a new datacenter with leaders from functional teams. The discussions are centering on the amount of data that may be lost if an outage occurs. What metric is most directly related to this discussion?

A. Recovery time objective
B. Recovery point objective
C. Maximum allowable downtime
D. Mean time to failure

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 61). Wiley. Kindle Edition.

A

B. Recovery point objective

Explanation:
RPO is a measure of the data that can be lost in an outage without irreparably damaging the organization. Data replication strategies will most affect this metric, as the choice of strategy will determine how much recent data is available for recovery purposes.

82
Q

What term describes the process of granting users access to resources?

A. Identification
B. Authentication
C. Authorization
D. Federation

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 61). Wiley. Kindle Edition.

A

C. Authorization

Explanation:
Authorization is the process of granting users and other security principals access to resources in an environment.

83
Q

Which of the following risks is probably most significant when choosing to use one cloud provider for your operational environment and another for BC/DR backup/archive?

A. Physical intrusion
B. Proprietary formats/lack of interoperability
C. Vendor lock-in/lockout
D. Natural disasters

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 62). Wiley. Kindle Edition.

A

B. Proprietary formats/lack of interoperability

Explanation:
When using two different cloud providers, a cloud customer runs the risk that data/software formats used in the operational environment can't be readily adapted to the other provider's service, thus causing delays during an actual failover.

84
Q

In which cloud service model does the customer lose the most control over configuration of services?

A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Function as a service (FaaS)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 62). Wiley. Kindle Edition.

A

C. Software as a service (SaaS)

Explanation:
As the models increase in level of abstraction and service, the customer's control over the environment decreases. Therefore, the customer has the most control over the configuration of IaaS services, a moderate degree of control over PaaS/FaaS services, and the least control over SaaS services.

85
Q

Warren is working with a cloud service provider on the terms of a new service that his organization will depend on as a disaster recovery capability. Which one of the following actions will provide Warren with the best assurance that the service will function correctly?

A. Audit all performance functions.
B. Audit all security functions.
C. Perform a full-scale test.
D. Mandate this capability in the contract.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 62). Wiley. Kindle Edition.

A

C. Perform a full-scale test.

Explanation:
Without a full test, Warren can't be sure the BC/DR plan/process will work the way it is intended. Audits are good, but they will not demonstrate actual performance the way a test will, so options A and B are incorrect.

86
Q

Charles is the BC/DR program manager for a cloud service provider. He is assessing the risks facing his program. He believes that the organization has done adequate BC/DR planning but they have never actually activated the plan. Which of the following would most likely pose the most significant risk to the organization?

A. Not having essential BC/DR personnel available during a contingency
B. Not including all BC/DR elements in the cloud contract
C. Returning to normal operations too soon
D. Telecommunications outages

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 62). Wiley. Kindle Edition.

A

C. Returning to normal operations too soon

Explanation:
A premature return to normal operations can jeopardize not only production but also personnel; if the contingency that caused the BC/DR action is not fully complete/addressed, there may still be danger remaining.

The BC/DR plan/process should take into account both the absence of essential personnel and telecommunications capabilities, so options A and D are incorrect.

Option B does present a serious problem for the organization, but option C is still a greater risk, so B is incorrect.

87
Q

What type of fire suppression system poses the greatest risk to datacenter equipment if it fails?

A. Dry pipe
B. Preaction
C. Wet pipe
D. Gas

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 62). Wiley. Kindle Edition.

A

C. Wet pipe

Explanation:
Systems that use water always pose a greater failure risk to electronic equipment than those that use gas because water can destroy equipment. Of the systems listed, wet pipe systems pose the greatest risk because water is always present in the pipes.

88
Q

Where is isolation failure probably least likely to pose a significant risk?

A. Public cloud
B. Private cloud
C. PaaS environment
D. SaaS environment

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 62). Wiley. Kindle Edition.

A

B. Private cloud

Explanation:
Guest escape is less likely to occur, and less likely to have a significant impact, in an environment provisioned for and used by a single customer.

89
Q

What can hamper the ability of a cloud customer to protect their assets in a managed services arrangement?

A. Prohibitions on port scanning and penetration testing
B. Geographical dispersion
C. Rules against training users
D. Laws that prevent them from doing so

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 63). Wiley. Kindle Edition.

A

A. Prohibitions on port scanning and penetration testing

Explanation:
Many cloud providers restrict activities that are common for admin and security purposes but can also be construed/used for hacking; this includes port scanning and pentesting. These restrictions can reduce the customer's ability to perform basic security functions.

90
Q

Which of the following terms describes a means to centralize logical control of all networked nodes in the environment, abstracted from the physical connections to each?

A. Virtual private network (VPN)
B. Software-defined network (SDN)
C. Access control lists (ACLs)
D. Role-based access control (RBAC)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 63). Wiley. Kindle Edition.

A

B. Software-defined network (SDN)

Explanation:
The question describes an SDN.

A VPN is used for creating an encrypted communications tunnel over an untrusted medium, so option A is incorrect.

91
Q

Of the following options, which is a reason cloud datacenter audits are often less easy to verify than traditional audits?

A. Data in the cloud can’t be audited.
B. Controls in the cloud can’t be audited.
C. Getting physical access can be difficult.
D. There are no regulators for cloud operations.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 63). Wiley. Kindle Edition.

A

C. Getting physical access can be difficult.

Explanation:
Cloud providers may be reluctant to grant physical access, even to their customers, on the assumption that allowing access would disclose information about security controls. In some cases, cloud customers won't even know the location of the datacenters where their data is stored.

92
Q

Which of these most directly determines the critical assets, recovery service level (RSL), recovery time objective (RTO), and recovery point objective (RPO) for BC/DR purposes?

A. Business drivers
B. User input
C. Regulator mandate
D. Industry standards

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 63). Wiley. Kindle Edition.

A

A. Business drivers

Explanation:
The business requirements will determine the crucial aspects of BC/DR.

All the other options may constitute some input that will influence the BC/DR, but they are not the prevailing factors and so are incorrect.

93
Q

A cloud provider will probably require all of the following except ___________________ before a customer conducts a penetration test.

A. Notice
B. Description of scope of the test
C. Physical location of the launch point
D. Test timeframe/duration

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 63). Wiley. Kindle Edition.

A

C. Physical location of the launch point

Explanation:
Because cloud access is remote access, pentests will be remote tests; it doesn't really matter what the physical origin of the simulated attack is.

94
Q

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?

A. Tabletop exercise
B. Parallel test
C. Full interruption test
D. Checklist review

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 63). Wiley. Kindle Edition.

A

D. Checklist review

Explanation:
The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their DR checklists on their own and suggest any necessary changes.

95
Q

DDoS attacks do not affect ___________________ for cloud customers.

A. Productivity
B. Availability
C. Connectivity
D. Integrity

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 64). Wiley. Kindle Edition.

A

D. Integrity

Explanation:
DDoS prevents all these things except for data integrity. DDoS only prevents communication; it does not usually result in modified data.

96
Q

Where should multiple emergency egress points be included?

A. At the power distribution substation
B. Within the datacenter
C. In every building on the campus
D. In the security operations center

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 64). Wiley. Kindle Edition.

A

C. In every building on the campus

Explanation:
Health and human safety is a paramount goal of security; all facilities must have multiple emergency egress points. All the other options are distractors.

97
Q

Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment?

A. GPS tracking/locator
B. Automated vulnerability scan on system startup
C. Access control list (ACL) of authorized personnel
D. Write protection

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 64). Wiley. Kindle Edition.

A

B. Automated vulnerability scan on system startup

Explanation:
Because VMs don't take updates when they are not in use (snapshotted and saved as image files) and updates may be pushed while the VMs are saved, it's important to ensure that they receive updates when they are next instantiated. Systems may be configured to perform automatic updates.

98
Q

Cloud providers will probably not allow ___________________ as part of a customer’s penetration test.

A. Network mapping
B. Vulnerability scanning
C. Reconnaissance
D. Social engineering

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 64). Wiley. Kindle Edition.

A

D. Social engineering

Explanation:
Performing live deception and trickery against employees of the cloud provider (or its suppliers/vendors) could be construed as unethical and possibly illegal, especially without their knowledge and/or consent.

99
Q

Having your BC/DR backup stored with the same cloud provider as your production environment can help you ___________________.

A. Maintain regulatory compliance
B. Spend less of your budget on traveling
C. Train your users about security awareness
D. Recover quickly from minor incidents

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 64). Wiley. Kindle Edition.

A

D. Recover quickly from minor incidents

Explanation:
Having the backup within the same environment can allow easy rollback to a last known good state, or re-instantiation of a clean VM image, after minor incidents.

100
Q

Virtual machine (VM) configuration management (CM) tools should require that managed systems perform ___________________.

A. Biometric recognition
B. Anti-tampering mechanisms
C. Log file generation
D. Hackback capabilities

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 64). Wiley. Kindle Edition.

A

C. Log file generation

Explanation:
Event logging is essential for incident management and resolution; this can be set as an automated function of the CM tools.

101
Q
A