Certified Cloud Security Professional Study Guide Chapter 2 Review Questions (Ben Malisow) Flashcards
Gathering business requirements can aid the organization in determining all of these facets of organizational assets except __________
A. Full Inventory
B. Usefulness
C. Value
D. Criticality
B. Usefulness
Explanation:
When we gather information about business requirements, we need to do a complete inventory, receive an accurate valuation of assets (usually from the owners of those assets), and assess criticality.
However, this collection of information does not objectively tell us how useful an asset is.
The BIA can be used to provide information about all the following elements except _____
A. Risk Analysis
B. Secure Acquisition
C. BC/DR Planning
D. Selection of Security Controls
B. Secure Acquisition
Explanation:
The business impact analysis gathers asset valuation information that is beneficial for risk analysis and the selection of security controls (it helps avoid putting the $10 lock on the $5 bicycle), in addition to criticality information that helps in BC/DR planning by letting the organization understand which systems, data, and personnel must be maintained continuously.
However, it does not aid secure acquisition efforts, since the assets examined by the BIA have already been acquired.
In which cloud service model is the customer required to maintain the OS?
A. CaaS
B. SaaS
C. PaaS
D. IaaS
D. IaaS
Explanation:
In IaaS, the service is bare metal, and the customer has to install the OS and the software; the customer is then responsible for maintaining that OS.
In the other models, the provider installs and maintains the OS.
In which cloud service model is the customer required to maintain and update only the applications?
A. CaaS
B. SaaS
C. PaaS
D. IaaS
C. PaaS
Explanation:
In PaaS, the provider supplies the hardware, connectivity, and OS; the customer installs and maintains the applications.
In IaaS, the customer must install the OS, and in SaaS, the provider supplies and maintains the application.
In which cloud service model is the customer only responsible for the data?
A. CaaS
B. SaaS
C. PaaS
D. IaaS
B. SaaS
Explanation:
SaaS is the model in which the customer supplies only the data; in the other models, the customer also supplies the OS, the applications, or both.
The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service.
Where is the eventual agreement codified?
A. RMF
B. Contract
C. MOU
D. BIA
B. Contract
Explanation:
The contract codifies the rights and responsibilities of the parties involved upon completion of negotiation.
The RMF aids in risk analysis and design of the environment.
A memorandum of agreement/understanding (MOA/MOU) is shared between parties for a number of possible reasons.
The BIA aids in risk assessment, DR/BC efforts, and the selection of security controls by determining the criticality and value of assets.
In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?
A. Technological
B. Physical
C. Administrative
D. All of the above
D. All of the above
Explanation:
Layered defense calls for a diverse approach to security, combining controls of every type.
Which of the following is considered an administrative control?
A. Access Control Process
B. Keystroke Logging
C. Door Locks
D. Biometric Authentication
A. Access Control Process
Explanation:
A process is an administrative control; sometimes, the process includes elements of other types of controls (in this case, the access control mechanism might be a technical control, or it might be a physical control), but the process itself is administrative.
Keystroke logging is a technical control (or an attack, if done for malicious purposes and not for auditing), door locks are a physical control, and biometric authentication is a technological control.
Which of the following is considered a technological control?
A. Firewall software
B. Fireproof safe
C. Fire extinguisher
D. Firing personnel
A. Firewall software
Explanation:
A firewall is a technological control.
The safe and the extinguisher are physical controls, and firing someone is an administrative control.
Which of the following is the best example of a physical control?
A. Carpets
B. Ceiling
C. Doors
D. Fences
D. Fences
Explanation:
Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control; the lock on the door would be a physical security control.
Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.
In a cloud environment, encryption should be useful for all the following except ______
A. Long-term storage of data
B. Near-term storage of virtualized images
C. Secure sessions/VPN
D. Profile formatting
D. Profile formatting
Explanation:
All of these activities should incorporate encryption except for profile formatting, which is a made-up term.
The process of hardening a device should include all the following except _________
A. Improve default accounts
B. Close unused ports
C. Delete unnecessary services
D. Strictly control administrator access
A. Improve default accounts
Explanation:
We do not want to improve default accounts; we want to remove them.
All the other options are steps we take to harden devices.
The process of hardening a device should include which of the following?
A. Encrypting the OS
B. Updating and patching the system
C. Using video cameras
D. Performing thorough personnel background checks
B. Updating and patching the system
Explanation:
Updating and patching the system helps harden the system.
Encrypting the OS is a distractor; that would make the OS/machine impossible to use.
Video cameras are a security control, but not one used to harden a device.
Background checks are good for vetting personnel, but not for hardening devices.
What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?
A. Homomorphic
B. Polyinstantiation
C. Quantum-state
D. Gastronomic
A. Homomorphic
Explanation:
Homomorphic encryption hopes to achieve that goal; the other options are terms that have almost nothing to do with encryption.
Risk appetite for an organization is determined by which of the following?
A. Reclusion evaluation
B. Senior management
C. Legislative mandates
D. Contractual agreement
B. Senior management
Explanation:
Senior management decides the risk appetite of the organization.
There is no such thing as "reclusion evaluation."
Legislative mandates (laws) do not tell an organization which risks are acceptable, except in very specific industries, and those are outliers.
Contracts don't dictate acceptable risk for an organization; the organization should use its risk appetite to guide how it crafts contracts.