Certified Cloud Security Professional Study Guide Chapter 4 Review Questions (Ben Malisow) Flashcards

1
Q

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes except ______

A. Tokenization
B. Data Discovery
C. Obfuscation
D. Masking

A

B. Data Discovery

Explanation:
Data discovery is a term used to describe the process of identifying information according to specific traits or categories.
The rest are all methods for obscuring data.

2
Q

The goals of SIEM solution implementation include all of the following except _______

A. Centralization of log streams
B. Trend analysis
C. Dashboarding
D. Performance enhancement

A

D. Performance enhancement

Explanation:
SIEM is not intended to provide enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead.
All the rest are goals of SIEM implementations.

3
Q

The goals of DLP solution implementation include all of the following except _________

A. Policy enforcement
B. Elasticity
C. Data Discovery
D. Mitigating loss

A

B. Elasticity

Explanation:
DLP does not have anything to do with elasticity, which is the capability of the environment to scale up or down according to demand.
All the rest are goals of DLP implementations.

4
Q

DLP solutions can aid in deterring loss due to which of the following?

A. Randomization
B. Inadvertent disclosure
C. Natural disaster
D. Device Failure

A

B. Inadvertent disclosure

Explanation:
DLP solutions may protect against inadvertent disclosure.
Randomization is a technique for obscuring data, not a risk to data.
DLP tools will not protect against risks from natural disasters or against impacts due to device failure.

5
Q

DLP solutions can help deter loss because of which of the following?

A. Malicious Disclosure
B. Performance Issues
C. Bad Policy
D. Power Failure

A

A. Malicious Disclosure

Explanation:
DLP tools can identify outbound traffic that violates the organization's policies.
DLP will not protect against losses due to performance issues or power failures.
The DLP solution must be configured according to the organization's policies, so bad policies will attenuate the effectiveness of DLP tools, not the other way around.

6
Q

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?

A. AES
B. Link Encryption
C. Homomorphic Encryption
D. One-Time Pads

A

C. Homomorphic Encryption

Explanation:
AES is an encryption standard.
Link encryption is a method for protecting communications traffic.
Using one-time pads is an encryption method.

7
Q

Proper implementation of DLP solutions for successful function requires which of the following?

A. Accurate Data Categorization
B. Physical Access Limitations
C. USB Connectivity
D. Physical Presence

A

A. Accurate Data Categorization

Explanation:
DLP tools need to be aware of which information to monitor and what information requires categorization (usually done upon data creation, by data owners).
DLPs can be implemented with or without physical access or presence.
USB connectivity has nothing to do with DLP solutions.

8
Q

Tokenization requires two distinct ________

A. Authentication Factors
B. Databases
C. Encryption Keys
D. Personnel

A

B. Databases

Explanation:
In order to implement tokenization, there will need to be two databases: the database containing the raw, original data and the token database containing tokens that map to the original data.
Having 2FA is nice, but not required.
Encryption keys are necessary for tokenization.
Two-person integrity does not have anything to do with tokenization.

9
Q

Data masking can be used to provide all of the following functionality except _____

A. Secure remote access
B. Enforcing least privilege
C. Testing data in sandboxed environments
D. Authentication of privileged users

A

D. Authentication of privileged users

Explanation:
Data masking does not support authentication in any way.
All the others are excellent use cases for data masking.

10
Q

DLP can be combined with what other security tools to enhance data controls?

A. IRM
B. SIEM
C. Kerberos
D. Hypervisors

A

A. IRM

Explanation:
DLP can be combined with IRM tools to protect intellectual property; both are designed to deal with data that falls into special categories.
SIEMs are used for monitoring event logs, not live data movement.
Kerberos is an authentication mechanism.
Hypervisors are used for virtualization.

11
Q

What are the US State Department controls on technology exports known as?

A. ITAR
B. EAR
C. EAL
D. IRM

A

A. ITAR

Explanation:
ITAR is a Department of State program.
EAR is a Commerce Department program.
Evaluation assurance levels are part of the Common Criteria standard from ISO.
Information rights management tools are used for protecting electronic processing of intellectual property.

12
Q

What are the US Commerce Department controls on technology exports known as?

A. ITAR
B. EAR
C. EAL
D. IRM

A

B. EAR

Explanation:
EAR is a Commerce Department program.
ITAR is a State Department program.
Evaluation assurance levels are part of ISO's Common Criteria standard.
Information rights management tools are used for protecting electronic processing of intellectual property.

13
Q

Cryptographic keys for encrypted data stored in the cloud should be _______

A. At least 128 bits long
B. Not stored with the cloud provider
C. Split into groups
D. Generated with dependencies

A

B. Not stored with the cloud provider

Explanation:
Cryptographic keys should not be stored along with the data they secure, regardless of key length.
We don't group crypto keys (doing so would violate the principle of secrecy necessary for keys to serve their purpose).
Keys should be based on randomized (or pseudo-randomized) generation and not have any dependency.

14
Q

Best practices for key management include all of the following except ______

A. Have key recovery processes
B. Maintain key security
C. Pass keys out of band
D. Ensure multifactor authentication

A

D. Ensure multifactor authentication

Explanation:
We should do all of these except MFA.

15
Q

Cryptographic keys should be secured _______

A. To a level at least as high as the data they can decrypt
B. In vaults
C. By armed guards
D. With two-person integrity

A

A. To a level at least as high as the data they can decrypt

Explanation:
The physical security of crypto keys is of some concern, but guards or vaults are not necessary.
Two-person integrity might be a good practice for protecting keys.
The best answer to this question is option A, because it is always true, whereas the remaining options depend on circumstances.

16
Q

When crafting plans and policies for data archiving, we should consider all of the following except ______

A. Archive location
B. The backup process
C. The format of the data
D. Immediacy of the technology

A

D. Immediacy of the technology

Explanation:
All of these things should be considered when creating data archival policies except option D, which is a nonsense term.

17
Q

What is the correct order of the phases of the data lifecycle?

A. Create, Store, Use, Archive, Share, Destroy
B. Create, Store, Use, Share, Archive, Destroy
C. Create, Use, Store, Share, Archive, Destroy
D. Create, Archive, Store, Share, Use, Destroy

A

B. Create, Store, Use, Share, Archive, Destroy

Explanation:
The other options are the names of the phases, but they are out of proper order.

18
Q

What are third-party providers of IAM functions for cloud environments?

A. DLPs
B. CASBs
C. SIEMs
D. AESs

A

B. CASBs

Explanation:
Cloud access security brokers (CASBs) provide IAM functions.
Data loss, leak prevention, and protection (DLP) is a family of tools used to reduce the possibility of unauthorized disclosure of sensitive information.
SIEMs are tools used to collate and manage log data.
AES is an encryption standard.

19
Q

What is a cloud storage architecture that manages the data in an arrangement of fields according to characteristics of each data element?

A. Object-based storage
B. File-based storage
C. Database
D. CDN

A

C. Database

Explanation:
Databases store data in fields, in a relational motif.
Object-based storage stores data as objects in a volume, with labels and metadata.
File-based storage is a cloud storage architecture that manages the data in a hierarchy of files.
A CDN stores data in caches of copied content near locations of high demand.

20
Q

What is a cloud storage architecture that manages the data in caches of copied content close to locations of high demand?

A. Object-based storage
B. File-based storage
C. Database
D. CDN

A

D. CDN

Explanation:
A CDN stores data in caches of copied content near locations of high demand.
Object-based storage stores data as objects in a volume, with labels and metadata.
File-based storage is a cloud storage architecture that manages the data in a hierarchy of files.
Databases store data in fields, in a relational motif.