Certified Cloud Security Professional Study Guide Chapter 6 Review Questions (Ben Masilow) Flashcards

1
Q

What is the cloud service model in which the customer is responsible for administration of the OS?

A. IaaS
B. PaaS
C. SaaS
D. QaaS

A

A. IaaS

Explanation:
In IaaS, the cloud provider owns only the hardware and supplies the utilities (power, cooling, connectivity).
The customer is responsible for the OS, programs, and data.
In PaaS and SaaS, the provider also owns the OS. There is no such service model as QaaS.

2
Q

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except _______

A. Access to audit logs and performance data
B. SIM, SIEM, and SEM logs
C. DLP solution results
D. Security control administration

A

D. Security control administration

Explanation:
While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer

3
Q

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?

A. Statutes
B. The contract
C. Security control matrix
D. HIPAA

A

B. The contract

Explanation:
The contract between the provider and the customer enhances the customer's trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures).
Statutes, however, largely leave customers liable.
The security control matrix is a tool for ensuring compliance with regulations.
HIPAA is a statute.

4
Q

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?

A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3

A

D. SOC 3

Explanation:
The SOC 3 is the least detailed, so the provider is not concerned about revealing it.
The SOC 1 Types 1 and 2 are about financial reporting, and not relevant.
The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider

5
Q

Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it without additional protections?

A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3

A

B. SOC 2 Type 2

Explanation:
The SOC 3 is least detailed, so the provider is not concerned about revealing it.
The SOC 1 Types 1 and 2 are about financial reporting and not relevant.
The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider (typically released only under an NDA)

6
Q

The auditor should not ________

A. Review documents
B. Physically visit the business location
C. Perform system scans
D. Deliver consulting services

A

D. Deliver consulting services

Explanation:
The auditor should be impartial to the success of the target organization; consulting creates a conflict of interest

7
Q

Hardening the operating system refers to all of the following except ______

A. Limiting administrator access
B. Removing anti-malware agents
C. Closing unused ports
D. Removing unnecessary services and libraries

A

B. Removing anti-malware agents

Explanation:
Removing anti-malware agents.
Hardening the operating system means making it more secure.
Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure.
But removing anti-malware agents would actually make the system less secure.
If anything, anti-malware agents should be added, not removed, as part of the hardening process.
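
Added example (not part of the original flashcard set): a small hardening audit in Python that applies the four controls above to a constructed host inventory. The baseline (allowed sudoers, allowed listening ports, required services, banned packages) and the three host states are assumptions built for this example, not data from a real system; the point it shows is that the anti-malware agent is a required defence, so a pass that removes it is reported as a regression rather than counted as hardening.

```python
"""Added example: hardening audit against a constructed baseline.

Checks the four controls the question names (limit admin access, close
unused ports, remove unnecessary services and packages) and treats the
anti-malware agent as a required defence. The baseline and host states
are constructed for this example, not read from a real system.
"""
from dataclasses import dataclass

# Constructed baseline for a single-purpose HTTPS server (assumption).
BASELINE = {
    "allowed_admins": {"root", "ops"},                # accounts permitted in sudoers
    "allowed_ports": {22, 443},                       # only SSH and HTTPS may listen
    "required_services": {"sshd", "nginx", "clamav-daemon"},
    "required_agents": {"clamav-daemon"},             # anti-malware must stay installed
    "banned_packages": {"telnetd", "rsh-server"},     # legacy remote access, never needed
}


@dataclass
class HostState:
    sudoers: set
    listening_ports: set
    enabled_services: set
    installed_packages: set


def audit(host, baseline=BASELINE):
    """Return a list of findings; an empty list means the host matches the baseline."""
    findings = []
    for user in sorted(host.sudoers - baseline["allowed_admins"]):
        findings.append(f"excess admin: {user} has sudo but is not in the baseline")
    for port in sorted(host.listening_ports - baseline["allowed_ports"]):
        findings.append(f"open port: {port} is listening but not allowed")
    for svc in sorted(host.enabled_services - baseline["required_services"]):
        findings.append(f"unnecessary service: {svc} is enabled")
    for pkg in sorted(host.installed_packages & baseline["banned_packages"]):
        findings.append(f"unnecessary package: {pkg} is installed")
    # Hardening removes attack surface, not defences: a missing agent is a regression.
    for agent in sorted(baseline["required_agents"] - host.installed_packages):
        findings.append(f"missing defence: anti-malware agent {agent} is not installed")
    return findings


# Constructed "before hardening" state: extra admin, extra ports, extra services, telnetd.
BEFORE = HostState(
    sudoers={"root", "ops", "intern"},
    listening_ports={22, 80, 443, 3306},
    enabled_services={"sshd", "nginx", "clamav-daemon", "cups", "avahi-daemon"},
    installed_packages={"nginx", "clamav-daemon", "telnetd", "openssh-server"},
)

# The same host after a correct hardening pass (options A, C and D applied).
AFTER = HostState(
    sudoers={"root", "ops"},
    listening_ports={22, 443},
    enabled_services={"sshd", "nginx", "clamav-daemon"},
    installed_packages={"nginx", "clamav-daemon", "openssh-server"},
)

# A mistaken pass that also removed the anti-malware agent (option B).
WRONG = HostState(
    sudoers={"root", "ops"},
    listening_ports={22, 443},
    enabled_services={"sshd", "nginx"},
    installed_packages={"nginx", "openssh-server"},
)

if __name__ == "__main__":
    for name, state in (("before", BEFORE), ("after", AFTER), ("wrong", WRONG)):
        print(name, audit(state) or "OK")
```

Run as-is and the "before" state produces six findings, "after" produces none, and "wrong" produces exactly one: the missing agent. In practice the inventory would come from the host itself (the sudoers file, the socket listing, the service manager and the package database); only the collection step changes, the comparison against the baseline does not.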

8
Q

The cloud customer's trust in the cloud provider can be enhanced by all of the following except ______

A. Audits
B. Shared administration
C. Real-time environmental controls
D. SLAs

A

C. Real-time environmental controls

Explanation:
Real-time environmental controls (HVAC, power, fire suppression) keep the data center running but give the customer no meaningful information about the provider's performance, so they do not enhance trust.
All the others do: audits, shared administration, and SLAs each give the customer visibility into, or recourse against, the provider's conduct.

9
Q

User access to the cloud environment can be administered in all of the following ways except: _______

A. Customer directly administers access
B. Customer provides administration on behalf of the provider
C. Provider provides administration on behalf of the customer
D. Third party provides confirmation on behalf of the customer

A

B. Customer provides administration on behalf of the provider

Explanation:
The customer does not administer on behalf of the provider.
All the rest are possible options

10
Q

Which kind of SSAE audit reviews the organization's controls for assuring the confidentiality, integrity, and availability of data?

A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4

A

B. SOC 2

Explanation:
The SOC 2 deals with the CIA triad (its Trust Services Criteria cover security, availability, processing integrity, confidentiality, and privacy).
SOC 1 is for financial reporting
SOC 3 is only an attestation by the auditor
There is no SOC 4

11
Q

Which kind of SSAE report provides only an attestation by a certified auditor?

A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4

A

C. SOC 3

Explanation:
SOC 2 deals with the CIA triad.
SOC 1 is for financial reporting
SOC 3 is only an attestation by the auditor.
There is no SOC 4

12
Q

Which of the following is a cloud provider likely to provide its customers in order to enhance the customer's trust in the provider?

A. Site visit access
B. Financial reports to shareholders
C. Audit and performance log data
D. Backend administrative access

A

C. Audit and performance log data

Explanation:
The provider may share audit and performance log data with the customer.
The provider will most likely not share A and D, since they reveal too much information about the provider's security program.
B is already public information and does not enhance trust.

13
Q

In all cloud models, the customer will be given access and ability to modify which of the following?

A. Data
B. Security controls
C. User Permissions
D. OS

A

A. Data

Explanation:
The customer always owns the data and will therefore always have access to it.
The customer will never have administrative access to the provider's security controls, regardless of the model.
The customer may or may not have administrative control over user permissions.
The customer only has administrative power over the OS in an IaaS model

14
Q

In all cloud models, security controls are driven by which of the following?

A. Virtualization Engine
B. Hypervisor
C. SLAs
D. Business Requirements

A

D. Business Requirements

Explanation:
Security is always contingent on business drivers and beholden to operational needs.
The virtualization engine does not dictate security controls, and the hypervisor may vary (depending on its type and implementation)
The SLAs do not drive security control; they drive performance goals

15
Q

In all cloud models, the _______ will retain ultimate liability and responsibility for any data loss or disclosure

A. Vendor
B. Customer
C. State
D. Administrator

A

B. Customer

Explanation:
The customer currently always retains legal liability for data loss, even if the provider was negligent or malicious

16
Q

Why will cloud providers be unlikely to allow physical access to their data centers?

A. They want to enhance security by keeping information about physical layout and controls confidential
B. They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access
C. They want to minimize traffic in those areas to maximize efficiency of operational personnel
D. Most data centers are inhospitable to human life, so minimizing physical access also minimizes safety concerns

A

A. They want to enhance security by keeping information about physical layout and controls confidential

Explanation:
Knowledge of the physical layout and site controls could be of great use to an attacker, so they are kept extremely confidential.
The other options are all red herrings

17
Q

Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?

A. Database management software
B. Open-source software
C. Secure software
D. Proprietary software

A

B. Open-source software

Explanation:
Open-source software is available to the public, and often draws inspection from numerous, disparate reviewers.
DBMS software is not reviewed more or less than other software.
All software in a production environment should be secure.
That is not a valid discriminator for answering this question, so option C is not optimal.
Proprietary software reviews are limited to personnel employed by or under contract to the software developer, which narrows the perspective and necessarily reduces the number of potential reviewers.

18
Q

A firewall can use all of the following techniques for controlling traffic except ______

A. Rule sets
B. Behaviour analysis
C. Content filtering
D. Randomization

A

D. Randomization

Explanation:
Firewalls do use rule sets, behaviour analysis, and content filtering to determine which traffic is allowable.
Firewalls ought not use random criteria, because any such limitation would be just as likely to damage protection efforts as to enhance them.
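
Added example (not part of the original flashcard set): a toy firewall in Python that applies the three legitimate techniques from this question to constructed traffic. The rule set, the blocked payload fragments, the rate limit and the packets are all assumptions made for the example; the addresses are private-range and RFC 5737 documentation addresses. It shows why the three techniques are layered: a burst from one source passes the rule set and the content filter on every packet, and only the behaviour check catches it.

```python
"""Added example: the three traffic-control techniques named in the question,
applied to constructed packets. Nothing here reads from a real network.

  rule set            ordered allow/deny rules, first match wins, default deny
  content filtering   payload inspection for disallowed fragments
  behaviour analysis  per-source connection rate in a sliding window; a source
                      that exceeds the limit is blocked even though each of its
                      packets individually matches an allow rule
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since start of capture
    src: str
    dst_port: int
    proto: str
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src_prefix: str      # "10.0." matches 10.0.x.x; "" matches any source
    dst_port: Optional[int]
    proto: Optional[str]


# Assumed rule set: SSH only from the admin subnet, HTTPS from anywhere.
RULES = [
    Rule("allow", "10.0.", 22, "tcp"),
    Rule("deny", "", 22, "tcp"),
    Rule("allow", "", 443, "tcp"),
]
DEFAULT_ACTION = "deny"

# Constructed content filter: payload fragments that must not pass.
BLOCKED_CONTENT = [b"../../", b"<script", b"UNION SELECT"]


class Firewall:
    def __init__(self, rules=RULES, rate_limit=5, window=1.0):
        self.rules = rules
        self.rate_limit = rate_limit          # allowed connections per window per source
        self.window = window                  # seconds
        self.history = defaultdict(deque)     # src -> timestamps of recent connections
        self.blocked_sources = set()

    def match_rules(self, pkt):
        """First-match evaluation, falling through to the default action."""
        for r in self.rules:
            if (pkt.src.startswith(r.src_prefix)
                    and (r.dst_port is None or r.dst_port == pkt.dst_port)
                    and (r.proto is None or r.proto == pkt.proto)):
                return r.action
        return DEFAULT_ACTION

    def content_ok(self, pkt):
        return not any(bad in pkt.payload for bad in BLOCKED_CONTENT)

    def behaviour_ok(self, pkt):
        """Sliding-window rate check; exceeding the limit blocks the source outright."""
        if pkt.src in self.blocked_sources:
            return False
        hist = self.history[pkt.src]
        hist.append(pkt.ts)
        while hist and pkt.ts - hist[0] > self.window:
            hist.popleft()
        if len(hist) > self.rate_limit:
            self.blocked_sources.add(pkt.src)
            return False
        return True

    def decide(self, pkt):
        """Return (verdict, technique that produced it) for one packet."""
        if self.match_rules(pkt) == "deny":
            return "deny", "rule set"
        if not self.content_ok(pkt):
            return "deny", "content filter"
        if not self.behaviour_ok(pkt):
            return "deny", "behaviour analysis"
        return "allow", "rule set"


def run(packets, fw=None):
    fw = Firewall() if fw is None else fw
    return [fw.decide(p) for p in packets]


# Constructed traffic (private-range and RFC 5737 documentation addresses).
TRAFFIC = [
    Packet(0.0, "10.0.1.5", 22, "tcp"),                                # admin SSH: allow
    Packet(0.1, "203.0.113.9", 22, "tcp"),                             # outside SSH: deny
    Packet(0.2, "203.0.113.9", 443, "tcp", b"GET /index.html"),        # HTTPS: allow
    Packet(0.3, "203.0.113.9", 443, "tcp", b"GET /../../etc/passwd"),  # traversal: content filter
    Packet(0.4, "10.0.1.5", 3306, "tcp"),                              # MySQL: default deny
] + [Packet(1.0 + i * 0.05, "198.51.100.7", 443, "tcp") for i in range(8)]  # 8 hits in 0.35 s

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{pkt.src:>14} :{pkt.dst_port:<5} {verdict:5} ({why})")
```

The order of checks is deliberate: the cheap, deterministic rule set runs first, payload inspection only on traffic the rules admit, and the stateful behaviour check last, so the expensive work is spent only on traffic that has already passed the static controls. Note that a denied-by-rule packet is not recorded in the rate history, so a scan against closed ports is handled by the rules alone.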

19
Q

A honeypot should contain _______ data

A. Raw
B. Production
C. Useless
D. Sensitive

A

C. Useless

Explanation:
A honeypot is meant to draw in attackers but not divulge anything of value.
It should not use raw, production or sensitive data

20
Q

Vulnerability assessments cannot detect which of the following?

A. Malware
B. Defined vulnerabilities
C. Zero-day exploits
D. Programming flaws

A

C. Zero-day exploits

Explanation:
Vulnerability assessments can only detect known vulnerabilities, using definitions.
Some malware is known, as are programming flaws.
Zero-day exploits, on the other hand, are necessarily unknown until discovered and exercised by an attacker and will therefore not be detected by vulnerability assessments