Certified Cloud Security Professional Study Guide Chapter 6 Review Questions (Ben Masilow) Flashcards
What is the cloud service model in which the customer is responsible for administration of the OS?
A. IaaS
B. PaaS
C. SaaS
D. QaaS
A. IaaS
Explanation:
In IaaS, the cloud provider owns only the hardware and supplies the utilities (power, cooling, connectivity).
The customer is responsible for the OS, programs, and data.
In PaaS and SaaS, the provider also owns the OS. There is no QaaS.
To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except _______
A. Access to audit logs and performance data
B. SIM, SIEM, and SEM logs
C. DLP solution results
D. Security control administration
D. Security control administration
Explanation:
While the provider might share any of the other options listed, the provider will not share administration of its own security controls with the customer.
In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?
A. Statutes
B. The contract
C. Security control matrix
D. HIPAA
B. The contract
Explanation:
The contract between the provider and the customer enhances the customer's trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures).
Statutes, however, largely leave customers liable.
The security control matrix is a tool for ensuring compliance with regulations.
HIPAA is a statute.
Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?
A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3
D. SOC 3
Explanation:
The SOC 3 is the least detailed (a general-use summary of the auditor's opinion), so the provider is not concerned about releasing it.
The SOC 1 Type 1 and Type 2 reports cover internal controls over financial reporting and are not relevant.
The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider.
Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it without additional protections?
A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3
B. SOC 2 Type 2
Explanation:
The SOC 3 is the least detailed, so the provider is not concerned about releasing it.
The SOC 1 Type 1 and Type 2 reports cover internal controls over financial reporting and are not relevant.
The SOC 2 Type 2 is much more detailed (it tests the design and operating effectiveness of controls over a period) and will most likely be held closely by the provider, typically released only under an NDA.
The auditor should not ________
A. Review documents
B. Physically visit the business location
C. Perform system scans
D. Deliver consulting services
D. Deliver consulting services
Explanation:
The auditor should be impartial to the success of the target organization; consulting creates a conflict of interest.
Hardening the operating system refers to all of the following except ______
A. Limiting administrator access
B. Removing anti-malware agents
C. Closing unused ports
D. Removing unnecessary services and libraries
B. Removing anti-malware agents
Explanation:
Hardening the operating system means making it more secure by reducing its attack surface.
Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure.
Removing anti-malware agents would actually make the system less secure.
If anything, anti-malware agents should be added, not removed, as part of the hardening process.
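To make the three hardening activities in the correct options concrete, here is an added example (not from the study guide) of a small audit script that checks a host against an allowlist: listening ports against the ports it should expose, enabled services against the services it needs, and the size of the admin group, while also confirming that the anti-malware agent has not been removed. The command output, service names, group line, allowlists and thresholds are all constructed sample data chosen for illustration.

```python
"""Added example: a minimal OS-hardening audit against constructed sample data.

Stand-ins for live command output (all constructed, not captured from a real host):
  - SS_OUTPUT: lines in the format of `ss -tlnp` (listening TCP sockets)
  - ENABLED_SERVICES: unit names as `systemctl list-unit-files --state=enabled` would list them
  - SUDO_GROUP_LINE: the 'sudo' line from /etc/group
The allowlists and thresholds are assumptions for this example.
"""
import re

SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1330,fd=6))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1402,fd=4))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
"""
ENABLED_SERVICES = ["sshd", "nginx", "vsftpd", "cups", "clamav-daemon", "telnet.socket"]
SUDO_GROUP_LINE = "sudo:x:27:alice,bob,carol,dave,deploy,jenkins"

ALLOWED_PORTS = {22, 443}                              # the only ports this host should expose
ALLOWED_SERVICES = {"sshd", "nginx", "clamav-daemon"}  # everything else is unnecessary here
REQUIRED_SERVICES = {"clamav-daemon"}                  # the anti-malware agent must stay
MAX_ADMINS = 3                                         # limit on sudo group membership

# Matches a LISTEN line and captures the local address:port and the owning process name.
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)"')


def listening_sockets(ss_text):
    """Parse ss -tlnp style output into a list of (port, local_address, process)."""
    sockets = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        local, process = m.group(1), m.group(2)
        addr, port = local.rsplit(":", 1)  # rsplit handles [::]:22 as well as 0.0.0.0:22
        sockets.append((int(port), addr, process))
    return sockets


def audit(ss_text=SS_OUTPUT, services=ENABLED_SERVICES, group_line=SUDO_GROUP_LINE):
    """Return a list of hardening findings; an empty list means the host matches the baseline."""
    findings = []
    # 1. Close unused ports: anything listening outside the allowlist.
    for port, addr, proc in listening_sockets(ss_text):
        if port not in ALLOWED_PORTS:
            findings.append(f"close port {port}/tcp on {addr} (process {proc}): not in allowlist")
    # 2. Remove unnecessary services: anything enabled outside the allowlist.
    for svc in services:
        if svc not in ALLOWED_SERVICES:
            findings.append(f"disable service {svc}: not in allowlist")
    # Protective agents are the exception: their absence is itself a finding.
    for svc in sorted(REQUIRED_SERVICES - set(services)):
        findings.append(f"anti-malware service {svc} is missing: hardening removes unneeded "
                        f"software, not protective agents")
    # 3. Limit administrator access: too many members in the sudo group.
    member_field = group_line.split(":")[3]
    members = member_field.split(",") if member_field else []
    if len(members) > MAX_ADMINS:
        findings.append(f"sudo group has {len(members)} members, limit is {MAX_ADMINS}: "
                        f"{', '.join(members)}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against the constructed data it reports the FTP and CUPS listeners, the three unneeded services and the oversized sudo group; drop `clamav-daemon` from the service list and it adds a finding for the missing agent rather than treating the removal as a hardening win.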
The cloud customer's trust in the cloud provider can be enhanced by all of the following except ______
A. Audits
B. Shared administration
C. Real-time environmental controls
D. SLAs
C. Real-time environmental controls
Explanation:
Real-time environmental controls (the HVAC, power and fire-suppression systems themselves) do not provide meaningful information to the customer and will not enhance trust.
Audits, shared administration, and SLAs all do.
User access to the cloud environment can be administered in all of the following ways except: _______
A. Customer directly administers access
B. Customer provides administration on behalf of the provider
C. Provider provides administration on behalf of the customer
D. Third party provides confirmation on behalf of the customer
B. Customer provides administration on behalf of the provider
Explanation:
The customer does not administer access on behalf of the provider.
All the rest are possible options.
Which kind of SSAE audit reviews the organization's controls for assuring the confidentiality, integrity, and availability of data?
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
B. SOC 2
Explanation: The SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.
Which kind of SSAE report provides only an attestation by a certified auditor?
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
C. SOC 3
Explanation: SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.
Which of the following is a cloud provider likely to provide its customers in order to enhance the customer's trust in the provider?
A. Site visit access
B. Financial reports to shareholders
C. Audit and performance log data
D. Backend administrative access
C. Audit and performance log data
Explanation:
The provider may share audit and performance log data with the customer.
The provider will most likely not share A or D, since they reveal too much information about the provider's security program.
B is already public information and does not enhance trust.
In all cloud models, the customer will be given access and ability to modify which of the following?
A. Data
B. Security controls
C. User Permissions
D. OS
A. Data
Explanation:
The customer always owns the data and will therefore always have access to it.
The customer will never have administrative access to the provider's security controls, regardless of the model.
The customer may or may not have administrative control over user permissions.
The customer only has administrative power over the OS in an IaaS model.
In all cloud models, security controls are driven by which of the following?
A. Virtualization Engine
B. Hypervisor
C. SLAs
D. Business Requirements
D. Business Requirements
Explanation:
Security is always contingent on business drivers and beholden to operational needs.
The virtualization engine does not dictate security controls, and the hypervisor may vary (depending on its type and implementation).
The SLAs do not drive security controls; they drive performance goals.
In all cloud models, the _______ will retain ultimate liability and responsibility for any data loss or disclosure
A. Vendor
B. Customer
C. State
D. Administrator
B. Customer
Explanation:
The customer currently always retains legal liability for data loss, even if the provider was negligent or malicious.
Why will cloud providers be unlikely to allow physical access to their data centers?
A. They want to enhance security by keeping information about physical layout and controls confidential
B. They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access
C. They want to minimize traffic in those areas to maximize efficiency of operational personnel
D. Most data centers are inhospitable to human life, so minimizing physical access also minimizes safety concerns
A. They want to enhance security by keeping information about physical layout and controls confidential
Explanation:
Knowledge of the physical layout and site controls could be of great use to an attacker, so they are kept extremely confidential.
The other options are all red herrings.
Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?
A. Database management software
B. Open-source software
C. Secure software
D. Proprietary software
B. Open-source software
Explanation:
Open-source software is available to the public, and often draws inspection from numerous, disparate reviewers.
DBMS software is not reviewed more or less than other software.
All software in a production environment should be secure.
That is not a valid discriminator for answering this question, so option C is not optimal.
Proprietary software reviews are limited to the personnel in the employ of, or under contract to, the software developer, which narrows the perspective and necessarily reduces the number of potential reviewers.
A firewall can use all of the following techniques for controlling traffic except ______
A. Rule sets
B. Behaviour analysis
C. Content filtering
D. Randomization
D. Randomization
Explanation:
Firewalls use rule sets, behaviour analysis, and content filtering in order to determine which traffic is allowable.
Firewalls ought not use random criteria, because any such limitation would be just as likely to damage protection efforts as to enhance them.
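The three legitimate techniques in this question, run over constructed traffic, as an added example that is not from the study guide. It models a firewall as three stages: an ordered rule set with first-match semantics and a default-deny fallback, a content filter that drops packets whose payload contains a known signature, and a behaviour check that denies a source once it exceeds a connection rate. The rule set, signatures, addresses, threshold and window are all assumptions for the example.

```python
"""Added example: rule-set, content-filtering and behaviour-analysis stages of a firewall,
exercised on constructed packets. Addresses, rules, signatures and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str
    payload: bytes = b""
    ts: float = 0.0  # arrival time in seconds, used by the behaviour stage


@dataclass
class Rule:
    """One entry of the ordered rule set; None fields match anything."""
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed rule set: block SSH from an untrusted range, then permit SSH and HTTPS.
RULES = [
    Rule("deny", src="10.0.0.0/8", dst_port=22),
    Rule("allow", dst_port=22, proto="tcp"),
    Rule("allow", dst_port=443, proto="tcp"),
]
# Constructed payload signatures for the content filter.
CONTENT_SIGNATURES = [b"/etc/passwd", b"<script>"]


class Firewall:
    def __init__(self, rules, signatures, rate_limit=5, window=1.0):
        self.rules = rules
        self.signatures = signatures
        self.rate_limit = rate_limit      # max packets per source inside the window
        self.window = window              # seconds
        self.history = defaultdict(list)  # src -> recent arrival times

    def rule_set(self, pkt: Packet) -> str:
        """First matching rule wins; anything unmatched is denied (default deny)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def content_filter(self, pkt: Packet) -> str:
        """Deny when the payload carries a known signature."""
        return "deny" if any(sig in pkt.payload for sig in self.signatures) else "allow"

    def behaviour(self, pkt: Packet) -> str:
        """Deny a source that sends more than rate_limit packets within the window."""
        recent = self.history[pkt.src]
        recent.append(pkt.ts)
        recent[:] = [t for t in recent if pkt.ts - t < self.window]
        return "deny" if len(recent) > self.rate_limit else "allow"

    def decide(self, pkt: Packet):
        """Return ("allow", None) or ("deny", <name of the stage that denied it>)."""
        for stage in (self.rule_set, self.content_filter, self.behaviour):
            if stage(pkt) == "deny":
                return ("deny", stage.__name__)
        return ("allow", None)


def run_sample():
    """Push constructed traffic through the firewall and return the decision for each packet."""
    fw = Firewall(RULES, CONTENT_SIGNATURES)
    sample = [
        Packet("10.1.2.3", 22, "tcp", ts=0.0),                                # deny: explicit rule
        Packet("192.0.2.10", 22, "tcp", ts=0.1),                              # allow
        Packet("192.0.2.10", 443, "tcp", b"GET /../etc/passwd", ts=0.2),      # deny: content filter
        Packet("192.0.2.10", 8080, "tcp", ts=0.3),                            # deny: default deny
    ] + [Packet("198.51.100.7", 443, "tcp", ts=0.5 + i * 0.05) for i in range(8)]  # burst of 8
    return [fw.decide(p) for p in sample]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The burst from 198.51.100.7 shows why behaviour analysis is a separate technique: each of those packets passes the rule set and carries no signature, and only the rate over time turns the sixth and later packets into a deny.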
A honeypot should contain _______ data
A. Raw
B. Production
C. Useless
D. Sensitive
C. Useless
Explanation:
A honeypot is meant to draw in attackers but not divulge anything of value.
It should not contain raw, production or sensitive data.
Vulnerability assessments cannot detect which of the following?
A. Malware
B. Defined vulnerabilities
C. Zero-day exploits
D. Programming flaws
C. Zero-day exploits
Explanation:
Vulnerability assessments can only detect known vulnerabilities, using definitions (signatures of the flaws they look for).
Some malware is known, as are programming flaws.
Zero-day exploits, on the other hand, are necessarily unknown until discovered and exercised by an attacker, and will therefore not be detected by vulnerability assessments.
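To show what "detect only using definitions" means in practice, here is an added example (not from the study guide) of the matching logic at the core of a definition-driven vulnerability check: an inventory of installed package versions is compared against a list of definitions that say which versions of which package are affected. The package names, versions and definition IDs are fictitious, constructed for the example and not real CVEs; the point is that a flaw with no definition, which is what a zero-day is until it is disclosed, produces no finding no matter how many definitions are loaded.

```python
"""Added example: definition-driven vulnerability matching over a constructed inventory.
Package names, versions and definition IDs are fictitious placeholders, not real advisories."""
from dataclasses import dataclass


def parse_version(v: str):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Definition:
    def_id: str        # fictitious identifier
    package: str
    fixed_in: str      # installed versions below this are affected
    description: str


# Constructed definition set, as a scanner's signature database would hold it.
DEFINITIONS = [
    Definition("DEF-0001", "example-httpd", "2.4.10", "request smuggling (constructed)"),
    Definition("DEF-0002", "example-ssl", "1.1.3", "buffer over-read (constructed)"),
    Definition("DEF-0003", "example-db", "9.2.0", "authentication bypass (constructed)"),
]

# Constructed inventory of what is installed on the assessed host.
INVENTORY = {
    "example-httpd": "2.4.7",   # older than the fix: should be reported
    "example-ssl": "1.1.3",     # exactly the fixed version: not affected
    "example-db": "9.6.1",      # newer than the fix: not affected
    "example-agent": "0.9.0",   # no definition exists for this package at all
}


def scan(inventory, definitions):
    """Return (def_id, package, installed, fixed_in) for each definition that matches."""
    findings = []
    for d in definitions:
        installed = inventory.get(d.package)
        if installed is None:
            continue  # package not present, definition cannot apply
        if parse_version(installed) < parse_version(d.fixed_in):
            findings.append((d.def_id, d.package, installed, d.fixed_in))
    return findings


def uncovered(inventory, definitions):
    """Packages the definition set says nothing about: any flaw in them is invisible to scan()."""
    known = {d.package for d in definitions}
    return sorted(pkg for pkg in inventory if pkg not in known)


if __name__ == "__main__":
    for finding in scan(INVENTORY, DEFINITIONS):
        print("finding:", finding)
    print("no definitions for:", uncovered(INVENTORY, DEFINITIONS))
    # Once a flaw is disclosed and a definition is published, the same scan picks it up.
    disclosed = DEFINITIONS + [Definition("DEF-0004", "example-agent", "1.0.0", "privilege escalation (constructed)")]
    print("after update:", scan(INVENTORY, disclosed))
```

Running it against the constructed inventory yields one finding for example-httpd, and example-agent appears only in the uncovered list; adding a definition for it afterwards is the only thing that changes the scan result, which is exactly the gap a zero-day sits in.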