Certified Cloud Security Professional Study Guide Chapter 6 Review Questions (Ben Masilow)

Question 1

What is the cloud service model in which the customer is responsible for administration of the OS?

A. IaaS
B. PaaS
C. SaaS
D. QaaS

Answer 1

A. IaaS

Explanation:
In IaaS, the cloud provider only owns the hardware and supplies the utlities.
The customer is responsible for the OS, programs, and data.
In PaaS and SaaS, the provider also owns the OS. There is no QaaS tf

Question 2

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except _______

A. Access to audit logs and performance data
B. SIM, SIEM, and SEM logs
C. DLP solution results
D. Security control administration

Answer 2

D. Security control administration

Explanation:
While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer

Question 3

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?

A. Statues
B. The contract
C. Security control matrix
D. HIPAA

Answer 3

B. The contract

Explanation:
The contract between the provider and the customer enhances the customers trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures)
Statutes, however, largely leave customers liable.
The security control matrix is a tool for ensuring compliance with regulations
HIPAA is a statue

Question 4

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?

A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3

Answer 4

D. SOC 3

Explanation:
The SOC 3 is the least detailed, so the provider is not concerned about revealing it.
The SOC 1 Types 1 and 2 are about financial reporting, and not relevant.
The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider

Question 5

Which kind of SSAE audit report is most beneficial for a cloud customer, even though its unlikely the cloud provider will share it without additional protections?

A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3

Answer 5

B. SOC 2 Type 2

Explanation:
The SOC 3 is least detailed, so the provider is not concerned about revealing it.
The SOC 1 Types 1 and 2 are about financial reporting and not relevant.
The SOC Type 2 is much more detailed and will most likely be held closely by the provider

Question 6

The auditor should not ________

A. Review documents
B. Physically visit the business location
C. Perform system scans
D. Deliver consulting services

Answer 6

D. Deliver consulting services

Explanation:
The auditor should be impartial to the success of the target organization; consulting creates a conflict of interest

Question 7

Hardening the operating system refers to all of the following except ______

A. Limiting administrator access
B. Removing anti-malware agents
C. Closing unused ports
D. Removing unnecessary services and libraries

Answer 7

B. Removing anti-malware agents

Explanation:
Removing anti-malware agents.
Hardening the operating system means making it more secure.
Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure.
But removing anti-malware agents would actually make the system less secure.
If anything, anti-malware agents should be added, not removed, as part of the hardening process.

Question 8

The cloud customers trust in the cloud provider can be enhanced by all of the following except ______

A. Audits
B. Shared administration
C. Real-time environmental controls
D. SLAs

Answer 8

C. Real-time environmental controls

Explanation:
Real-time environmeantal controls will not provider meaningful information and will not enhance trust.
All the others will and do

Question 9

User access to the cloud environment can be administered in all of the following ways except: _______

A. Customer directly administers access
B. Customer providers administration on behalf of the provider
C. Provider provides administration on behalf of the customer
D. Third party provides confirmation on behalf of the customer

Answer 9

B. Customer providers administration on behalf of the provider

Explanation:
The customer does not administer on behalf of the provider.
All the rest are possible options

Question 10

Which kind of SSAE audit reviews the organizations controls for assuring the the confidentiality, integrity, and availability of data?

A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4

Answer 10

B. SOC 2

Explanation:
The SOC 2 details with the CIA triad.
SOC 1 is for financial reporting
SOC 3 is only an attestation by the auditor 
There is no SOC 4

Question 11

Which kind of SSAE report provides only an attestation by a certified auditor?

A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4

Answer 11

C. SOC 3

Explanation:
SOC 2 deals with the CIA triad.
SOC 1 is for financial reporting
SOC 3 is only an attestation by the auditor.
There is no SOC 4

Question 12

Which of the following is a cloud provider likely to provide its customers in order to enhance the customers trust in the provider?

A. Site visit access
B. Financial reports to shareholders
C. Audit and performance log data
D. Backend administrative access

Answer 12

C. Audit and performance log data

Explanation:
The provider may share audit and performance log data with the customer.
The provider will most likely not share A and D since they reveal too much information about the providers security program.
B is already public information and does not enhance trust.

Question 13

In all cloud models, the customer will be given access and ability to modify which of the following?

A. Data
B. Security controls
C. User Permissions
D. OS

Answer 13

A. Data

Explanation:
The customer always owns the data and will therefore always have access to it.
The customer will never have administrative access to the providers security controls, regardless of the model.
The customer may or may not have administrative control over use permissions
The customer only has administrative power over the OS in an IaaS model

Question 14

In all cloud models, security controls are driven by which of the following?

A. Virtualization Engine
B. Hypervisor
C. SLAs
D. Business Requirements

Answer 14

D. Business Requirements

Explanation:
Security is always contingent on business drivers and beholden to operational needs.
The virtualization engine does not dictate security controls, and the hypervisor may vary (depending on its type and implementation)
The SLAs do not drive security control; they drive performance goals

Question 15

In all cloud models, the _______ will retain ultimate liability and responsibility for any data loss or disclosure

A. Vendor
B. Customer
C. State
D. Administrator

Answer 15

B. Customer

Explanation:
The customer currently always retains legal liability for data loss, even if the provider was negligent or malicious

Question 16

Why will cloud providers be unlikely to allow physical access to their data centers?

A. They want to enhance security bye keeping information about physical layout and controls confidential
B. They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access
C. They want to minimize traffic in those areas to maximize efficiency of operational personnel
D. Most data centers are inhospitable to human life, so minimizing physical access also minimizes safety concerns

Answer 16

A. They want to enhance security bye keeping information about physical layout and controls confidential

Explanation:
Knowledge of the physical layout and site controls could be of great use to an attacker, so they are kept extremely confidential.
The other options are all red herrings

Question 17

Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?

A. Database management software
B. Open-source software
C. Secure software
D. Proprietary software

Answer 17

B. Open-source software

Explanation:
Open-source software is available on the public, and often draws inspection from numerous, disparate reviewers,
DBMS is not reviewed more or less than other software.
All software in a production environment should be secure.
That is not a valid discriminator for answering this question, so option C is not optimum
Proprietary software reviews are limited to the personnel in the employ/under contract of the software developer, which narrows the perspective and necessarily reduces the amount of potential reviewers

Question 18

A firewall can use all of the following techniques for controlling traffic except ______

A. Rule sets
B. Behaviour analysis
C. Content filtering
D. Randomization

Answer 18

D. Randomization

Explanation:
Firewalls do use rules, behavior analytics, and/content filtering in order to determine which traffic is allowable.
Firewalls ought not use random criteria, because any such limitations would be just as likely to damage protection efforts as enhance them

Question 19

A honeypot should contain _______ data

A. Raw
B. Production
C. Useless
D. Sensitive

Answer 19

C. Useless

Explanation:
A honeypot is meant to draw in attackers but not divulge anything of value.
It should not use raw, production or sensitive data

Question 20

Vulnerability assessments cannot detect which of the following?

A. Malware
B. Defined vulnerabilities
C. Zero-day exploits
D. Programming flaws

Answer 20

C. Zero-day exploits

Explanation:
Vulnerability assessments can only detect known vulnerabilities, using definitions.
Some malware is known, as are programming flaws.
Zero-day exploits, on the other hand, are necessarily unknown until discovered and exercised by an attacker and will therefore not be detected by vulnerability assessments