Certified Cloud Security Professional Study Guide Chapter 8 Review Questions (Ben Malisow) Flashcards
What is the lowest tier of data center redundancy, according to the Uptime Institute?
A. 1
B. 2
C. 3
D. 4
A. 1
Explanation:
There are four tiers in the Uptime Institute's data center redundancy rating system, with 1 being the lowest and 4 being the highest.
What is the amount of fuel that should be on hand to power generators for backup data center power, in all tiers, according to Uptime Institute?
A. 1
B. 1,000 gallons
C. Enough to last 12 hours
D. As much as needed to ensure all systems may be gracefully shut down and data securely stored
C. Enough to last 12 hours
Explanation:
The other answers are distractors
Who should not be involved in application security testing?
A. Quality Assurance team members
B. Testing contractors
C. User community representatives
D. Developers of the application
D. Developers of the application
Explanation:
The development team should not be involved in direct testing of their own software because they bring personal biases and foreknowledge of the application, and because an independent perspective is much more useful.
All the other answers may be used as part of the testing team
Which of the following is part of the STRIDE model?
A. Repudiation
B. Redundancy
C. Resiliency
D. Rijndael
A. Repudiation
Explanation:
Repudiation is an element of the STRIDE model; the rest of the answers are not
Which of the following is not part of the STRIDE model?
A. Spoofing
B. Tampering
C. Resiliency
D. Information Disclosure
C. Resiliency
Explanation:
Resiliency is not an element of the STRIDE model; all the rest of the answers are.
Which of the following is not a feature of SAST?
A. Source code review
B. Team-building efforts
C. White-box testing
D. Highly skilled, often expensive outside consultants
B. Team-building efforts
Explanation:
Team-building has nothing to do with SAST; all the rest of the answers are characteristics of SAST
Which of the following is not a feature of DAST?
A. Testing in runtime
B. User teams performing executable testing
C. Black-box testing
D. Binary inspection
D. Binary inspection
Explanation:
Binary inspection has nothing to do with DAST, and it is not really a term that means anything in our industry (although it could be interpreted as a type of code review, more related to SAST); all the others are characteristics of DAST.
Which of the following is not a feature of a secure KVM component?
A. Keystroke logging
B. Sealed exterior case
C. Soldered chipsets
D. Push-button selectors
A. Keystroke logging
Explanation:
Keystroke logging is not a characteristic of secure KVM design; in fact, secure KVM components should attenuate the potential for keystroke logging.
All the rest of the answers are characteristics of secure KVM components
What type of redundancy can we expect to find in a data center of any tier?
A. All operational components
B. All infrastructure
C. Emergency egress
D. Full power capabilities
C. Emergency egress
Explanation:
Emergency egress redundancy is the only aspect of data centers that can be expected to be found in data centers of any tier; the rest of the answers list characteristics that can be found only in specific tiers
What should be the primary focus of data center redundancy and contingency planning?
A. Critical path/Operations
B. Health and human safety
C. Infrastructure supporting the production environment
D. Power and HVAC
B. Health and human safety
Explanation:
Regardless of the tier level or purpose of any data center, design focus for security should always consider health and human safety paramount
Which of the following techniques for ensuring cloud data center storage resiliency uses parity bits and disk striping?
A. Cloud bursting
B. RAID
C. Data dispersion
D. SAN
B. RAID
Explanation:
Parity bits and disk striping are characteristics of RAID implementations.
Cloud-bursting is a feature of scalable cloud hosting.
Data dispersion uses parity bits but not disk striping; instead, it uses data chunks and encryption
SAN is a data storage technique but not focused on resiliency
Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations?
A. Cross-training
B. Metered usage
C. Proper placement of HVAC temperature measurement tools
D. Raised floors
A. Cross-training
Explanation:
Cross-training offers attenuation of lost contingency capabilities by ensuring personnel will be able to perform essential tasks, even if they are not primarily assigned to those positions in a full-time capacity
Metered usage is a benefit for cloud customers associated with ensuring value for payment, but not resiliency
Proper placement of HVAC temperature measurement and raised floors both aid in optimizing component performance but are not practically associated with resiliency.
This is a difficult question, and it could be read in ways that would suggest other correct answers
Which of the following has not been attributed as the cause of lost capabilities due to DoS?
A. Hackers
B. Construction equipment
C. Changing regulatory motif
D. Squirrels
C. Changing regulatory motif
Explanation:
Changing regulations should not result in lack of availability.
All the other answers have caused DoS outages
If a hospital is considering using a cloud data center, which Uptime Institute Tier should it require?
A. 2
B. 4
C. 8
D. X
B. 4
Explanation:
Tier 4 is the highest in the Uptime Institute standard; it is the only suitable tier for life-critical systems
Tier 2 does not provide sufficient redundancy/resiliency for supporting medical services.
There are no Tiers 8 or X.
As a test-taking tip, it helps to assume all the hospital's systems will migrate to the cloud unless otherwise stated.
There could arguably be hospital systems that are not life-critical and would not require Tier 4, but since that detail is not in the question, the broadest reading is appropriate.
What is often a major challenge to getting both redundant power and communications utility connections?
A. Expense
B. Carrying medium
C. Personnel deployment
D. Location of many data centers
D. Location of many data centers
Explanation:
The location of many data centers (rurally situated, distant from metropolitan areas) may create challenges for finding multiple power utility providers and ISPs, as those areas usually aren't served by multiple vendors.
Expense is not usually a concern; economies of scale make costs acceptable as part of the pricing structure.
Personnel deployment doesn't usually affect access to either type of connection.
The carrying medium has nothing to do with challenges in finding multiple providers and is not even a common industry term.