Certified Cloud Security Professional Study Guide Chapter 8 Review Questions (Ben Masilow) Flashcards

1
Q

What is the lowest tier of data center redundancy, according to the Uptime Institute?

A. 1
B. 2
C. 3
D. 4

A

A. 1

Explanation:
There are four tiers in the Uptime Institute’s data center redundancy rating system, with 1 being the lowest and 4 being the highest.

2
Q

What is the amount of fuel that should be on hand to power generators for backup data center power, in all tiers, according to Uptime Institute?

A. 1
B. 1,000 gallons
C. Enough to last 12 hours
D. As much as needed to ensure all systems may be gracefully shut down and data securely stored

A

C. Enough to last 12 hours

Explanation:
The other answers are distractors.

3
Q

Who should not be involved in application security testing?

A. Quality Assurance team members
B. Testing contractors
C. User community representatives
D. Developers of the application

A

D. Developers of the application

Explanation:
The development team should not be involved in direct testing of their own software because they bring personal biases and foreknowledge of the application, and also because an independent perspective is much more useful.
All the other answers may be used as part of the testing team.

4
Q

Which of the following is part of the STRIDE model?

A. Repudiation
B. Redundancy
C. Resiliency
D. Rijndael

A

A. Repudiation

Explanation:
Repudiation is an element of the STRIDE model; the rest of the answers are not.

5
Q

Which of the following is not part of the STRIDE model?

A. Spoofing
B. Tampering
C. Resiliency
D. Information Disclosure

A

C. Resiliency

Explanation:
Resiliency is not an element of the STRIDE model; all the rest of the answers are.

6
Q

Which of the following is not a feature of SAST?

A. Source code review
B. Team-building efforts
C. White-box testing
D. Highly skilled, often expensive outside consultants

A

B. Team-building efforts

Explanation:
Team-building has nothing to do with SAST; all the rest of the answers are characteristics of SAST.

7
Q

Which of the following is not a feature of DAST?

A. Testing in runtime
B. User teams performing executable testing
C. Black-box testing
D. Binary inspection

A

D. Binary inspection

Explanation:
Binary inspection has nothing to do with DAST, and it is not really a term that means anything in our industry (although it could be interpreted as a type of code review, more related to SAST); all the others are characteristics of DAST.

8
Q

Which of the following is not a feature of a secure KVM component?

A. Keystroke logging
B. Sealed exterior case
C. Soldered chipsets
D. Push-button selectors

A

A. Keystroke logging

Explanation:
Keystroke logging is not a characteristic of secure KVM design; in fact, secure KVM components should attenuate the potential for keystroke logging.
All the rest of the answers are characteristics of secure KVM components.

9
Q

What type of redundancy can we expect to find in a data center of any tier?

A. All operational components
B. All infrastructure
C. Emergency egress
D. Full power capabilities

A

C. Emergency egress

Explanation:
Emergency egress redundancy is the only aspect of data centers that can be expected to be found in data centers of any tier; the rest of the answers list characteristics that can be found only in specific tiers.

10
Q

What should be the primary focus of data center redundancy and contingency planning?

A. Critical path/Operations
B. Health and human safety
C. Infrastructure supporting the production environment
D. Power and HVAC

A

B. Health and human safety

Explanation:
Regardless of the tier level or purpose of any data center, the design focus for security should always consider health and human safety paramount.

11
Q

Which of the following techniques for ensuring cloud data center storage resiliency uses parity bits and disk striping?

A. Cloud bursting
B. RAID
C. Data dispersion
D. SAN

A

B. RAID

Explanation:
Parity bits and disk striping are characteristics of RAID implementations.
Cloud-bursting is a feature of scalable cloud hosting.
Data dispersion uses parity bits but not disk striping; instead, it uses data chunks and encryption.
SAN is a data storage technique but is not focused on resiliency.

12
Q

Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations?

A. Cross-training
B. Metered usage
C. Proper placement of HVAC temperature measurement tools
D. Raised floors

A

A. Cross-training

Explanation:
Cross-training attenuates the loss of contingency capabilities by ensuring personnel will be able to perform essential tasks, even if they are not primarily assigned to those positions in a full-time capacity.
Metered usage is a benefit for cloud customers associated with ensuring value for payment, but not with resiliency.
Proper placement of HVAC temperature measurement tools and raised floors both aid in optimizing component performance but are not practically associated with resiliency.
This is a difficult question, and it could be read in ways that would suggest other correct answers.

13
Q

Which of the following has not been attributed as the cause of lost capabilities due to DoS?

A. Hackers
B. Construction equipment
C. Changing regulatory motif
D. Squirrels

A

C. Changing regulatory motif

Explanation:
Changing regulations should not result in a lack of availability.
All the other answers have caused DoS outages.

14
Q

If a hospital is considering using a cloud data center, which Uptime Institute Tier should it require?

A. 2
B. 4
C. 8
D. X

A

B. 4

Explanation:
Tier 4 is the highest in the Uptime Institute standard; it is the only suitable tier for life-critical systems.
Tier 2 does not provide sufficient redundancy/resiliency to support medical services.
There are no Tiers 8 or X.
As a test-taking tip, it helps to assume all the hospital's systems will migrate to the cloud unless otherwise stated.
There could arguably be hospital systems that are not life-critical and would not require Tier 4, but since that detail is not in the question, the broadest reading is appropriate.

15
Q

What is often a major challenge to getting both redundant power and communications utility connections?

A. Expense
B. Carrying medium
C. Personnel deployment
D. Location of many data centers

A

D. Location of many data centers

Explanation:
The location of many data centers (rurally situated, distant from metropolitan areas) may create challenges for finding multiple power utility providers and ISPs, as those areas just aren't usually served by multiple vendors.
Expense is not usually a concern; economies of scale make costs acceptable as part of the pricing structure.
Personnel deployment doesn't usually affect access to either type of connection.
The carrying medium has nothing to do with the challenges of finding multiple providers and is not even a common industry term.

16
Q

Which of the following is generally not a high-priority aspect of physical security in the planning and design of a cloud data center facility?

A. Perimeter
B. Vehicular approach/traffic
C. Fire suppression
D. Elevation of dropped ceilings

A

D. Elevation of dropped ceilings

Explanation:
The height of dropped ceilings is not a security concern, except in action movies.
The rest of the answers are all aspects of physical security that should be taken into account when planning and designing a data center.

17
Q

The Brewer-Nash security model is also known as which of the following?

A. MAC
B. The Chinese Wall model
C. Preventive measures
D. RBAC

A

B. The Chinese Wall model

Explanation:
The Brewer-Nash model is also known as the Chinese Wall model.

18
Q

Which kind of hypervisor would malicious actors prefer to attack ostensibly because it offers a greater attack surface?

A. Cat IV
B. Type II
C. Bare Metal
D. Converged

A

B. Type II

Explanation:
Type II hypervisors run via the OS on the host machine; this makes them attractive to attackers because both the machine and the OS offer potential attack vectors.
Cat IV and converged are not terms associated with hypervisors.
Bare-metal hypervisors (Type 1) are less attractive to attackers because they offer a smaller attack surface.

19
Q

Which of the following techniques for ensuring cloud data center storage resiliency uses encrypted chunks of data?

A. Cloud-bursting
B. RAID
C. Data Dispersion
D. SAN

A

C. Data Dispersion

Explanation:
Data dispersion uses parity bits, data chunks, and encryption.
Parity bits and disk striping are characteristics of RAID implementations.
Cloud-bursting is a feature of scalable cloud hosting.
SAN is a data storage technique but is not focused on resiliency.

20
Q

Which of the following data center redundancy efforts probably poses the greatest threat to human safety?

A. Emergency egress
B. Communications
C. Generators
D. Spare components

A

C. Generators

Explanation:
Generators require fuel, and fuel is flammable.
None of the other answers represents an appreciable threat to human safety.