Chapter 1 Domain 1: Cloud Concepts, Architecture, and Design (Ben Malisow) Flashcards
Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which cloud service model should she most likely consider for her company’s purposes?
A. Platform as a service (PaaS)
B. Software as a service (SaaS)
C. Backup as a service (BaaS)
D. Infrastructure as a service (IaaS)
A. Platform as a service (PaaS)
Explanation:
PaaS will allow her developers to create and design their software on a variety of operating systems (OSs), increasing the breadth of the market she can sell to. Also, she can use geographically dispersed programmers to work on projects concurrently, and the provider will be responsible for maintaining and updating the OSs as necessary. IaaS is a less attractive option because it would retain the need for Alice’s company to administer the OSs in addition to building their software; it might be less expensive in terms of paying the cloud provider, but the time and effort and personnel necessary to maintain the OSs would offset that cost, probably in a net-negative way. SaaS is not an option; Alice wants her company to build software, not rent it or buy it. Backup as a Service (BaaS) would not be useful for creating, designing, or deploying Alice’s company’s software.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 200). Wiley. Kindle Edition.
Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which aspect of cloud computing should she be most concerned about, in terms of security issues?
A. Multitenancy
B. Metered service
C. Service-level agreement (SLA)
D. Remote access
A. Multitenancy
Explanation:
Of these four options, multitenancy poses the greatest risk to software developers in the cloud, because developers need to be concerned with two things: protecting their intellectual property (the software they’re making) and protecting resource calls their software makes to the underlying infrastructure (which, if detectable by other cloud customers, could provide information that constitutes a side-channel attack). Metered service doesn’t pose much of a security risk. The SLA might include some security aspects (such as response time), but it’s usually more of a performance-ensuring tool, and this choice is not as good as option A.
Remote access, in this particular case, provides more benefit than risk: Alice can utilize work from developers located across the country or across the planet. While she does have to consider the risks inherent in all remote access, those risks are not as significant as the risks due to multitenancy, so option A is still preferable.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 200). Wiley. Kindle Edition.
Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. In order to protect her company’s intellectual property, Alice might want to consider implementing all these techniques/solutions except ____________.
A. Egress monitoring
B. Encryption
C. Turnstiles
D. Digital watermarking
C. Turnstiles
Explanation:
Turnstiles are a physical security barrier to prevent piggybacking/tailgating (an unauthorized person coming through an entrance behind someone who is authorized), but they don’t really present much protection for intellectual property in this case. Egress monitoring (often referred to as “DLP” solutions) is a great way to reduce the likelihood of intellectual property leaving the owner’s control in an unexpected/unapproved manner. Likewise, strong encryption is useful in the cloud to reduce the impact of theft either from leakage to other cloud tenants or from insider threats (such as malicious admins in the employ of the cloud provider). Finally, digital watermarks aid protection of intellectual property by proving original ownership, which is essential for enforcing intellectual property rights (in the case of software design, mainly copyright protections).
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 200). Wiley. Kindle Edition.
Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. What is probably the biggest factor in her decision?
A. Network scalability
B. Off-site backup capability
C. Global accessibility
D. Reduced overall cost due to outsourcing administration
D. Reduced overall cost due to outsourcing administration
Explanation:
While all of these are traits of cloud computing and will likely benefit Alice’s company, from her position as senior manager of the organization she is likely to consider the financial benefit first and foremost.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 200). Wiley. Kindle Edition.
In which of the following situations does the data owner have to administer the OS?
A. IaaS
B. PaaS
C. Off-site archive
D. SaaS
A. IaaS
Explanation:
With infrastructure as a service (IaaS), the customer (data owner) will administer the OS and applications. In PaaS, the provider will manage the underlying hardware and the OS. In an on-premises enterprise, the data owner is also the system owner and will be responsible for everything. In an SaaS environment, the cloud provider will handle all aspects of processing, except for adding and manipulating the production data.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 200). Wiley. Kindle Edition.
You are setting up a cloud implementation for an online retailer who will accept credit card payments. According to the Payment Card Industry Data Security Standard (PCI DSS), what can you never store for any length of time?
A. Personal data of consumers
B. The credit card verification (CCV) number
C. The credit card number
D. Home address of the customer
B. The credit card verification (CCV) number
Explanation:
PCI DSS requires that the CCV (or, sometimes, “CVV” for “card verification value”) only be used in the transaction, not stored. The data described in all the other options may be stored after the transaction is complete.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 201). Wiley. Kindle Edition.
The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on ____________.
A. Number of transactions per year
B. Dollar value of transactions per year
C. Geographic location
D. Jurisdiction
A. Number of transactions per year
Explanation:
The four merchant levels in PCI are distinguished by the number of transactions that merchant conducts in a year. The dollar value of transactions per year, geographic location, and jurisdiction are not attributes that are evaluated for PCI DSS tier levels.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 201). Wiley. Kindle Edition.
What is usually considered the difference between business continuity (BC) efforts and disaster recovery (DR) efforts?
A. BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO).
B. BC is for events caused by humans (like arson or theft), whereas DR is for natural disasters.
C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.
D. BC involves protecting human assets (personnel, staff, users), whereas DR is about protecting property (assets, data).
C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.
Explanation:
Technically, BC efforts are meant to ensure that critical business functions can continue during a disruptive event, and DR efforts are supposed to support the return to normal operations. However, in practice, the efforts often coincide, use the same plans/personnel, and have many of the same procedures. Option A is incorrect; both BC and DR use the RTO and RPO as metrics to determine success. Option B is incorrect; BC and DR efforts are not specific to the cause of a disruptive event. Option D is incorrect; health and human safety should be paramount in all security efforts, with very few exceptions.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 201). Wiley. Kindle Edition.
For business continuity and disaster recovery (BC/DR) purposes, the contract between the primary cloud provider and customer should include all of the following except _______________.
A. Which party will be responsible for initiating a BC/DR response activity
B. How a BC/DR response will be initiated
C. How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service
D. How much a new cloud provider will charge the customer if data has to be ported from the current cloud provider because of a disruptive event
D. How much a new cloud provider will charge the customer if data has to be ported from the current cloud provider because of a disruptive event
Explanation:
The contract between the cloud customer and current cloud provider has no bearing on what the customer will have to pay to a new provider; that will be governed by the contract between the customer and the new provider. All the other options are topics that should be addressed in the contract between the current cloud provider and the cloud customer in order to properly address BCDR needs.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 201). Wiley. Kindle Edition.
When the cloud customer requests modifications to the current contract or service-level agreement (SLA) for business continuity/disaster recovery (BC/DR) purposes, who should absorb the cost of modification?
A. The customer absorbs the cost.
B. The provider absorbs the cost.
C. The cost should be split equally.
D. Modifications don’t cost anything.
A. The customer absorbs the cost.
Explanation:
The customer will have to pay for the costs of modification requested by the customer, regardless of purpose.
All the other options are simply incorrect, especially option D, which is never true.
The provider does not absorb the cost when the customer requests a modification of the SLA. Though an even split of the cost between customer and provider may seem fair, the customer pays for all costs associated with modifications to the SLA by the customer. Finally, customer modifications to their SLA are chargeable expenses that will almost certainly be paid for by the customer.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 201). Wiley. Kindle Edition.
Which of the following is not a factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected
D. Branding associated with which cloud provider might be selected
Explanation:
The brand associated with the cloud provider should not influence the cost–benefit analysis; the cloud provider’s brand (and even which cloud provider an organization uses) will most likely not even be known to the consumers who have a business relationship with the organization.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 201). Wiley. Kindle Edition.
Which of the following is the least important factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
A. Depreciation of IT assets
B. Shift in focus from IT dependencies to business process opportunities
C. Whether the provider bills on a monthly or weekly basis
D. Costs associated with utility consumption
C. Whether the provider bills on a monthly or weekly basis
Explanation:
The timing of recurring payments to the provider will probably not be a significant factor in the cost–benefit analysis. All the other options are topics that are more important to review when an organization is considering cloud migration.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 201). Wiley. Kindle Edition.
Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment into the cloud?
A. Number of users
B. Cost of software licensing
C. Number of applications
D. Number of clientele
B. Cost of software licensing
Explanation:
In a traditional environment, enterprise software costs can be exorbitant, and the price of licensing doesn’t even reflect the hidden costs associated with licensing, such as managing the license library. In a cloud arrangement, especially software as a service (SaaS), the customer pays only the contract fee to the cloud provider, and it is the provider’s responsibility to arrange for software licensing and to manage those licenses. Option A is incorrect because the number of users should not be affected whether the organization is operating in the cloud or a legacy environment. The exception would be the reduced number of privileged users, because the cloud provider will be handling more administrative tasks in the environment; however, because “privileged” was not specified, option B is still a better answer. Option C is incorrect because that may or may not be true of an organization’s migration to the cloud. Option D is incorrect because the organization certainly hopes it is not going to lose clientele by moving to the cloud!
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 201-202). Wiley. Kindle Edition.
Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment to the cloud?
A. Utilities costs
B. Security costs
C. Landscaping costs
D. Travel costs
A. Utilities costs
Explanation:
Cloud providers are purchasing utilities (power, water, Internet connectivity) at such a massive rate that they can realize per-unit cost savings that would far exceed any smaller organizations’ pricing for individual data centers. In this case, economies of scale are very much in favor of the larger entity. Option B may or may not be true, depending on the degree of sensitivity and value of the organization’s data and what controls the organization will request/contract for in the cloud. Options C and D are not influenced by cloud migration in any way and are wholly dependent on other factors within the organization.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 202). Wiley. Kindle Edition.
Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment to the cloud?
A. Personnel training
B. Personnel turnover
C. Capital expenses for IT assets
D. Loss due to an internal data breach
C. Capital expenses for IT assets
Explanation:
Constant reinvestment in IT assets (which are almost always obsolete by the time they’re marketed, much less by the time they’re deployed in operational environments) is plagued with sunk costs; money spent on hardware devices or software licenses is unlikely to be recovered. Avoiding expenditures for IT systems by moving to the cloud means reducing these costs considerably. Option A is incorrect; cloud migration should not affect the need for personnel training; employees will just need to be trained in a different manner. Options B and D should not be affected by cloud migration in any way; whether your organization has a high personnel turnover rate or risk from internal threat is not based on whether the IT environment is owned or leased.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 202). Wiley. Kindle Edition.
Although cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual financial benefit the organization realizes in a cloud environment?
A. Altitude of the cloud data center
B. Security controls and countermeasures
C. Loss of ownership of IT assets
D. Costs of Internet connectivity for remote users
B. Security controls and countermeasures
Explanation:
Every security process, tool, and behavior entails a related cost, both financially and operationally. Although a “base price” cloud service might appear extremely affordable compared to the traditional environment, add-ons such as encryption, digital rights management (DRM), security incident/event management (SIM/SEM/SIEM), and intrusion detection/prevention systems (IDS/IPS) may all come with additional cost and may degrade performance, thus reducing the cost savings compared to the cost of operations prior to migration. This is extremely important for the organization to consider before migration, especially if the organization exists in a highly regulated industry. Option A is incorrect because the altitude of the cloud data center does not translate into a reduction of the actual financial benefit the organization would realize in moving to the cloud environment. Option C is wrong because it should be the opposite of the actual case: losing ownership of the IT assets, and paying only for the use of those assets, should lead directly to a savings over the costs of a traditional IT environment, if compared on a seat-to-seat basis. Option D should not be true; the cost of connecting users to the Internet should not be significantly greater if the organization operates in the cloud or with an on-premises data center—if the cost is considerably greater, the organization should never have migrated in the first place.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 202). Wiley. Kindle Edition.
What is the international standard that dictates creation of an organizational information security management system (ISMS)?
A. NIST SP 800-53
B. PCI DSS
C. ISO 27001
D. NIST SP 800-37
C. ISO 27001
Explanation:
ISO 27001 mandates an ISMS; organizations can be certified according to compliance with 27001. National Institute of Standards and Technology (NIST) SP 800-53 is the list of security controls approved for use by U.S. government agencies and a means to map them to the Risk Management Framework. The Payment Card Industry Data Security Standard (PCI DSS) is the payment card industry’s framework of compliance for all entities accepting or processing credit card payments. NIST SP 800-37 is the Risk Management Framework.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
ISO 27001 favors which type of technology?
A. Open source
B. PC
C. Cloud-based
D. None
D. None
Explanation:
The ISO 27001 standard is designed to be product agnostic. The other answers suggest ISO 27001 favors a type of technology, and are therefore incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
Why might an organization choose to comply with the ISO 27001 standard?
A. Price
B. Ease of implementation
C. International acceptance
D. Speed
C. International acceptance
Explanation:
The ISO standards are almost universally accepted and recognized, and they’re even mandated for certain industries/locales.
They are not, however, cheap, fast, or easy to adopt, implement, and audit against, so all the other answers are incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
Why might an organization choose to comply with NIST SP 800-series standards?
A. Price
B. Ease of implementation
C. International acceptance
D. Speed
A. Price
Explanation:
The NIST standards are not particularly easy or fast to implement (in fact, they require continual improvement), and they are not widely recognized or mandated outside of the U.S. government federal sector. However, they are in the public domain, so an organization would not have to pay for the standards material if the organization chose to use NIST standards.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?
A. ISO 27002
B. Payment Card Industry Data Security Standard (PCI DSS)
C. NIST SP 800-37
D. Health Insurance Portability and Accountability Act (HIPAA)
A. ISO 27002
Explanation:
ISO 27002 is used for choosing security controls in order to comply with the ISMS, which is contained in ISO 27001. PCI DSS is the payment card industry’s framework of compliance for all entities accepting or processing credit card payments. NIST SP 800-37 is the Risk Management Framework. HIPAA is the U.S. law regarding patient data privacy in the medical sector.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
The American Institute of Certified Public Accountants (AICPA) currently publishes the _______________ standard, from which the Service Organization Control (SOC) reports are derived.
A. Sherwood Applied Business Security Architecture (SABSA)
B. Statement on Standards for Attestation Engagements (SSAE) 18
C. Biba
D. NIST SP 800-53
B. Statement on Standards for Attestation Engagements (SSAE) 18
Explanation:
SSAE 18 is the current AICPA audit standard, as of 2018. All the other options are distractors: SABSA is an IT architecture framework, Biba is an access control model, and NIST SP 800-53 contains guidance for selecting security controls in accordance with the Risk Management Framework.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
Which U.S. federal law affects banking and insurance companies?
A. NIST 800-53
B. HIPAA
C. Sarbanes-Oxley Act (SOX)
D. Gramm-Leach-Bliley Act (GLBA)
D. Gramm-Leach-Bliley Act (GLBA)
Explanation:
GLBA is a U.S. federal law pertaining to financial and insurance customer information. NIST 800-53 is a standard, not a law, so option A is incorrect. Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law concerning medical information, so option B is incorrect. SOX affects publicly traded corporations, making option C incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
The Statement on Standards for Attestation Engagements 18 (SSAE 18) Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). What kind of entities were SOC reports designed to audit?
A. U.S. federal government
B. Privately held companies
C. Companies that provide services
D. Nonprofit organizations
C. Companies that provide services
Explanation:
The SSAE 18 is an audit standard, and the SOC reports were specifically designed to report on the suitability of organizations that provide services. This is not to say that SOC reports are not used to assess other types of organizations—they are, but they were not designed for that purpose, so all the other answers are incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 203). Wiley. Kindle Edition.
The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you most like to see?
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
C. SOC 2, Type 2
Explanation:
The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. The SOC 1 report provides information about financial reporting mechanisms of the target only and is of little interest to the IT security professional, so option A is incorrect. The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function, so option B is incorrect. The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail, so option D is incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.
The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an investor, when reviewing SOC reports for a cloud provider, which report would you most like to see?
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
A. SOC 1
Explanation:
The SOC 1 report provides information about financial reporting mechanisms of the target only. Although this information may be of little use to the IT security professional, it may be of great use to potential investors, if for nothing other than providing some assurance that reporting is valid and believable. The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function. While of some interest to the IT security professional, this is of little interest to the investor, so option B is incorrect. The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, this is of little interest to the investor, so option C is incorrect. The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail, so option D is incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.
The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). You are an IT security professional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 18 audits and some haven’t, which SOC report might be best to use for your initial review of several different cloud providers in order to narrow down the field of potential services in a fast, easy way?
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
D. SOC 3
Explanation:
The SOC 3 report is an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.
The SOC 1 report provides information about financial reporting mechanisms of the target only. This information may be of little use to the IT security professional and won’t help you choose a cloud vendor, so option A is incorrect. The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function. While of some interest to the IT security professional, it is more comprehensive and detailed than a SOC 3 report, so it would take more time; option B is incorrect. The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, it is very detailed and comprehensive and wouldn’t be a speedy tool to narrow the field. Option C is incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.
Which of the following entities would not be covered by the Payment Card Industry Data Security Standard (PCI DSS)?
A. A bank issuing credit cards
B. A retailer accepting credit cards as payment
C. A business that processes credit card payments on behalf of a retailer
D. A company that offers credit card debt repayment counseling
D. A company that offers credit card debt repayment counseling
Explanation:
PCI DSS applies only to those entities that want to engage in the business of taking or processing credit card payments, which would include options A, B, and C. A counseling service is not engaged in commerce involving credit cards and therefore is under no obligation to adhere to the PCI DSS.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.
What sort of legal enforcement may the Payment Card Industry (PCI) Security Standards Council not bring to bear against organizations that fail to comply with the Payment Card Industry Data Security Standard (PCI DSS)?
A. Fines
B. Jail time
C. Suspension of credit card processing privileges
D. Subject to increased audit frequency and scope
B. Jail time
Explanation:
Because PCI DSS is strictly voluntary, and the PCI Council is not a government body but a consortium of private interests, they cannot detain or imprison anyone. They can, however, assess fees, suspend processing privileges, and require more auditing, so the other answers
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 204). Wiley. Kindle Edition.
The Payment Card Industry Data Security Standard (PCI DSS) merchant levels are based on _______________.
A. Dollar value of transactions over the course of a year
B. Number of transactions over the course of a year
C. Location of the merchant or processor
D. Dollar value and number of transactions over the course of a year
B. Number of transactions over the course of a year
Explanation:
The PCI merchant levels are based on how many transactions a compliant entity engages in over the course of a year. All the other options are incorrect because the dollar value of transactions and the location of the merchant or processor are not the criteria used for determining PCI DSS merchant levels. Only the number of transactions a compliant entity engages in over the course of a year is the correct criterion.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.
In terms of greatest stringency and requirements for security validation, which is the highest merchant level in the Payment Card Industry (PCI) standard?
A. 1
B. 2
C. 3
D. 4
A. 1
Explanation:
Merchant level 1 is for the merchants that engage in the most transactions per year (six million or more). It carries with it the requirement for the most comprehensive, detailed, and repeated security validation actions.
It may be tempting to choose the highest number when choosing an answer for the highest merchant level. It may be counterintuitive to think that level 1 would be a higher level than a level 4. However, level 1 is the highest merchant level and is the correct answer to this question.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.
The Payment Card Industry Data Security Standard (PCI DSS) requires _______________ security requirements for entities involved in credit card payments and processing.
A. Technical
B. Nontechnical
C. Technical and nontechnical
D.Neither technical nor nontechnical
C. Technical and nontechnical
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) requires multiple kinds of technical and nontechnical security requirements (including specific control types) for those entities that choose to subscribe to the standard. Option A is partially correct and partially incorrect: while some of the security requirements are technical, others are nontechnical. Therefore, option A is incorrect. Option B is also partially correct and partially incorrect: while some of the security requirements are nontechnical, others are technical. Therefore, option B is incorrect. Option D is incorrect because the requirements are technical and nontechnical, not neither technical nor nontechnical.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.
According to the Payment Card Industry Data Security Standard (PCI DSS), if a merchant is going to store credit cardholder information for any length of time, what type of security protection must be used?
A. Tokenization or masking
B. Obfuscation or tokenization
C. Masking or obfuscation
D. Tokenization or encryption
D. Tokenization or encryption
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) allows for cardholder information at rest to be secured with either tokenization or encryption, but use of one is mandatory. The other options are distractors and not dictated by PCI DSS. They can, however, be useful in fulfilling certain credit card support services, such as customer support, where the personnel engaged in the activity (customer support agents, for instance) may need access to a limited set of the cardholder’s account information (for instance, name, mailing address, and date of the payment) but do not have a need to know other elements of that data set (particularly, the full credit card number); masking and obfuscation can satisfy that business need without putting data unduly at risk.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.
What element of credit cardholder information may never be stored for any length of time, according to the Payment Card Industry Data Security Standard (PCI DSS)?
A. The full credit card number
B. The card verification value (CVV)
C. The cardholder’s mailing address
D. The cardholder’s full name
B. The card verification value (CVV)
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) disallows the storage of the CVV for any length of time; the CVV may only be used during the payment transaction, and not saved.
The other options may be stored by the merchant for future transactions with the same merchant; unlike the CVV, they are permitted to be retained.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.
When reviewing IT security products that have been subjected to Common Criteria certification, what does the Evaluation Assurance Level (EAL) tell you?
A. How secure the product is from an external attack
B. How thoroughly the product has been tested
C. The level of security the product delivers to an environment
D. The level of trustworthiness you can have if you deploy the product
B. How thoroughly the product has been tested
Explanation:
The EAL is a measure of how thoroughly the security features the product vendor claims the product offers have been tested and reviewed, and by whom. The EAL does not offer any true measure of how well those security features will work in a production environment, so options A and C are incorrect. Nor does it indicate whether those features are preferable to the features offered by competing products, or whether the product is “good.” Therefore, option D is incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 205). Wiley. Kindle Edition.
Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are functionally tested by their manufacturer/vendor?
A. 1
B. 3
C. 5
D. 7
A. 1
Explanation:
EAL 1 is for functionally tested products. Option B is incorrect because EAL 3 is for solutions that have been methodically tested and checked. Option C, EAL 5, is incorrect because that is for solutions that have been semi-formally designed and tested.
Option D is incorrect because EAL 7 is for solutions that have been formally verified in design and tested.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.
Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party?
A. 1
B. 3
C. 5
D. 7
D. 7
Explanation:
EAL 7 is for those products that have undergone independent third-party testing and verification of security feature design. All other options are distractors and incorrect. EAL 1 is for functionally tested products. EAL 3 is for solutions that have been methodically tested and checked. EAL 5 is for solutions that have been semi-formally designed and tested.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.
Who pays for the Common Criteria certification of an IT product?
A. National Institute of Standards and Technology (NIST)
B. The vendor/manufacturer
C. The cloud customer
D. The end user
B. The vendor/manufacturer
Explanation:
The vendor/manufacturer of a given product will pay to have it certified, with the premise that certification costs are offset by premium prices that certified products command and that customers won’t purchase uncertified products. NIST does not certify products for Common Criteria. NIST is a U.S. government organization.
Option C is incorrect because the cloud customer does not pay to have IT products certified. Option D is incorrect because the end user is an individual and individuals do not pay to have IT products certified. (Note: Of course, the manufacturer/vendor is going to amortize the cost of the certification process across the price of the products they sell, so the customers who purchase the product will eventually “pay” for the certification, but that’s a very oblique and abstract way of reading the question.)
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.
Who publishes the list of cryptographic modules validated according to the Federal Information Processing Standard (FIPS) 140-2?
A. The U.S. Office of Management and Budget (OMB)
B. The International Standards Organization (ISO)
C. International Information System Security Certification Consortium, or (ISC)2
D. The National Institute of Standards and Technology (NIST)
D. The National Institute of Standards and Technology (NIST)
Explanation:
NIST publishes the list of validated crypto modules. The other choices are government or non-government organizations that are not involved with publishing the list of cryptographic modules that meet FIPS 140-2 requirements.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.
Who performs the review process for hardware security modules (HSMs) in accordance with the Federal Information Processing Standard (FIPS) 140-2?
A. The National Institute of Standards and Technology (NIST)
B. The National Security Agency (NSA)
C. Independent (private) laboratories
D. The European Union Agency for Network and Information Security (ENISA)
C. Independent (private) laboratories
Explanation:
Vendors seeking HSM certification under FIPS 140-2 send their products to independent laboratories that have been validated as Cryptographic Module Testing Laboratories under the National Voluntary Laboratory Accreditation Program (the Accreditation Program is run by NIST, which approves the laboratories). As of this writing, 21 labs in the United States and Canada are accredited. Option A is incorrect because NIST does not perform the review process; NIST approves the independent laboratories that perform the review process. Option B is incorrect: of all the activities that the NSA does perform, reviewing hardware security modules in accordance with FIPS 140-2 is certainly not one of them. Option D is incorrect because ENISA is a European Union organization that supports European Union institutions and stakeholders.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.
In terms of the number of security functions offered, which is the highest Federal Information Processing Standard (FIPS) 140-2 security level a cryptographic module can achieve in certification?
A. 1
B. 2
C. 3
D. 4
D. 4
Explanation:
The highest security level a product can reach is 4. Option A is incorrect because Level 1 is the lowest level of security. Option B is incorrect because Level 2 simply improves upon the physical security of Level 1. Option C is incorrect because Level 3 improves upon Level 2 certification and adds tamper-detection/response capabilities.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 206). Wiley. Kindle Edition.
What distinguishes the Federal Information Processing Standard (FIPS) 140-2 security levels for cryptographic modules?
A. The level of sensitivity of data they can be used to protect
B. The amount of physical protection provided by the product, in terms of tamper resistance
C. The size of the IT environment the product can be used to protect
D. The geographic locations in which the product is allowed
B. The amount of physical protection provided by the product, in terms of tamper resistance
Explanation:
The security levels acknowledge different levels of physical protection offered by a crypto module, with 1 offering crypto functionality and no real physical protection and 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts. The question asks what distinguishes the security levels for cryptographic modules. Option A focuses on the sensitivity of the data being protected. The sensitivity of the data that is being protected is important when it comes to the cryptographic module being used, but that is not the distinction between the security levels in FIPS 140-2. Option C is incorrect because the size of the IT environment the cryptographic module is protecting is not what distinguishes the different levels. Option D is not correct because whether the cryptographic module is or is not allowed in a certain geographic location has no bearing on whether or not it works. The cryptographic module either works or it does not, regardless of its location.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.
For U.S. government agencies, what level of data sensitivity/classification may be processed by cryptographic modules certified according to the Federal Information Processing Standard (FIPS) 140-2 criteria?
A. Sensitive but unclassified (SBU)
B. Secret
C. Top Secret
D. Sensitive Compartmentalized Information (SCI)
A. Sensitive but unclassified (SBU)
Explanation:
FIPS 140-2 is only for SBU data. Options B, C, and D are incorrect because FIPS 140-2 certifies cryptographic modules for unclassified data. Secret, Top Secret, and Sensitive Compartmentalized Information are all categorized as classified information in terms of their sensitivity level.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.
Who pays for cryptographic modules to be certified in accordance with Federal Information Processing Standard (FIPS) 140-2 criteria?
A. The U.S. government
B. Module vendors
C. Certification laboratories
D. Module users
B. Module vendors
Explanation:
Vendors who want their products certified under FIPS 140-2 must pay the laboratory that performs the evaluation. Option A is incorrect because the U.S. government is not in the business of paying for cryptographic module certifications; the U.S. government can, however, require the use of certified cryptographic modules in certain situations. Certification laboratories receive funds for certifying cryptographic modules; they do not pay to have them certified. Therefore, option C is incorrect. Option D is incorrect because users do not pay to have solutions certified.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. What is probably the single most important way of countering the highest number of items on the OWASP Top Ten (regardless of year)?
A. Social engineering training
B. Disciplined coding practices and processes
C. White-box source code testing
D. Physical controls at all locations at which the application is eventually used
B. Disciplined coding practices and processes
Explanation:
Most of the items on the Top Ten could be addressed with strong coding practices and by adhering to strict internal management processes (on the part of the organization involved in development). A good number of the items that continually appear on the list, such as injection, cross-site scripting, insecure direct object references, security misconfiguration, missing function-level access control, use of components with known vulnerabilities, and unvalidated redirects and forwards, can all be addressed by basic development practices, such as bounds checking/input validation, code validation/verification protocols, and informed oversight of the project. Strangely, option A is not correct in this case. Social engineering is perhaps the aspect of information security that is least understood (by users) and easiest to exploit, and it is the attack tactic most likely to succeed. Social engineering training could probably reduce the greatest number of overall security threats in our field today. However, this specific question is all about application security, and the element of social engineering is negligible. Option C is not correct because source code testing is only one aspect of code review and would not address as many items on the Top Ten as option B would. Option D is not correct for much the same reason option A is incorrect; this question is specifically about application security, and the physical protection element is very minor.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 207). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “injection.” In most cases, what is the attacker trying to do with an injection attack?
A. Get the user to allow access for the attacker.
B. Insert malware onto the system.
C. Trick the application into running commands.
D. Penetrate the facility hosting the software.
C. Trick the application into running commands.
Explanation:
In injection attacks (a large percentage of which are called SQL injection, because of the prevalence with which attackers target databases with this attack), the attacker enters a string of command code into a user-facing field in an attempt to get the application to run the command. This results in a process that the attacker can leverage, or it puts the software into a fail state that might negate some of the security controls present in normal operation. Option A is incorrect; this is a description of social engineering. Option B is incorrect; SQL injection does not typically involve malware. Option D is incorrect; an attack that allows someone to penetrate a facility is a physical attack, and the attacker would have to be physically present at the facility itself.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “injection.” In most cases, what is the method for reducing the risk of an injection attack?
A. User training
B. Hardening the OS
C. Input validation/bounds checking
D. Physical locks
C. Input validation/bounds checking
Explanation:
Attackers attempting injection put command code into a data entry field; if the application has suitable input validation (that is, refusing code strings and confirming that input conforms to field value types), it will block those attacks. Injection attacks target applications, not users, so user training has little to do with preventing injection, making option A incorrect. The OS usually has little to do with injection attacks, which usually target user-facing web apps that ride on the OS, so option B is not correct. Injection attacks are logical, not physical, so locks won’t aid the security effort in this case, making option D incorrect.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is a good method for reducing the risk of broken authentication and session management?
A. Do not use custom authentication schemes.
B. Implement widespread training programs.
C. Ensure that strong input validation is in place.
D. Use X.400 protocol standards.
A. Do not use custom authentication schemes.
Explanation:
This answer requires a bit of thought and knowledge of common practices. Throughout the IT industry, many developers attempt to design and implement their own authentication schema. According to OWASP, this approach is almost always a bad idea because of the many vulnerabilities such custom schemes may fail to address. Using approved, tested authentication implementations is a way to avoid this problem. Authentication schema should be transparent to users, who will have little or (preferably) no control over that element of communication. Thus, training is not applicable in this case, making option B wrong. Input validation is used to counter injection attacks and has no efficacy in authentication implementations, making option C incorrect. The X.400 standards are for email communication and are not applicable to session authentication; thus, option D is wrong.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?
A. Session identification exposed in URLs
B. Unprotected stored credentials
C. Lack of session timeout
D. Failure to follow Health Insurance Portability and Accountability Act (HIPAA) guidance
D. Failure to follow Health Insurance Portability and Accountability Act (HIPAA) guidance
Explanation:
HIPAA is the U.S. federal law governing medical information; it has nothing to do with authentication or session management. Failure to follow HIPAA leads to regulatory noncompliance (for those covered by it).
All the other options are practices that can enhance an attacker’s ability to compromise authentication implementations and sessions.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?
A. Failure to rotate session IDs after a successful login
B. Easily guessed authentication credentials
C. Weak physical entry points in the data center
D. Credentials sent over unencrypted lines
C. Weak physical entry points in the data center
Explanation:
As breaking authentication and session management is a logical attack, a lack of physical controls doesn’t affect such attacks. All the other options are practices that can enhance an attacker’s ability to compromise authentication implementations and sessions.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 208). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “cross-site scripting (XSS).” Which of the following is not a method for reducing the risk of XSS attacks?
A. Put untrusted data in only allowed slots of HTML documents.
B. HTML escape when including untrusted data in any HTML elements.
C. Use the attribute escape when including untrusted data in attribute elements.
D. Encrypt all HTML documents.
D. Encrypt all HTML documents.
Explanation:
In many cases, HTML documents are meant to be seen by the public or new users who do not yet have trust associations (accounts) with the organization, so encrypting every HTML document would be counter to the purpose. Moreover, total encryption of everything, even material that is not particularly sensitive or valuable, incurs an additional cost with no appreciable benefit. The other options are all actions that OWASP recommends for reducing the risk of XSS attacks: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “cross-site scripting (XSS).” Which of the following is not a method for reducing the risk of XSS attacks?
A. Use an auto-escaping template system.
B. Use XML escape for all identity assertions.
C. Sanitize HTML markup with a library designed for the purpose.
D. HTML escape JSON values in an HTML context and read the data with JSON.parse.
B. Use XML escape for all identity assertions.
Explanation:
Option B is incorrect because the answer narrows the risk to only the identity assertions and does not address XSS attack risks. All the other options are actions recommended by OWASP for reducing XSS attack risks. This question is particularly difficult as it delves into a level of detail that may or may not appear on the actual exam; however, all source documents listed in the Candidate Information Bulletin, including the OWASP Top Ten, are fair game for the test, so it is best to have at least an understanding of these sources.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “insecure direct object references.” Which of these is an example of an insecure direct object reference?
A. www.sybex.com/authoraccounts/benmalisow
B. 10 ? “sybex accounts”; 20 goto 10
C. mysql -u [bmalisow] -p [database1];
D. bmalisow@sybex.com
A. www.sybex.com/authoraccounts/benmalisow
Explanation:
The URL in option A reveals a location of specific data as well as the format for potential other data (such as other authors’ pages/accounts); this is a classic example of an insecure direct object reference. Option B is a DoS program string; C is a SQL database command line (which wouldn’t reveal any information on its own; it would prompt for a password); and option D is just an email address.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “insecure direct object references.” Which of these is a method to counter the risks of insecure direct object references?
A. Perform user security training.
B. Check access each time a direct object reference is called by an untrusted source.
C. Install high-luminosity interior lighting throughout the facility.
D. Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity.
B. Check access each time a direct object reference is called by an untrusted source.
Explanation:
Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object. Option A will not aid in insecure direct object risks; this is not a user issue, usually, but a programming issue. Option C is for physical security, while insecure direct object references are logical attacks. Option D does not reduce the risk of insecure direct object references because classification and categorization are not protections themselves but need to be paired with proper control sets in order to provide protection.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is an example of a security misconfiguration?
A. Not providing encryption keys to untrusted users
B. Having a public-facing website
C. Leaving default accounts unchanged
D. Using turnstiles instead of mantraps
C. Leaving default accounts unchanged
Explanation:
Default accounts are a continual security problem in the InfoSec space, and one that is relatively easy to address. Any new systems should be checked for default accounts, which should be stripped out before deployment. Untrusted users should not have encryption keys, so this is not a misconfiguration; therefore, option A is incorrect. A public-facing website can be extremely useful for marketing purposes and is not necessarily a security issue in and of itself, so option B is incorrect. Option D might or might not be true; both turnstiles and mantraps are physical security controls, and we can’t be sure whether one or the other is preferable in any given situation, so we don’t know if this is a misconfiguration or a proper configuration. Option C is therefore preferable.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 209). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is an example of a security misconfiguration?
A. Having unpatched software in the production environment
B. Leaving unprotected portable media in the workplace
C. Letting data owners determine the classifications/categorizations of their data
D. Preventing users from accessing untrusted networks
A. Having unpatched software in the production environment
Explanation:
Any software with out-of-date builds can be considered misconfigured. Option B is bad security practice but not considered a misconfiguration. Data owners are supposed to classify/categorize the data under their control, so option C is not a correct answer. Preventing users from reaching untrusted resources may be a proper control in a given environment, so option D is not a misconfiguration, and not a correct answer.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?
A. Enforce strong user access control processes.
B. Have a repeatable hardening process for all systems/software.
C. Use encryption for all remote access.
D. Use encryption for all stored data.
B. Have a repeatable hardening process for all systems/software.
Explanation:
This question requires some thought. All the options are examples of good security practices and could therefore arguably be ways to reduce misconfiguration risks. However, option B is the best answer for this specific question: a repeatable process for hardening systems/software directly addresses misconfiguration, because it both corrects other bad practices and is itself a good practice.
Malisow, Ben. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 210). Wiley. Kindle Edition.