Chapter 5 All In One Flashcards
What is the most commonly overlooked but essential component to a comprehensive logging and monitoring strategy?
A. Capturing login failures
B. External log storage
C. Reviewing logs
D. Collecting administrative privilege elevation events
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (pp. 214-215). McGraw Hill LLC. Kindle Edition.
B. External log storage
Explanation:
While many systems collect logs and store them locally, without a strategy and process in place to collect the logs externally, the system and auditing remain vulnerable to tampering or deletion of logs from a compromised system.
What are the two components to a federated identity system?
A. Service provider and relying party
B. LDAP and web server
C. Identity provider and relying party
D. Identity provider and password store
C. Identity provider and relying party
Explanation:
The identity provider and relying party are the two components of a federated identity system, with the identity provider handling authentication and providing information about the user, and the relying party accepting the authentication token and then granting access to some or all parts of an application. The other answers offer various components that are likely included with the implementation of the identity provider or relying party.
Which of the following security devices would enable a system to filter out attacks such as SQL injection before they reach the application servers?
A. Firewall
B. XML accelerator
C. Sandbox
D. WAF
D. WAF
Explanation:
A WAF (web application firewall) sits in front of an application and has the capability to analyze and apply policies to incoming traffic and transactions based on their content. A very common use for a WAF is to detect and block common security threats such as injection attacks or cross-site scripting attacks. A firewall is used to deny or allow network traffic based solely on the source, destination, and port of the packets; it does not perform analysis of the packets or have the ability to inspect the packets for content. An XML accelerator performs XML processing before the data reaches an application server to offload the processing from the actual application. A sandbox is merely a segregated and isolated system configuration and does not relate to network traffic or an analysis of it at all.
Which type of testing would not be performed against an application that does not contain self-protection capabilities?
A. RASP
B. Pen
C. SAST
D. DAST
A. RASP
Explanation:
Runtime application self-protection (RASP) would only be performed against systems that contain self-protection capabilities. These systems have the ability to tune and refocus their security protections and controls based on the actual attacks and methods being used against them in real time. Pen (penetration) testing, static application security testing (SAST), and dynamic application security testing (DAST) are all tests that can be performed against any application and do not pertain to self-protection capabilities at all.
Which of the following could not be used in a multifactor authentication system along with a password?
A. RSA token
B. Retina scan
C. Challenge-response with personal questions
D. Fingerprint
C. Challenge-response with personal questions
Explanation:
A personal challenge-response falls under the same category as a password, which is something the user knows, so it could not be used as part of a multifactor authentication system if the password was the other factor. The RSA token could be used along with a password, as it constitutes something that is in possession of the user rather than something known. A retina scan or fingerprint also could be used, as each constitutes biometric data.
Which of the following would be the most important reason to have the development and production systems in the same cloud environment?
A. APIs
B. Operating systems
C. Programming libraries
D. Programming languages
A. APIs
Explanation:
APIs can differ greatly between cloud providers and, depending on how the applications are built or implemented, may make it difficult to seamlessly move from one environment to another. Also, unless there is a specific reason not to use the same cloud environment for development and production, separating them out only adds complexity and potential problems. The other choices—operating systems, programming libraries, and programming languages—are all universal toolsets that would easily be available from different cloud providers as well.
Which is the most commonly used assertion method with federated identity systems?
A. OAuth
B. SAML
C. OpenID
D. WS
B. SAML
Explanation:
SAML is the most commonly and widely used method for assertions within federated identity systems. WS is another protocol that was developed by a group of companies for use within their own projects, but it is not as widely or openly used as SAML. OpenID and OAuth are two single sign-on methods used with federated identity systems, but they are not as widely used within federated systems as SAML.
Which of the following is not part of the OWASP Top Ten list?
A. Cryptographic failures
B. Weak password requirements
C. Vulnerable and outdated components
D. Server-side request forgery
B. Weak password requirements
Explanation:
The OWASP Top Ten list does not include weak password requirements. There is not a specific item in regard to password policies or requirements, but it would fall under some of the other topics as a mitigating factor for general security policies. The other choices—cryptographic failures, vulnerable and outdated components, and server-side request forgery—are specific threats listed.
With a single sign-on system, what is passed between systems to verify the user’s authentication?
A. Tokens
B. Masks
C. Certificates
D. Credentials
A. Tokens
Explanation:
Tokens are passed between systems, which enables the relying parties or service providers to verify back to the identity provider that a user has authenticated as well as to obtain encoded information about the user to determine specific authorizations and roles within the application. Credentials are never passed with a federated system, as they are passed solely between the user and the identity provider, with only the tokens being used after that. Certificates are used for the encrypted connections in general but are not passed as part of the primary functions of the system, and masks do not come into play at all with a federated identity system.
Which of the following is the only data format supported by SOAP?
A. YAML
B. SAML
C. JSON
D. XML
D. XML
Explanation:
SOAP only supports XML for data transfer and encoding. SAML is used within federated identity systems, while JSON is used for data exchange between applications, but not as part of SOAP. YAML is a data-encoding protocol for use with scripting languages such as Perl and Python.
If you are running application security tests against a system where you have knowledge and access to the code, which type of test are you running?
A. Dynamic
B. Static
C. Hybrid
D. Open
B. Static
Explanation:
Static tests are done with knowledge of the system and security configurations, typically with the source code as well. This enables testers to perform on an offline system comprehensive analyses (such as scans of source code and evaluation of the coding and security mechanisms in place) that would not be possible from external tests without such knowledge. Tests can be directed to the specific protocols and technologies used, rather than applying general tests or having to discover what is being used. On the other end of the spectrum, dynamic testing is done without knowledge of the systems or code, and the testers must use tools and methods to discover anything about the environment to use with security evaluations. Open and hybrid are not terms that apply here at all.
If you need to determine whether software being used by your organization contains any code from open source repositories, which type of testing would you utilize?
A. Dynamic
B. SCA
C. White box
D. Static
B. SCA
Explanation:
SCA testing is used to scan code and determine if any open source repositories were used within it. This is crucial for both security scanning and license compliance. The other types of testing do not include scanning for open source code.
Who would not be included for the initial requirements gathering for a software development project?
A. Management
B. Users
C. Developers
D. Security
C. Developers
Explanation:
Developers would not be part of requirements gathering, as their role does not begin until the project and scope are defined and ready for them to translate the design requirements and technology decisions into executable code. Management, users, and security staffers are crucial to design decisions and project requirements at all stages.