(ISC)² Certified Cloud Security Professional Exam 1 (CCSP) Practice (Aris Athanasiou) Flashcards
A medium-sized software house is going through the risk management process to ascertain threats to its flagship product, an enterprise-level ERP system. According to the statistics, the average number of significant vulnerabilities discovered in their product is five per year, with each vulnerability costing the company about $50,000 in terms of reputation and $50,000 in additional development effort required to patch the system. Which of the following controls would be the best option for the company?
A. Hire specialized testing consultants for $250,000 per year, which will reduce the average number of significant vulnerabilities to 3 per year
B. Accept the risk since all the identified potential responses would cost more
C. Hire an insurance company for $550,000 per year which will fully cover any associated cost with disclosed vulnerabilities
D. Hire public relations consultants to help with the company reputation for $300,000 per year which would reduce the impact of the company’s reputation to $30,000 per security vulnerability
B. Accept the risk since all the identified potential responses would cost more
Explanation:
Analysing the annualised cost (control cost plus residual loss) of each option:
Current annualised loss (accept the risk): 5 x ($50,000 + $50,000) = $500,000
A. Testing consultants: $250,000 + 3 x ($50,000 + $50,000) = $550,000
C. Insurance: $550,000 (the loss is transferred, but the premium alone exceeds the expected loss)
D. PR consultants: $300,000 + 5 x ($30,000 + $50,000) = $700,000
Every identified response costs more per year than the $500,000 expected loss it is meant to reduce, so none of them gives a positive return on investment. Hence the best approach in this instance is to accept the risk.
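The same comparison carried out as an annualised loss expectancy (ALE = ARO x SLE) calculation over all four options. This is an added example, not part of the original flashcards; the figures are the ones stated in the question, and the `Scenario` class, its field names and the option labels are my own.

```python
"""Annualised loss expectancy (ALE) comparison of the four risk responses.
Added example, not part of the original flashcards; figures are those stated
in the question, the class and option labels are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk response: what it costs per year and the exposure it leaves."""
    name: str
    control_cost: float        # annual cost of the control (0 when accepting)
    aro: float                 # annualised rate of occurrence (vulns per year)
    reputation_sle: float      # single-loss expectancy, reputation component
    patch_sle: float           # single-loss expectancy, remediation component
    covered: bool = False      # True when a transfer (insurance) absorbs the loss

    @property
    def residual_ale(self) -> float:
        """ALE = ARO x SLE on whatever the control leaves uncovered."""
        if self.covered:
            return 0.0
        return self.aro * (self.reputation_sle + self.patch_sle)

    @property
    def total_annual_cost(self) -> float:
        return self.control_cost + self.residual_ale


BASELINE = Scenario("B. Accept the risk", 0, 5, 50_000, 50_000)
OPTIONS = [
    Scenario("A. Testing consultants", 250_000, 3, 50_000, 50_000),
    BASELINE,
    Scenario("C. Insurance", 550_000, 5, 50_000, 50_000, covered=True),
    Scenario("D. PR consultants", 300_000, 5, 30_000, 50_000),
]


def cheapest(options):
    """Return the option with the lowest total annual cost."""
    return min(options, key=lambda s: s.total_annual_cost)


def control_is_justified(option, baseline):
    """A control is worth buying only if the expected annual loss it removes
    exceeds what it costs (positive return on security investment)."""
    saving = baseline.residual_ale - option.residual_ale
    return saving > option.control_cost


if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.name:<25} control ${opt.control_cost:>9,.0f}  "
              f"residual ALE ${opt.residual_ale:>9,.0f}  "
              f"total ${opt.total_annual_cost:>9,.0f}")
    print("Best option:", cheapest(OPTIONS).name)
```

Changing any single figure (for example a cheaper insurance premium, or consultants who bring the count down to two per year) flips the outcome, which is the point of doing the arithmetic rather than picking by intuition.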
Which of the following has been discontinued?
A. EU Data Retention Directive
B. HIPAA
C. Privacy Shield
D. Sarbanes Oxley Act
A. EU Data Retention Directive
Explanation:
On 8 April 2014, in the landmark Digital Rights Ireland judgment, the Court of Justice of the European Union declared Directive 2006/24/EC (the Data Retention Directive) invalid for violating fundamental rights. The Council's Legal Service was reported to have stated in closed session that paragraph 59 of the ruling "suggests that general and blanket data retention is no longer possible". Note that the EU-US Privacy Shield (option C) was itself invalidated by the same court on 16 July 2020 in Schrems II; this card predates that ruling and expects A.
Which cloud service model allows customers to directly transfer the majority of existing governance and risk management processes?
A. PaaS
B. SaaS
C. IDaaS
D. IaaS
D. IaaS
Explanation:
IaaS provides more flexibility and options compared to PaaS and SaaS, which are quite limited. Customers retain control of the operating system and everything above it, so they can carry over most of their existing governance and risk management processes largely unchanged. Thus IaaS is the BEST answer.
Which of the following is not related to risk management?
A. ISO 31000:2009
B. ISO GUIDE 73:2009
C. NIST SP 800-37
D. ENISA
D. ENISA
Explanation:
European Union Agency for Network and Information Security (ENISA, renamed the European Union Agency for Cybersecurity in 2019): an EU agency dedicated to preventing and addressing network and information security problems. It is an organisation, not a risk management standard or framework.
NIST SP 800-37: Risk Management Framework for Information Systems and Organizations
ISO 31000:2009: Risk management — Principles and guidelines
ISO GUIDE 73:2009: Provides the definitions of generic terms related to risk management
What is the full name of the Uptime Institute’s Data Center Site Infrastructure for a Tier II data center?
A. Concurrently Maintainable Site Infrastructure
B. Parallel Site Infrastructure
C. Basic Site Infrastructure
D. Redundant Site Infrastructure Capacity Components
D. Redundant Site Infrastructure Capacity Components
Explanation:
Uptime Institute’s Data Center Site Infrastructure Tier Standard:
Tier I: Basic Site Infrastructure
Tier II: Redundant Site Infrastructure Capacity Components
Tier III: Concurrently Maintainable Site Infrastructure
Tier IV: Fault-Tolerant Site Infrastructure
What would be the most effective control for the root account of the cloud tenant?
A. MFA
B. Password & security questions
C. Password & Retina Scan
D. Split Knowledge and Dual Control
D. Split Knowledge and Dual Control
Explanation:
A combination of password and security questions provides only a single factor of authentication (both are something you know). MFA, and a combination of password and biometrics (retina scan), provide multi-factor authentication. However, split knowledge and dual control are considered more secure for a root account, as they require the collusion of at least two individuals to gain access to the asset; no single person can use it alone.
Which of the following concepts allows a limit to adjust to current circumstances without the actual limit value changing?
A. Adapting
B. Scaling
C. Borrowing
D. Loaning
C. Borrowing
Explanation:
A limit creates a maximum ceiling for resource allocation. This ceiling may be fixed or expandable, allowing for the acquisition of more compute resources through a “borrowing” scheme from the root resource provider.
Which cloud deployment model can enhance portability?
A. Private
B. Hybrid
C. Commodity
D. Public
B. Hybrid
Explanation:
The hybrid cloud architecture refers to a cloud environment made up of a mixture of on-premises resources combined with cloud resources, with some kind of orchestration between them. Integrating the two environments typically requires the cloud tenant to use open standards and non-proprietary technologies. Hence the tenant's workloads are more likely to be easily portable.
Which of the following is not typically found in a service level agreement?
A. Performance
B. Availability
C. Logging and Reporting
D. Alert Frequency
D. Alert Frequency
Explanation:
Alert frequency is not included in SLAs as it depends on uncontrollable factors such as frequency of attacks, malware outbreaks, disclosed vulnerabilities, and tuning of the detection systems.
STRIDE is a model of threats developed by Microsoft for identifying computer security threats. Which of the following is not an element of STRIDE?
A. Unauthorized Alterations
B. Masquerading
C. Malicious Insiders
D. Loss of Availability
C. Malicious Insiders
Explanation:
STRIDE stands for:
Spoofing (masquerading, option B)
Tampering (unauthorized alterations, option A)
Repudiation
Information disclosure
Denial of Service (loss of availability, option D)
Elevation of Privilege
A malicious insider is a threat actor, not one of the STRIDE threat categories.
In which cloud service model is a negotiated contract the most critical?
A. DaaS
B. SaaS
C. IaaS
D. PaaS
B. SaaS
Explanation:
SaaS by definition provides less control for the customer compared to IaaS and PaaS. In addition, the risk of vendor lock-in is higher as SaaS applications are more difficult to migrate away from as that would typically impact business processes. Hence, when procuring a SaaS application, contract negotiation is of paramount importance.
Which of the following combinations of temperature and humidity levels would be considered optimal for a data center according to the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)?
A. 30 degrees C and 65% relative humidity
B. 25 degrees C and 65% relative humidity
C. 25 degrees C and 45% relative humidity
D. 30 degrees C and 45% relative humidity
C. 25 degrees C and 45% relative humidity
Explanation:
According to ASHRAE the recommended operating range for temperature and humidity is:
Temperature: 18°C (64.4°F) to 27°C (80.6°F)
Humidity: from 40% relative humidity and a 5.5°C (41.9°F) dew point to 60% relative humidity and a 15°C (59.9°F) dew point
Only option C (25°C, 45% RH) falls inside both ranges; 30°C exceeds the temperature ceiling and 65% RH exceeds the humidity ceiling.
What are the (CSA) data lifecycle stages in order?
A. Create, Store, Use, Share, Archive, Delete
B. Create, Save, Use, Share, Archive, Destroy
C. Create, Save, Use, Share, Archive, Delete
D. Create, Store, Use, Share, Archive, Destroy
D. Create, Store, Use, Share, Archive, Destroy
Explanation:
The correct order of CSA's data lifecycle stages is:
Create
Store
Use
Share
Archive
Destroy
What can affect the cost benefits of economies of scale derived from cloud migration?
A. Lack of cloud development skills in the organization
B. Risk Increase
C. Contract Negotiations
D. Loss of Governance
C. Contract Negotiations
Explanation:
Negotiating a tailored contract with a cloud provider can significantly increase the cost of the cloud service, eroding the economies of scale that come from consuming the provider's standardised offering.
Which cloud storage architecture manages the data in caches of copied content close to locations of high demand?
A. Volume Storage
B. Object Storage
C. Content Delivery Network (CDN)
D. In-memory Store
C. Content Delivery Network (CDN)
Explanation:
A content delivery network (CDN) is a system of distributed servers that deliver (web) content to a user, based on their geographic locations, the origin of the webpage, and the content delivery server.
What is a consideration in network monitoring when moving to the cloud?
A. Containers don't have IP addresses, which makes logging events more ambiguous
B. NTP services might not be available in a cloud environment
C. Assets are less likely to exist at static IP addresses
D. SIEM services might not be available in a cloud environment
C. Assets are less likely to exist at static IP addresses
Explanation:
The dynamic nature of a cloud environment typically means that assets are unlikely to keep fixed IP addresses: instances are created and destroyed, and addresses are recycled between tenants and workloads. Monitoring and log correlation should therefore key on asset identity (instance ID, hostname, tags) rather than on IP address. The other options are not true: containers do have IP addresses, and both NTP and SIEM services are available in cloud environments.
Live migration is the transferring of the operation of one virtual instance to another physical machine in a way that is transparent to the user. What is one of the risks of virtual machine live migration?
A. Virtual Machines are live-migrated in clear
B. Unsuccessful migration can cause data loss
C. Migration time is inversely proportional to the VM size
D. Frequently migrating virtual machines can reduce the lifetime of the underlying hard disks
A. Virtual Machines are live-migrated in clear
Explanation:
Virtual machines are typically live-migrated in the clear: their memory and execution state are transferred over the network without encryption, which increases the risk of data leaking if the migration network can be observed. Migration traffic should be confined to a dedicated, isolated network or encrypted where the hypervisor supports it.
When setting up resource sharing within a host cluster, which option would you choose to mediate resource contention?
A. Limits
B. Shares
C. Reservations
D. Clusters
B. Shares
Explanation:
Resource contention means that there are more requests for a resource than the amount actually available in the system.
Shares mediate that contention: after each cluster member's reservation has been granted, the remaining available resources are divided among the members in proportion to their shares, a prioritised, percentage-based allocation mechanism, with limits capping how much any member can receive.
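A small allocator showing how reservations, shares and limits (the "ceiling" from the earlier limits question) interact under contention. This is an added example, not part of the original flashcards or of any hypervisor vendor's code; the `Member` class, the three cluster members and their numbers are constructed for illustration (units are arbitrary, think MHz of CPU).

```python
"""Reservation / limit / share allocation for a host cluster under contention.
Added example, not from the original flashcards or any vendor; the cluster
members and numbers are constructed for illustration."""

from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Member:
    name: str
    reservation: int   # guaranteed minimum, granted before anything else
    limit: int         # hard ceiling the member may never exceed
    shares: int        # relative priority when contending for the remainder


def admissible(capacity: int, members: list) -> bool:
    """Admission control: the reservations must fit into the capacity."""
    return sum(m.reservation for m in members) <= capacity


def allocate(capacity: int, members: list) -> dict:
    """Allocate `capacity` across `members` and return {name: amount}.

    1. Refuse the whole placement if the reservations cannot be honoured.
    2. Grant every reservation in full.
    3. Split what is left in proportion to shares. A member that would
       exceed its limit is capped there and drops out; the headroom it
       could not use is re-split among the members still below their
       limits (water-filling). Exact rational arithmetic avoids rounding loss.
    """
    if not admissible(capacity, members):
        raise ValueError("reservations exceed capacity; refuse admission")
    alloc = {m.name: Fraction(m.reservation) for m in members}
    remaining = Fraction(capacity - sum(m.reservation for m in members))
    eligible = [m for m in members if alloc[m.name] < m.limit]
    while remaining > 0 and eligible:
        total_shares = sum(m.shares for m in eligible)
        if total_shares == 0:
            break                      # nobody is entitled to the remainder
        handed_out = Fraction(0)
        still_eligible = []
        for m in eligible:
            entitlement = remaining * m.shares / total_shares
            grant = min(entitlement, m.limit - alloc[m.name])
            alloc[m.name] += grant
            handed_out += grant
            if alloc[m.name] < m.limit:
                still_eligible.append(m)
        remaining -= handed_out
        eligible = still_eligible
    return {name: float(v) for name, v in alloc.items()}


# Constructed sample cluster: "web" is high priority but capped at 4000,
# "db" and "batch" are effectively uncapped and of equal priority.
CLUSTER = [
    Member("web",   reservation=2000, limit=4000,  shares=2000),
    Member("db",    reservation=3000, limit=12000, shares=1000),
    Member("batch", reservation=0,    limit=12000, shares=1000),
]


if __name__ == "__main__":
    for name, amount in allocate(12000, CLUSTER).items():
        print(f"{name:<6} {amount:8.0f}")
```

With 12000 units of capacity, reservations take 5000; of the remaining 7000, "web" is entitled to half by shares but is capped by its limit at 4000 total, and the 1500 it could not take is re-split between "db" and "batch". Drop the capacity to 4000 and the placement is refused outright, because a reservation that cannot be honoured should never be admitted.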
Which step in the risk management process establishes a risk context?
A. Assess
B. Frame
C. Identify
D. Evaluate
B. Frame
Explanation:
Framing risk is the step that sets the environment in which risk-based decisions are made, known as the risk context.
Which of the following is not included in an X.509 certificate?
A. Certificate Signature Algorithm
B. Serial Number
C. Certification Authority Private Key
D. Issuer Name
C. Certification Authority Private Key
Explanation:
Public Key Infrastructure (PKI) relies on the secrecy of the certification authority's private key, which is of course never included in the certificates it issues. A certificate carries the subject's public key, the issuer name, the serial number, the validity period and the signature algorithm, together with the CA's signature over those fields; the private key is used only to produce that signature.
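To make the point concrete, the following added example (not part of the original flashcards) uses the third-party `cryptography` package to build a throwaway self-signed CA certificate in memory, reads back the fields the options refer to, and checks that the CA's private scalar appears nowhere in the DER encoding while the public key still verifies the signature. The CA name and validity period are constructed.

```python
"""What is (and is not) inside an X.509 certificate. Added example, not part
of the original flashcards; requires the `cryptography` package. The CA name
and validity window are constructed for illustration."""

import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_self_signed_ca():
    """Generate a P-256 key and a self-signed CA certificate (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                       # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def certificate_fields(cert):
    """The fields the flashcard options refer to, read back from the cert."""
    return {
        "serial_number": cert.serial_number,
        "issuer_name": cert.issuer.rfc4514_string(),
        "signature_algorithm": cert.signature_algorithm_oid.dotted_string,
        "signature_hash": cert.signature_hash_algorithm.name,
        "public_key_present": cert.public_key() is not None,
    }


def private_key_leaked(key, cert):
    """True if the CA's private scalar appears in the DER-encoded certificate."""
    d = key.private_numbers().private_value
    secret = d.to_bytes((d.bit_length() + 7) // 8, "big")
    der = cert.public_bytes(serialization.Encoding.DER)
    return secret in der


def signature_verifies(cert):
    """The public key inside the certificate verifies the self-signature,
    proving it was produced by the matching private key without that key
    ever being present in the certificate."""
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except Exception:
        return False


if __name__ == "__main__":
    key, cert = make_self_signed_ca()
    for k, v in certificate_fields(cert).items():
        print(f"{k:<22} {v}")
    print("private key in cert:", private_key_leaked(key, cert))
    print("self-signature valid:", signature_verifies(cert))
```

The byte-search in `private_key_leaked` is a deliberately blunt check; the real guarantee is structural, since the X.509 `TBSCertificate` has no field in which a private key could be encoded.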