(ISC)² Certified Cloud Security Professional Exam 1 (CCSP) Practice (Aris Athanasiou)

Question 1

A medium-sized software house is going through the risk management process to ascertain threats to its flagship product, an enterprise-level ERP system. According to the statistics, the average number of significant vulnerabilities discovered in their product is five per year, with each vulnerability costing the company about $50.000 in terms of reputation and $50.000 additional development efforts required to patch the system. Which of the following controls would be the best option for the company?

A. Hire specialized testing consultations for $250,000 per year which will reduce the average number of significant vulnerabilities to 3 per year
B. Accept the risk since all the identified potential responses would cost more
C. Hire an insurance company for $550,000 per year which will fully cover any associated cost with disclosed vulnerabilities
D. Hire public relations consultants to help with the company reputation for $300,000 per year which would reduce the impact of the company’s reputation to $30,000 per security vulnerability

Answer 1

B. Accept the risk since all the identified potential responses would cost more

Explanation:
Analysing the costs and residual risk:

Initial risk: 5 x ($50,000 + $50,000) = $500,000

Insurance company approach: $550,000

Testing consultants approach: $300,00 + 5 x ($30,000 + $50,000) = $700,000

Hence the best approach in this instance is to accept the risk since all the identified potential risk responses would cost more

Question 2

Which of the following has been discontinued?

A. EU Data Retention Directive
B. HIPAA
C. Privacy Shield
D. Sarbanes Oxley Act

Answer 2

A. EU Data Retention Directive

Explanation:
On 8 April 2014, in the landmark Digital Rights Ireland, the Court of Justice of the European Union declared the Directive 2006/24/EC invalid for violating fundamental rights. The Council’s Legal Services have been reported to have stated in closed session that paragraph 59 of the European Court of Justice’s ruling “suggests that general and blanket data retention is no longer possible”

Question 3

Which cloud service model allows customers to directly transfer the majority of existing governance and risk management processes?

A. PaaS
B. SaaS
C. IDaaS
D. IaaS

Answer 3

D. IaaS

Explanation:
IaaS provides more flexibility and options compared to PaaS and SaaS which are quite limited. Customers have more control and can transfer most of their existing governance and risk management. Thus IaaS is the BEST answer.

Question 4

Which of the following is not related to risk management?

A, ISO 31000:2009
B. ISO GUIDE 73:2009
C. NIST SP 800-37
D. ENISA

Answer 4

D. ENISA

Explanation:
European Union Agency for Network and Information Security (ENISA): is an agency dedicated to preventing and addressing network security and information security problems. It is not a risk management framework.

NIST SP 800-37: Risk Management Framework for Information Systems and Organizations

ISO 31000:2009: Risk management — Principles and guidelines

ISO GUIDE 73:2009: Provides the definitions of generic terms related to risk management

Question 5

What is the full name of the Uptime Institute’s Data Center Site Infrastructure for a Tier II data center?

A. Concurrently Maintainable Site Infrastructure
B. Parallel Site Infrastructure
C. Basic Site Infrastructure
D. Redundant Site Infrastructure Capacity Components

Answer 5

D. Redundant Site Infrastructure Capacity Components

Explanation:
Uptime Institute’s Data Center Site Infrastructure Tier Standard:

Tier I: Basic Site Infrastructure

Tier II: Redundant Site Infrastructure Capacity Components

Tier III: Concurrently Maintainable Site Infrastructure

Tier IV: Fault-Tolerant Site Infrastructure

Question 6

What would be the most effective control for the root account of the cloud tenant?

A. MFA
B. Password & security questions
C. Password & Retina Scan
D. Split Knowledge and Dual Control

Answer 6

D. Split Knowledge and Dual Control

Explanation:
A combination of password and security questions provides only a single factor of authentication. A combination of password and biometrics (retina scan) provides multi-factor authentication. However, a split knowledge or dual control is considered more secure; as it forces the collusion of at least two or more individuals to gain access to an asset.

Question 7

Which of the following concepts included allowing a limit to adjust to current circumstances, without the actual limit value changing?

A. Adapting
B. Scaling
C. Borrowing
D. Loaning

Answer 7

C. Borrowing

Explanation:
A limit creates a maximum ceiling for resource allocation. This ceiling may be fixed or expandable, allowing for the acquisition of more compute resources through a “borrowing” scheme from the root resource provider.

Question 8

Which cloud deployment model can enhance portability?

A. Private
B. Hybrid
C. Commodity
D. Public

Answer 8

B. Hybrid

Explanation:
The hybrid cloud architecture refers to a cloud environment made up of a mixture of on-premises resources combined with cloud resources that use some kind of orchestration between them. The integration between the 2 environments implies that the cloud tenant is using open standards, non-proprietary technologies. Hence the cloud tenant is more likely to be easily portable.

Question 9

Which of the following is not typically found in a service level agreement?

A. Performance
B. Availability
C. Logging and Reporting
D. Alert Frequency

Answer 9

D. Alert Frequency

Explanation:
Alert frequency is not included in SLAs as it depends on uncontrollable factors such as frequency of attacks, malware outbreaks, disclosed vulnerabilities, and tuning of the detection systems.

Question 10

STRIDE is a model of threats developed by Microsoft for identifying computer security threats. Which of the following is not an element of STRIDE?

A. Unauthorized Alterations
B. Masquerading
C. Malicious Insiders
D. Loss of Availability

Answer 10

C. Malicious Insiders

Explanation:
STRIDE stands for:

Spoofing

Tampering

Repudiation

Information disclosure

Denial of Service

Elevation of Privileges

Question 11

In which cloud service model a negotiated contract is the most critical?

A. DaaS
B. SaaS
C. IaaS
D. PaaS

Answer 11

B. SaaS

Explanation:
SaaS by definition provides less control for the customer compared to IaaS and PaaS. In addition, the risk of vendor lock-in is higher as SaaS applications are more difficult to migrate away from as that would typically impact business processes. Hence, when procuring a SaaS application, contract negotiation is of paramount importance.

Question 12

Which of the following combinations of temperature and humidity levels would be considered optimal for a data center according to the American Society of Heating, Refrigeration, and Air-Conditioning Engineers (ASHRAE)?

A. 30 degrees C and 65% relative humidity
B. 25 degrees C and 65% relative humidity
C. 25 degrees C and 45% relative humidity
D. 30 degrees C and 45% relative humidity

Answer 12

C. 25 degrees C and 45% relative humidity

Explanation:
According to ASHRAE the recommended operating range for temperature and humidity are:

Temperature: 64.4oF (18oC) - 80.6oF (27oC)

Humidity: 40% relative humidity and 41.9oF (5.5oC) dew point - 60% relative humidity and 59.9oF (15oC) dew point

Question 13

What are the (CSA) date lifecycle stages in order?

A. Create, Store, Use, Share, Archive, Delete
B. Create, Save, Use, Share, Archive, Destroy
C. Create, Save, Use, Share, Archive, Delete
D. Create, Store, Use, Share, Archive, Destroy

Answer 13

D. Create, Store, Use, Share, Archive, Destroy

Explanation:
The correct order of CSA’s data lifecycle stages are:

Create

Store

Use

Share

Archive

Destroy

Question 14

What can affect the cost benefits of economies of scale derived from cloud migration?

A. Lack of cloud development skills in the organization
B. Risk Increase
C. Contract Negotiations
D. Loss of Governance

Answer 14

C. Contract Negotiations

Explanation:
Negotiating and tailoring a tailored contract with a cloud provider, can significantly increase the cost of the cloud service.

Question 15

Which cloud storage architecture manages the data in caches of copied content close to locations of high demand?

A. Volume Storage
B. Object Storage
C. Content Delivery Network (CDN)
D. In-memory Store

Answer 15

C. Content Delivery Network (CDN)

Explanation:
A content delivery network (CDN) is a system of distributed servers that deliver (web) content to a user, based on their geographic locations, the origin of the webpage, and the content delivery server.

Question 16

What is a consideration in network monitoring when moving to the cloud?

A. Containers dont have IP addresses which makes logging events more ambiguous
B. NTP services might not be available in a cloud environment
C. Assets are less likely to exist at static IP addresses
D. SIEM services might not be available in a cloud environment

Answer 16

C. Assets are less likely to exist at static IP addresses

Explanation:
The dynamic nature of a cloud environment typically means that assets are likely to be associated with fixed IP addresses. All the other options are not true.

Question 17

Live migration is the transferring of the operation of one virtual instance to another physical machine in a way that is transparent to the user. What is one of the risks of virtual machine live migration?

A. Virtual Machines are live-migrated in clear
B. Unsuccessful migration can cause data loss
C. Migration time is inversely proportional to the VM size
D. Frequently migrating virtual machines can reduce the lifetime of the underlying hard disks

Answer 17

A. Virtual Machines are live-migrated in clear

Explanation:
Virtual machines are typically live-migrated in clear (without encrypting the user’s data) which can increase the risk of data leaking.

Question 18

When setting up resource sharing within a host cluster, which option would you choose to mediate resource contention?

A. Limits
B. Shares
C. Reservations
D. Clusters

Answer 18

B. Shares

Explanation:
Resource contention implies that there are too many requests for resources based on the actual available amount of resources currently in the system.

Shares allow the cluster’s reservations to be allocated, and then to address the remaining available resources for use by members of the cluster through a prioritized percentage-based allocation mechanism.

Question 19

Which step in the risk management process establishes a risk context?

A. Assess
B. Frame
C. Identify
D. Evaluate

Answer 19

B. Frame

Explanation:
Framing risk is the step that sets the environment in which risk-based decisions are made known as risk context.

Question 20

Which of the following is not included in an X509 certificate?

A. Certificate Signature Algorithm
B. Serial Number
C. Certification Authority Private Key
D. Issuer Name

Answer 20

C. Certification Authority Private Key

Explanation:
Public Key Infrastructure (PKI) relies on the secrecy of the private key of the certification authority. Of course, it is not included in the certificates they are issuing.

Question 21

What is the responsibility of the cloud service provider (CSP) in IaaS?

A. Backing up application data
B. Certificate management
C. Patching the OS
D. Patching the hypervisor

Answer 21

D. Patching the hypervisor

Explanation:
The only item in the list which falls under the responsibility of the cloud service provider in IaaS is the protection of the hypervizor.

Question 22

Which of the following acronyms represent a measure of the minimum desired performance level of the DR system in comparison to the production system’s current performance level?

A. RTO
B. RSL
C. ROI
D. RPO

Answer 22

B. RSL

Explanation:
Recovery Service Level (RSL): represents a measure of the minimum desired performance level of the DR system in comparison to the production system’s current performance level.

Recovery Point Objective (RPO): represents the maximum acceptable age of the data that can be restored (or recovery point) and the version of data lost.

Recovery Time Objective (RTO): represents the maximum acceptable length of time required for an organization to recover lost data and get back up and running.

Return on Investment (ROI): is red herring

Question 23

Which of the following is not a typical capability of a SIEM platform?

A. Producing reports necessary for compliance
B. Create dashboard for data visualization
C. Generate alerts
D. Enforce segregation of duties

Answer 23

D. Enforce segregation of duties

Explanation:
Enforcing segregation of duties is not a typical feature of a SIEM. All the other options essential characteristics of a SIEM.

Question 24

Which of the following is not a typical step in establishing a system baseline?

A. Place the baseline under a configuration management system
B. Encrypt the operating system
C. Removal of non-essential services
D. Apply the latest patches issued by the vendor

Answer 24

B. Encrypt the operating system

Explanation:
Encrypting the operating system is not part of establishing a system baseline, and it would most likely cause functional problems. All the other answers are typical steps in establishing a baseline.

Question 25

Which ISO/IEC standards set documents the cloud definitions for staffing and official roles?

A. ISO/IEC 17789
B.. ISO/IEC 27001
C. ISO/IEC 27040
D. ISO/IEC 17788

Answer 25

A. ISO/IEC 17789

Explanation:
ISO/IEC 17789 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.

Question 26

ISO 27001 is the most widely used global standard for ISMS implementations. Which is not one of the ISO 27001 domains?

A. Penetration testing
B. Human resources security
C. Physical and environmental security
D. Asset management

Answer 26

A. Penetration testing

Explanation:
ISO 27001 domains include the following domains:

Information security policies

Organization of information security

Human resource security

Asset management

Access control

Cryptography

Physical and environmental security

Operations security

Communications security

System acquisition, development, and maintenance

Supplier relationship

Information security incident management

Information security aspects of business continuity management

Compliance

Question 27

What are the customer responsibilities in IaaS?

A. Updating the application server
B. Patching the hypervisor
C. Securing the host OS the hypervisor runs in
D. Securing the software defined networks (SDN)

Answer 27

A. Updating the application server

Explanation:
Maintenance and security of an application running in an IaaS is the responsibility of the customer.

Question 28

Which of these characteristics of cloud environments adds compliance risk?

A. Rapid Elasticity
B. Measure Service
C. On-Demand Self-Service
D. Redundancy

Answer 28

A. Rapid Elasticity

Explanation:
Elasticity describes the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner. This can lead to resources being automatically provisioned in various geographical regions with different regulatory compliance requirements.

Question 29

The newly appointed CIO of a large retailer is considering migrating workloads to a medium-size cloud service provider. The CIO has concerns about the provider since they only recently started offering cloud services and they don’t have an established presence in the market. Which of the following would not help to reduce the risk of vendor lock-in?

A. Use of a key escrow
B. Use of standards-based data formats
C. Use Kerberos for centralized authentication
D. use of open-source software

Answer 29

C. Use Kerberos for centralized authentication

Explanation:
Kerberos is a proprietary Microsoft authentication protocol that is used to verify the identity of a user or host. The use of proprietary technology does not reduce the risk of vendor lock-in.

Question 30

What is a typically expected downtime for public cloud services?The

A. 10 hours/month
B. 8 seconds/year
C. 7 hours/year
D. 3 hours/week

Answer 30

C. 7 hours/year

Explanation:
7 hours of downtime/year equals to 99.9% uptime, which is typical for a cloud service

Question 31

Which type of cooling removes heat that can be measured by a thermometer?

A. Sensible Cooling
B. Latent Cooling
C. Passive Cooling
D. Hydro Cooling

Answer 31

A. Sensible Cooling

Explanation:
Sensible cooling is defined as the ability of an air-conditioning system to remove heat that can be measured by a thermometer.

Question 32

Which is not included in ENISA’s top 8 threats to cloud computing?

A. Encryption key disclosure
B. Compliance Risks
C. Isolation Failure
D. Insecure of Incomplete Data Deletion

Answer 32

A. Encryption key disclosure

Explanation:
Encryption keys disclosure is not part of ENISA’s top 8 threats to cloud computing.

The full list is:

Loss of governance

Lock-in

Isolation failure

Compliance risks

Management interface compromise

Data protection

Insecure or incomplete data deletion

Malicious insider

Question 33

An organisation based in Palo Alto, CA wants to ensure they protect their new HQ office which costs $1,000,000. By looking at statistics the CIO has determined that CA is impacted by approximately 2 earthquakes a year. By running earthquake simulation software the company determined that an earthquake would destroy about 25% of the building. The company has identified an insurance company that can fully insure the building for earthquake damages for $150,000/year. Would that be a cost-effective control for the organisation?

A. It depends on how many earthquakes will actually happen
B. Yes
C. There is not enough data to make a conclusion
D. No

Answer 33

B. Yes

Explanation:
We can compute the Single Loss Expectancy (SLE) as follows SLE=AV*EF

In the above scenario, 25% * $1,000,000 = $250,000

The Annualised Loss Expectancy (ALE) can be computed as ALE=SLE*ARO, in the above scenario ALE=$500,000

Therefore hiring the insurance company for $150,000/year would be a cost-effective control for the organisation.

Question 34

What is the potential negative effect of a negotiated contract with a public cloud provider?

A. Lack of Controls
B. Vendor Lock-In
C. Privacy Reduction
D. Increase of Cost

Answer 34

D. Increase of Cost

Explanation:
Public cloud providers are able to offer competitive prices compared to traditional data center providers by leveraging economies of scale and standardized contracts. Negotiating a tailor-made contract can increase their costs and consequently their prices.

Question 35

Redundancy is described as the duplication of components of a platform with the intention of increasing reliability. Given a system with N required components, which of the following deployment patterns represents a “Fully redundant system”?

A. 2N-1
B. N+1
C. 2N
D. 2N+1

Answer 35

C. 2N

Explanation:
According to the CCSP Student Guide:

N: No redundancy. Only the exact number of required components.

N+1: “Parallel redundancy.” The exact number of components required plus one additional component.

2N: “Fully redundant system.” Two of every component.

2N+1: “Fully fail-safe.” Two of every component plus one extra component.

Question 36

Which of the following has been discontinued?

A. HIPAA
B. Safe Harbor
C. GDPR
D. Privacy Shield

Answer 36

B. Safe Harbor

Explanation:
The US-EU Safe harbor program has been discontinued and was replaced by EU-U.S. Privacy Shield.

Question 37

The Treacherous 12 is a list produced by the CSA representing the most important threats to secure cloud computing. Which of the following is not included in the list?

A. Advanced Persistent Threat
B. Man in the Middle
C. Malicious Insiders
D. Data Breach

Answer 37

B. Man in the Middle

Explanation:
Man in the middle is not included in CSA’s Treacherous 12.

Question 38

Which mathematical problem does Diffie–Hellman rely on?

A. Finding a discrete logarithm of a random elliptic curve element with respect to a publicly known base point
B. Traveling salesman problem
C. Discrete Logarithm Problem
D. Factorization of the product of two large prime number

Answer 38

C. Discrete Logarithm Problem

Explanation:
The security of Diffie-Hellman relies on the complexity of the discrete logarithm problem.

https://security.stackexchange.com/questions/45963/diffie-hellman-key-exchange-in-plain-english

Question 39

Which is not included in the OWASP Top 10?

A. Insecure Deserialization
B. XML External Entities (XXE)
C. Security Misconfigurations
D. Malicious Insiders

Answer 39

D. Malicious Insiders

Explanation:
“Malicious insiders” is not part of the OWASP Top 10. The full list includes:

Injection

Broken Authentication

Sensitive data exposure

XML External Entities (XXE)

Broken Access control

Security misconfigurations

Cross-Site Scripting (XSS)

Insecure Deserialization

Using Components with known vulnerabilities

Insufficient logging and monitoring

Question 40

Which of the following is not a typical data discovery technique?

A. Digest
B. Content Analysis
C. Metadata
D. Labels

Answer 40

A. Digest

Explanation:
The different data discovery techniques include:

Metadata

Content analysis

Labels

Question 41

Which attribute should be used from monitoring and alerting tools to uniquely identify instances in a cloud environment?

A. Instance Tags
B. IPv6 Addresses
C. IPv4 Addresses
D. MAC Addresses

Answer 41

A. Instance Tags

Explanation:
A MAC address is tied to the physical network card of a computer; hence it is not a reliable identifier in a cloud environment. IPv4 and IPv6 might be suitable identifiers under specific circumstances but ideally, they should not be used in a cloud environment because of its dynamic nature.

Question 42

DREAD is part of a system for risk-assessing computer security threats. Which of the following is not part of DREAD?

A. Affected Users
B. Damage
C. Reproducibility
D. Elevation of Privilege

Answer 42

D. Elevation of Privilege

Explanation:
DREAD stands for

Damage – how bad would an attack be?

Reproducibility – how easy is it to reproduce the attack?

Exploitability – how much work is it to launch the attack?

Affected users – how many people will be impacted?

Discoverability – how easy is it to discover the threat?

Question 43

Which of the following is not part of the Organization for Economic Co-operation and Development (OECD) privacy principles?

A. Explicit consent principle
B. Use limitation principle
C. Collection limitation principle
D. Purpose specification principle

Answer 43

A. Explicit consent principle

Explanation:
The OECD principles include:

Collection Limitation Principle

Data Quality Principle

Purpose Specification Principle

Use Limitation Principle

Security Safeguards Principle

Openness Principle

Individual Participation Principle

Accountability Principle

Question 44

An LDAP administrator has configured a directory server to store passwords using the SHA-1 hash function. The minimum password length is 6 and the salt consists of 8 bits. If the directory contains 50 accounts and their passwords. What is the length of the SHA-1 digest (bits)?

A. 2^6
B. 50
C. 160
D. 2^8

Answer 44

C. 160

Explanation:
SHA-1 is a cryptographic hash function which takes an arbitrary input and produces a 160-bit hash value

Question 45

Which statement is true about the differences between virtual machines and containers?

A. Containers are inherently more secure than VMs
B. Each container includes a full OS isolated from the host OS
C. Virtual machines are more lightweight compared to containers
D. All containers running on a single host are sharing the same OS kernel

Answer 45

D. All containers running on a single host are sharing the same OS kernel

Explanation:
According to Wikipedia http://en.wikipedia.org/wiki/Docker_(software)

A single control host (CoreOS instance) runs multiple isolated Linux systems (containers), using Docker as an additional layer of abstraction and interface to the underlying operating-system-level virtualization features of the Linux kernel.

Question 46

Which of the following is not a trend of data discovery in the cloud?

A. Machine learning classification
B. Big Data
C. Agile Business Intelligence
D. Real-time Analytics

Answer 46

A. Machine learning classification

Explanation:
According to the CCSP CBK data discovery in the cloud is being driven by the following trends:

Big data

Real-time analytics

Agile business intelligence

Question 47

Which of the following actions does NOT take place in the TLS record protocol?

A. Establishing a symmetric key
B. Calculation of Data Digest
C. Symmetrically Encrypting Data
D. Symmetrically Decrypting Data

Answer 47

A. Establishing a symmetric key

Explanation:
Establishing a symmetric key takes place in the TLS Handshake protocol

Question 48

A medium-sized software house is launching a new enterprise resource planning product, which of the following groups should not be involved in the process of testing the new product?

A. Management
B. Interns
C. External Consultants
D. The developers of the application

Answer 48

D. The developers of the application

Explanation:
The developers of an application should not be involved in testing their own code as this creates a conflict of interest.

Question 49

Which of the following is not a privacy regulation?

A. HIPPA
B.PIPEDA
C. ISO/IEC 27040
D. GLBA

Answer 49

C. ISO/IEC 27040

Explanation:
ISO/IEC 27040 provides detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security.

Question 50

What should be a primary concern when designing a BC/DR strategy?

A. Failing over workloads to a different location might affect regulatory compliance requirements
B. Failing over workloads to a different location might increase cost
C. Failing over workloads to a different location might be likely to increase latency
D. Failing over workloads to a different location might affect user experience

Answer 50

A. Failing over workloads to a different location might affect regulatory compliance requirements

Explanation:
The organisation needs to operate legally and lawfully at all times; meeting the regulatory compliance requirements is the most important item on the list.