(ISC)² Certified Cloud Security Professional Exam 3 (CCSP) Practice (Aris Athanasiou) Flashcards

1
Q

STRIDE is a model of threats developed by Microsoft for identifying computer security threats. Which of the following is not an element of STRIDE?

A. Tampering
B. Impersonation
C. Reputation Damage
D. Elevation of Privilege

A

C. Reputation Damage

Explanation:
Reputation damage is not one of the 6 categories defined in STRIDE.

2
Q

Which of the following firewall types would be the most challenging for the customer to deploy in a public cloud environment?

A. Host-based firewall
B. Web Application Firewall (WAF)
C. Hardware Firewall
D. Layer 3 Firewall

A

C. Hardware Firewall

Explanation:
Cloud service customers typically do not have access to the underlying infrastructure of public cloud providers. Hence, installing a hardware firewall would be very challenging.

3
Q

What should be the first step in incident response in a cloud environment?

A. Look at the firewall logs to determine the root cause
B. Ensuring the management plane has not been breached
C. Resetting the password of all cloud administrators
D. Shutting down affected components to contain the breach

A

B. Ensuring the management plane has not been breached

Explanation:
Ensuring the management plane has not been breached should be the priority of the cloud provider, as any remediation actions can be reverted if the attacker still has access to the management plane.

4
Q

The newly appointed CIO of a large retailer is considering migrating workloads to a medium-size cloud service provider. The CIO has concerns about the provider since they only recently started offering cloud services and they don’t have an established presence in the market. Which of the following service models would pose the smallest risk with regards to vendor lock-in?

A. SaaS
B. IDaaS
C. IaaS
D. PaaS

A

C. IaaS

Explanation:
Applications built on top of IaaS are easier to migrate to a different platform if needed, compared to applications built on PaaS or software as a service (SaaS). IaaS is also the service model closest to traditional data-center hosting. In the scenario above, the CIO is concerned about the newly established CSP, therefore the best option would be to choose the service model which allows for easy migration.

5
Q

An EU-based IT services provider recently decided to build a public cloud offering. They quickly attracted several clients which migrated workloads to the cloud and started storing customer data in both volume and object storage. In the above example who is considered the data processor?

A. The health and financial regulators
B. The cloud service consumer
C. The customers of the cloud service consumer
D. The cloud service provider

A

D. The cloud service provider

Explanation:
In the above scenario, the cloud service provider is considered the data processor.

6
Q

A large IT training provider is concerned about unauthorized sharing of the training material they are providing to their students. Which of the following controls would be the most appropriate?

A. Printing the material so that students can not transfer the files via USB or email
B. Asymmetrically encrypt the files with a unique public key per student and hand out smartcards containing the associated private key
C. Protecting the files by using IRM/DRM technologies
D. Associating the material with an access control list (ACL) and explicitly granting access to the students

A

C. Protecting the files by using IRM/DRM technologies

Explanation:
Protecting the files by using IRM/DRM technologies would be the most appropriate control in the above scenario. The rest of the controls are either not effective or not scalable.

7
Q

Which term describes the probability that a threat to an asset will materialize?

A. Risk
B. Impact
C. Vulnerability
D. Exploit

A

A. Risk

Explanation:
That is the definition of risk.

8
Q

An LDAP administrator has configured a directory server to store passwords using the SHA-2 hash function. The minimum password length is 6 and the salt consists of 8 bits. If the directory contains 50 accounts and their passwords, how many unique salts can the above setup support?

A. 2^6
B. 2^8
C. 50
D. 256

A

B. 2^8

Explanation:
The above setup can support 2^8=256 unique salts.

9
Q

Which of the following is not an identity federation protocol?

A. RADIUS
B. OIDC
C. SAML
D. WS-Federation

A

A. RADIUS

Explanation:
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting. The rest of the options are protocols widely used for federated access.

10
Q

Which of the following should be a primary consideration when designing a leaver process?

A. Deprovision the employee from the company’s HR system or any other authoritative source
B. Block printer access to prevent data exfiltration
C. Update the payroll system
D. Ensure the employee returns any property of the company

A

A. Deprovision the employee from the company’s HR system or any other authoritative source

Explanation:
Deprovisioning (or scheduling the deprovisioning) of the employee from the company’s HR system or any other authoritative source should be the priority of every company for the leaver process. Employees who have been dismissed or quit and still retain access to the company’s information systems pose a significant risk.

11
Q

What is one of the delivery models of SaaS?

A. Tailored Application
B. Hosted Application
C. Off-Premise Application
D. Remote Application

A

B. Hosted Application

Explanation:
The two delivery models for SaaS applications are:

Hosted Application: a cloud provider hosts software for customers and delivers it over the Internet.

Software-on-demand: a cloud provider supplies customers with network-based access to a single copy of an application created specifically for SaaS distribution.

12
Q

What kind of attack does the following code describe? SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

A. LDAPi
B. CSRF
C. SQLi
D. XSS

A

C. SQLi

Explanation:
The above is the most typical example of a SQL injection (SQLi) attack.

13
Q

After Bob has proved his identity to an application, he is assigned a JWT token containing his Active Directory group memberships. He then sends that token to an API that is protected by an API gateway. The gateway intercepts the request and inspects the group memberships in the token; it then decides to block the user from accessing the API. The latter is an example of which of the following?

A. Identification
B. Access Federation
C. Authorization
D. Authentication

A

C. Authorization

Explanation:
The user has already been authenticated, and based on the persona he has been assigned and the resource he/she is trying to access, the system makes a decision to deny access. This is a classic example of authorisation.

14
Q

The Cloud Security Alliance has defined a model for the cloud data lifecycle which consists of 6 phases. In which phase does data classification take place?

A. Store
B. Share
C. Create
D. Use

A

C. Create

Explanation:
The creation phase is the best time to classify data according to its value to the organization.

15
Q

Which of the following verbs is not associated with REST?

A. DELETE
B. FETCH
C. PATCH
D. PUT

A

B. FETCH

Explanation:
RESTful APIs primarily use HTTP as a transport layer. The verbs (HTTP methods) available are GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, and TRACE.

16
Q

Which of the following is not a common approach for data masking according to the CCSP CBK?

A. Random Substitution
B. Anagram
C. Deletion
D. Algorithmic Substitution

A

B. Anagram

Explanation:
An anagram is a word formed by rearranging the letters of a different word. Simply rearranging the characters of a word would not be sufficient, as it would be trivial for someone to reconstruct/guess the original data. The rest of the methods above are common approaches for data masking.

17
Q

An organisation has several applications deployed in a hybrid cloud architecture. At the moment each application handles its own authentication and authorisation by maintaining local user accounts and their entitlements. The CIO wants to improve the way the employees access the applications, increasing security and productivity. The CIO decided to implement single sign-on between the applications, with tokens issued by a third-party cloud service. Which of the following best describes the third party?

A. Identity as a Service (IDaaS)
B. Service Provider (SP)
C. Blockchain-based Authentication
D. External Kerberos Provider

A

A. Identity as a Service (IDaaS)

Explanation:
Single sign-on (SSO) is one of the typical offerings of an Identity as a Service (IDaaS) platform, along with multi-factor authentication, federation, and authorisation.

18
Q

Which of the following can protect cloud operations from rogue employees?

A. Mantraps
B. 24/7 Video Surveillance
C. Single Egress Point in the data center
D. Dual Authority Controls

A

D. Dual Authority Controls

Explanation:
Dual authority controls are often used as a control against collusion. The rest of the controls would not be effective against rogue employees who already have access to the facilities.

The "Single egress point in the data center" in particular is a risk on its own and could endanger the health and safety of the employees if an incident occurred.

19
Q

Which is not included in the OWASP Top 10 (2021)?

A. Insecure Media Sanitization
B. Identification and Authentication Failures
C. Broken Access Control
D. Insecure Design

A

A. Insecure Media Sanitization

Explanation:
Insecure media sanitization is not included in the OWASP Top 10, the rest of the options are.

The OWASP TOP 10 (2021) includes:

Broken Access Control

Cryptographic Failures

Sensitive Data Exposure

Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server-Side Request Forgery

20
Q

Which of the following is the most important for ensuring non-repudiation?

A. Centralized Authentication
B. Formal Certification and Authorization of the system
C. Strong Cryptography
D. Continuous Audit Trail

A

D. Continuous Audit Trail

Explanation:
A continuous audit trail is the most important aspect of ensuring non-repudiation. Strong cryptography and centralised authentication can also help but unless the system is capable of capturing a complete audit trail, non-repudiation can be challenging to achieve.

21
Q

The application owner of a medium-size retailer’s website is designing its system upgrade approach. In order to upgrade the platform, he needs to set it in maintenance mode. Which of the following is not typically done when a system enters maintenance mode?

A. Disable Event Logging
B. Disable New Logins
C. Disable Customer Access
D. Disable Alerts

A

A. Disable Event Logging

Explanation:
Event logging should never be disabled; during maintenance mode it is even more important to retain a continuous audit trail of events.

22
Q

Which of the following has been discontinued?

A. HITECH
B. EU Data Retention Directive
C. Privacy Shield
D. Sarbanes-Oxley Act

A

B. EU Data Retention Directive

Explanation:
In 2014, the Court of Justice of the European Union repealed the entire Data Retention Directive.

23
Q

Which risk does full disk encryption mitigate in a cloud environment?

A. DDoS Attacks
B. Physical Theft of Hardware
C. Buffer overflow on the OS
D. Attacks through the application containers

A

B. Physical Theft of Hardware

Explanation:
Physical theft of hardware is the only scenario listed that full disk encryption mitigates, provided that the keys are not also stored on the same hard disk.

24
Q

Which of the following statements regarding open-source software is incorrect?

A. Open-source software is considered less secure since everybody can inspect the source and identify flaws/vulnerabilities
B. Open-source software can enhance the interoperability of an application
C. Not all open-source software is free of charge
D. Open-source software is maintained from a community of users

A

A. Open-source software is considered less secure since everybody can inspect the source and identify flaws/vulnerabilities

Explanation:
Open-source software is not considered less secure. In fact, the ability of anyone to inspect the source and identify flaws/vulnerabilities makes it more secure.

On the other hand, closed-source software relies on security through obscurity, which has never achieved engineering acceptance as a good way to secure a system.

25
Q

Which tier of Uptime Institute’s Data Center Tier standard is known as “Concurrently Maintainable Site Infrastructure”?

A. Tier 1
B. Tier 3
C. Tier 4
D. Tier 2

A

B. Tier 3

Explanation:
Concurrently Maintainable Site Infrastructure is also known as Tier 3 in the Uptime Institute’s Data Center Tier Standard Topology.

26
Q

The PCI DSS (Payment Card Industry Data Security Standard) merchant levels are rankings of merchant transactions per year. What is the highest and strictest PCI DSS compliance level in terms of validation requirements?

A. Merchant Level: 3
B. Merchant Level: 1
C. Merchant Level: 2
D. Merchant Level: 4

A

B. Merchant Level: 1

Explanation:
Merchant level 1 is the highest and strictest merchant category specified in the standard.

Merchants processing more than 6,000,000 transactions per year, or any merchant that has had a data breach or attack that resulted in an account data compromise, fall under this category.

27
Q

What does ISO/IEC 27034 deal with?

A. Key Management in Cloud
B. Application Security
C. Supply Chain
D. Risk Management

A

B. Application Security

Explanation:
ISO/IEC 27034 deals with Application security.

28
Q

An organisation based in Palo Alto, CA wants to ensure they protect their new HQ office, which costs $1,000,000. By looking at statistics, the CIO has determined that CA is impacted by approximately 20 earthquakes a year. By running earthquake simulation software, the company determined that an earthquake would destroy about 25% of the building. The company has identified an insurance company that can fully insure the building against earthquake damage for $150,000/year. What kind of risk response would that be?

A. Mitigate
B. Transfer
C. Avoid
D. Accept

A

B. Transfer

Explanation:
Insurance is the most common form of transferring risk.

29
Q

Two common data format types are JSON and XML. Which of the following is not a benefit of JSON over XML?

A. Less Verbose
B. Easily consumed by JavaScript
C. Easier parsing from SOAP services
D. Faster Parsing

A

C. Easier parsing from SOAP services

Explanation:
SOAP services typically parse XML rather than JSON. XML is typically slower compared to JSON since you need 2 XML tags rather than 1 JSON key. In most programming languages a map lookup such as this will be more costly than an attribute lookup.

30
Q

Which cloud service model would be most impacted by the usage of proprietary cryptographic algorithms for protecting data at rest (DAR)?

A. Public
B. Private
C. Hybrid
D. Community

A

C. Hybrid

Explanation:
Hybrid cloud implementations comprise a combination of on-premises, private cloud, and third-party, public cloud services with orchestration between the two platforms. The use of proprietary encryption schemes can impact the interoperability of the cloud platform and hinder the integration between the different components.

31
Q

Which are the four steps in the risk management process?

A. Frame, Assess, Respond, Monitor
B. Frame, Assess, Mitigate, Review
C. Identify, Evaluate, Mitigate, Review
D. Frame, Evaluate, Mitigate, Monitor

A

A. Frame, Assess, Respond, Monitor

Explanation:
The four steps in the risk management process defined in the NIST SP 800-39 are:

Frame, Assess, Respond, Monitor

32
Q

Which of the following is the Identity Provider (IdP) not typically responsible for?

A. Prevent the user from accessing a system he/she is not entitled to
B. Providing identifiers/tokens for users looking to interact with a system
C. Asserting to such a system that such an identifier/token presented by a user is known to the provider
D. Providing other information/attributes about the user that is known to the provider

A

A. Prevent the user from accessing a system he/she is not entitled to

Explanation:
Typically the Identity Provider (IdP) is not responsible for determining who has access to what resources. The IdP is responsible for deciding with high assurance whether a user is who he/she claims to be, and then assigning some sort of persona to them.

Policy decision points (PDPs) are responsible for deciding whether a user is entitled to access a resource and policy enforcement points (PEPs) implement the decision by allowing or blocking access.

33
Q

Which of the following would pose the biggest risk in a data centre?

A. Absence of secure KVM hardware
B. Multiple ingress points
C. Single egress point
D. Blind corners without CCTV coverage

A

C. Single egress point

Explanation:
The single egress point is the biggest risk, as it could potentially risk the health and safety of employees in case of an incident.

In this kind of question, remember always to prioritise the health and safety of people rather than the security of the computing systems. The only exception is if the question is set in a military/war context.

34
Q

Software-defined networking (SDN) is intended to separate different network capabilities and allow for the granting of granular configurations, permissions, and features to non-network staff or customers. Which network capabilities are separated?

A. Forwarding and Routing
B. Forwarding and Filtering
C. Management and Routing
D. Management and Filtering

A

A. Forwarding and Routing

Explanation:
Software-defined networking (SDN) separates a router’s control plane from the data (forwarding) plane. The control plane makes routing decisions. The data plane forwards data (packets) through the router.

35
Q

A medium-sized software house is going through the risk management process to ascertain threats to its flagship product, an enterprise-level ERP system. According to the statistics, the average number of significant vulnerabilities discovered in their product is five per year, with each vulnerability costing the company about $50,000 in terms of reputation and $50,000 in additional development effort required to patch the system. Which of the following controls would be the best option for the company?

A. Hire specialized testing consultants for $80,000 per year which will reduce the average number of significant vulnerabilities to 2 per year
B. Hire an insurance company for $300,000 per year which will fully cover any associated cost with disclosed vulnerabilities
C. Hire public relations consultants to help with the company’s reputation for $100,000 per year which would reduce the impact to the company’s reputation to $5,000 per security vulnerability
D. Accept the risk since all the identified potential risk responses would cost more

A

A. Hire specialized testing consultants for $80,000 per year which will reduce the average number of significant vulnerabilities to 2 per year

Explanation:
Let’s analyse the above 4 options:

Hire an insurance company: would cost $300,000

Hire specialised testing consultants: would cost $80,000 and would reduce the number of vulnerabilities to 2, yielding a total cost of $80,000 + 2*($50,000+$50,000) = $280,000

Hire public relations consultants: would cost $100,000 and would reduce the impact on the company's reputation, yielding a total cost of $100,000 + 5*($50,000+$5,000) = $375,000

Accept the risk: would cost 5*($50,000+$50,000) = $500,000

Hence, hiring specialised testing consultants would be the best option for the software house.

36
Q

Which is not one of the ISO 27001 domains?

A. Personnel training
B. Physical and environmental security
C. Access Control
D. Information Security Incident Management

A

A. Personnel training

Explanation:
Personnel training is not one of the ISO 27001 domains.

37
Q

A medium-size retailer decides to deploy a database activity monitoring (DAM) to protect their relational database holding customer data. Which OSI layer does the DAM operate in?

A. Storage (Layer 6)
B. Application (Layer 7)
C. Session (Layer 6)
D. Database (Layer 5)

A

B. Application (Layer 7)

Explanation:
Database activity monitoring (DAM) operates in the Application Layer (Layer 7).

38
Q

ISO 27034-1 lays out an organizational normative framework (ONF) that acts as a framework for all components of application-security best practices. What is the relationship between ANF and ONF in terms of multiplicity?

A. 1 to many
B. Many to 1
C. 1 to 1
D. Many to Many

A

B. Many to 1

Explanation:
Multiple Application Normative Frameworks (ANF) map to a single Organization Normative Framework (ONF) (N…1).

39
Q

Which of the following key sizes is not supported by AES?

A. 158
B. 128
C. 256
D. 192

A

A. 158

Explanation:
AES supports the following key sizes:

128 bits

192 bits

256 bits

40
Q

Which of the following is true about Secret Sharing Made Short (SSMS)?

A. Data is split into m fragments, while the key remains intact. The original data can be reconstructed by accessing n out of m fragments (lower than n) and providing the encryption key
B. Both the data and the encryption keys are split into m fragments. The original data can be reconstructed by accessing n out of 5 fragments of the data and the key (lower than n)
C. Both the data and the encryption keys are split into m fragments. Data reconstruction requires all m fragments
D. Data is split into m fragments, while the key remains intact. Data reconstruction requires all m fragments and the encryption key

A

B. Both the data and the encryption keys are split into m fragments. The original data can be reconstructed by accessing n out of 5 fragments of the data and the key (lower than n)

Explanation:
Secret Sharing Made Short (SSMS) follows a 3-step process: encryption, use of an information dispersal algorithm (IDA), and finally splitting the encryption key itself using a secret-sharing algorithm.

The fragments of the data and encryption key are then signed and distributed to different storage services. The user can reconstruct the original data by accessing only m (lower than n) arbitrarily chosen fragments of the data and encryption key.

41
Q

Which aspect of information security is ensured by digital signatures?

A. Non-Repudiation
B. Resiliency
C. Availability
D. Confidentiality

A

A. Non-Repudiation

Explanation:
Digital signatures ensure integrity and non-repudiation.

42
Q

An organisation based in Palo Alto, CA wants to ensure they protect their new HQ office, which costs $1,000,000. By looking at statistics, the CIO has determined that CA is impacted by approximately 20 earthquakes a year. By running earthquake simulation software, the company determined that an earthquake would destroy about 25% of the building. In the above scenario, what is the exposure factor (EF)?

A. 1,00,000
B. 250
C. 20
D. 25%

A

D. 25%

Explanation:
The exposure factor is defined as the potential percentage of loss to a specific asset if a specific threat is realized. In the above scenario, the exposure factor is 25%.

43
Q

Which of the following cloud characteristics is not considered a distinct advantage in implementing a robust BCDR strategy?

A. Rapid Elasticity
B. Multi-tenancy
C. On-Demand Self-Service
D. Broad Network Connectivity

A

B. Multi-tenancy

Explanation:
Multitenancy does not have advantages over single-tenant systems as far as BC/DR strategy is considered.

44
Q

Which of the following is not a valid data at rest encryption approach in cloud systems?

A. OS Encryption
B. Volume Encryption
C. Whole Instance Encryption
D. File Encryption

A

A. OS Encryption

Explanation:
Encrypting the Operating System (OS) is not a valid approach; in fact, it would make the computer unusable. Whole-instance, file, and volume encryption are all valid approaches.

45
Q

A medium-sized retailer is going through the risk management process to ascertain threats to its e-shop. According to the statistics, they are subject to 100 cyber-attacks per year. Only 10% of the attacks are successful with each attack costing an average of $10,000. The annual revenue of the shop alone is $500,000 with a net profit of $250,000. The organisation has decided that shutting down the e-shop and focusing on its high-street operations would be the best option. What form of risk handling did the organisation follow?

A. Risk Transference
B. Risk Mitigation
C. Risk Acceptance
D. Risk Avoidance

A

D. Risk Avoidance

Explanation:
Shutting down the e-shop to avoid any potential cost of attacks is a typical example of risk avoidance.

46
Q

Which of the following does OpenID Connect extend to provide authentication?

A. RADIUS
B. OAuth 2.0
C. SAML
D. Kerberos

A

B. OAuth 2.0

Explanation:
OpenID Connect extends OAuth 2.0 to provide user authentication and single sign-on (SSO) functionality on top of OAuth2’s scoped access tokens.


47
Q

Which of the following is not a container in the Organization Normative Framework (ONF)?

A. Business Context
B. Security Context
C. Regulatory Context
D. Technical Context

A

B. Security Context

Explanation:
The context containers in the Organization Normative Framework (ONF) are:

Business Context

Regulatory Context

Technical Context

The security context is not one of the containers in the ONF.

48
Q

Which of the following is not true about End-User Experience Monitoring (EUM)?

A. It is more predictable than synthetic performance monitoring
B. It is a form of passive monitoring
C. It provides valuable insights into ways to optimize an application's components
D. It might have privacy implications

A

A. It is more predictable than synthetic performance monitoring

Explanation:

49
Q

Which of the following is not a typical capability of a SIEM platform?

A. Facilitate forensic investigations
B. Event correlation
C. Enable clock synchronization for multiple sources
D. Log aggregation from multiple sources

A

C. Enable clock synchronization for multiple sources

Explanation:
Security Information and Event Management (SIEM) platforms are not capable of synchronising the clocks of remote sources. This is why it is very important that all sources feeding the SIEM are connected to Network Time Protocol (NTP) services. All the other answers are features of most SIEM platforms.

50
Q

Which type of cooling regulates moisture?

A. Hydro Cooling
B. Sensible Cooling
C. Latent Cooling
D. Passive Cooling

A

C. Latent Cooling

Explanation:
Latent cooling regulates moisture; sensible cooling regulates heat.