(ISC)² Certified Cloud Security Professional Exam 5 (CCSP) Practice (Aris Athanasiou) Flashcards

Question 1

Q

Which of the following is not a responsibility of the cloud service provider (CSP) in IaaS?

A. Patching the hypervisor
B. Ensure the data center temperature does not exceed 30 degrees C
C. Patching the web/application servers
D. Limiting access in the data center to authorized personnel

Answer

A

C. Patching the web/application servers

Explanation:
Patching the web/application servers would fall under the responsibilities of the customer in an IaaS deployment.

Question 2

Q

Which of the following cloud service models is likely to have higher portability?

A. IaaS
B. PaaS
C. SaaS
D. CaaS

Answer

A

A. IaaS

Explanation:
Infrastructure as a Service (IaaS) is likely to have higher portability compared to PaaS or SaaS. The abstraction and hiding of underlying complexities offered by PaaS and SaaS have also the result of reducing flexibility and customisation options.

Question 3

Q

What is the full name of Uptime Institute’s Data Center Site Infrastructure for a Tier V data center?

A. Basic Site Infrastructure
B. Parallel Site Infrastructure
C. Concurrently Maintainable Site Infrastructure
D. The Uptime Institute does not specify a Tier V Data Center

Answer

A

D. The Uptime Institute does not specify a Tier V Data Center

Explanation:
The Uptime Institute specifies only 4 Tiers for data centres, namely:

Basic Site Infrastructure

Parallel Site Infrastructure

Concurrently Maintainable Site Infrastructure

Fault-Tolerant Site Infrastructure

Question 4

Q

Which of the following is not part of the Organization for Economic Co-operation and Development (OECD) privacy principles?

A. Security Safeguards Principle
B. Openess Principle
C. Individual Participant Principle
D. Lawfulness, fainrness and transparency Principle

Answer

A

D. Lawfulness, fainrness and transparency Principle

Explanation:
Lawfulness, fairness, and transparency is a principle of GDPR not OECD. The full list of OECD principles include:

Collection Limitation Principle

Data Quality Principle

Purpose Specification Principle

Use Limitation Principle

Security Safeguards Principle

Openness Principle

Individual Participation Principle

Accountability Principle

Question 5

Q

Which of the following is not part of the CSA date lifecycle stages?

A. Share
B. Store
C. Process
D. Archive

Answer

A

C. Process

Explanation:
The CSA data lifecycle stages in order are:

Create

Store

Use

Share

Archive

Destroy

You can read more about the specific data lifecycle model, here.

Question 6

Q

Which is not included in the OWASP Top 10?

A. Broken Access Control
B. Insufficient Physical Access Control
C. Security Misconfiguration
D. Sensitive Data Exposure

Answer

A

B. Insufficient Physical Access Control

Explanation:
“Insufficient physical access control” is not part of the OWASP Top 10 (2021). The full list includes:

Broken Access Control

Cryptographic Failures

Sensitive Data Exposure

Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server-Side Request Forgery

Remember OWASP stands for Open Web Application Security Project and as the name implies they focus on web technologies. Physical access control, although quite important, is not related to web technologies.

Question 7

Q

The risk management process includes framing, assessing, responding, and monitoring risk. In which of those steps would a qualitative estimation of the risk take place?

A. Framing
B. Monitoring
C. Assessing
D. Responding

Answer

A

C. Assessing

Explanation:
During a risk assessment, the organisation identifies, estimates, and prioritises information security risks. Risks can be assessed following either a quantitative or qualitative approach.

Question 8

Q

A medium-sized pharmaceutical company that has been traditionally using on-premise infrastructure has recently put in production a new ERP platform. The deployment of the new platform has gone through several stages of risk assessment and the organization has reached a sufficient residual risk in line with their appetite. The organisation has the policy to conduct annual risk assessments for all their platforms. The newly appointed CIO has decided to move the aforementioned ERP system in the cloud to cut down on infrastructure costs, when would the next risk assessment for the application take place?

A. The application has recently gone through risk assessment and the stakeholders are happy with residual risk. The application can be migrated to the cloud and the assessment can take place in the next scheduled annual review.
B. A risk assessment should take place immediately after the application has been successfully migrated to the cloud and its new environment is sufficiently understood.
C. A risk assessment should take place before migrating the application to the cloud
D. The organization should not migrate the ERP platform in the cloud as it is a core system to their business and they should retain tight control over it

Answer

A

C. A risk assessment should take place before migrating the application to the cloud

Explanation:
A risk assessment should take place before migrating the application to the cloud. The current risk assessment assumed hosting the application on-premise. The migration of the application to the cloud completely changes the risk landscape and invalidates the current estimations/computations.

Question 9

Q

Which of the following is not typically found in a Service Level Agreement (SLA)?

A. Service Availability
B. Patching frequency of the cloud infrastructure
C. Penalties should the agreed-on service levels not be achieved
D. The process of adding or removing metrics.

Answer

A

B. Patching frequency of the cloud infrastructure

Explanation:
Patching frequency of the cloud infrastructure would not typically be included in the SLA between the cloud provider and the customer. A service-level agreement (SLA) defines the level of service you expect from a cloud provider, laying out the metrics by which service is measured as well as remedies or penalties should agreed-on service levels not be achieved. SLAs focus on the service quality and not on the technicalities of how that is achieved.

Question 10

Q

The Federal Information Processing Standard is a U.S. government computer security standard used to approve cryptographic modules. The standard defines different levels of security for cryptographic components. What is the highest level of security described in FIPS?

A. Security Level 0
B. Security Level 1
C. Security Level 4
D. Security Level 5

Answer

A

C. Security Level 4

Explanation:
Security Level 4 is the highest level of security in FIPS.

Question 11

Q

An LDAP administrator has configured a directory server and is considering different schemes for password storage. Which of the following would be the best option in terms of security?

A. Encrypt all passwords using the same key and Triple DES
B. Encrypt all passwords using a unique key for each entry and Triple DES
C. Hash the password without any key using SHA-512
D. Hash the password using a fixed key using SHA-512

Answer

A

C. Hash the password without any key using SHA-512

Explanation:
The best option for the above scenario would be to hash the password without any key using SHA-512. Hashing is considered a better option for handling passwords since it is a one-way operation that can not be reversed (unlike encryption). SHA-512 does not require a key to compute the digest.

Question 12

Q

Financial penalties for not complying with the General Data Protection Regulation (GDPR) can range up to?

A. 20,000,000 Euros
B. 50,000,000 Euros
C. 70,000,000 Euros
D. 100,000,000 Euros

Answer

A

A. 20,000,000 Euros

Explanation:
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million.

Question 13

Q

An LDAP administrator has configured a directory server and is considering different schemes for password storage. Which of the following would be the best option in terms of security?

A. Encrypt all passwords using the same key and Triple DES
B. Store the password in plaintext
C. Hash the password using SHA-512
D. Hash the password using PBKDF2

Answer

A

D. Hash the password using PBKDF2

Explanation:
The best option for the above scenario would be to hash the password without any key using PBKDF2. Hashing is considered a better option for handling passwords since it is a one-way operation that can not be reversed (unlike encryption). That leaves us with SHA-512 and PBKDF2 as candidate options. PBKDF2 is slow by design and was created specifically for handling passwords. Generic cryptographic hashing algorithms like SHA-256 are fast. Slowing down the algorithm (usually by iteration) makes the attacker’s job much harder in case of a rainbow table attack.

Question 14

Q

Which of the following is a valid cloud storage type?

A. Elastic Disc
B. Context Delivery Network (CDN)
C. Content Delivery Network (CDN)
D. Cloud Box

Answer

A

C. Content Delivery Network (CDN)

Explanation:
Content delivery network (CDN) is the only valid cloud storage type among the above options.

Question 15

Q

A database administrator looks to migrate his on-premise hosted database to the cloud. They are going through the documentation trying to find whether the cloud database of their provide satisfies ACID properties. What does ACID stand for?

A. Atomicity, Consistency, Isolation, Durability
B. Agile, Concurrency, Input, Defragment
C. Auhmentation, Concurrency, Indivisibility, Data
D. Automation, Cache, Integration, Denary

Answer

A

A. Atomicity, Consistency, Isolation, Durability

Explanation:
ACID stands for Atomicity, Consistency, Isolation, Durability

Question 16

Q

Two organisations agree to provide federated access to each other employees by using OpenID Connect (OIDC). What is the data format of the identity token issued as part of the OIDC flow?

A. XML
B. YAML
C. ISON
D. SAML

Answer

A

C. ISON

Explanation:
Identity tokens issued as part of the OIDC flow follow the JSON data format. They are also known as “JSON Web Token (JWT)”.

Question 17

Q

Which of the following is a value included in the Agile manifesto?

A. Processes and tools over individuals
B. Detailed planning over ad-hoc changes
C. Upfront design over multiple iterations
D. Customer collaboration over contract negotiations

Answer

A

D. Customer collaboration over contract negotiations

Explanation:
The Agile Manifesto is a brief document built on 4 values and 12 principles for software development. The 4 values are:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

Question 18

Q

A medium-sized retailer is going through the risk management process to ascertain threats to its e-shop. According to the statistics, they are subject to 100 cyber-attacks per year. Only 10% of the attacks are successful with each attack costing an average of $10,000. The annual revenue of the shop alone is $500,000 with a net profit of $250,000. Which of the following controls would be the best option for the company?

A. Hire an insurance company for $150,000 per year which will fully cover any associated cost with cyber attacks
B. Accept the risk since all the identified potential risk responses would cost more
C. Shut down the e-shop and focus on their high-street shops
D. Deploy a next generation Web Application Firewall (WAF) for $50,000/year which wouldnt prevent 75% of the currently successful attacks on average

Answer

A

D. Deploy a next generation Web Application Firewall (WAF) for $50,000/year which wouldnt prevent 75% of the currently successful attacks on average

Explanation:
Let’s analyse the above 4 options. The company suffers 10 successful attacks per year with an average cost of $10,000 for an Annualised Loss Expectancy (ALE) of $100,000.

The net profit of the e-shop is higher than the ALE which means, shutting down the e-shop would not be a good option.

Hiring the insurance company would cost more than the ALE which means it is not a good option either.

Accepting the risk would leave the company with a net profit of $150,000 ($250,000 - $100,000) after subtracting the ALE.

The WAF would reduce the ALE to $25,000 while costing $50,000, bringing the total cost to $75,000, which is lower than the net profit of the e-shop and the ALE before the controls. This is the best option.

Question 19

Q

What are the key considerations for determining controls for securing data?

A. Functions, Locations, Actors
B. Methods, Locations, Users
C. Methods, Context, Users
D. Methods, Context, Actors

Answer

A

A. Functions, Locations, Actors

Explanation:
According to the CCSP CBK the key considerations for determining controls for securing data are:

Functions, Locations and Actors

Question 20

Q

Which risk is not mitigated from full disk encryption in a cloud environment?

A. Physical theft of hardware
B. Attacks through the application container
C. Malicious CSP employees
D. Not effective hard disk destruction

Answer

A

B. Attacks through the application container

Explanation:
Attacks through the application container would still be able to read the data encrypted on the disk level. The OS and the application container in particular need access to the plaintext data.

Question 21

Q

Which risk is not mitigated from full disk encryption in a cloud environment?

A. Physical theft of hardware
B. Attacks through the application container
C. Malicious CSP employees
D. Not effective hard disk destruction

Answer

A

B. Attacks through the application container

Explanation:
Attacks through the application container would still be able to read the data encrypted on the disk level. The OS and the application container in particular need access to the plaintext data.

Question 22

Q

A database administrator wants to use a database as a service that has an embedded encryption engine. This type of encryption can provide effective protection from physical media theft. What is the name of the above encryption mechanism?

A. Hard-disk encryption
B. Application level encryption
C. Transparent encryption
D. Customer Key Managed (CKM) encryption

Answer

A

C. Transparent encryption

Explanation:
That is a typical use case of transparent database encryption. This type of encryption is transparent to any application relying on the database.

Question 23

Q

The CIO of a regulated organisation is informed by its database vendor about a serious vulnerability that they have just discovered and that they should patch their production instances as soon as possible. The internal policy of the company regarding patching mandates that patches are installed only every 1st of each month. This means that the company will install the patch in 10 days. Which of the following approaches would demonstrate due diligence?

A. Follow the internal policy and patch the system in 10 days according to the well known business process
B. Ask the database administrator to make a decision, as they know the system better
C. Follow the vendor guidelines and install the patch as soon as possible
D. Ask the regulator for guidance

Answer

A

C. Follow the vendor guidelines and install the patch as soon as possible

Explanation:
The CIO should follow the guidelines/recommendations from the database vendor. Vendors have a better understanding of the criticality of the vulnerability and the potential impact. Choosing to ignore the vendor guidelines and sticking to the internal policy would mean the CIO did not perform the necessary due diligence in case of a breach because of the vulnerability. Database administrators are not necessarily familiar with the underlying software implementation of a database, particularly closed source products. Regulators might be able to provide high-level guidance and best practices but they would not be able to help in this instance.

Question 24

Q

A medium-size retailer that has been using on-premise infrastructure recently acquired an e-shop which hosts its infrastructure in a public cloud. In an attempt to integrate their platforms they decided to adopt a hybrid cloud approach. They currently have a flat network topology with a subnet 10.1.0.0/21 while the e-shop has deployed a VPC with a range of 10.1.0.0/24. Can this create problems for the organisation?

A. No, there is no overlap between IP ranges, the integration between the two networks can be seamless
B. No, this is not an issue as long as the routers in the data center have a different MAC address from the ones in the public cloud
C. Yes, this is an issue, overlapping IP ranges between a VPC subnet and an on-premise network can make the integration complex
D. Yes, this is an issue, modern public cloud infrastructure can not be integrated directly with traditional on-premise infrastructure

Answer

A

C. Yes, this is an issue, overlapping IP ranges between a VPC subnet and an on-premise network can make the integration complex

Explanation:
Overlapping IP ranges between a VPC subnet and the on-premise network can create serious complexities. It is important that the organisation plans carefully before starting migrating services to a cloud environment.

Question 25

Q

Which of the following is not a container orchestration system?

A. Kubernetes
B.OpenShift
C. Apache Mesos
D. Jenkins

Answer

A

D. Jenkins

Explanation:
Jenkins is not a container orchestration system, it open source automation platform

Question 26

Q

Which of the following IP ranges are not reserved for private networks?

A. 10.0.0.0/8
B. 169.4.0.0/10
C. 172.16.0.0/12
D. 192.168.0.0/16

Answer

A

B. 169.4.0.0/10

Explanation:
The 169.4.0.0/10 range is not reserved for private networks, all the other IP ranges are.

You can read more about private networks here.

Question 27

Q

A customer has informed their cloud provider that they are planning to conduct a penetration testing exercise against their application which is deployed in the public cloud. Which of the following would the provider typically not require before giving their approval for the pentest?

A. The list with vulnerability scanning tools used
B. The scope of the exercise
C. Advance Notice
D. The duration of the exercise

Answer

A

A. The list with vulnerability scanning tools used

Explanation:
Typically a cloud service provider would require to be notified few weeks in advance for any pentest activity against applications deployed in the cloud infrastructure. They would typically ask the customer for the services in scope as well as the duration of the exercise.

Typically, the cloud service provider does not need to know about the specific vulnerability scanning tools used in the exercise.

Question 28

Q

Which of the following is not usually included in the service level agreement between the cloud service provider and the customer?

A. Service Availability
B. Maximum capacity of cloud storage per region
C. Background check results for the providers personnel
D. Service quotas

Answer

A

C. Background check results for the providers personnel

Explanation:
The results of background checks conducted from the cloud provider on their staff are not typically shared with customers.

Question 29

Q

A public cloud service provider is trying to streamline their compliance reporting. Which of the following tools could help them achieve that?

A. IDS
B. IRM
C. IPS
D. SIEM

Answer

A

D. SIEM

Explanation:
Security information and event management systems (SIEM) collect security log events from multiple systems within the enterprise and provide central storage and analysis. By collating these log streams, SIEM products enable streamlining the reporting process on an organization’s security events. Compliance mandates are placing more stress on detecting and reporting breaches as well as log retention for multiple months or years. SIEM tools are the only ones in the above list that can help an organisation meet their regulatory compliance requirements and prove they are operating lawfully.

Question 30

Q

The newly appointed CISO of a medium-sized pharmaceutical company has been granted $4,000,000 to modernise its security arsenal. The CIO sent a request for proposal (RFP) to several security vendors and received multiple offers with different approaches ranging between $500,000 and $3,000,000. Which vendor offer should the CIO go with?

A. They should go with the $3,000,000 offer, as their budget is $4,000,000 and they can afford it
B. They should go with the $500,000 offer, as this is the cheapest option and they would save the organization $3,500,000
C. They should first conduct a risk assessment in order to understand the value of their assets and decide on their risk appetite. Then they should evaluate the offers from the vendors and choose the one that aligns the best with their strategy
D. Given that the organization has $4,000,000 and the most expensive offer is $3,000,000; they can afford to hire multiple vendors. This way, they will achieve the maximum possible level of security for the enterprise.

Answer

A

C. They should first conduct a risk assessment in order to understand the value of their assets and decide on their risk appetite. Then they should evaluate the offers from the vendors and choose the one that aligns the best with their strategy

Explanation:
You can not protect assets that you don’t know the value of. The organisation should conduct a risk assessment and an impact analysis first before deciding on any potential risk responses (e.g. hiring security vendors).

Question 31

Q

Which of the following technology concepts has its dedicated domain assigned in ISO/IEC 27001?

A. IPS
B. Firewalls
C. Cryptography
D. Honeypots

Answer

A

C. Cryptography

Explanation:
Cryptography is the only of the above concepts which has its own dedicated domain in ISO 27000

Question 32

Q

A large size retailer is considering using a managed cloud service provider for hosting its e-shop. The retailer has clients all over the world, but the majority of its customers reside in EU countries. The retailer collects personal data from its customers in order to offer a more personalised experience and show them relevant advertisements. The cloud provider has multiple data centres across the world. Which of the following data centres would not be a suitable option for the retailer?

A. The data center in Belgium
B. The data center in Japan
C. The data center in New Zealand
D. The data center in Chile

Answer

A

D. The data center in Chile

Explanation:
As pers the European data protection regulations, the personal information of EU citizens should not be transferred to countries which do not offer an adequate level of data protection.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.

You can read more about the adequacy decisions, here.

Question 33

Q

Which of the following is the correct definition of a problem?

A. An unplanned interruption to a service, or the failure of a component of a service that hasnt yet impacted service
B. The unknown cause of one or more incidents, often identified as a result of multiple similar incidents
C. Any placed or unplanned interruption to a service, including scheduled maintenance
D. Any event which would result in a reduction in a services quality without fully interrupting it

Answer

A

B. The unknown cause of one or more incidents, often identified as a result of multiple similar incidents

Explanation:
According to ITIL, a problem is defined as a condition from a number of incidents that are related or have common issues. This means that it is more serious than an Incident and needs separate follow up at a deeper level to avoid future Incidents

Question 34

Q

Which of the following functions aims to identify an organisation’s key assets and the most urgent activities that underpin them, and then, devise plans and strategies that will enable them to continue the business operations and enable them to recover quickly and effectively in the event of a disruption.

A. Change Management
B. Incident Management
C. Problem Management
D. Continuity Management

Answer

A

D. Continuity Management

Explanation:
This is the definition of continuity management.

Question 35

Q

Which of the following is not a typical capability of a CASB?

A. DLP
B. Policy Control
C. SIEM Integration
D. Meet-in-the-middle Attack Prevention

Answer

A

D. Meet-in-the-middle Attack Prevention

Explanation:
Meet-in-the-middle is a cryptographic attack against encryption schemes that rely on performing multiple encryption operations in sequence, including DES. All the other answers are standard offerings of most CASBs.

Question 36

Q

The PCI DSS (Payment Card Industry Data Security Standard) merchant levels are rankings of merchant transactions per year. How many merchant levels does the standard specify?

A. 3
B. 4
C. 5
D. 6

Answer

A

B. 4

Explanation:
PCI DSS specifies 4 distinct merchant levels based on their transactions per year.

Question 37

Q

Which of the following is not an attack on SSL/TLS?

A. POODLE
B. BEAST
C. CRIME
D. SPECTRE

Answer

A

D. SPECTRE

Explanation:
SPECTRE is not an SSL/TLS attack. SPECTRE is a vulnerability that affects modern microprocessors that perform branch prediction.

Question 38

Q

Bob is joining a new company as a Java developer next Monday. As part of the onboarding process, several accounts are created in different systems. Which account is most likely to be created first?

A. Active Directory
B. Github
C. HR System
D. Payroll

Answer

A

C. HR System

Explanation:
The first account is most likely to be created in the Human Resources system. The HR department typically carries out all the background checks and is heavily involved in the onboarding process. The identity management system periodically checks the HR system for new entries and provisions accounts to relevant systems based on the employee’s role.

Question 39

Q

The Cloud Security Alliance (CSA) published the Treacherous 12 which expounds on 12 categories of security issues that are relevant to cloud environments. Which of the following is not one of the 12 categories?

A. Advanced Persistent Threat (APTs)
B. Nefarious Use of Cloud Services
C. Weak Identity, Credential and Access Management
D. Database Injection

Answer

A

D. Database Injection

Explanation:
Database Injection is not included in the Treacherous 12, the rest of the options are all on CSA’s list.

Question 40

Q

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. It is one of the most common web vulnerabilities according to OWASP. If a web application is vulnerable to XSS, where is the malicious code being executed?

A. The malicious code is executed on the machine of the attacker exploiting the vulnerable application
B. The malicious code is executed on the server hosting the web application
C. The malicious code is executed on the computer of people visiting the exploited webpage
D. XSS does not involve the execution of malicious code

Answer

A

C. The malicious code is executed on the computer of people visiting the exploited webpage

Explanation:
XSS allows the attacker to store arbitrary code on a vulnerable web application. The malicious code gets executed on the computer of people visiting the exploited webpage.

You can read more about XSS, here.

Question 41

Q

Cloud storage often uses a technique known as data dispersion. Each storage block is fragmented and the storage application writes each bit into different storage containers in order to increase assurance. Which legacy is data dispersion most similar to?

A. FAT32
B. NTFS
C. BitLocker
D. RAID

Answer

A

D. RAID

Explanation:
Data dispersion resembles the traditional RAID technology. Both of the technologies break down the data and store them in multiple locations/devices instead of a single disk.

Question 42

Q

How are egress monitor solutions also known as?

A. Web Application Firewalls
B. Data Loss Protection Tools
C. Outbound Policies
D. NAT devices

Answer

A

B. Data Loss Protection Tools

Explanation:
Egress monitor solutions are also known as DLP tools and their aim is to monitor and restrict the data leaving the corporate network.

Question 43

Q

The cloud security alliance has defined a model for the cloud data lifecycle which consists of 6 phases. In which does crypto-shredding belong?

A. Store
B. Destroy
C. Use
D. Erase

Answer

A

B. Destroy

Explanation:
Crypto-shredding is the practice of deleting data by deliberately deleting or overwriting the encryption keys which have encrypted the data. “Erase” does not constitute an actual phase in CSA’s model. The correct answer is the “Destroy” phase.

Question 44

Q

A medium-size insurance company has just implemented a security information and event management platform and has integrated it with several applications. Which of the following is not a capability of a SIEM?

A. Log Files Compression
B. Alert Correlation
C. Reporting and Dashboards
D. SSL/TLS Offboarding

Answer

A

D. SSL/TLS Offboarding

Explanation:
SSL/TLS offloading is not a feature of SIEM platforms. SSL offloading is the process of removing the SSL-based encryption from incoming traffic to relieve a web server of the processing burden of decrypting and/or encrypting traffic sent via SSL. It is typically implemented on load balancers.

Question 45

Q

A large online retailer is in the process of modernising their IT infrastructure. Currently, the call center personnel have access to all the private information of the customers in cleartext. The information stored includes the customer’s name, address, date of birth, social security number, and credit card number. Which of the above data should be protected by using static masking?

A. Name
B. Address
C. Social Security Number
D. Credit Card Number

Answer

A

C. Social Security Number

Explanation:
The best use case for using static masking is the social security number. In static masking, specific characters are replaced before storing the data. The retailer needs the full credit card number of the customers in order to process payments hence static masking would not be a suitable solution. A partial (masked) version of the customer’s social security number can be used by the agents to authenticate the customers over the phone.

Question 46

Q

Which of the following is not provided from DNSSEC?

A. Confidentiality
B. Origin Authentication
C. Authenticated Denial of Existence
D. Data Integrity

Answer

A

A. Confidentiality

Explanation:
DNSSEC does not provide confidentiality instead it provides:

Origin authentication

Authenticated denial of existence

Data integrity

Brainscape's Knowledge GenomeTM

(ISC)² Certified Cloud Security Professional Exam 5 (CCSP) Practice (Aris Athanasiou) Flashcards

Brainscape's Knowledge Genome^TM