(ISC)² Certified Cloud Security Professional Exam 5 (CCSP) Practice (Aris Athanasiou) Flashcards
Which of the following is not a responsibility of the cloud service provider (CSP) in IaaS?
A. Patching the hypervisor
B. Ensure the data center temperature does not exceed 30 degrees C
C. Patching the web/application servers
D. Limiting access in the data center to authorized personnel
C. Patching the web/application servers
Explanation:
Patching the web/application servers would fall under the responsibilities of the customer in an IaaS deployment.
Which of the following cloud service models is likely to have higher portability?
A. IaaS
B. PaaS
C. SaaS
D. CaaS
A. IaaS
Explanation:
Infrastructure as a Service (IaaS) is likely to have higher portability compared to PaaS or SaaS. The abstraction and hiding of underlying complexities offered by PaaS and SaaS also have the effect of reducing flexibility and customisation options.
What is the full name of Uptime Institute’s Data Center Site Infrastructure for a Tier V data center?
A. Basic Site Infrastructure
B. Parallel Site Infrastructure
C. Concurrently Maintainable Site Infrastructure
D. The Uptime Institute does not specify a Tier V Data Center
D. The Uptime Institute does not specify a Tier V Data Center
Explanation:
The Uptime Institute specifies only 4 Tiers for data centres, namely:
Basic Site Infrastructure
Parallel Site Infrastructure
Concurrently Maintainable Site Infrastructure
Fault-Tolerant Site Infrastructure
Which of the following is not part of the Organization for Economic Co-operation and Development (OECD) privacy principles?
A. Security Safeguards Principle
B. Openness Principle
C. Individual Participation Principle
D. Lawfulness, fairness and transparency Principle
D. Lawfulness, fairness and transparency Principle
Explanation:
Lawfulness, fairness, and transparency is a principle of the GDPR, not the OECD. The full list of OECD principles includes:
Collection Limitation Principle
Data Quality Principle
Purpose Specification Principle
Use Limitation Principle
Security Safeguards Principle
Openness Principle
Individual Participation Principle
Accountability Principle
Which of the following is not part of the CSA data lifecycle stages?
A. Share
B. Store
C. Process
D. Archive
C. Process
Explanation:
The CSA data lifecycle stages in order are:
Create
Store
Use
Share
Archive
Destroy
Which is not included in the OWASP Top 10?
A. Broken Access Control
B. Insufficient Physical Access Control
C. Security Misconfiguration
D. Sensitive Data Exposure
B. Insufficient Physical Access Control
Explanation:
“Insufficient physical access control” is not part of the OWASP Top 10 (2021). The full list includes:
Broken Access Control
Cryptographic Failures
Sensitive Data Exposure
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery
Remember that OWASP stands for Open Web Application Security Project and, as the name implies, they focus on web technologies. Physical access control, although quite important, is not related to web technologies.
The risk management process includes framing, assessing, responding, and monitoring risk. In which of those steps would a qualitative estimation of the risk take place?
A. Framing
B. Monitoring
C. Assessing
D. Responding
C. Assessing
Explanation:
During a risk assessment, the organisation identifies, estimates, and prioritises information security risks. Risks can be assessed following either a quantitative or qualitative approach.
A medium-sized pharmaceutical company that has traditionally been using on-premises infrastructure has recently put a new ERP platform into production. The deployment of the new platform has gone through several stages of risk assessment and the organization has reached a residual risk in line with its appetite. The organisation has a policy of conducting annual risk assessments for all its platforms. The newly appointed CIO has decided to move the aforementioned ERP system to the cloud to cut down on infrastructure costs. When would the next risk assessment for the application take place?
A. The application has recently gone through risk assessment and the stakeholders are happy with residual risk. The application can be migrated to the cloud and the assessment can take place in the next scheduled annual review.
B. A risk assessment should take place immediately after the application has been successfully migrated to the cloud and its new environment is sufficiently understood.
C. A risk assessment should take place before migrating the application to the cloud
D. The organization should not migrate the ERP platform in the cloud as it is a core system to their business and they should retain tight control over it
C. A risk assessment should take place before migrating the application to the cloud
Explanation:
A risk assessment should take place before migrating the application to the cloud. The current risk assessment assumed the application was hosted on-premises. Migrating the application to the cloud completely changes the risk landscape and invalidates the current estimations and computations.
Which of the following is not typically found in a Service Level Agreement (SLA)?
A. Service Availability
B. Patching frequency of the cloud infrastructure
C. Penalties should the agreed-on service levels not be achieved
D. The process of adding or removing metrics.
B. Patching frequency of the cloud infrastructure
Explanation:
The patching frequency of the cloud infrastructure would not typically be included in the SLA between the cloud provider and the customer. A service-level agreement (SLA) defines the level of service you expect from a cloud provider, laying out the metrics by which the service is measured as well as the remedies or penalties should the agreed-on service levels not be achieved. SLAs focus on service quality and not on the technicalities of how that quality is achieved.
The Federal Information Processing Standard is a U.S. government computer security standard used to approve cryptographic modules. The standard defines different levels of security for cryptographic components. What is the highest level of security described in FIPS?
A. Security Level 0
B. Security Level 1
C. Security Level 4
D. Security Level 5
C. Security Level 4
Explanation:
Security Level 4 is the highest level of security in FIPS.
An LDAP administrator has configured a directory server and is considering different schemes for password storage. Which of the following would be the best option in terms of security?
A. Encrypt all passwords using the same key and Triple DES
B. Encrypt all passwords using a unique key for each entry and Triple DES
C. Hash the password without any key using SHA-512
D. Hash the password using a fixed key using SHA-512
C. Hash the password without any key using SHA-512
Explanation:
The best option in the above scenario would be to hash the password without any key using SHA-512. Hashing is considered a better option for handling passwords since it is a one-way operation that cannot be reversed (unlike encryption). SHA-512 does not require a key to compute the digest.
Financial penalties for not complying with the General Data Protection Regulation (GDPR) can range up to?
A. 20,000,000 Euros
B. 50,000,000 Euros
C. 70,000,000 Euros
D. 100,000,000 Euros
A. 20,000,000 Euros
Explanation:
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million.
An LDAP administrator has configured a directory server and is considering different schemes for password storage. Which of the following would be the best option in terms of security?
A. Encrypt all passwords using the same key and Triple DES
B. Store the password in plaintext
C. Hash the password using SHA-512
D. Hash the password using PBKDF2
D. Hash the password using PBKDF2
Explanation:
The best option in the above scenario would be to hash the password without any key using PBKDF2. Hashing is considered a better option for handling passwords since it is a one-way operation that cannot be reversed (unlike encryption). That leaves SHA-512 and PBKDF2 as candidate options. PBKDF2 is slow by design and was created specifically for handling passwords. Generic cryptographic hashing algorithms like SHA-256 are fast. Slowing down the algorithm (usually by iteration) makes the attacker's job much harder in the case of a rainbow table attack.
Which of the following is a valid cloud storage type?
A. Elastic Disc
B. Context Delivery Network (CDN)
C. Content Delivery Network (CDN)
D. Cloud Box
C. Content Delivery Network (CDN)
Explanation:
A content delivery network (CDN) is the only valid cloud storage type among the above options.
A database administrator is looking to migrate their on-premises hosted database to the cloud. They are going through the documentation trying to find out whether their provider's cloud database satisfies the ACID properties. What does ACID stand for?
A. Atomicity, Consistency, Isolation, Durability
B. Agile, Concurrency, Input, Defragment
C. Augmentation, Concurrency, Indivisibility, Data
D. Automation, Cache, Integration, Denary
A. Atomicity, Consistency, Isolation, Durability
Explanation:
ACID stands for Atomicity, Consistency, Isolation, Durability.
Two organisations agree to provide federated access to each other's employees by using OpenID Connect (OIDC). What is the data format of the identity token issued as part of the OIDC flow?
A. XML
B. YAML
C. JSON
D. SAML
C. JSON
Explanation:
Identity tokens issued as part of the OIDC flow follow the JSON data format. They are also known as JSON Web Tokens (JWT).
Which of the following is a value included in the Agile manifesto?
A. Processes and tools over individuals
B. Detailed planning over ad-hoc changes
C. Upfront design over multiple iterations
D. Customer collaboration over contract negotiations
D. Customer collaboration over contract negotiations
Explanation:
The Agile Manifesto is a brief document built on 4 values and 12 principles for software development. The 4 values are:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
A medium-sized retailer is going through the risk management process to ascertain threats to its e-shop. According to the statistics, it is subject to 100 cyber-attacks per year. Only 10% of the attacks are successful, with each successful attack costing an average of $10,000. The annual revenue of the e-shop alone is $500,000 with a net profit of $250,000. Which of the following controls would be the best option for the company?
A. Hire an insurance company for $150,000 per year which will fully cover any associated cost with cyber attacks
B. Accept the risk since all the identified potential risk responses would cost more
C. Shut down the e-shop and focus on their high-street shops
D. Deploy a next-generation Web Application Firewall (WAF) for $50,000/year which would prevent 75% of the currently successful attacks on average
D. Deploy a next-generation Web Application Firewall (WAF) for $50,000/year which would prevent 75% of the currently successful attacks on average
Explanation:
Let's analyse the above 4 options. The company suffers 10 successful attacks per year with an average cost of $10,000, for an Annualised Loss Expectancy (ALE) of $100,000.
The net profit of the e-shop is higher than the ALE, which means shutting down the e-shop would not be a good option.
Hiring the insurance company would cost more than the ALE, which means it is not a good option either.
Accepting the risk would leave the company with a net profit of $150,000 ($250,000 - $100,000) after subtracting the ALE.
The WAF would reduce the ALE to $25,000 while costing $50,000, bringing the total cost to $75,000, which is lower than both the net profit of the e-shop and the ALE before the control. This is the best option.
What are the key considerations for determining controls for securing data?
A. Functions, Locations, Actors
B. Methods, Locations, Users
C. Methods, Context, Users
D. Methods, Context, Actors
A. Functions, Locations, Actors
Explanation:
According to the CCSP CBK, the key considerations for determining controls for securing data are:
Functions, Locations and Actors
Which risk is not mitigated by full disk encryption in a cloud environment?
A. Physical theft of hardware
B. Attacks through the application container
C. Malicious CSP employees
D. Ineffective hard disk destruction
B. Attacks through the application container
Explanation:
Attacks through the application container would still be able to read data that is encrypted at the disk level, because the OS, and the application container in particular, need access to the plaintext data.